When is it Too Much?


My series of posts last month focused on the need for internal audit to embrace creativity and innovation in order to maintain relevance in the future. I have gotten some interesting responses to that message. Some came in the form of comments (which you can read here) and others were follow-up conversations I had with friends and colleagues. To be honest, it is going to take a little while to get to all the points I see being raised, and so I plan on revisiting this subject throughout the rest of this month.
But in very broad terms, the comments and discussions have run the gamut from "Amen, Brother" to "Get thee behind me Satan." Actually, no one compared me to Satan. But in the passive-aggressive approach that seems to be so favored by internal auditors, it was evident that there were individuals who believed I was leading us to something nowhere near akin to the Promised Land. While they wanted to be nice and indicated that what I had to say was interesting, they threw in enough caveats to make buyers not only beware, but run to a different city's marketplace
Most of the naysayers (or rather, the "yes-you-are-right-but..."-sayers) tended to fall back on the standards, on our traditional roles, on our core skills, and on the reminder that we should not take our eyes off our primary responsibilities.
Let me be clear. I have never advocated an anarchist revolution with the objective of building something new on the smoking ruins of all we've accomplished. I am not abolishing the standards or our traditional roles or our core skills or our primary responsibilities. However, what I do advocate is an approach that looks at what internal audit does tabula rasa – imagining nothing has come before, imagining all possibilities without restrictions. Such an approach is instrumental in breaking the shackles of our preconceived notions.
However, such an approach includes risk, and there's the rub. The backward looking approach – the need to "not keep our eyes off (name your particular preference/prejudice)" – is indicative of internal auditors' natural aversion to risk. When speaking with auditors about the need for change, I invariably here concerns about the risk we would face. And, while there is nothing wrong with taking the potential risks into consideration, internal auditors (when they are speaking of their own profession) tend to use risk as the primary reason to avoid big changes.
Our strongest trait; our biggest problem.
Our focus on potential risks and approaches for best mitigating those risks is one of the foundations upon which we have built our reputation. But our love of that foundation means we have become some of the biggest risk avoiders in the organization. Here's a simple test – when was the last time you actually reported that a control should be removed because it was not providing value? I think most of us have done it, but I also think the instances are few and far between. And I further believe that we avoid doing so partly because we just want to be sure things are under control – we fear that any (emphasize any) unmitigated risk is bad and, even more tellingly, if it leads to a problem will reflect on professionalism.
We won't take the risk.
And then it all leads to the biggest impact this has on the profession - our fear that we cannot make mistakes. If we are to be the ones who are the control experts, then we seem to think we have to have absolute control over the work we do. 
Because we have such an important role in risk mitigation, we shy away from risk – we don't want to be seen making even the most infinitesimal, inconsequential mistake. Take a look at your operation – take a look at your processes – take a look at anything going on in your department – and I'll bet that half of the work you are doing is geared toward reducing that risk.
First and second reviews of workpapers. Checking and double-checking mind-numbing details. Innumerable meetings geared towards talking about what was done, what is being done, and what will be done. Rewriting reports until results are so old they aren't worth reporting any more.
Has anyone done a cost-benefit analysis of how much our controls cost versus the exposure?
That is a key point. And that is the fear I see from most auditors when we discuss creativity and change. Of course there is a risk. There was a risk over 70 years ago when a group of internal auditors got together and decided we should be a real profession. There was a risk when our principals were put in writing. (Put it in writing and you have to be held to it.) There is a risk every time we put forward an opinion.
And we have to raise our risk tolerance, allowing ourselves to occasionally fail.
I would argue there is no such thing as too much creativity and too much innovation. And for those who fear there will be "too much", I share a quote from John Burroughs. "Jump and a net shall appear." You have to take the chance or else you will achieve nothing.
And one more quote to end this part of the discussion – this time from some weirdo named Pablo Picasso: "The chief enemy of creativity is good sense." Allow me to paraphrase for our profession.
The chief enemy of internal audit's success is good sense.

Posted on Feb 2, 2014 by Mike Jacka

Share This Article:    

  1. Mike, I hope you didn't infer from my previous posts that I don't think the changes you are advocating are necessary, but that these changes will affect different audit departments in different ways. We certainly need to embrace creativity and innovation and take risks. We do need to constantly re-think what we are doing (I couldn't agree more about mind-mumbing reviews of working papers which I used to hate. I passed some responsibility for this onto senior auditors, since they could learn from others' papers). Will you be commenting on my point that maybe the profession at the top should lead? Should there be a general session at the London conference on seismic changes, or maybe a concurrent session devoted to it?

  1. Mike: Thanks for continuing your efforts to elevate the importance of the internal audit profession embracing change. I believe the biggest single reason IA needs to change is simple - current internal audit methods don't support the new board risk oversight expectations. I encourage readers to Google "AIRMIC + Report challenges risk managers to develop new skills" It is a short article that appeared Feb 1. Although it is focused on convincing risk specialists to change, the same principles/reasons for radical change apply to the internal audit profession. The IA profession is at a cross road - embrace radical change or risk being considered increasingly irrelevant and channelled in to the narrow, marginal value world of process documentation and "controls" testing.
  1. David: To your question "Should there be a general session at the London conference on seismic changes, or maybe a concurrent session devoted to it?" - my vote for a general session is an unequivocal "YES". I will be presenting a three hour pre-conference in London July 6th on a new approach to IA we are calling "Board-driven/Objective-centric" that calls for significant change in status quo IA methods. My thanks to the IIA for supporting a change agenda. I really hope there will also be a general session from an influential speaker that really understands the issues that makes a best effort to sell the business case for radical change in the existing internal audit paradigm. I have suggested on more than one occasion to IIA executive the IIA should sponsor at least one conference per year on innovation and step-out thinking in the profession. In the oil business a "step-out" well is one where there isn't as much certainty of finding oil as an "in-fill" oil well where likelihood of oil is very high. I think the IA profession has been doing far too much "in-fill" development and not enough "step-out" or, may I be struck down by lightning, "wild-cat" drilling to look for really great returns in areas previously not explored.
  1. David,

    Don't worry.  My comments were more specifically related to conversations I had with other auditors. And your point about different shops being affected differently is definitely on point.

    I can't tell you exactly what's coming next because I haven't got it figured out myself.  I can only say that it will reference a lot of the topics that have come up in the comments here and from other individuals.


Leave a Reply