chiefauditexecutive

~ The thoughts, interests, challenges and debates of a professional chief audit executive.

Category Archives: IT audit

Auditing a Galactic Empire *spoiler alert*

29 Tuesday Dec 2015

Posted by chiefauditexecutive in Data audit, Global audit, independence, Internal Auditing, IT audit, Leadership, risk based audit, Uncategorized


Tags

Internal Audit, internal auditor, internal auditors


So the Evil Empire of The Return of the Jedi has been supplanted and replaced with the First Order. The Death Star has been replaced with a planet-sized version of the weapon, Starkiller Base.

So I wonder, does the First Order have an internal audit department, and if I were its CAE, would I have prevented their fate in the film? (Let’s put aside the rather unpleasant references to fascist states of old and assume Galactic internal audit standards allowed me the ethical licence to work for the First Order.)

I guess I would have had a look at governance first. Was the planning of the strategy suitably overseen and reviewed? Was it done through a reasonable process? Was there enough external challenge from non-executive directors? Leader Snoke seemed to be a one-man band and, whilst he listened to advice from General Hux, a slightly younger replacement for Peter Cushing’s general, there were some dysfunctional governance processes. No three lines of defence here! He was also an absent leader, seemingly appearing from a distance in holographic form. So all in all I would like to think I would have raised a number of challenges to the strategic planning and governance processes.

Let’s think about Starkiller Base for a moment. This is a little like the IT systems we use in our galaxy. I think it is well recognised that the ‘castle and moat’ approach to IT control is now well and truly dead. In particular, the idea that one can fully prevent intruders and prevent access seems a little fanciful. So the approach must be one of detect and respond.

We learn that the rebel alliance does not have any detailed plans for the base. They have a vague idea that the base has a weak point in its power system. They arrive at the base and sail through the shields at light speed as ‘they were not designed to stop light speed approaches’. That seems like a big hole to have in a firewall or shields. So who assured the shield’s design? Who looked over it and did a risk assessment? I suspect this wouldn’t have been a direct task of internal audit, but it would have been the role of internal audit to look at where the other sources of assurance were: how the technical design was assured; whether the assurance was of high technical quality and independent; whether the project was completed within a reasonable project methodology; and whether the project was signed off and approved to go live through a reasonable process.

We also identify an HR issue with the defection of one stormtrooper, FN2187, to become Finn. We see good controls being deployed, with analysis of the defection, of what controls were missing and of why the defection was not detected earlier; although Kylo Ren did seem to notice on Jakku, no other controls kicked in. So I would not, on a risk basis, think the first line management or the HR department of the First Order would have been at fault here. Nor do I think that, as the CAE for the First Order, I would have picked it up.

It goes without saying that the ethics processes and culture of the First Order would have been picked up by me as the CAE. The illegal and amoral acts of the organisation were pretty clear, as was the culture. So I think I would have thought carefully about being the CAE of such an organisation, and if I was, thought carefully about whether I could stay. I suspect this is the real reason the CAE of the First Order does not make an appearance in the film: they did not have one appointed (!).

If we consider security processes, often neglected by internal audit as being ‘specialist’, I think I would have had a look at these. The film suggests that various individuals were allowed to wander about the base with little in the way of detection, including a former prisoner. This all seems a bit lax to me. I do often suspect that security is 80% deterrence and 20% actual control. So perhaps this is a timely reminder for me in this galaxy to refresh my view of this critical area.

Health and safety seems somewhat lax. As the Starkiller planet begins to collapse, and it seems to do this over some time, there is no great exit of staff, though some senior staff seem to take off quickly. I wonder what fire alarms, damage alarms, escape pods or equivalent were installed? This should have been assured by the project assurance for the project that built it, so I would be disappointed that so few staff appeared to escape from the final destruction of the base.

So all in all my conclusion is that the First Order is probably unaudited. The third line of defence could not have been put in place effectively in any case, as the governance and senior management processes it would need in order to graft onto the organisation appear to be missing. I think the First Order got what it deserved for such an absence!

It does make me think what uniform I would have for the audit and counter fraud teams in the First Order. I think it has to be something to mark out the independence of the audit team – so plain white stormtrooper uniforms would not cut it – thoughts on a postcard (or in comments below) please!


Agile, adaptive, serendipitous or out of control?

01 Saturday Aug 2015

Posted by chiefauditexecutive in Auditing, Effectiveness, Efficiency, Idealist, Internal Auditing, IT audit


Tags

assurance processes, external auditor, financial risk, Internal Audit, internal audit function, internal auditor, internal auditors


One of the greatest pleasures I get as an auditor is working in a cross-disciplinary way across my client organisations. This means I can be a marketer, IT person, HR person, finance person, etc. The way I do this is not to be an expert in each area, but to bring my professional expertise as an auditor to each of these disciplines and areas of my client organisation. I do this primarily through being a qualified internal auditor (not a chartered accountant – it’s not the same), but also through being multidisciplinary myself: being a chartered accountant, holding a generalist MBA, and also being qualified in risk management and IT audit.

I mention cross-disciplinarity because as an auditor you can see it playing out in different professional areas of the business. As a recent example, IT professionals have now discovered ‘agile’ systems development, and my international development programme management colleagues have discovered adaptive programming. The two are quite similar.

It’s difficult to find a good working definition of agile, so I will attempt to define how I see it. For a good paper, see this US Government report: http://www.gao.gov/assets/600/593091.pdf. Both agile and adaptive development, to my mind, have similar traits. They adopt short windows of work incrementally, are close to customers and beneficiaries, locate success in meeting customer and beneficiary needs, have less burdensome documentation, and frequently change direction. In other words, it is an incremental and iterative, rather than a linear and process-oriented, way of delivering projects.

Agile is a process through which it is recognised that software systems need space to react, move, develop, iterate and incrementally develop. It works on the idea that most systems are still valuable with 80% of the specified functionality and do not need to be perfect. So instead of a linear process of specifying needs, then building them, testing them and releasing them, it provides for iterative loops until a good enough system is developed (i.e. the ‘technical debt’, the gap between the system and users’ requirements, is paid off).

Adaptive programming is quite similar. In international development, the variables creating the ‘wicked problems’ preventing development are too many to calculate in advance with any reliability. So why not try something, adapt it as you go along, and, once it is working, scale it up? Most projects are not linear, so why not be upfront and recognise it?

So the common challenge in these two approaches is control. Control, because the way organisations control things is through management approval, normally on a hierarchical and linear basis, of a set plan. This plan is then prioritised and resourced, and the party approved to deliver it has a set of inputs (resources) from which processes deliver outputs and then, ultimately, outcomes related to the original objectives. Variances to budgets, processes, outputs and outcomes are then measured, and value for money and success are assessed.

This command and control process does not work well in the context of adaptive or agile programming. Programmes are not well understood at commencement; the starting point varies considerably from the potential range of end points. Variances provide poor, if any, indicators of performance, and value for money is extremely hard to judge until the final completion of the programme.

So is adaptive or agile work simply poorly controlled or does it recognise our human nature and allow for complex problems to be solved? As an auditor, but also a socially scientific auditor, I am torn. My professional training tells me that control should be established, that order and documentation make sense. Anarchy cannot be allowed to reign. Yet the social scientist in me, a realist one at that, tells me that this makes better sense of the real world. People, organisations and problems are messy. Why not be realistic and remove the linear planning processes we put in place to manage it? The same arguments are deployed in international and IT development as are deployed for research. Namely – you cannot plan research, you cannot know where you will end up at the beginning of a project.

Yet more scientific disciplines seem to manage. House builders, architects, physicists, manufacturers and many other disciplines seem to be able to design, build and deliver things from the outset and use budgets and input, process and output measures to control the activities. These are also complex things. Boeing builds complex aeroplanes, Mercedes complex cars. So why should IT, international development and academic research be any different?

I guess as a socially scientific auditor I see a position in between. I see adaptive, agile, serendipitous activities as valuable. Valuable as part of a portfolio. A minority part of a portfolio. All universities, companies, international development NGOs and IT functions need some space to be creative. Space to allow freedom to adapt and change. This is where the truly imaginative and creative breakthroughs will occur. But most organisations will need to balance this. They will need to justify the use of the resources applied. They will need to be able to have overall value for money. High risk (in the uncertainty sense) high return (in the innovation sense) processes are fine, but you need some lower risk but still substantial return projects to balance this out. Any organisational portfolio that only comprises these elements will fail at some point; it is just a matter of time.

So is serendipitous, adaptive or agile work auditable? Sure. First question – is it suited to the task? I.e. does the project need something that mostly works or something that works 100%? I would not like to see agile work on airplane construction, for example. Second question – are these types of project too significant at a portfolio level? If they are, the organisation is put at significant risk of failure. Third question – if it fails, can the organisation cope with all of the impacts? For this, think not just financial, but also legal, political and, most importantly, reputational. Reputation risk is difficult to predict and even more difficult to control. Fourth question – is the project controlled? For being adaptive, agile or serendipitous is not being out of control. I would expect to see excellent risk management, constant updates to paperwork in an efficient manner, and a really strong audit trail of decisions taken and of escalation of decision making where it was required.

So I would argue that these flexible methods, applied well, in context, in proportion, by the very best people the organisation has to offer, can be perfectly well controlled. They can be equally well audited by an auditor with the right mindset.

My experience tells me that too often, though, these structured methodologies are taken to mean a lack of structure, a relaxing of control and a lack of suitable accountability, and too often they are pursued with others’ resources without recourse to the funder. For the methodology is never a justification for poor control, only for different control. As auditors we will need to lighten up, be less scientific and more flexible, for these are spaces in which independent, intelligently applied internal audit has a legitimate and helpful remit.

So when is your next agile, adaptive or serendipitous audit?

IT assurance or not?

13 Monday Oct 2014

Posted by chiefauditexecutive in Auditing, Internal Auditing, IT audit, risk based audit


Tags

Internal Audit, internal audit function, internal auditor, internal auditors


So I had the benefit of a heads of audit course considering IT assurance last week. It was a good course and there were lots of ideas for me to take away. What came across most strongly for me was that internal audit’s IT assurance work has not really moved on much since I was a junior auditor.

What I mean by this is that IT assurance is conceptually behind. Just as I don’t believe general internal audit work should focus on compliance and on preventative and authorisation controls (the world is just much too complex and difficult to be controlled in this manner), so I don’t believe it should for IT controls; the IT world has moved on. IT assurance is no longer about a moat and castle approach, because IT is not like that. Modern IT, to my view, is about managing risk and accepting failure. I.e. there will be data loss, there will be hacking, there will be problems.

IT is different to most sorts of risk, as once you have a hole in the system, the whole lot can be compromised. I think of IT risk as being like an ocean liner: if a single porthole is left open, the whole lot is liable to sink. This is unlike physical risk (fire takes time to transfer from site to site), reputational risk (which takes time to take its toll) or business risk (which takes time to spread from business unit to business unit).

So back to IT assurance: if the model of prevention, of managing risk to nil and of preventing attacks is gone, perhaps it is about better detection and event management? Having an appetite for IT risk is something we auditors don’t like to consider. We like the neat idea of all passwords being kept secret, of no-one ever leaking data or being socially engineered into giving access, or of all code being perfect and not allowing unauthorised access. Most companies, organisations and individuals cannot afford such control, and this level of control, if you want to speak to the outside world with your IT (which all organisations need to), is simply not possible in any case.

So I think we as internal auditors need a new paradigm for IT assurance: we need to think about it in risk management terms and we need to think about risk appetite. Can we segment our clients’ data? Can we have zones of protection? Can we be clearer about how data and other IT assets are managed? Can we consider how computer systems will cope with disaster and recovery (which ones need critical backup, etc.)? For IT assurance is not about poking holes in our clients’ IT systems, for there will be holes, and the better and more technically savvy we are as auditors, the more holes we will see. Just as the better we understand business management, the specialist areas we audit and our clients’ businesses, the more holes we will see in the management effort. So can we move on and deal with IT audit in the same way we do general business risk, and not aim for perfect, but have an analytical view of priorities and of what needs doing, compared to the cost and effort of doing so and its relevance or criticality to business objectives?

The other interesting thing about IT assurance is that we are still asking ourselves the same questions. Do we outsource or not? This seems such a binary way of thinking about IT assurance, and it also seems to let us off the hook. For all auditors should understand IT; I studied for the UK IIA’s ITAC qualification because I felt I should know about IT for any audit. So what would I outsource? Not general IT assurance, for a good core audit team should be able to do this in any case. I think it should be the specialist IT and technical knowledge, which is too expensive for any team to maintain on its own. Technical IT assurance makes no sense on its own, however: it does not have the wider, context-dependent business knowledge to understand the context for IT.

So what’s the solution? I think the solution is to combine a good IT-savvy internal audit function with specialist technical support. We also need to focus less on prevention and control and more on management of IT risk within an appetite. It is difficult to assess and assure IT risk, simply because a single coding error can make an entire system open to loss and risk. So when we next consider the porthole left open on the boat, let’s focus less on bolting it shut and more on how we will detect its opening and manage the resulting flood!
