Thursday, September 30, 2010

What Makes Internal Auditors Mad About the Yellow Book?

Today, I enjoyed working with internal auditors with the county, school district, transportation district, and community college in San Antonio. We were covering the Yellow Book standards.

Most internal auditors have a designation from the IIA - like a CIA or CGAP - and would prefer to follow the Red Book if given a chance. But sometimes, the choice is made for them. A rule, regulation, contract, or law calls the Yellow Book into play, and there is nothing they can do about it.

One of my previous managers at the Texas State Auditor's Office was instrumental in drafting the Internal Auditing Act in Texas that requires all internal audit directors of state agencies to be orange shops - in other words, cover both the IIA and GAO standards. But when I did a training for his group last year (he now works for a large university) he complained about his decision. He feels like the Yellow Book goes too far in a variety of areas. My audience today felt the same.

What are they annoyed with in the Yellow Book?

Independence. In general, the IIA encourages auditors to be helpful - to consult as well as provide assurance services. The GAO discourages 'consulting' work and calls this sort of work 'non-audit services.' The GAO strongly warns auditors that engaging in non-audit services could ruin their independence on audits.

The GAO also far exceeds the IIA's requirements on quality control and peer review. The GAO mimics the intense requirements of the AICPA. One onerous quality control requirement asks that auditors perform an annual monitoring inspection to ensure that the quality system is working. A peer review must be conducted every three years under GAO standards and every five years under IIA standards.

The GAO also goes into a lot more detail than the IIA regarding how to plan an audit. The IIA's Red Book is mostly focused on how to run an audit shop - not on how to conduct an audit. The GAO says very little about how to run an audit shop but goes into great detail regarding how to run an audit project - asking that auditors design their audit to detect fraud and noncompliance, describing the qualities of strong evidence, and laying out general principles for working paper documentation.

My participants today - like my old manager at the University - wish they hadn't gotten themselves into the strict land of GAO standards.

Friday, September 24, 2010

An Experienced Auditor's View on Independence

This morning, I wrote to the GAO and asked them when they would be publishing the proposed revision to the Yellow Book. Michael Hrapsky (the GAO answer man) thought they'd have something out by the end of August. I expect one of the major changes to surround independence. The GAO has been playing with that concept throughout this decade and I hope they can be clear about it this go round.

I published an article on peer review last week and heard back from a 65-year-old government auditor. I respect his opinion and this is what he had to say about independence - although he won't let me share his name with you... I'll share what he said:

"Being impartial, objective and fair are absolutes. Being independent is relative. In reality, no auditor is totally independent. We all are hired by, work for, paid by, and can be fired by someone. I have encountered auditors who have a maximum of independence (e.g., GAO staff) who did not remain impartial, and I have encountered auditors with little true independence who were fearlessly impartial and objective. The issue for me is not how independent I am, but how impartial, objective and fair I can be when auditing a particular subject and/or program."

From that viewpoint, no wonder the GAO is having a hard time with the issue of independence. If no one is independent - should that section of the Yellow Book be retitled 'objectivity'? What a sticky mess of a concept - a theoretical tar baby. When the GAO draws their new line in the sand - which historically has surpassed the AICPA's line in the sand - we can reassess our personal situation.

