jump to navigation

Quote of the Week – 6 Sept 2013 September 6, 2013

Posted by Audit Monkey in Quote of the Week, The Joy & Pain of Internal Audit.
Tags: , , ,

I will confess is slightly manufactured this week’s quote but I hear it so much I thought I’d share.

After you have been auditing a while, a pattern begins to emerge in terms of what people [the auditee] say to get themselves out of hole or simply throw up a smoke screen as obfuscation. On point one, getting out of hole, rather than say ‘we haven’t done it because we are lazy, can’t be bothered or don’t have the resources, time or inclination’, an item becomes ‘aspirational’. I play along with this as it saves time and effort arguing.

On point two, the old smoke screen tactics, when you’ve backed the client into a corner or they know they are on the ropes because the whole operation is a shambles and they are about to be rumbled, the standard come back is ‘it’s complex’.

If I had fifty quid for the times I’ve heard that it’s complex, I wouldn’t have to pay my bar bill on a Friday night. A couple of examples. I was doing a ‘Financial Management and Budgetary Control’ audit at a NHS Hospital and was quizzing the Director of Finance. From memory, I was asking how an overspend was going to be corrected (something along those lines – give me some latitude) and the reply was ‘it’s a complex organisation’. Leave it out, it’s a hospital; sick people come in, either by accident because they’ve had an accident or for elective surgery. The complexity lies in the actual surgery or arranging adequate staff, beds and theatre time.

Example two. I was at Financial Services firm and reviewing the underwriting process. Again, the message was ‘it’s a complex process, you won’t understand as it’s complex’. What do you think? Was it complex? No, it was simplicity it’s self. As far as I could see, there was no hidden magic or great underwriting skill.

To end, the ‘complex’ phrase often crops up with the issue of key person dependency. Key person dependency is a simple concept; if the firm relies on a sole computer programmer to maintain the mainframe system, a Director of Finance to do the tax comps, if they fall under a bus, the firm is screwed. I was posing this to a CEO once regarding reliance on an actuarial modeller. Would key person dependency arise should the modeller have a meeting with a double-decker? The CEO replied:

‘None of it is beyond the wit of man”. Sorted. Not so complex after all.


1. ITauditSecurity - September 8, 2013

The version I hear is that it costs too much (because it’s complex).

I don’t care how much something costs. Risk is risk. Risk doesn’t change based on how much a solution costs.It is what it is.

Either get management to provide the money to fix it, or get their signature indicating that they accept the risk.

The cost isn’t the important thing; ensuring management knows about the risk and deals with it is the critical piece. How they deal with it is on their shoulders (although audit gets to comment on how they handle it).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: