A cow in Willesden

Public psychotherapy for a veteran auditor

Shh! Don’t tell mom we shrunk the babysitter

Do you ever feel like you’re trapped in a Disney movie?

Not the cartoon ones, that would be great. All those tiny broomsticks fetching buckets of water and all. That would rock.

I mean the other kind, the ones which are basically a series of contrived misunderstandings, piled one on top of the other like a tower of cards, for the sole purpose of extending an otherwise trivial resolution to the inciting incident into a 90-minute feature film. My position is that if a 5-minute conference call, with frank and honest speaking all round, between all the lead characters, would resolve the entire drama, then it’s not a proper movie, and it shouldn’t have been made.

If I use the same test on my work, as I often do, I come to the horrifying conclusion that most of my audits shouldn’t have been made either, or at least the reports shouldn’t. Well, exasperating at least, if not horrifying.

“Steady on there, Cow! Don’t undervalue yourself, your work is important, these audit issues are insightful and forward-looking, the genius of your deeper thinking reveals truths and solutions that have never been known, and your clients really appreciate them,” I hear you say. Well, yes obviously we’d all hate to live in a world without an effective, independent audit function staffed by the brightest minds ever to look upon the non-academic vista. And why did you not mention my coup de grace of the subtly worded ‘damning with faint praise’ descriptions of the key processes and controls – surely my proudest legacy to the audit community? But hear me out, and stop interrupting.

I’m talking about the culture of secrecy over our audit findings. This paranoid fear that some clients <Editing note – confirm if some or all before publishing this one> demonstrate when it comes to discussions about potential weaknesses in control processes. The presumption, or even insistence, that we don’t share our findings with the next level of management until everyone at this level has had a several-week-long bedding in period to familiarise themselves with the finding, and to suggest all manner of tweaks and wording changes.

Seriously. Why The Face. It’s straight out of a Disney movie, and has no place in the civilised corporate world.

Allow me to elaborate. Line management reviews the findings, comes back with comments and suggested changes, we agree with some, disagree with others, we go back with a revised draft, they have more comments, we finally get their OK, we escalate it to their immediate managers, who come back with comments, and to use my currently most detested phrase, rinse and repeat. I’ve worked in a place where they apply this approach through 6 separate layers of management within their business group, before it even gets to executive management. Incredible I know, but true, and I have it in writing. Some of these people sit on the same row of desks, for frig sake, and still insist on the protocol of ‘eyes-only secrecy’ until they’ve had their say and the chance to mull it over for a few weekends.

Now if these reviews were consistently giving valuable direction; if they were clarifying, rather than muddying the issue wording, that would be a different story, morning glory. I’d be happy to take that to the audit committee : “we’re not publishing this report until we’ve heard what X has to say – their input is invaluable, and helps ensure that the report is accurate and the issues have properly identified the root cause.” Or if the almost mandatory (as predictable as the death of an unChristened ensign on the away party with Kirk, Spock and Bones) suggestions to reduce the rating of the issues were coming from clients who had established a track record of thought leadership (sorry, didn’t have time to put that into real English) in risk management, then I’d be delighted to wait and hear their valuable contributions. But if it’s all about rewordings, changes to the tone (i.e. trying to pretend that no-one was at fault for what is often basically a dereliction of duty), reduction of the issue ratings, and all manner of other insubstantial, cosmetic tinkering, then when am I allowed to say “er, no?”

Some of these levels, with creditable mention to the operational risk management function, often come back with changes that are putting back the things we took out through the earlier reviews. But we can’t speak to them about it until we’ve been through the maze of operational management (try and stay with me non-auditors – operational risk means they manage risk, and get in trouble if bad things happen to the business that they didn’t predict, so their incentives are mostly around good practices in governance, but because those incentives are also often dealt out by operational management they lack the independence that the audit function has; operational management run things, as in they manage operations, and their incentives are more statistical <q?> and short-term, they’re fine if the downside is outweighed by the upside over the period, and if they take big risks, they often stand to profit massively, and when bad things happen they go and work somewhere else, or retire on the bonuses they made while the company picks up the bill for the losses. Think Lehman Brothers or Enron. Or think of a see-saw, with unlimited up-in-the-air, but a big brick pylon underneath so it can never go down very far because the best that happens someone is a gigantic performance-related bonus based on the past year’s performance, and the worst is just a sacking, which never involves paying back the previous 10 years’ worth of huge bonuses).

As an aside, I know plenty of auditors, even very senior ones, who regard it as essential practice to leave non-issues in the draft report, even though they know them to be bollocks, just so we have a bargaining chip, something that we can say ‘OK, I’ll drop these 2 issues if you let the other 4 ride,’ in the basest sort of horse trading that you’d expect in an Egyptian market, and they frame it as pragmatism and relationship building. It’s not, it’s deceit and compromise, it devalues everyone involved, it’s ineffective, inefficient, impractical, and an insult to the integrity of the audit function and to management. If they aren’t real issues, if they don’t present a significant risk to the business as a whole, if the only practical response is an acceptance of the risk or reconsideration in the course of normal business change, then we should not pimp them out as draft audit issues for any reason, much less in the name of practicality. It’s only a good approach if you assume that your clients are ignorant and weak-minded, or worse (if there is anything worse).

