Home > Audit, Compliance, Jobs, Training and Certifications, Corporate Governance > Auditing Career: Do “Dumb Auditors” have more Professional Longevity than “Smart” ones?

Auditing Career: Do “Dumb Auditors” have more Professional Longevity than “Smart” ones?

Thanksgiving Day
Image via Wikipedia

Two days ago I attended a nice Thanksgiving party given by a CIO friend, who like in previous years, had invited several CFO‘s, corporate attorney’s and high level management people from high profile Fortune 500 companies in the New York region to his house.   After a few drinks and delicious turkey, conversations about the state of the economy, technology and the headaches of regulatory compliance ensued.   There where two auditors in the group and it felt as if we where the only ones who did not feel regulatory compliance is a headache.    My Merlot and turkey friends, perceiving that they had numerical superiority over us, went on to a typical “we hate the auditors” discussion, where we had the “pleasure” of hearing every criticism launched against auditors since the time of Heraclitus.   Thank goodness I too had access to the Merlot.   One of the discussions that has stayed in my mind is one about how “well appreciated” dumb auditors are.   And, this I’ve decided to share with you.

Most auditors learn early in their careers that auditing is not a popularity contest.  As a result they adjust to the fact that they are paid to investigate, search, test, snoop around, and in many cases confirm the existence of wrong doing and mistakes by members of the organization at all levels.    The auditor is usually the person who has ulterior motives for asking questions, and the one who usually does not bring good news.    The auditor by his/her simple presence disrupts the “normal order” of things, makes the staff feel uncomfortable and require that all evidence be double checked for accuracy and legitimacy.   Often, when those being audited most want the auditors  to “go away,” some action or words  deep in the crevices of the organization send a message to the auditors to dig deeper or further expand their questions.   In common language, auditors are a pain in the neck.

The intensity of hatred or dislike towards the auditor however varies depending on his/her ability to understand what he/she is testing or investigating.    The smart, experienced auditor tends to ask deep, relevant and timely questions, often not found in a strict audit script or checklist, which can open the doors to problems and issues hidden just below the surface.   The smart auditor is happy when he/she finds problems, because he/she sees himself as a solution or insurance policy against risk exposures to the company.  However, this feeling is not shared by those who “own” the problems and depending on company politics, the reactions can range from lukewarm admission, challenges bordering threats from some levels of management, to a long term stealth campaign against the auditor leading to his/her dismissal for supposedly  “unrelated reasons.”  Like a Whistle-blower, the good auditor walks a dangerous road.    During difficult times, the good auditor has few or no allies.

The dumb auditor on the other hand, usually sticks to a rigid script or checklist, and is not likely to expand his questions beyond the “scope” of the audit, preassigned or created with the approval of management.  The audit process of the dumb auditor tends to be quick, rarely discovering problems and always neatly on time.   His reports usually sound like this:  “We tested A, B, and C and found no exceptions.  Managements’ controls are working according to established policies and guidelines and” (here is the mandatory recommendation for improvement – so it looks like some work was done),  “we believe the Segregation of Duties process in AP can be tightened by implementing the following…..  Otherwise all is well.”   This cookie cutter report, used by both Internal and External auditors, is the type that makes its way to most audit committees today.    This is also the type of report, according to my friends at the Thanksgiving party, that management wants and pays handsomely for.   I found myself looking at the other auditor and realized that we where both nodding in agreement.    My friends in the party, all experienced dealing with auditors, pointed out that “Smart” auditors, or auditors with independent minds can not last long in a typical organization, because the very act of following their ethical, inquisitive and legalistic mentalities gets them into serious conflicts with management and they end up fired after short tenures. Also, good auditors have few champions in the organization who see value or gain in “protecting” someone who is serious in his/her responsibility to investigate or test anyone (including them) in the future if they have to.   This is simple human nature.    A “Dumb” auditor on the other hand, creates few waves, does not offend or criticize too much, uses neutral and complimentary language in reports, and keeps to his/her “scripts” as planned by management.   By playing dumb, this type of auditor is indirectly “winning friends and influencing people.”   His/her back is covered because he/she is needed by those who need coverage.  The dumb auditor has allies.

In light of current scandals, like the Bernie Madoff case, and the mortgage meltdown, it has become common for many to ask:  “And, where were the auditors while all this was happening?”  My answer has to be that most of the auditors involved where diligently doing their jobs as good “dumb” auditors do, so they can stay employed.   That is, they where auditing every nick and cranny that was within scope and within the “Risk Appetites’ of their organizations, as set by “management.”   But, what about the codes of conduct, the audit charters, the PCAOB, the SEC, the GAAS‘s, ISACA and the IIA‘s.   Don’t these organizations have some level of control over how auditors should conduct themselves and how they should investigate and follow up on questionable activities?   Are all of these structures useless? My answer is no.  These are not useless organizations, and without them, the problems cited by my friends in the Thanksgiving party would be much worse.   The codes of ethics, guidance documents, audit frameworks and standards created by these organizations are the only line of defense we auditors and audit committees have against the many Barbarians who dwell in the halls of corporate America today.    But, are these standards  and frameworks sufficient?  My feeling is that they are not, and here is why.   Money corrupts as every auditor knows.  When you follow the money you find the power.   Organizationally, there is an imbalance between the auditor and those he/she audits.  On the one hand you have a well meaning, ethical person who wants to do the right thing, making an average mid-level management salary, tasked with uncovering wrong doing among those at levels that can crush him/her with ease, and whose interests are the maintenance of the status-quo, a low profile and making sure the company’s stock value is not disrupted by doubtful auditor reports.   In most companies, those in the Director, V.P. and “C” levels (usually persons with net worth’s in the millions of dollars and stock holders in the company) can easily muster the resources of the organization whenever they raise a red flag regarding a “trouble maker.”   The controlling factor here is not bribery, but the threat of dismissal.   So, in my opinion things boil down to a primal level for the auditor.   Ethics, integrity, morality, legality and professionalism on one side,  versus no job on the other. Unemployment, inability to pay the mortgage, damaged credit rating, children without college tuition’s, etc.   How many good auditors can consistently afford to be martyrs, and when it happens, who shows up at their door to help them pay the mortgage?   The fact that the majority of auditors are good, ethical, law abiding and take their oath’s of conduct and ethics seriously is a reflection of the social, religious and cultural values they share with the greater society, and less so on other types of controls  promoted by various groups.   As these cultural, religious and social values erode,  resulting from poor education, dysfunctional families, media aggrandizement of thieves, the belief that the  “bad guys” win and little understanding of civics, I suspect we will see more problems relating to poor auditor ethics and values.   In general, auditors are still good because they perceive that the society provides more positive reinforcements for good behaviors than bad ones.

In addition to the money and power challenges I noted above, there are issues dealing with the “Culture of Auditing,” which most of us are familiar with.    In my opinion, many of these favor the “Dumb Auditor.”   Some of these also help explain why many Madoff type schemes go “Undetected.”  Here are the top fifteen that come to mind.  I am sure there are others:

  1. Auditors are taught to find ways to give bad news in a positive manner.  Avoid bad news as much as possible.
  2. Auditors should avoid using the words “Failure,” “Problems,” or naming specific individuals who fail or pose problems.  Instead they should call these things “Exceptions,” or “Positive findings Needing Improvement.”
  3. Even when management has repeatedly ignored auditor recommendations and warnings, auditors are expected to be “flexible” and at best point out the issues as “still needing some levels of improvement.”
  4. Auditors are bound by extreme discretion and confidentiality.  They are to be like flies on the walls.  Rarely seen and not too vocal on any subject or occasion.
  5. Management has the last say in terms of what is possible by way of solutions to issues raised by audit.   The “Business” is the key determinant in whether a risk gets addressed as recommended by audit.
  6. Auditors work on behalf of management, and are not to be seen as impediments or obstacles to managements’ decision making.   Aggressive auditors can inhibit management’s entrepreneurial spirit.
  7. The auditor is there to protect the business from outside risks.
  8. Management sets the “Risk Appetite” for the company.  Auditors work within those parameters.   Even when the parameters are not well defined (on purpose).
  9. Auditors are supposed to uphold the utmost ethical standards, but often their superiors lie, cheat and have no scruples.   Some times the code of Ethics, zero tolerance statements, and even the Audit Charter are disregarded at higher levels, while zealously enforced at the lower levels.
  10. Auditors are supposed to remain positive and un-moved, even when those audited usually assassinate their character, create rumors and gossip about their professionalism, plant fake or doctored evidence against them, and call for their dismissal.
  11. Auditors are supposed to maintain meticulous notes and documentation, while many of their superiors rarely answer  email requests for clarifications, or document an opinion.
  12. Auditors are supposed to advocate for and practice “meritocracy” being on a constant race to obtain and maintain professional certifications.   While it is not unusual to see many of their superiors having reached positions of authority because they have either slept, drank, bought or strong armed their way up the ladder.
  13. When the Chief Audit Officer is weak, unstable and/or indecisive, audit work is reactive and there is unusual turn over in Internal Audit.   Expertise, maturity and professionalism has little time to take root.   “Dumb Auditors” flourish in these environments.
  14. In a recession and during cost cutting, some Audit departments let go of their “expensive” talent, keeping lower paid less experienced staff on hand until better times (and budgets) return.    “Dumb Auditors” flourish in these environments also.
  15. When the “C” level executives have been around for 10, 15 or 20 years and their “old boy” culture does not care about “irritants” such as “compliance,” or “industry best practices,” or “well designed controls,” and the head of compliance and legal counsel are never in the mood to “disturb” the old boys, smart auditors often become dumb by way of necessity.

As I prepared to finish this article, I discussed it with my friend, the other auditor at the Thanksgiving party, and he felt many of the issues tackled here are highly controversial and uncomfortable.   He said I make many generalizations  like what constitutes “Dumb” or “Smart.”   He said that what I call here the “Dumb Auditor” may really be the “Smart” one.  Every person faced with the sorts of challenges I mention has a huge reservoir of personal, professional and family reasons for taking one or another path, and those are known only to that person.   Passing judgment as I appear to do in this article may be too insensitive and simplistic.   The issues are just too complicated to put them in simple moral boxes.

I admit that my friend makes good points here, and I can only say that in this article my intent is to shed light on what is clearly a serious challenge with ramifications that go far above those of individuals.   This is a serious systematic problem  in the business world and many good minds in government and in professional organizations worldwide are working hard to find the right solutions.   In an ideal world, the typical auditor should not have to spend sleepless nights wondering whether he/she should play “Dumb” or “Smart.”

I  personally do not have a clear answer on how to solve these dilemmas for others.  I only know what my ethical, moral and social values are and I have first hand experience on the high costs and frustrations of being a “Smart” auditor.

If you are a new auditor, I hope I’ve alerted you to issues that may come your way sooner or later.   If you are an experienced auditor, I hope that by reading this you realize that you are not the only one who has seen these things.

To all readers.  I will appreciate it very much if  you left  your comments on this subject, so we can make this a more diverse  exchange.  Do you believe that “Dumb Auditors” indeed have a longer professional longevity than “Smart” ones?

Enhanced by Zemanta
About these ads
  1. drymocke
    November 30, 2009 at 10:55 AM | #1

    As an IT Audit Manager w/ 20+ years of IT experience at a large insurance company I was far and away the most prolific audit lead when it came to finding serious issues. I attributed this to my broad knowledge of Information Systems and Infratructure compared to my accountanting coworkers. And while I was openly praised for the detail and quality of my work I found myself being pushed away from the more important or visible audits towards more routine work where there was less chance of discovery of serious issues. That along with being passed over for promotion led me to see that the “Mutual Admiration Society” metality that is senior management at almost all large companies is more concerned with appearances than substance and reqards the so called “team players” as more valuable and side tracks those who truly wish to make the improvements claimed in Corporate Vison Statements and carry out their tasks with due diligence.

    To take a line from Dilbert, when management’s metaphorical car gets a flat tire they much prefer to rotate the tires and drive on rather than fix the flat.

  2. Alex Orlov
    November 30, 2009 at 12:12 PM | #2

    I do beleive that “Dumb” auditors have a longer longevity.

    My only comment is there is no “dumb” auditor per se. One chooses to be a “dumb” auditor, unfortunately.

    Overall, this is a great article and I concur with the most of it.

    Thank you.

    Alex

  3. Maine CPA
    November 30, 2009 at 1:32 PM | #3

    I agree with everything presented.

    I have been fired a number of times for being a “smart” auditor. In one case, I did receive a 5 figure settlement for a whistle-blower claim, but the stress was pretty severe.

  4. Richard
    November 30, 2009 at 2:02 PM | #4

    I agree totally.

    I have the scars from personal experience. As the organisational expert on IT Governance and security I was opening cans of worms that management preferred closed. In addition, I was exposing weaknesses in the audit management from the CAE down in that these areas had never been looked at before and did not feature on the Internal Audit radar. Audit Management preferred to be able to turn a blind eye and not rock the boat. My professionalism and integrity meant I could not do this so I was sidelined and management found it easier to get rid of me under the pretext of ‘downsizing’.

    By being a ‘smart’ auditor you do risk your career and position – but I’d still do exactly the same given the same circumstances again!

    Richard

  5. Ron
    November 30, 2009 at 2:55 PM | #5

    I could have wrote this article!

    Dead on and nobody will say it. We have to be the most ethical people in the organizations while those above us stoop to the level of “sleeze”.

  6. Felix
    November 30, 2009 at 3:03 PM | #6

    I agree with your article and would like to add that there is a relatively easy theoretical fix to this while hard in practice (because of politics). The fix is that congress should enact a law whereby:

    1. Audit Committees (Board of Directors) should have a bank account with enough cash to pay the auditors and the CFO.

    2. The Audit Committee should be directly responsible for hiring/firing auditors and CFO’s.

    3. Auditors and CFO’s should work only and directly for the Board of Directors in representation of the shareholders.

    4. Employment Insurance policy provided by the PCAOB (or other body holding CFO’s/auditors to ethical/moral standards) for auditors and CFO’s. If a CFO or auditor is fired due to claimed unethical reasons, they are eligible to receive 100% of what they were making. Then it is up to the insurance company and its army of lawyers (surely shortly followed by the smart shareholders) to sue the Board and the management team. This threat would create a much needed balance of power.

    While many CFO’s and auditors have been shown in the media lately as being the culprits of shenanigans, there is a group that would do the right thing if their livelihoods where not on the line. In other words, “dumb” CFO’s and auditors would smarten up. Do this in association with also making Boards more directly accountable to the owners of businesses (whom they represent) and you have yourself a much better solution than imposing laws like Sarbanes Oxley. All that rules like Sarbanes do is increase costs and make United States companies into inefficient bureaucracies. Crooks will always be crooks no matter how many laws you throw at them.

    What is for sure is also that some crooks would not be crooks if society would not accept as “good” many things that are NOT good. The unfortunate relativism that we live in now a days is contrary to how the United States was founded. It was founded on deep moral principles and as a result there was a key ingredient that was not there in many other countries or societies throughout history: trust. Trust can only exist when the society is a morally correct society that has not transformed values. In other words when a bad act is considered OK by many and vice versa. The problem we are facing in the United States of today runs deeper than audits and rules.

    The problem goes to the core of the humanity of our country.

  7. Mark Pennington
    November 30, 2009 at 3:46 PM | #7

    Yes, substantially everything in your article is true.

    Unfortunately you failed to report on the fact that no one cares. Hence, your article was a waste of my time.

    And I, like everyone else, do not care. And, since I’m in charge, I do not have to care either.

    Goodbye.

  8. November 30, 2009 at 3:51 PM | #8

    All too true.

    We are currently conducting an IT General Controls audit for a client as the independent 3rd party auditor. We were hired by the head of Internal Audit ( a very sharp person) who candidly pointed us in the direction of all the missing or deficient controls that he once pointed out a few years ago but, due to job security, would not bring up again other than to say that “everything was ok but some improvements were recommended”. It’s unfortunate that auditors have to “play dumb” rather than lose their jobs by doing their jobs. And if something bad happens due to poor controls then the auditor gets blamed. I guess the “smart” auditors or the ones too principled to become dumb and wind up starting their own companies.

  9. November 30, 2009 at 4:22 PM | #9

    Joel,

    The semantics of “Smart” and “Dumb” aside, your article hits many issues directly and for some uncomfortably on the head. One chooses to either do the job correctly or not. As the renowned Charles Emerson Winchester III said in MASH I do one thing at a time and I do it very well.

    I hold a JD, LLM and MS (the latter two in areas relating to intelligence)over the years I’ve learned that you have to ask the hard questions now (audit wise) in order to avaoid having to answer the harder questions in court.

    Recently,we asked some hard questions in the acquisition of a foreign firm by our private US client, related to hat the original due diligence had recorded as “Usual and Customary”. The Usual and Customary practices and expenses would have resulted in serious issues for the client related to the FCPA.

    When you are hired to do the job then my feeling is the same as David Farragut “damn the torpedoes and full steam ahead!” Personally, I’d rather be “Smart” and look at myself in the mirror than “Dumb” and be one of the causes of a meltdown.

  10. Marie
    November 30, 2009 at 5:08 PM | #10

    Thank you for the simultaneously entertaining and disturbing article.

    Key to the longevity of a smart auditor is Board engagement and support. In the absence of a strong or knowledgable Board, the corporate life expectancy is brief for the smart auditor.

  11. November 30, 2009 at 5:29 PM | #11

    This article really leaves one to question the whole state of audit and QA in general.

    I have a background in IT development and QA/Compliance as well as Auditing. While I have not worked as an external auditor, in the last decade, I have always felt appreciated as an internal auditor. I think most CTOs and CIOs understand that our additional imposing questions can only prepare them for the external audits they must participate in annually. My experience with CFOs has been a mixed bag, but all constraints on the audit were due to funding the internal consulting hours rather than seeing the audit team as a thorn in their side. Generally, to cut costs, control numbers were cut with the external auditors permission. The examples I speak of were all SOX audits. When dealing with CXOs, I make sure they understand my job is to prepare them for the external audit and make sure they understand the difference between the various levels of deficiency versus areas where improvement may be made. In these areas, commentary would be valuable in preparing remedy or a plan for the following year. While the teams I have been on may have carried our inspections into more detail than required by the control language, we discern between what is the action needed to meet the controls approved by the external auditors, and those notations that should be kept as advice from the internal audit department.

    I too believe that the reporting structure and funding of audit departments is key to an effective audit environment. Even with involvement of a Board of Directors, there will always be the “necessary evil” perception toward audit teams. I do think the culture of various firms a has a huge affect on its audit department. Enron would be the perfect example of this. That was a firm where the environment was very anti QA and audit. I have worked at firms earlier in my career in compliance positions where I had to be concerned for my position for noticing things that could be “construed as risks”. We have to determine on our own where to draw the line between adding value in our jobs and “going overboard?”

  12. thomas butler, cpa, cisa, cia, cfe, cgap, cgfm, citp, capm
    November 30, 2009 at 5:37 PM | #12

    A rather lengthy soap-box article but of course all true. I have been in the profession some 25 years. Now, how about solutions to the perceived problem, as I am tired of hearing complaints. Do the audit associations have the answer or should they. The answer to both is “no”!

    The solution is money, money, money in both commerce and governments. Take for example the medicare improper payments of some 23 billion that was recently publicized. Most organizations do not know how to use auditors efficiently and effectively. That is their problem really, not mine. The solution is for auditors to propose, show, and prove that they can recover at least their own yearly salary. For example, I worked for Defense Contract Audit Agency. Their statistics showed to Congress that DCAA recovered taxpayer money of 10 dollars for every dollar spent to run DCAA. That is something that people understand. As auditors we need to present this same scenario to executive management of every organization. I say every organization because I know that every single organization of any size has recoverable money in the form of payment errors, improper payments, overpayments, erroneous payments. fraudulent payments.

    So instead of writing up nit-picky non-compliance findings that have little monetary harm let us auditors show management that we can recover money for them.

    Of course we as auditors and the audit associations would need to go through process improvements in philosophy, training, and auditor education. “Show them the money” and to heck with all the ethics stuff. Auditors are supposed to strictly adhere to ethics. How about the C-suite. I think a Harvard MBA is almost like a license to steal. CEOs are driven by greed. Clearly the philosophy and agendas of auditors are not on the same page as CEOs. If we can show the CEO and C-suite that we can make them money, money, money, me thinks they may listen.

  13. Rob
    November 30, 2009 at 5:45 PM | #13

    This is so true and most likely the reason why I was let go when my past company, Quality Distribution Inc. needed to cut 20% of staff due to poor financial results. Of course, there is nothing you can do in Florida because we are an employer friendly state and companies can let you go for no reason.

    I definitely worked with great auditors, but I was the one who would ask more questions which helped identify errors in balance sheet reconciliations that no one else caught and got the popular high ranking sales guy fired when I identified that he was submitting fraudulent expenses on his expense reports.

