Objective: Evaluate the design and effectiveness of the Galactic Empire's operations during the Galactic Civil War.
Methodology: Conclusions are based on observations of events from the period of 0 ABY to 4 ABY (Galactic Standard Calendar based on years before and after the Battle of Yavin (BBY/ABY)).
Executive Summary: Management failed to include appropriate enterprise risk management (ERM) practices in day-to-day operations. This pervasive exclusion of best practices degraded organizational culture and led to the failure of the Galactic Empire.
Finding No. 1: Employee Safety Is Not Prioritized
Observation: Auditors observed multiple workplace fatalities and injuries due to a lack of physical safeguards such as handrails and safety nets over dangerous areas with large floor openings such as extension bridges, tractor beam controls, and shield generators at the Endor Moon Base.
Auditors also observed Death Star employees were not provided personal protective equipment (PPE) while operating near a most likely radioactive, planet-destroying super-laser.
Auditors also observed multiple employees were choked to death or near-death for poor performance by executives with what appeared to be a magic "Force."
Root Cause: The Empire failed to consider safety protocols during the facility construction and uniform issuance design processes. This was likely the result of cost-cutting measures enacted because of the ballooning costs of moon-sized space stations.
Impact: Worker safety is critical to ensuring positive morale. Positive morale will improve employee performance in areas such as laser-rifle targeting. Furthermore, the financial impact of increased worker compensation claims is a material amount.
Recommendation: Employees are an organization's greatest asset, and their safety and well-being should always be the No. 1 priority. We recommend:
- Access to areas that require physical safeguards should be restricted immediately.
- PPE should be immediately distributed to affected employees.
- Appropriate safeguards should be installed as soon as possible.
Finding No. 2: Critical Infrastructure Projects Contained Single Points of Failure
Observation: Auditors observed two instances where high-value infrastructure projects (Death Star, Death Star II) were destroyed due to design weaknesses in their main reactor cores.
Root Cause: Imperial Quality Control failed to detect structural vulnerabilities in both battle stations:
- The original Death Star contained a design weakness inserted by a rogue scientist during the planning and implementation phases.
- Death Star II contained large tunnels that led to the reactor core, which were then used by enemy ships to destroy the battle station.
Auditors also anecdotally noted the Death Star II might not have been as "fully operational" as leadership was led to believe, which resulted in premature deployment as efforts were not "doubled."
Impact: Loss of each infrastructure project estimated at $852,000,000,000,000,000.
Recommendation: Management should consider outsourcing quality control altogether based on the successful use of bounty hunters to locate and ultimately capture key members of the Rebel Scum leadership team.
Finding No. 3: IT and Physical Access Controls Are Ineffective or Do Not Exist
Observation: Auditors observed an R2 unit was able to bypass IT and physical access controls. The R2 unit was able to gain access to several ERM applications. As a result, the R2 unit obtained confidential information and hacked the detention and garbage areas' controls.
Root Cause: Internal controls were not properly designed to prevent unauthorized access to enterprise systems and physical locations.
Impact: Rebels were able to vandalize ERM systems, which ultimately led to the destruction of the original Death Star, as noted in Finding No. 2.
Recommendation: IT management should install or upgrade existing firewalls, antivirus software, and intrusion prevention/detection systems. Management also should consider investing in additional information security training for all employees.
The chief audit executive (CAE) could go on about more issues the Empire had, such as nepotism towards long lost children or the lack of risk management skills — after all it did prioritize the cost savings of one laser beam over shooting an escape pod during battle.
Audit reports should be written with their reader in mind — board members and executives. It is critical that reports achieve their objectives and present information as clearly and concisely as possible using simple language. This will increase the chances that audit reports get more executive buy-in and add the most value to the organization.
Then again, at this point in the report on the Galactic Empire, the CAE most certainly would be force choked to the ground, and it was always unlikely that Darth Vader was going to provide corrective actions anyway.
Jason Stepnoski, CPA, CISA, CFE, is internal audit manager at VSP Global in Sacremento, Calif.