Anyway, back to my point. I appreciate that these layers of management often know many aspects of the business better than we do. Yes, I get that. There are always things that we don’t cover, that might mean the risk isn’t quite as we initially thought. But if that’s the case, why is the request always to reduce the rating, and never to increase it? Why do clients not occasionally say : “You know, I can see why you’d think this was a low, but if you really look at the lack of downstream controls in the back office for this particular scenario, you can see that it’s really more like a medium risk.” Wouldn’t that vastly increase the regard we could show for their requests to reduce other ratings?

Not saying that it never happens. There are clients out there who have given me input like that. But they have never asked that I make sure not to let anyone else see a draft until I’ve upped the rating. So full credit to those clients for putting the governance and risk management of their business ahead of their ego. But it absolutely boils my pips that a group of people, auditors and clients and risk managers and senior business management, all with the same aim for the transparent and practicable management of risk, can, and often do, get caught up in their personal agendas (auditors and clients alike) to the extent that we construct these rat-run approaches to evaluating and agreeing improvements to our joint business objectives, pandering to the most shallow, selfish wants of the unenlightened or paranoid at the expense of countless hours of wasted effort by auditors and management, and the further expense of unclear messages about significant risks to the business. For someone like me, who believes so passionately in risk management, it’s enough to drive me to the refuge of poorly conceived dramatic tension realised through the fantasy of Disney movies. And for anyone who knows me, you’ll know that it’s a sorry fate.

So in conclusion, may I please have signatories to my social contract below :

We, the undersigned, agree neither to exaggerate nor downplay the significance of any risk or issue that arises or comes to light from the work of audit. We agree to be frank and honourable in our dealings with all involved parties. We agree to put our egos and shallow reputational markers aside when confronted with something that may put us all out of work in the near future, and to admit that none of us have all the answers. We agree not to bully or pull rank, nor to unreasonably or excessively defend a view which is disputed by corroborated management assertions, or which is genuinely held and presented by a suitably qualified audit professional as a result of peer-reviewed audit work. We agree to work efficiently together, all levels of management as appropriate, to assess in good faith the findings arising from audit work, and to desist from agitating and nay-saying for the purposes of maintaining a personal façade of omniscience or for protecting any other personal interest. We agree that where the objective view of audit differs from the view of management, that we will acknowledge this and make reasonable efforts to identify the source of the difference. We will agree to disagree. We agree that we will refrain from personal attacks in smoky back rooms, except in the case of extreme and unprovoked idiocy, and from waging a war of attrition in order to cover up the weaknesses in our risk management awareness or practices on the one hand, and our deficiencies on audit skills and business understanding on the other. We agree to either give definitive, authoritative, reliable statements that something is or isn’t a risk or exposure (and give evidence or support for why it is or isn’t so) OR to state that it is uncertain and either it deserves more investigation or is not practicably knowable and therefore an issue of conjecture, best dealt with by senior, experienced, and accountable management, be that audit, or more often business management.
We commit to working towards good governance and an appropriate, transparent acceptance of risk where that is the right course of action. We agree to stay ’til the credits roll, no matter how much they telegraph the supposed surprise at the end of the movie, before we storm out of the theatre slagging off the cast and crew. We agree that Casablanca is the best movie ever made, because otherwise we may as well stay in our hotel room hiding under the bed like frightened children, and we may as well also give up on governance and just run these companies as if it was an ebay trading operation run out of our mum’s garage.

So 11.5 blogs in, I think I’ve finally reached the essence of what I wanted to achieve in this exercise. If I can get a response to this mammoth entry (matron) that confirms I’m on to something, then I might leave it there, and tail off the blog with a few more lighter posts over the next month or so. If not, if I don’t get a response along those lines, or if I get so little response that I feel my preaching is going unheeded, I might tail it off in another direction. Either way, I’ve a feeling that this post was really what my objective was, in respect of audit blogging anyway. It’s way better than the only competition I could find.

Please let me know, leave a comment if you can (it’s only me that sees your email address and I guarantee not to use it or pass it on, it’s just a website thing to track who is a real reader and who is a spammer). Maybe I’ll limp on to my 1,000 hits target in any case, and then see if I can make one of those computerised films instead. I truly hope that some of you have enjoyed this or found it thought-provoking to anything close to the degree that I have enjoyed thinking it and writing it.

Finest regards to all of you from a Cow in Willesden. And a belated thank you to the man from the hazel gap, from whom the originating quote came to my attention : There won’t be a cow milked in Willesden tonight! Never a truer word.

4 responses to “Shh! Don’t tell mom we shrunk the babysitter”

  1. Sofia April 1, 2011 at 1:36 am

    You must keep going Cow. I think there is so much more to say on the subject. I also think you should develop a feature film on the side.

  2. ITauditSecurity May 28, 2011 at 5:19 am

    Hey, the bollocks trick is pretty funny. Can’t say I’ve ever done that.

    The way we’ve approached findings is that we tell auditees in the opening meeting, status meetings, and every other chance we get that we do NOT negotiate findings and their ranking. We revise issues based on facts (missed or new) and mitigating controls. It works for us because we have really strong management and a well-documented ranking process, which we publish.
