So the Evil Empire of Return of the Jedi has been supplanted by the First Order. The Death Star has been replaced with a planet-sized version of the weapon, Starkiller Base.
So I wonder: does the First Order have an internal audit department, and if I were its Chief Audit Executive (CAE), would I have prevented its fate in the film? (Let's put aside the rather unpleasant references to the fascist states of old and assume Galactic internal audit standards allowed me the ethical licence to work for the First Order.)
I guess I would have had a look at governance first. Was the planning of the strategy suitably overseen and reviewed? Was it done through a reasonable process? Was there enough external challenge from non-executive directors? Supreme Leader Snoke seemed to be a one-man band and, whilst he listened to advice from General Hux, a somewhat younger replacement for Peter Cushing's general, there were some dysfunctional governance processes. No three lines of defence here! He was also an absent leader, seemingly appearing from a distance in holographic form. So, all in all, I would like to think I would have raised a number of challenges to the strategic planning and governance processes.
Let's think about Starkiller Base for a moment. This is a little like the IT systems we use in our galaxy. I think it is well recognised that the 'castle and moat' approach to IT control is now well and truly dead. In particular, the idea that one can fully prevent intruders and fully prevent access seems a little fanciful. So the approach must be one of detect and respond.
We learn that the Resistance does not have any detailed plans for the base. They have a vague idea that the base has a weak point in its power system. They arrive at the base and sail through the shields at light speed, as 'they were not designed to stop light speed approaches'. That seems like a big hole to have in a firewall or a shield. So who assured the shield's design? Who looked over it and did a risk assessment? I suspect this wouldn't have been a direct task of internal audit, but it would have been the role of internal audit to look at where the other sources of assurance were: how the technical design was assured; whether that assurance was of high technical quality and independent; whether the project was completed within a reasonable project methodology; and whether the project was signed off and approved to go live through a reasonable process.
We also identify an HR issue with the defection of one stormtrooper, FN-2187, who becomes Finn. We see good controls being deployed: analysis of the defection, of what controls were missing, and of why the defection was not detected earlier. Although Kylo Ren did seem to notice Finn on Jakku, no other controls kicked in. So I would not, on a risk basis, think that the first-line management or the HR department of the First Order were at fault here. Nor do I think that, as the CAE for the First Order, I would have picked it up.
It goes without saying that the ethics processes and culture of the First Order would have been picked up by me as the CAE. The illegal and amoral acts of the organisation were pretty clear, as was the culture. So I think I would have thought carefully about being the CAE of such an organisation and, if I were, thought carefully about whether I could stay. I suspect this is the real reason the CAE of the First Order does not make an appearance in the film: they did not have one appointed (!).
If we consider security processes, often neglected by internal audit as being 'specialist', I think I would have had a look at these. The film suggests that various individuals were allowed to wander about the base with little in the way of detection, including a former prisoner. This all seems a bit lax to me. I do often suspect that security is 80% deterrence and 20% actual control. So perhaps this is a timely reminder for me, in this galaxy, to refresh my view of this critical area.
Health and safety also seems somewhat lax. As the Starkiller planet begins to collapse, which it seems to do over some time, there is no great exodus of staff, though some senior staff seem to take off quickly. I wonder what fire alarms, damage alarms, escape pods or equivalent were installed? This should have been covered by the project assurance over the build, so I would be disappointed that so few staff appeared to escape the final destruction of the base.
So, all in all, my conclusion is that the First Order is probably unaudited. The third line of defence could not have been put in place effectively in any case, as the governance and senior management processes it would need in order to graft onto the organisation appear to be missing. I think the First Order got what it deserved for such an absence!
It does make me think what uniform I would have for the audit and counter-fraud teams in the First Order. I think it has to be something that marks out the independence of the audit team, so plain white stormtrooper uniforms would not cut it. Thoughts on a postcard (or in the comments below), please!