Earlier this week, I told a story about the reviews I used to perform over the investigation reports our department would issue. The point of that story was, very often, the problem with a report is not that it is poorly written, it is that the work underlying that report was done poorly. But that story (and that point) was actually just a prelude to a much bigger discussion.
It's Not Me, It's You
Blogs Mike Jacka, CIA, CPA, CPCU, CLU Mar 15, 2019
As part of that discourse, I referred to the book Thinking in Bets by Annie Duke. A quick reminder: this book, while relying heavily on her poker experiences is not a book about poker; it is a book that delves into how we think. In the book, Ms. Duke talks about how her growth as an expert poker player really occurred when she realized there was nothing to be gained from discussions made up of little more than commiserations about bad deals, cards, and luck. Instead, she realized she needed to be talking with people who dug more deeply into the game, the underlying circumstances, and the overall strategies. And she learned she needed people who could be trusted to tell her the truth — the truth about her playing, the truth about her skills, and the truth about herself.
She describes how it all started with her brother, a world-champion poker player himself. "My brother took a blunt approach with me. My instinct was to complain about my bad luck and to marvel at how poorly others played, decrying the injustice of any hand I might have lost. He wanted to talk about where I had questions about my strategic decisions, where I felt I might have made mistakes, and where I was confused on what to do in a hand."
When an audit goes bad, I'd like to think that internal auditors are above the type of lamentations Ms. Duke describes — complaining about our bad luck; decrying the circumstances that led to a less-than-perfect audit; or lamenting it was the fault of the interviewee, the fault of client supervision, the fault of client management, the fault of client executive management, the fault of the documentation, the fault of the computer, the fault of the commute, the fault of the weather, the fault in our stars … everyone else's fault but internal audit who stands by, humbly blameless, waiting to face the slings and arrows of outrageous fortune.
I'd like to think we don't fall into that trap. But I've seen it happen. (Honesty forces me to admit I've done it myself.)
Off the top of my head, here's a few fingers-pointing-elsewhere examples:
- "We would have been on time, but when we tried to schedule the final meetings, everyone we needed to meet with was on vacation."
- "Just as we were ready to begin testing, they changed their processes."
- "I found out later the supervisor had told her employees to never talk to the auditors — to refer all questions to her."
- "I couldn't get any two people to give me the same story of how things were done."
- "They didn't have any written procedures."
- "I kept requesting the documents, they kept promising me they were on the way, and they wouldn't arrive."
- "It was obvious they had gone in and changed the files, knowing where we were going to look." (Had that one happen to me twice.)
- "They kept wanting changes to the report."
And here's a confession. I thought it would take a bit of work to come up with more than one or two examples. Nope. Came to mind pretty darn quickly. And, if you gave me five more minutes, I could double the number without breaking a sweat.
Stripped of context, these examples show themselves to be the hideous excuses they are meant to exemplify. But I'll bet 1) you have actually uttered something close to one of two of these in the past, and 2) if you look closely at the excuses you are currently using for why your audits don't succeed — why they are not on time, why something significant was not identified, why the test had to be left out, why the interview didn't go well, why the kick-off meeting was a disaster — you will find that, stripped of the surrounding noise, those excuses are as thin as the ones listed above.
Stripped of the surrounding noise, we are effectively saying, "It had nothing to do with me or the department; it was all the fault of the client."
And, if you sincerely believe that to be true, then why do you continue to have problems? If every failure in every audit was because of "the other guys," then a fascinating question arises. Aren't we supposed to be the ones who are so good at understanding risk and risk management? And doesn't that mean we should be real good at mitigating these risks and reducing the number of times there is a problem?
And yet it happens and happens and happens and …
Even if absolutely every single instance of a problem could be placed at the feet of someone besides internal audit, then it is still our fault. Again, we're supposed to be experts at risk management, and we can't even manage the risk of messing up (even in small ways) our audit work.
What this means is we have to quit accepting the thinnest of excuses and spend some time understanding why things go wrong. In fact, even when things go right, we need to figure out how to make them go better.
Which will lead us to discussions about postmortems; who we have involved in postmortems; and how we get to the real truth of what's going wrong, what's going right, and how we can improve. And, while we're at it, we'll probably take a different look at the concept of "trusted advisor." And there'll also be more references to Ms. Duke's book.
Let's get together next Friday and see what happens next.