Sunday, December 28, 2008

The War Room

Auditors need dashboards too.

In an earlier blog post (Dashboards), I discussed the joy of auditing parts of the organization that were actively using trustworthy dashboards. Even if these dashboards aren't comprehensive, the thought process required to establish and review them drives a control-minded management team.

But our audit clients aren't the only ones who need dashboards. So do we.

Why?

Right off, I can think of two reasons. First, we need to live what we preach. If we can't demonstrate highly effective control processes, how can we hold our audit clients to the same standard?
Second, demonstrating a well-controlled audit process to the audit committee and senior management drives credibility. Credibility drives appreciation for our efforts. That appreciation drives additional funding and interesting audit projects and is, frankly, the gateway to making a difference.

The War Room strategy that we invented at RSA is a great illustration of an effective dashboard process. Along with a number of other techniques (coverage targets, planning memorandums, control self appraisals, service level agreement metrics, and scheduling tools), a War Room can be an excellent way to demonstrate a well-controlled audit process.

You see, at the time, Home Depot sold 4x8 sheets of melamine for about $15 apiece. This is the stuff from which white-boards are made. Stealing the idea from my days on NEODATA's production floor and combining it with some tactics we observed from Accenture, we took a corner of our office and covered the walls. We titled each board with an organizational risk area and it became the responsibility of the audit managers and their staff to keep the boards updated.

At any time, the Chief Auditor, Audit Committee, President, and Senior team could see what we were working on, the status of our last audits, upcoming audit work, and the key risks that were keeping us up at night. We filled the boards with dashboard details.

But most importantly, beyond the information contained on the boards, the act of maintaining the boards drove a control focus.

You see, adequately updating the boards required our team to ...
  • stay ahead of the audit schedule and plan
  • plan and hold regular conversations with our audit clients
  • develop an informal network to gather intel
  • understand our clients' true risk profile
  • prepare to discuss and defend our understanding and opinions
Every one of these things is key to moving audit from a compliance role to being a trusted partner. And, they are critical to providing a deeply informed audit opinion.
- Prescott Coleman, CIA, CISA