    Kind Regards,

  14. Mark P. Ruppert
    November 30, 2009 at 10:59 PM | #14

    Hmmm, fun article!…as an auditor who also owns conflict of interest administration in my company, it just proves that we are potentially conflicted in all situations. Can we do the right audit job while also being “nice” about it? Can we do the right audit job while also holding long-lasting careers in a single organization? Is the “right audit” or “smart audit” truly well-defined? Is there any difference between fraud audit and just audit? At what point should an auditor go past the Board to external authorities? Is internal audit’s role only cost recovery – if so, then when controls are truly effective and they recover less, should they get a pay decrease that year? Perhaps we are experiencing an identity crisis as internal audit has transitioned from finance to risk-based? Is being smart only asking the tough questions or is it also balancing the tough questions with a true understanding of the organization, organization culture and industry in a manner that helps management and Boards see the benefit of a change resulting from the tough question (as opposed to merely asking a bunch of touch questions and making people embarrassed instead of focused on improvement)?

    As to professional safeguards, barring being funded from the outside (which would make us no longer internal), if your organization includes functional reporting to the AC and admin reporting to the CEO with a required joint decision on comp and hire/fire decisions, the issue of playing dumb should no longer matter. Do your job and longevity should follow.

    More importantly, IMHO, the Board and management need solutions and management must implement those solutions. If internal audit asks a lot of tough questions but never helps management and the Board focus on solutions, does anyone win? We can ask tough questions and issue findings until the cows come home; if we don’t help turn those into real change, we’re just a nag and are not “smart” auditors even though we may be quite intelligent.

    If internal auditors ask the hard questions and do so in manner that helps management derive new approaches, see the benefit of controls and identify new solutions, everybody wins and internal audit achieves its ultimate objective: creating positive change that balances control, governance and risk.

    I’ve been in internal audit for 23 years, with the last 13 as the CAE and am working in my 5th organization with my recent longevity at 8+ years. I’m not sure if I’m “dumb” or “smart” but I hate to think I devoted my career and have achieved a decent level of success by relating the experience down to those mere two concepts.

    It’s not the easiest profession though; we’re not loved much and I’ve also noticed that most auditors subject to peer review often react to “findings” much the way management does to internal audit observations. Perhaps somewhere between “dumb” and “smart” is savvy.

    Thanks for the intellectual stimulation as I’ll now be analyzing where I might fit in this scale and, hopefully, that will only make me a better auditor for the benefit of myself, the Board and organization I serve and the greater good.

  15. Doc
    November 30, 2009 at 11:03 PM | #15

    Great article, Joel!

    In my capacity as a management consultant, I have faced similar issues. The CEO of a very large corporation brought me in to audit the management team in one of their plants, find the problems, and tell him who needed to go. As a “smart” auditor, I lasted six months.

    As you say, nobody likes the guy that digs up the dirt. I think Felix’ point #4 is very valid. Had I not answered directly to the CEO, I’d have probably lasted less than six weeks!

  16. Marcio Ferreira
    December 1, 2009 at 9:03 AM | #16

    Great article.

    The politics of the corporate world are dificult to manage at all levels and for everyone. Internal Auditors are just part of the cattle trying to survive and to pay their mortgages (if not rent) at the end of the month.

  17. Hrvoje Pernar
    December 1, 2009 at 1:35 PM | #17

    Let me ask you a question – if nobody is auditing the fed, what is the purpose of it anyway?

  18. Elliot Fisch
    December 1, 2009 at 1:49 PM | #18

    Interesting article.

    The critical issue on whether you are a dumb or smart auditor is whether you are committed to reporting the “truth” or quitting your job. I’ve had some experience where I quit my job rather have my findings or integrity compromised. I usually ended up in a better job with a more ethical company.

  19. December 1, 2009 at 3:31 PM | #19

    Wow – now I’m depressed.

    I agree with your article and have had my share of problems for bringing up uncomfortable questions and exposing bad practices. It’s nice to hear that others struggle with similar problems throughout their careers. This is an interesting and valid topic and I hope to see more discussions about the “good auditor vs. bad auditor” in the future.

    Thanks for writing this!!

  20. Doug
    December 1, 2009 at 5:01 PM | #20

    Homerun!

    Enjoyed the article.

    Thanks for sharing.

  21. Shawqi AlAsadi
    December 1, 2009 at 5:33 PM | #21

    Yes, you are absolutely right.

    Your article shows a deep and practical sight on the practice and the sufferings of the Internal Audit profession.

    In fact, you have relieved me as I have felt now that it is not my suffering only, as many others share this pain and headache.

    I can say that in this “dirty” time dirt and corruption are reaching the auditors. But I must say that if in the presence of “smart” and good auditors we encounter such scandals and financial crisis, what would happen if we turn “dumb” or corrupted? We are the last defense line so don’t let everything fail.

    SHAWQI

  22. FormerTransplantedSouthernNortherner
    December 1, 2009 at 7:35 PM | #22

    Amen, brother!!

    I once worked with a “girl” down South who was reeeaaaaallly good at image management. She was also “Not Smart Enough To Come In Out Of The Rain” – literally! (She got caught in a downpour and was locked out of her house. She said she stood there for 20 minutes until her husband came home. They had a PORCH!)

    Reading your article made me feel like I was proofing one of her reports!!

    And, the description of the “smart” auditor?? I thought, “Have Joel and I met?” The description sounded like every conversation I had with my former boss from their first day: “Scope, scope, scope!” To which I replied, “Risk, risk, risk!”

    Ultimately, the joke is on the rest of us, because now the “One in the Rain” works at a large southern university, making over $50K two years out of college!!