Thursday, September 23, 2010

Sensational Fraud Stories

OOOH – That’s bad

I fell for it again. I was attending a governmental conference and decided to stay for the general session where an FBI agent went into the gory details of a huge fraud case he worked on last year. He went as far as to share excerpts from phone conversations where they dropped the f bomb so much, it was like watching GoodFellas or something. He even went as far as to call one of the fraudsters “The Godfather.”
And the whole audience sat there riveted. “Oooh – that is bad.” “Wow, I can’t believe that.” The audience sounded like they were watching fireworks… Oooh. Ahhh. Wow….
When he started talking about how one of the fraudsters, who in addition to stealing massive amounts of money, also had child pornography on his computer, I got up and left.
Was I being edified by this information or just disgusted? I felt like I had just read something sordid in The National Enquirer about Britney Spears.
Auditors are so fascinated by the topic of fraud that we actually hire ex-fraudsters to speak to us at conferences. In an effort to ‘get in the heads’ of fraudsters, we reward those fallen from grace by paying them thousands, sometimes tens of thousands of dollars to tell their fascinating story. Who is getting ripped off now?
Yes, yes, I know fraud is real. Yes, yes, I know it is important. But do we have to talk about it all the time? At every conference?
Our addiction to sexy fraud stories has made the Certified Fraud Examiner designation super popular among auditors. And as far as I can tell, very few of us ever encounter fraud in our work lives. Some of us wish we would – that way we could act like those cool investigators on TV. Maybe like a CSI.
I hope we all realize that we are not on TV.
While we are lapping up this drivel over and over and over – we are failing to learn new auditing techniques. We aren’t sharing with each other the most effective way to sample. We don’t hear from the experts about what sort of things really hang clients up when it comes to federal grants… I could think of a dozen topics that I would find more useful. I went to one session at the conference about preparing for an orange (red book and yellow book combined) peer review and I learned a few wrinkles in the standards that I didn’t catch on first read. Now that is useful information.
And, although I have been told several times that I am wrong – and expect to hear it again – how can we have a professional designation without any standards? Why does the CFE refuse to tell its members what a fraud report should contain? Maybe that doesn’t matter.
What the CFE has shared with us is the fraud triangle and the fraud tree. Both are very useful and help identify what fraud looks like. That is great. I’ve got it. Seen both, know what they say.
Now it is time to move on to another topic - maybe something to do with IT. I feel like our lack of knowledge regarding this topic is really going to bite us in the butt down the road. IT will be the next big auditing scandal and we aren’t doing anything to prepare for it. Why? Maybe because we are wasting valuable conference time being distracted by sexy, redundant stories of fraud.
I think we should stop expecting our conferences to be filled with tantalizing, firework-like fraud stories and instead use them as an opportunity to share what works and how to get better. I also would love it if we could drop the whole ‘facilitated panel’ idea…all that means is no one on the panel has to prepare… and it usually shows.

Monday, September 20, 2010

Why Doesn't Government run like a Corporation?

I have heard this lame question so often - I am beginning to get numb.

I am 6'3". Yep - I am extremely tall. Guess what question I get asked all of the time? Do you play basketball? I mean REALLY! My favorite response to that is, "No, but do you play miniature golf?"

I also feel like saying something smarmy back when people talk about the inefficiencies of government and ponder why government can't run like a corporation. First of all, having seen both sides of this - government and corporations - corporations have very little to brag about. Corporations can be dysfunctional, dark, and weird places. And corporations fail all of the time. The survival rate is very slim. Government can't fail. That is not an option unless you want everything - schools, electricity, commerce, emergency response, the mail! - to come to a grinding halt.

In the February 22, 2010 issue of Newsweek, an article called "America, Inc" by Andrew Romano and Michael Hirsh discussed the trend of corporate CEOs putting their hats in the political ring and reasoning that they could clean things up and run government like a great corporation. One ex-CEO turned governor, Jon Corzine, begged to differ with that statement. He, too, felt that his experience as CEO of Goldman Sachs would turn the State of New Jersey around. But he concludes that "The idea that you're accountable to a bottom line and to a payroll in managing a business - it gives voters the confidence that you have the right skills [to govern]. But it's 20,000 people versus 9 million. I don't think candidates get the scale and scope of what governing is. You don't have the flexibility you imagined. There's no exact translation."

Newsweek goes on to say "Very little that happens inside a corporate suite is like governing a state or a country. CEOs, like generals, can issue orders and expect them to be carried out. Jobs and budgets can be pared by fiat, with little public controversy. It's not nearly as simple for governors, or senators - even presidents. Their authority is never absolute. They are constrained by the separation of powers and forced to ride the tiger of public opinion. They must persuade, cajole, and arm-twist to get their way. As Harry Truman once said about his presidential successor, Dwight Eisenhower: "He'll sit there all day saying do this, do that, and nothing will happen. Poor Ike - it won't be a bit like the Army.""

What is the best a political leader can do? Face the issues head on - begin the discussion - and then hang on for a rough ride. They can start the ball rolling, but they can hardly finish the job on their own. No, governments can't be run like corporations. And no, I don't play basketball.

Thursday, September 9, 2010

Silly Work

A few years ago, I worked with a school district in California. And this school district had a pool at every school that was run by subcontractors. Since we don't have pools at our schools in Texas, I was slightly jealous. And then I realized that this might be one reason why California is bankrupt and we are doing OK. When you build a pool - it costs money. It costs money to maintain and repair it. It costs money to regulate it and to audit it. The school district took on a world of expense and work when they took on pools!

The audit team I worked with was assigned the responsibility to monitor the pools (among other things). And the regulations over the pools were extensive. The four requirements I remember from the regulations were:

* the pool chairs must be ergonomically designed

* the pool sign height should be at child level (30 inches above the floor)

* the pool should be staffed by qualified lifeguards when children are swimming

* the pool water quality should be monitored three times a day

Unfortunately, the pool auditors did not do a risk assessment on these requirements and were checking everything. So they used a ruler to measure sign height and then wrote the contractors up if they were off by an inch. WHAT?!? What an embarrassing finding to present to management. What should they have been looking at? Lifeguards and water quality obviously.

They complained that each pool audit took them several days and most of the pools went without review. Of course it took several days when they looked at every silly requirement! Wouldn't it be better to cover more pools for the significant requirements rather than cover every silly requirement at only a few pools? You'd better say yes! :)

Today, I am teaching a group of monitors and auditors from various state agencies in Texas. Compliance auditors don't think they need to do risk assessment. Yes, they do if they don't want to waste time and the taxpayer's money.

SAS 117 made it clear that when auditors do a compliance audit, they must also follow the other SASs, INCLUDING the risk assessment SASs. Unfortunately, many of the auditors and monitors in my class are making no effort to follow standards. But that is a subject for another blog post...

Wednesday, September 1, 2010

A Few Weeks Between Me and the IIA International Conference

A few weeks later, I’m not sure it was worth the $2000+ I spent to attend.
Why did I go? To network and to learn.
On the networking end, I did show my face and visited with some of my old buddies in the government arena. But as I told one of them – who was the best presenter during the whole conference – I could have done that right here in Austin. When there are almost 3000 folks in attendance, it is difficult to track down new folks.
I met one gentleman who knows his stuff about risk, a few other people who are also in the CPE business, and learned how Jim Kaplan started AuditNet. Maybe something will come from those interactions.
I was hoping to convince the Public Sector committee that I was worthy of appointment – but I understand from a friend of mine who works for a Big 4 – the committees don’t like vendors.
On the learning end, I was disappointed. Maybe I just didn’t pick the right stuff for my breakout sessions.
Ken Moray – the City of Austin Auditor – who was the best of the conference – did a great job putting IT professionals in their place. And he provided some great tools for assessing IT.
Joel Kramer – of MIS – was entertaining and insightful as usual. He had a list of the 25 things that stupid internal auditors do – and that was fun to laugh along with. It was funny and instructional.
I saw a woman from Britain who argued that auditors should not make recommendations – she reasoned that we should be change agents not dictators. Cool concept. I listened to the Capability Maturity Model study – which was interesting. Using it, I can decide where my clients are along a scale of audit shop maturity.
For one session – I moved four times and still didn’t find anything I was interested in.
Two keynoters were notable. The CEO of Home Depot made me proud to be a woman. When asked how she handles her busy life without passing out from stress – she said she worked at being present in each moment – meaning she doesn’t let the past or the future encroach on what she is supposed to be paying attention to now. It reminded me of a Buddhist teacher, Thich Nhat Hanh, who wrote that when you are doing dishes – do dishes. Enjoy the dishes. He called it ‘mindfulness’. One sanctuary put bells at the top of each door so that the door would ring as you pass through it to snap your mind back to the current moment. Kinda’ cool to hear an executive talk about how mindfulness helps her day-to-day.
Another keynoter was key in exposing the Bernie Madoff fraud. It was interesting to hear how Bernie Madoff used the worst of human nature to feed off of the unsuspecting. For instance, he formed a mafia-like network of advisors who were interested in lining their own pockets and remained loyal to him out of fear and self interest. He also told several stories of audit failure and how many years ago, Bernie thought he was done for when the auditor finally asked some decent questions. Only problem was, the auditor didn’t follow through and he went on to live his lie for another decade. A pretty good cautionary tale – but our profession is full of them.
Overall, I think I’ll wait another four years for the conference to cycle back around to the United States – by then maybe they’ll be talking about something other than ERM (Enterprise Risk Management).