This time I don’t have much to write on revenue assurance. Thus, I thought it would be good to just look at the related area of audit.
Over the past few months in my new role, I have heard a lot about design and compliance. Picture this: there is a head office functionary, technocrat, kahuna or don seated somewhere in Nairobi, Kenya. His title is either Chief of This or Chief of That. He enjoys a good car, a serviced apartment, weekend visits to wildlife parks and the occasional flight to the coastal town of Mombasa where he roams the white sandy beaches, to massage the soles of his feet after a month or so of serious corporate warfare (you know how bruising the battlefield can be). He is charged with ensuring that his people in the various operations receive and operate within the framework of the process that he has designed. Assume he issued this process one year ago, complete with exhortations and warnings of fire and brimstone in case people don’t toe the line. As the auditor, you come at the end of this period and you find things are not working. Two simplistic answers exist – either the design of the process was not good or the design was good but for some reason, the people in the OpCo just did not or could not adhere to the process. So the head office honcho asks that you clearly show him whether it was an issue pertaining to design or compliance. By design, he means “show me if the framework I set was somehow inadequate, and please think carefully before answering”. By compliance, he means, “show me which son-of-a-gun thought himself to be above what I asked and I will make mince-meat of him”.
For some time, I have been content with taking any of those two options – that it was an issue in design or it was an issue in compliance. But as time goes by, I find that the answers are only on the surface. What if the starting design was good, the compliance rate was good but as time went by, the business landscape changed so much that the design was no longer good or for one or several reasons, complying with this design, on the face of it, would adversely affect the business? Therefore the real workers who actually bring in the cash (which the head office functionary so much enjoys), made the call to not obey. What if the design was good, to start with, because it only compared an initial set of variables and those variables have changed, because market dynamics are ever so shifting? I posit that the whole design/compliance problem is only a reflection of what real entrepreneurship is about – breaking the boundaries and any attempt to rein in this passion will only work for some time. The question is: do we even need to?
I start from the position that controls are over-rated. It is perfectly possible to run a business that is weak on controls (the bulk of which may have been defined to sustain bureaucracy and give head-office honchos something to do, in addition to being a steady revenue source for Big4 and the myriad of other consultants – small_N?). However, those of us who have careers that depend on ferreting out these control weaknesses have to justify our existence by such frightening terms e.g. “governance”, “going concern”, “serious reputational risk”, “statutory compliance” and all manner of verbiage that makes CFOs and Audit Committees, boards and investors cringe with fear. Throw in some SoX and people quake in their boots. And yet, it is the boy who draws outside the lines who will one day be an artist. So, why do we spend a lot of time whipping the boy to make sure he only draws within the lines? The set of controls which I think are essential is minimalist. As a business we should aspire to make sure that we:
(i) Observe the laws of the land. “We are not criminals”.
(ii) Avoid intentional misrepresentations (e.g. in financial reporting). “We are not fraudsters; we don’t do creative accounting like Enron”. Very much a subset of (i) above.
(iii) Don’t rob shareholders, employees, customers and/or the wider society (in some jurisdictions, this is already a subset of (i) and (ii) above).
Well, Google says “Don’t be Evil”. That, in my view, is what we should review when auditing. The rest is fair game. Any Audit Committee that is presented with Internal Audit findings that do not address those areas should ask the auditors to sod off and let business get on with business. The head office honcho, if he can take some time off the golf course, should likewise ask auditors to tell him if his people have been bad boys regardless of whether he asked them to behave or not.
I am aware that by writing this ill-advised post which is full of reckless statements I may just have ruined my chances of ever working for a serious audit firm. That is OK – I am working hard to become one of them head office honchos!