    Stay true, my fellow auditors, and repeat my mantra: “I do not come to work to make friends. I have friends.”

  23. Rodney Kocot
    December 2, 2009 at 4:06 PM | #23

    So True!

    A problem will not be fixed unless it is identified. Auditors have a responsibility to identify issues that put the organization or the public at risk.

    I have been told that I would never work again four times and I did the right thing anyway.

    I am now out of work. The people that looked the other way while drug lords laundered money are still working and getting $200K+ salaries while I was threatened, retaliated against, shot at and asked to leave because I wrote issues. The bank was later fined $31.6M for money laundering.

    When I found a problem that put tens of thousands of people’s lives at risk I was told by a CPA consulting company that if I wrote the issue I would never work again. I wrote the issue anyway and never got another job in that industry. By the way, Homeland Security found the issue in over 80% of the systems in the USA and the Chinese had put trojans on many of the systems. The CPA/CPA consulting company did not want to resolve the issue because it would have cost several thousand dollars. Tens of thousands of lives vs. several thousand dollars – the right choice seems obvious to me.

    Programmers told me about problems that would put the company out of business and I wrote a memo regarding the issues. For perspective, one of the issues was a userid “Test” with a password of “test” that was shared by over 30 undocumented people all over the world. The manager tried repeatedly to have me fired and fired several of the programmers. My cars started being vandalized. The issues were exploited by hackers and the stock price went down over 40%. People blamed me for not being able to retire because their company stock lost so much value.

    The CPA firms are calling me a trouble maker because I actually look at listings and write issues. The problem is that they ask the auditee “Are you doing a good job?” The auditee says “I am doing a great job and need a raise.” The auditor says “She/he is doing a great job and needs a raise.” A month later I go in, look at listings and find obvious significant issues (vendor supplied passwords, unprotected encryption key files, shared userids, default access not requiring a userid to access data, unprotected personal information, non-compliance with laws and standards…) The client audit committee then renegotiates the CPA’s fee. By the way, it takes less than an hour to identify the issues once the listings are obtained.

    I have a friend that quit a day after she identified a significant fraud. She and her family was threatened, she lost considerable income, and the criminals are still making a ton of money. Senior management was aware of the fraud, supported the criminals by destroying the evidence and looked the other way.

    The problem is that the criminals have been stealing from the public for so long that they now have the resources to do anything they want. Fraud and corruption have been institutionalized. Second and third generation drug lords, money launderers, and criminals have the organizations, resources and knowledge to do anything they want and we are pawns as long as dumb auditors look the other way. When the United States gets nuked and/or plundered and becomes a third world country the dumb auditors will continue to say that everything is OK.

    I sleep at night and they will burn in hell.

  24. December 4, 2009 at 4:29 PM | #24

    I just got off the phone with a compliance manager of a small public company who hired us to go through SOX 404(a) for the FIRST time (even though it was required back in 2007). We found twenty eight (28) fraud deficiencies whereby someone could ongoing embezle funds, commit fraudulent reporting or IT fraud. The compliance manager asked why their outside auditors XXX and XXX (you would recognize their names) never had problem with these fraud matters. I said, “I don’t know, i was thinking the same thing myself. I was just following SAS 99 Fraud Considerations, a CPA auditing standard that has been around for ten years.” He understood but HELLO…

  25. December 5, 2009 at 2:36 PM | #25

    Excellent discussion, everyone. I would add:

    Should we focus more on creating a “values-based” ethical culture and less on a “compliance” mentality?

    Should we concentrate more on ethics training and less on compliance training?

    Adis Vila

  26. Sounds Familiar
    December 7, 2009 at 12:11 PM | #26

    I agree with this article and have experienced the pressures and consequences of asking those hard questions and uncovering problems (or “challenges”, if you prefer).

    I was with a company for 25 years (the last 5 in audit) and was recently downsized. The fact is that you don’t make too many friends when you are a tough auditor and when a downsizing occurs, often you’re at the top of the list of people who are let go because people are afraid of you. Some would argue that you can overcome this by being “nicer”, less “direct”, more “diplomatic”, etc. But there comes a time when you find something bad, management doesn’t like it, and there’s no way to save your integrity and your skin.

    I wonder what the solution is? We aren’t going to get rid of greed and hubris. Maybe internal audit should be outsourced? Or, maybe all internal auditors should switch companies after a couple of years to avoid long-term career repercussions?

  27. Jay Somasundaram
    December 7, 2009 at 8:04 PM | #27

    Where I disagree somewhat with the author is in the perceptipon that this is a problem unique to audit. It is a porblem faced by every person in an organisation, the need to play and make decisions based on politics.

    The skill, required of audit as well as any other organisational position, is not only to find the best solution, but to sell it in a way that it gets implemeted.

    As often as an auditor ‘finds’ a problem through investigation, someone simply hands it to audit on a platter – someone who could have raised it themselves, but for political reasons did not. They look to audit to push a wheelbarrow they should be pushing.

  28. Qamar
    December 8, 2009 at 5:44 AM | #28

    Interesting article, I think this is a global phenomenon.

    To survive you have to act dumb. I think in order to satisfy your professional urge, the Smart Auditor should act as a consultant to negate the perception that Auditor always tries to find fault / flaws in your work. As a consultant an Auditor can guide the Auditee to amicably achieve the target without any risk / exposure.

    You did a great job. Now it is satisfying for us to know that we are not the only one in this ocean.

