Wednesday, August 26, 2009

New Ground


My interest is in the future because I am going to spend the rest of my life there.

Honestly Lay Bare - being the cutting edge commentator that it is, or at least likes to think that it is (never really sure!) - was recently asked by Deloitte to put pen to paper as to what were challenges facing internal audit.

Here are my ramblings.

**

I suspect that many of the responders will talk about the impact of the global financial crisis and the impending regulatory response thereto. They are important issues that we need to consider as internal auditors but I do not believe that they are the defining challenges.

In the same way that Enron gave rise to the era of SOX; the global financial crisis will give rise to another era.

But they are just that – eras.

They are not fundamental shifts in what internal audit is and what it is to be an internal auditor.

I am going to go out on a limb and raise three areas that will forever impact the perception of internal audit within the organisations that they are designed to serve and as such are issues that will have the greatest importance to our relevance, differentiation and longevity.

Internal Audit as a Profession

If you are a doctor and you are either grossly incompetent or possess an ethically challenged character, processes exist in most countries for such persons to be removed from the practice of medicine.

Similarly with the law, accounting and engineering.

If you are a sales person and you suggest that your service offering is something that it isn’t, there are mechanisms in most developed jurisdictions for those aggrieved to be compensated for the false and misleading promotions.

Internal Audit does not have a regime that forcibly quarantines the professional incompetent.

Internal Audit does not remove from its ranks those that take advantage of others or situations.

Internal Audit rarely has a mechanism by which an aggrieved person can raise their concerns about the quality of the work provided to them by the internal auditor outside of the internal governance frameworks of the organisation.

Until such time as Internal Audit has a publicly convened, rule based, punitive disciplinary environment – a fundamental element of the existence of a profession – that transparently addresses the deficiencies within our population, we will never be properly seen as a profession.

As such, we will never be afforded the respect that the medical, law, accounting and engineering professions demand.

Nor will we ever be in a position where those that are less morally suitable for the practice of Internal Audit are removed, and penalised, where appropriate.

Internal Audit’s standing within the community and within the organisations she is mandated to serve will be accordingly compromised.

Full Data Testing

If there is one aspect of the current practice of internal auditing that I suspect we will – in the not too distant future – look back on and reminisce about the ghosts of audit procedures past, it is the concept of data population sampling.

We already have full data sets.

We already have the means to test full data sets.

What we don’t have is the understanding of auditors and auditees as to the inherent failings of sampling and, to date, we have allowed ourselves to be convinced that full data population testing is expensive and no more representative than sampling.

If Internal Audit is to be seen as the pre-eminent independent assurance provider we need to remove from our work any caveats as to depth of testing.

At present our work is only ever as good as the sample chosen.

Impact of Collaborative and Social Medias

The biggest change is probably the one paradigm shift that even society itself is struggling to come to terms with.

I have never been more certain of a reform that will come to Internal Audit than I am of the changes that collaborative and social medias will visit upon Internal Audit.

We are just about to enter into something called Internal Audit; but it won’t be Internal Audit as we know it.

The mantra of so many Internal Audit departments for many years has been that they are business partners – yet they interacted with their ‘clients’ in a static and rigid communication framework.

Collaborative mediums such as wikis have the potential to incorporate the auditee, fully, in every aspect of the audit execution cycle.

We will no longer present a draft report to the auditee as their first point of ability to express an opinion – agreeable or not – on the work performed to date.

Why not use such collaborative tools to identify, manage and provide assurance over the risks and for all the risk stakeholders to have full and ongoing interaction, accountability and ownership of a successful outcome?

Internal Audit is mandated to assist organisations to improve their internal control environment.

Never has there been a good internal control environment that has poor communication frameworks between the respective constituents.

What has, however, been missing until now is the ability to bring together individuals of a similar mind, irrespective of their job description, to most effectively manage and better an internal control environment.

By bringing together like minded souls irrespective of job grade, geography, experience – what one is describing is the business model for successful social media.

This is where the role of Internal Audit fundamentally changes – we should be seeking to facilitate the founding and collaboration of those similarly disposed diasporas as a means to improving the organisation’s internal control environment.

The ex post facto elements of our assurance work will become secondary to what will emerge as our new role – that of the corporation’s tour guide.

**

As I said at the outset, I suspect others may identify more immediate and – in their minds – more pressing concerns around audit coverage and budgetary constraints.

