I have seen various comments by people on twitter, not least the variations and ‘attempts’ at spelling or understanding names by those employed in Starbucks stores.
When this first happened I found it disconcerting. Perhaps because I am reserved and British, probably because they didn’t really explain why they were asking me for my name. Have our daily lives really become so divorced of ‘human’ interaction that the mere act of wanting to interact with us as a named, human, being now seems so odd. We all interact with computers, processes and systems so much that perhaps we are becoming unused to personal service and interaction. Even for innately human activities, such as eating, we go to restaurants of the ‘chain’ type that do their best to make each experience standardised, the same, equivalent. A meal of X in Y chain of restaurants should taste, look and be served the same wherever in the country, region, world you go.
As an auditor of course I rely on systems and systematisation. It is the cornerstone of risk management and control that consistency allows generalisability from specifics or individual data points to be applicable across the population.
The lesson I learn every day, however, is that real control and real risk management occurs and is done by people. Complex, challenging, inconsistent, people. I have spent a long time auditing preventative, operational, and process controls, when in fact the ones that manage strategic and significant risks are at best detective, and most certainly, cultural.
The real risks that matter are those that are done by people, those that matter, usually senior. As a result audit is a qualitative, highly personal and not a systematised experience. Yet we as a profession spend time making our professionally derived, complex, nuanced, human, opinions and views, appear to more ‘scientific’, rationale and ordered than they really are.
We still publish tick box audit reports that purport to treat qualitative judgements in a quantitative, weighted way. I have seen a professional services firm still argue in its audit reports that three minor points equal limited assurance, and two major points limited assurance (or whatever nomenclature was designed by head office).
This, in my view, is all nonsense. We should be publishing more meaningful reports that are bespoke, the equivalent of the ‘named’ coffee I started this blogpost with. Reports (if that is right for the audience we aim at) should present an evidenced argument, a rationale for the opinion and should not be ashamed to accept that it is a judgement. For what is risk if not uncertainty? If we had the ability to predict the future we should be in banking or put money on the lottery. We do have the ability, which grows with each audit we do, to expand our understanding and knowledge of the complexities we evaluate and that is, ultimately, the value of good internal audit.
I do not have a crystal ball, other than to say, as a professional auditor with years of experience, that any unmanaged risk will most likely, at some point, if left unmanaged, crystallise into an issue. That is the one constant certain I can put in all of my reports, and one systematic, scientific, point that all auditors can put in their reports.
So next time you are asked for your name when buying a coffee, embrace it; we are people, not machines.