A reminder not to let the pendulum swing too far.
Sometimes looking back into the past will give you ideas for the future.
Blogs Mike Jacka, CIA, CPA, CPCU, CLU Dec 16, 2021
I was talking with some old friends a while ago, friends I have known since the days we all worked together at Farmers Insurance. (That makes it quite a while ago.) For some reason, the 98 account came up. No rhyme nor reason, it just weaseled its way into the conversation of a group of people talking about the old days.
"What is a '98 account?'" you might ask. Well, that is pretty much what we were asking. The scary part is that, with very little mental prodding, I was able to recall that the 98 account was the escheatables account — the account that held the funds related to uncashed checks. As the group chided me for remembering something so arcane, I defended myself by noting that one of my first audits was a review of this account. I also noted that it was an audit I did more than a few times.
And therein lies a lesson about the way we used to audit back in the early 1980s. Our schedule was based on a cycle of audits. There may be a few of you out there old enough to remember this approach, but for everyone else, let me enlighten you. Somewhere in the organization's misty past, someone had decided which audits were the important ones to do. (Back in those days, that often meant a lot of financial audits.) Those audits were then scheduled throughout the year. And those same audits were done the next year, and the next year, and the next year, and so on. Sometimes there might be a two-year cycle. But in general, the same audits were done at the same time, over and over again.
It was not a great approach. Proof: Every May we did an audit of our salvage operations — looking at the cars, the sales, and the monitoring processes within the regional office. After a couple of audits, we realized the salvage clerks knew when we were coming and would pull all the diary strips to make it look like they were up to date on their work. (Don't know what a diary strip is? Ask your grandparents.)
Yeah, the cycle of audits was not a great approach, but it was all most of us knew. And the profession has definitely gotten better. But that is only the beginning of this little parable. We have more to cover, so let's move on.
Once our little coffee klatch finished exploring the 98 account (a short exploration), our discussion became a litany of numbers as we (for some reason, fondly) recalled the various accounts and related audits — the 88 account, the 74 account, the 14 account, and the 06 account (that was an important one because it was an uncontrolled account.) Yeah, we were reliving all the hits. (And I wish to also note that I am not making these up; these were accounts we actually audited.)
We then started talking about the way our audit planning evolved. (Yes, this was an audit-nerd convention.) Like so many others, we changed to a risk-based approach. It had its problems, just like everyone else's, but in general, it went very well. And that is where the story ended — at least as far as those in this conversation knew.
Because reminiscing about those accounts reminded me of an interesting discussion that occurred at the end of my tenure with the company. Internal audit was focusing on processes — operational audits intended to provide value by identifying opportunities for improved efficiency and effectiveness and generally helping everyone achieve their objectives. And because we were risk-based, we were focusing on processes where we thought the greatest risks resided. But I got to thinking about those accounts — all those numbers and all those transactions and all those dollars. I was wondering if we had developed a blind spot regarding some of that work and those accounts and, in general, a lot of those audits that had fallen by the wayside when we moved away from the cycle of audits. As an example, I couldn't remember the last time we had done a review of the 98 account. (I can't give you dollar totals, but I'm guessing you can figure out why this might be a big deal.)
I went to the CAE and made a case for reviewing some of these accounts. And I was summarily dismissed.
I was given some insubstantial reasons, but it all seemed to come down to this point: "Why should we care about those accounts? We have bigger issues and risks to address." And yeah, that could be a valid argument. But my additional concern was that we were not considering these accounts and processes in our risk assessments. That is, I would have been fine if we had included these in our assessments and agreed they were not an issue, but they were being summarily dismissed without any real deliberation.
And one more thing. I genuinely believe the CAE, someone who had been around as long as I had, was still distancing himself from our old approach to planning and audits — he was actively keeping away from the audits that were part of that cycle of audits approach we had dropped nearly 20 years before.
We never did any audits over those accounts. I retired. And, to the best of my knowledge, the audits were not done after I left. Farmers Insurance still exists, so I'm guessing the fact that internal audit did not look in those directions did not signal the demise of a 75-year-old company. However, as indicated before, there are a couple of lessons to be garnered here.
First, look back at the audit work that your organization has completed. Be willing to go way back and see if there was something done in the past — something that has a hidden component of risk you hadn't thought about — to determine if another visit might not be warranted.
Second, (and somewhat related to the above) don't let the pendulum swing too far. In an effort to distance ourselves from the cycle of audits, we were potentially avoiding and missing some long-standing risks. And the profession falls into this trap just as easily as individual departments. Was SOX a response to too much of a focus on operational auditing? Are we so focused on cyber and IT that we're missing something in the non-technical world? Was our focus on all the latest, top-20, hot-off-the-presses risks the reason that, rather than being unprepared for the pandemic, we were woefully unprepared? No one type of audit approach is perfect. And finding the balance that is effective means keeping one foot in every type of audit. (And, yes, I know that means you need more than two feet for such a feat to be accomplished, but this has gone on too long for me to worry about perfecting metaphors. You know what I'm trying to say.)
But there's one more thing: a broader issue about management, leadership, and innovation. Make sure people know why decisions are being made. When I suggested the review of past accounts, I never really heard any discussion on why the idea was rejected. I got some generic excuses that all came down to nothing more than it would be a waste of time. And maybe it was a waste of time. Maybe not doing those audits was the right decision in that situation. But I will never know because I don't know how the decision was reached.
With every suggestion that is made, there is a chance it will be accepted or rejected. (And your percentage of success will vary.) Maybe they are good ideas; maybe they are bad. However, no matter the situation, let people know why the decision to accept or reject was made. Innovation and progress will only occur with an influx of new ideas. And nurturing that influx is key to successful innovation. To enhance creativity — to drive improvement and innovation to rise to the next level — you have to welcome ideas. And nothing will shut down the flow of creativity quicker than being summarily dismissed. No, you don't have to accept every idea. But when rejecting an idea, make sure you have established your reasons and thought them through. And let everyone involved know why the decision was made. And who knows, maybe when you think it through, you may realize that rejection isn't the way to go.
Now, what did I do with that check I forgot to cash?