Those issues are indeed important but we should never lose sight of the revolutions that are coming for they are the greater challenges that Internal Audit is about to face.

As the saying goes – show me someone who doesn’t dream about the future and I’ll show you someone who doesn’t know where they are going!

Wednesday, August 19, 2009

An Old Friend


The most useless are those who never change through the years

Every time that Honestly Lay Bare visits London, we are greeted by an old friend.

This old friend stands tall and salutes the weary traveller and we know for sure that the next time that we visit the Mother Land there she will be again.

The old friend is approaching 80 years of age and is a celebrity in her own right ... not to be outdone by the Beatles (in whose movie, Help!, she appeared) or Pink Floyd (on whose album cover art she appeared).

Without being overly callous, though, Honestly Lay Bare thinks that this old friend is past her use by date ... yet we are attracted to her in a way that we can neither describe nor is it necessarily rational.

In her original form, she served her masters well and a metropolis turned to her during the depths of the Second World War to keep them warm and safe.

But now she sits there unkempt staring across at the great buildings of the world .... the Westminster Palace; Buckingham Palace and Stamford Bridge Football Stadium (OK so perhaps only two out of the three qualify ... your call!).

Many have tried to reinvent her; many have failed.

Great ideas conceived in inspiration have come to nothing in reality.

And yet there she rots away - reminding us all of the tragedy of her unfulfilled promise.

The old lady is the Battersea Power Station.

Battersea Power Station is a now unused coal-fired power station located on the south bank of the River Thames near Battersea in London. The station comprises two individual power stations, built in two stages in the form of a single building.

The two stations were built to an identical design, providing the well known four chimney layout. The station ceased generating electricity in 1983.

The station is the largest brick building in Europe and is notable for its original, lavish Art Deco interior fittings and decor.

Sadly, years of neglect have seen her condition described as "very bad" by English Heritage. Since closure the site has remained largely unused, with numerous failed redevelopment attempts from successive site owners.

**

Every time that Honestly Lay Bare drives (or let it be known in a recent visit ... ran!) past her, it is struck by the analogy that something that is so dominant and once so useful can become not only useless in its intended original form but dangerous to those around it.

And with that analogy in mind ... our thoughts always detour to the longevity of the practice of risk management (funny how one's mind works when afflicted by jet lag!).

There is little argument that risk management as a practice has served us well in the past in the same way that Battersea provided power to London in her times of need.

What concerns Honestly Lay Bare is that the frameworks upon which the concept of risk management is based are no longer capable of serving the functions for which they were originally designed.

Where was value at risk during the global financial crisis?

Where was business continuity planning when the great banks of the world fell or threatened to topple?

Unless there is a radical overhaul of the frameworks and our applications thereof, Honestly Lay Bare can see a future for risk management not too dissimilar to the Battersea Power Station.

An impressive edifice for which there is no real, viable current use.


Wednesday, August 12, 2009

Stop!


The warning message we sent was a calculated ambiguity that would be clearly understood.

The history of risk management is also a history of the colour coding of levels of risk.

Should a very, very high risk be red or should it be something different to red because we usually use red to signify a high risk ... and actually ... who was it that decided that colouring of risks was a good idea in the first instance?

At Honestly Lay Bare we have always been challenged by the use of colour coding of risks and ratings. Let us be clear, we are a great fan of colour coding as it draws the reader’s eyes to what you really want them to understand.

Equally, however, colour coding has its failings.

The best way to illustrate those failings is to drive down the road of history of the invention on which nearly all risk management colouring systems are based – the humble traffic light.

**

On 10 December 1868, the first traffic lights were installed outside the British Houses of Parliament in London, by the railway engineer J. P. Knight. They resembled railway signals of the time, with semaphore arms and red and green gas lamps for night use. The gas lantern was turned with a lever at its base so that the appropriate light faced traffic.

Unfortunately, it exploded on 2 January 1869, injuring the policeman who was operating it.

The modern electric traffic light is an American invention.

As early as 1912 in Salt Lake City, Utah, policeman Lester Wire invented the first red-green electric traffic lights.

On 5 August 1914, the American Traffic Signal Company installed a traffic signal system on the corner of East 105th Street and Euclid Avenue in Cleveland, Ohio. It had two colors, red and green, and a buzzer, based on the design of James Hoge, to provide a warning for color changes. The design by James Hoge allowed police and fire stations to control the signals in case of emergency.

The first four-way, three-color traffic light was created by police officer William Potts in Detroit, Michigan in 1920.

The first interconnected traffic signal system was installed in Salt Lake City in 1917, with six connected intersections controlled simultaneously from a manual switch. Automatic control of interconnected traffic lights was introduced March 1922 in Houston, Texas.

The colours of the traffic lights representing stop and go are likely derived from those used to identify port (red) and starboard (green) in maritime rules governing right of way, where the vessel on the left must stop for the one crossing on the right.

**

Thankfully risk management colour codings are unlikely to explode causing injury to their operator ... but having said that ... calling a risk out as green when the risk should be categorised as a red risk can cause injury to one’s organisation.

Of greater interest, however, from the annals of traffic light history is that in a relatively short time after its invention, those entrusted with its perfection decided that the warning systems needed to be interconnected and automated.

Interconnected. Automated.

Only of recent times have risk management warning systems mastered the automated side of things.

On the interconnected side ... we are still waiting.

To go back to our original observation – if a very, very high risk is a red risk ... then what is a high risk surrounded (i.e. interconnected) by other high risks – is that a red too? And how do we distinguish between those two types of red risks?

We still have a way to go before we get those warning lights working well!

Wednesday, August 5, 2009

The Pagodas of Japan


Honestly Lay Bare read a fascinating article this week about Japanese pagodas.

As The Economist tells it scholars over the ages have been mystified as to how these tall, wooden buildings cope so well with the earthquakes and typhoons that plague Japan. Many have been struck by lightning and burned to the ground. Others have been torched by marauding warlords. Fire was a perennial hazard in Japan when wood and paper buildings were the norm.

But, remarkably, only two of the country’s hundreds of wooden pagodas have collapsed over the past 1,400 years as a result of violent shaking.

The disastrous Hanshin earthquake of 1995 killed more than 6,400 people, toppled elevated highways, flattened office blocks and devastated the port city of Kobe. Yet the magnitude 6.9 shock left the magnificent five-storey pagoda at the Toji temple (pictured above) in nearby Kyoto unscathed, even though it levelled a number of lower structures in the neighbourhood.

You can see the Toji pagoda soaring 55 metres (180 feet) into the sky from the train as it pulls into Kyoto station. Though burned down four times since it was first erected in 826 by the master builder Kobodaishi, the current building has stood its ground since 1644. It was the tallest structure in Japan until the 36-storey Kasumigaseki Building was erected in 1968. The slightly smaller Horyuji pagoda in Nara was built in 607 and is thought to be the oldest multi-storey wooden structure in the world.

So, why don’t they topple over at the first tremor?

For two reasons. First, as the structure begins to sway, the heavy-tiled roof covering the extended eaves of each storey acts like the long pole with weights on the ends that a tightrope walker uses to steady himself. In both, the large “radius of gyration” means the shaking has a lot of inbuilt inertia to overcome.

Second, as the loosely stacked storeys slide to and fro—with each consecutive floor moving in the opposite direction to the one above and below—they collide internally with the trunk-like shinbashira dangling through the central well of the building. With each collision, they dump more of their kinetic energy into the massive column—trying vainly to make it swing like a pendulum.

Like all great buildings, a Japanese pagoda is as much a machine as a structure.

Engineers distinguish carefully between the two. Great pains are usually taken to ensure that structures, although flexible, are incapable of swivelling or sliding at their joints as machines do.

Otherwise, they may collapse in a heap.

What the pagoda builders realised was that they could use controlled motion at the joints of a building to help it dissipate sudden stresses imposed on its various members.

***

Honestly Lay Bare could not escape the - perhaps far-fetched but nonetheless valid - links to the internal control structures that we build and assess each day.

What really intrigued us was whether these modern day disciplines have learnt the lessons of the last 700 years.

How do our internal control and risk management frameworks use controlled motion to dissipate sudden stresses?

Are our frameworks flexible living beasts like a pagoda or are they destined to be the first to fall in a financial earthquake like that of the global financial crisis?

How many risk management structures were found to be inadequate about September / October 2008?

One would suggest that modern day risk management and internal control structures could learn a lot from 14th century Japanese pagoda builders!