On the Frontlines: Jedi ERM
Blogs Jason Stepnoski, CIA, CPA, CFE and CISA Jul 14, 2022
Internal auditors are, in essence, the Jedi of their organizations. Auditors, like Jedi, are dispatched throughout the galaxy of organizations with our audit plan to guide us in solving complex problems. The Jedi approach their missions in the same way auditors execute projects. Take the three phases of an audit:
- Planning. A Jedi has to learn about an issue to identify problems and determine their root causes.
- Fieldwork. A Jedi must execute on what he or she has learned and gather evidence on reportable observations.
- Reporting. A Jedi must recommend solutions for high-risk issues, which if implemented may help the organization achieve objectives. (Hopefully, it doesn't come to aggressive negotiations.)
If we are doing well in all of these phases, we earn the moniker of trusted advisor, aka Jedi master. Audit teams, like the Jedi, are independent business partners with a unique reporting structure. Internal audit is typically the only department to report directly to a committee of the board. (Tell me Jedi Council meetings don't bear a striking similarity to audit committee meetings.)
One of the other vital services internal audit provides is relevant and valuable advice based on their risk assessments. And just like the Jedi using the force, auditors must constantly be aware of the ever-changing business and social landscapes to identify and evaluate current and future risks.
It is kind of ironic then that the Jedi were not more like internal auditors as they were awful at assessing risk. Had the Jedi allocated some resources to enterprise risk management or internal audit, maybe even included some books from The IIA bookstore in their vast library, they'd have detected and prevented the ultimate fraudster from becoming Emperor of the Galaxy.
Sith Lords turned out not to be the Jedi's specialty as Obi-Wan Kenobi once stated while standing a few feet away from the very Sith Lord, Palpatine, who not too long after directly caused the end of the Jedi Order as it was constituted. The Jedi completely ignored the risks posed by events transpiring throughout the three prequel movies, which led to inadequately addressing the issue of a Sith Lord being the leader of their governing body until it was far too late.
The Jedi's response was to ignore most red flags leading up to Sith Lord Palpatine's big reveal, despite having many, many years after first learning of the threat from Darth Maul's shenanigans. Imagine inadequately assessing your most significant risk for a decade. The Jedi were like the modern-day Blockbuster, which ignored the risk of emerging technologies of streaming services and then reacting far too late to survive in a meaningful way. Now, like the Jedi, there is the last Blockbuster out there.
Even organizations with the best of intentions must remain focused on identifying and adequately evaluating risks. Perhaps some additional due diligence would've been merited on the clone army that suddenly sprung up at a very convenient time for some needed mergers and acquisitions. The Jedi then went on and exceeded their objective as peacekeepers and became combat generals to an army of clones. Ethically questionable actions at best, and definitely outside any approved audit charter.
There was no way Yoda was fostering a healthy corporate culture. He is the epitome of a micromanager. One day into training, he was already riding on Luke Skywalker's back and barking instructions at him. There's no way that method of teaching equates to a Jedi Academy having a winning formula for company culture. These are not the actions of an agency that takes risk management seriously.
Internal audit should be mindful of maintaining their independence while still seizing opportunities to provide objective and relevant insights to our business partners and stakeholders. And most importantly, it should be a champion for good culture and good governance while being mindful of staying within the scope of its audit charter. These are definitely lessons that even Jedi masters could learn from auditors.