  29. Ben
    December 8, 2009 at 10:19 PM | #29

    I read the article with GREAT interest and couldn’t agree more.

    The “lap dog” Audit Professional seems to outlast what you have coined a “Smart Auditor” in most cases. However, in the beginning of my career path, I worked for one of the nastiest Office of Inspector Generals’ Audit Division (Federal) where we walked in and demanded practically anything we wanted to see . . . looking back, it was a seemingly better environment. LOL

    It’s very difficult to garner business, retain clients, and make a good name if you’re TOO HONEST — unfortunately. However, that is the path I’ve chosen, personally, and at least I can sleep at night. I’ve seen everything from an audit quashed (actually “ended” by the Hospital Director) because I uncovered a significant adverse event (death of a research protocol patient) that was not reported timely, open and rather significant audit findings lag from Audit Committee meeting to another, all the way to a change in Policy MID-SOX IMPLEMENTATION just to keep a Senior VP from having egg on his face. Lots of other stories, but I won’t bore you with them . . .

    I learned two things long ago that have helped me tremendously — notwithstanding the fact that I’m now viewed as a Management “team player” when Clients utilize Consulting Services outside of Internal Audit:

    1. Make sure during your interview process that you ask not only about the reporting chain (including ALL “dotted-lines”) but also ask “how well is Internal Audit supported in this organization?” Ask for an example of a real issue and the resulting outcome . . . don’t worry that the question might be viewed “negatively”. A hiring Manager or other superior won’t perceive that as truly negative unless s/he isn’t serious about your capabilities / potential. After all, a passive Audit professional wouldn’t ask such a question anyway. In other words, the interviewer that would take exception is most likely not looking for a “strong” Audit Professional. Bottom line: Any prudent Audit Professional should know going into an Organization about the general climate. If you don’t think your work will be appreciated and used appropriately, DON’T DO IT.

    2. Always keep the auditee apprised and emphasize why any findings are important and corrective action is necessary. Some or even most auditees seem to hang onto every single audit point or finding versus seeing the bigger picture, the “potential cumulative effect” of risks if you will . . . Unfortunately, it is TRUE that mid- to upper-level Management has to have their hand held at times in order to mentally “link” and understand the overall risk(s). Once Management is a bit versed in “Risk”, they seem to be more accepting of adverse findings.

    Lastly, on a lighter note, if you should ever have to audit a Sales function, pray hard VERY HARD, practice your relaxation / meditation or BOTH!!!

  30. December 11, 2009 at 4:29 PM | #30

    Not much to add – great article. Enjoyed the comments immensely.

  31. December 15, 2009 at 1:52 AM | #31

    Coming from the industry side, I respectfully disagree with your hypothesis and conclusions. Furthermore, citing the Madoff case is pointless seeing as the auditor was actually complicit in the scam.

    Dumb or smart, the auditors I have seen simply have no real understanding of 1) materiality and 2) ongoing business activity. Things don’t fit nicely into little boxes in the course of operations.

    The nature of business is messy, it’s full of uncertainty and doubt, it’s sublime.

    Maybe we need an accountant-auditor foreign exchange program.

  32. Julie Zhu
    January 7, 2010 at 4:16 PM | #32

    Excellent article!

    There is tremendous truth in it unfortunately. Dumb auditors do last longer in an organization that fosters such professionally unethical behavior.

  33. ITaudit
    February 3, 2010 at 11:05 PM | #33

    Wow, I thought my posts were long!

    I’m not sure that dumb auditors last longer than those who find problems and are more creative in their audits. It depends on the company. Some companies actually value their auditors (I actually worked for one–wait, I was laid off, hmmmmm).

    My layoff aside, I think what does matter in many “successful” people, auditor or not, is how you handle issues and how hard you push them.

    I’ve always viewed my job as a security analyst or auditor as one who surfaces risks and provides the options for handling them. Then I stand back and let management do their job (manage). Sure, they fail to manage “appropriately” sometimes, but hey, I did my job.

  34. Cinthya
    March 11, 2010 at 2:47 PM | #34

    Tienes mucha razón en muchos puntos que comentas, sobre todo porque he tenido la fortuna de trabajar con auditores Dumb y también con aquellos que son más inteligentes.

    He podido identificar muchos de los puntos que mencionas han sido aplicados por ambos tipos de auditores debido a que en tiempos de recesión es necesario y una prioridad mantener los trabajos por diversas causas.

    Y al mismo tiempo que leo esto, también me surgen dudas, porque muchas veces hay que mantener una actitud positiva, como dices en el punto 10 aún cuando de antemano sabemos que regularmente a tus espaldas esto sucede, te asesinan en las reuniones o te recortan o simplemente te aislan.

    No sé que sea lo ideal para todos pero con este artículo me quedaron claras cuales son las cosas que no quiero hacer.

    Saludos a todos.

  35. March 12, 2010 at 1:27 AM | #35

    Cinthya,

    Estoy muy contento porque de nuevo has visitado mi blog. Pues como sabes, lo que escribi es un problema universal para todos los auditores. Me agrada que has podido encontrar valor en el articulo, y te pueda alludar a navegar con los “Tiburones.”

    Lo que dices sobre los tiempos de recesion es 100% correcto. Y es necesario sobrevivir. Para cada persona la manera preferida, etica y moral es diferente. Como decimos los cubanos “A la hora de los Mameyes, nadie se aparece con un cheque para pagar la renta!” Sigue tu sentido comun…. Y nunca te quedes en un lugar donde no te respeten.

