Auditing isn’t Investment Banking.
It isn’t Strategy Consulting.
We aren’t operating executives and we are rarely called upon to become CEO.
It’s a tough profession that’s based on second guessing your peers and superiors. We are the pessimistic kids in the room who ask, “but what about,” or “what if,” when the discussion is almost over. The profession isn’t well understood and those who understand it still glaze over its output when motivated by unbalanced financial measures. And, worse yet, auditors poke fun at themselves for doing what they do!
If you didn’t know me, you would think that I lack respect for the Internal Audit profession. But, that would be farthest from the truth. I love it, I am passionate about it, and yes, I do believe that auditing can be sexy, strategic and a function that every executive should come to know and love.
During the course of my career I’ve seen more than one Company experience significant share shock (stock price declines of 30% or more) driven by a negligent focus on risk and controls. How could that be?
Risks and controls are tactical words used by auditors, accountants and lawyers as a means to characterize what “could go wrong” and “what could keep it from going wrong.” These concepts aren’t taught in college programs and they aren’t taught in fancy Ivy League MBA programs. Rather, business managers are taught the language of execution – Revenue, EBITDA and Net Income.
So, should they be faulted for overlooking risks and controls? The answer is yes and no. Unfortunately, overlooking controls is traditionally driven by a lack of education and experience, as well as arrogance towards tactics. And, in many cases, lack of senior executive support for the function of audit.
Understanding “internal control speak” may not be an inherent duty of an operating executive, but, he or she should be held accountable for making sure that the business operates as intended. Or else, the organization could be impacted by lower margins, morale issues, and worst of all, significant legal exposure.
The significant share declines that I referenced above were caused by a failure of basic, intro to audit, level-101 internal controls.
Consider the following examples:
• A retailer had material financial misstatements almost leading to the delisting of their stock because they failed to track inventory leaving their distribution center and arriving at their store.
• A major casino suffered public embarrassment and costly lawsuits because their Procurement Director had basic access to manipulate the price stated in a vendor’s competitive bid. It turned out, the vendor was owned by a friend of the Director and he was adjusting the pricing to be lowest by one penny, leading to millions of dollars of procurement awards.
Each of these situations could have been prevented with an “intro to auditing” level control. So basic, so simple, yet overlooked.
• The retailer needed an exception report that only printed if there were differences between what was shipped and received.
• The casino only needed to review system access permissions.
Both controls are the “boring” type of recommendations that auditors make in their standard reports. We’ve all seen them. A landscape-formatted table with “Observation, Impact, Recommendation and Management Action Plan.” Upon delivery, the auditee is usually complementary of the auditor which their way of keeping the auditor happy and saying “ok, please leave now so we can get back to work.” And, the internal control recommendations are often regarded as of little value add – especially when compared to the valued delivery of a “business consultant” from Accenture, IBM or similar firm – an auditors biggest nightmare.
Internal Auditors have a unique and under valued skill, much like that of a palm reader – we see the future and we see what CAN happen. Our reports may not have immediate value to an operator who is accountable for Revenue, EBITDA and Net Income, because they often (but not always) have little impact on cash generation.
I am inviting Corporate America, and operating executives throughout to seek a greater understanding for what we know and what we preach. In many cases, the no-cash-value-control may prove to have a far greater impact on your financial position that consultative cost savings do now. Recalling back to my three examples. In each scenario the business spent millions of dollars fixing something that a second-year auditor from firm XYZ most likely had marked as missing from a checklist whose meaning even the young auditor didn’t know. It’s that simple, so listen up.
Investment Bankers create value by providing large entities with access to capital that can be further invested in their business. Strategy consultants find new markets and ways to generate revenue. CEOs are called upon to increase the organization’s enterprise value such that shareholders will seek the ownership even at a higher price.
As for auditors…..
We aren’t here to tattle on you, and we sure don’t boost our egos by finding your problems.
We look after you.
We find the things that could hurt you.
We, should be, a valued aid to you.
After all, our sole purpose is to protect the very same enterprise value that you worked so hard to create.