    Saludos

  36. Papa_K
    May 5, 2010 at 3:51 PM | #36

    Not my real name for obvious reasons. Joel Font you are my hero. I just finished reading though the previous article “Auditing Career – Dealing with Mentally Unstable Managers” and now this one. Two very well written, well though out articles. Thank you. It is refreshing to hear these things from another auditor.

    They say that you never become an ex-Marine. I feel the same is true for auditors, you never become an ex-auditor. I started my audit career with IRS and they taught me an invaluable lesson, audit the individual as well as the books.

    I am now and have been a CISO and ISO for the past 8 years. I am returning to my roots before I retire as an auditor. I can tell you I’ve never liked work papers that was always a sore spot with me. But being able to ask the questions to cut through the bs was one of my best abilities.

    As an IRS auditor, in several cases I was able to find unreported income in a matter of a few hours. And I don’t mean a few grand here and there, I’m talking a quarter of a million in less than an hour. As an IT auditor I could find internal control problems and findings just interviewing people.

    I was once told how secure a system was, I was also told that I could not touch any computers at their site nor could I bring a computer into their site. I asked the system administrator, before all the “C” level people to help me as I asked her to use the mouse to right click a file logged on as guest and managed to get admin privilege with two mouse clicks. The room was filled but the only sound you could hear was the hum of the AC.

    It’s not easy for an auditor to step out of that role and into the role of an ISO with all that experience and expertise. Actually it makes it very difficult because you know how simple you can make things to provide better internal controls yet for some ‘unstable mental’ reason they resist.

    You have helped me make my next decision.

    It’s also difficult to be a ‘smart auditor’ if you have a family to feed and a career. Many would rather look the other way. I’ve always felt that if I’m expected to toe the line then it shouldn’t be difficult for others to do the same.

    I’m not an anal type of auditor, my philosophy is basically the way I drive. On the road of audit or life you tend to go with the flow of traffic. There are speed limits but you can’t always drive 55. There are times in early morning rush hour traffic when the speed limit is 60 but the traffic flows at 15. The minimum speed limit is 40 so is everyone breaking the law? So if the flow is 70 and the speed limit is 60 are we still breaking the law?

    The point there is I audit according to the flow of traffic, with all other controls accounted for I can go with the flow. If there are mitigating controls I can logically analyze them, insure that they will not affect another critical area, question the circumstances within the process and when it all fits I can go with the flow.

    Thank you Joel. I would love to buy you lunch one day.

  37. Marusja
    November 17, 2010 at 2:49 PM | #37

    I absolutely agree with the title of the post.

    But, what is it “to be smart”?

    If you love your work and if you want to have professional longevity, you will close your eyes on many subjects you find doing audits. For me it was not possible, and after 5 years of audit career I’m gonna start something more independent.

    M

  38. Janet B.
    December 4, 2010 at 12:59 AM | #38

    Joel, this is a fantastic article. Thank you for posting this information.

    Janet

  39. Wendy Brinson
    July 16, 2012 at 3:40 PM | #39

    I’m currently in a position to decide just what I want to do with my NCSO designation. In the interest of keeping all my options open I completed the “practicum audit” and chose a company a very dear friend of mine works for. Perhaps that was an error. Regardless, I went in with grand ideas of doing the best audit I possibly could.

    I worked hard, taking my time, trying to be tough but fair. I enjoyed the task a great deal so imagine my surprise when their safety plan failed. During the entire process, as suggestions and low scores stacked up, I was continually plagued with this one nagging question. Why and how had this company passed their previous audits as the manager reminded me multiple times?

    I admit, I was concerned for my friend when I went over the final results with the manager. They had not passed my audit after all but since it wasn’t a “real” audit I had no real fears. Besides, their failure is not my doing, I’m merely pointing it out. Regardless, here is this student, newly introduced to the system of auditing and I had the nerve to fail a company that is getting the thumbs up from not only their internal auditors but their externals as well. So where is the failing?

    I believe the reasons are just as you stated in your article Joel. The internal auditors are not rocking the boat, or frankly doing their jobs, for fear of becoming unemployed. The external auditors are in the same position, but perhaps on a larger scale. This external company has been passing them for years and will likely continue to do so until a major incident occurs and all these processes are put under a court ordered microscope. But the point is, the external auditor does not want to lose a client and thus says all is well every time they call him in.

    I don’t know the answers either. There are definitely ethical, moral and political issues at play. But one thing I do know for sure is companies should be allowed to use the same external auditor again and again as it seems to be to closely related to the relationship an internal auditor has with said company. If they are vying for their jobs at the internal level, so to is the external auditing company that wants to remain the client’s first choice.

    The need and desire to be employed full time without the fear of job-loss from only doing my job is making me reconsider auditing as an option. That is a sad statement indeed…but so is it the truth.

  40. Manuel
    September 4, 2012 at 2:41 AM | #40

    Excellent post. Thank you for taking time to share.

    Manuel

  41. Mavrik
    January 12, 2013 at 12:03 PM | #41

    Mortgage or kids or not, ultimately we all have to live with ourselves and do what we know is the right thing to do. For me it’s never been a dilemma and like Elliot I have quit my job rather than compromise and ended up in a more ethical company with better pay. Follow your heart. It works, it does.

  1. November 30, 2009 at 1:47 AM | #1

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 44 other followers

%d bloggers like this: