GUEST BLOG POST
Over recent years, I have found myself watching various specials on TV about the mythical Bigfoot creature. Blurry, distant images of ‘blob squatches’ collected in almost every state can fascinate even the biggest skeptic. We all want to see the evidence, the proof that the big guy is out there lurking in the woods. Indeed, Bigfoot is so popular sometimes I think I have seen him in our local Walmart!
DNA proof of the existence of the Yeti, however, is hard to come by. Concrete evidence always seems lacking, no matter the expert laboratory performing the analysis. What about the footprints? These certainly seem more plausible—the flat-footed gait and long stride point to something strange being out there. There are even PhDs and university professors who actively point to the data gleaned from footprints all over the United States and Canada as being part of a normal distribution, indicating that a full population exists. Wow!
All that said, most of us—myself included—struggle with the quality of the evidence. We cannot conclude easily and with clarity that Bigfoot is out there. Some believe, but many do not. When it comes to Bigfoot, no matter his social and cultural popularity, the jury is still out.
Why am I bringing up the hunt for Bigfoot? Because Internal auditors can face similar challenges in proving their findings. Management discussions may initially imply that all is well, but it is critical to perform thorough process and control walk-throughs to validate descriptions, control points, approvals, exceptions handling, and other aspects. We validate control designs and walk-through testing, or use data analytics to affirm operational effectiveness. Evidence of control performance, outcomes achieved, and management review is critical. Data conformance to hypotheses is critical when testing full datasets and positions internal auditors to size issues more precisely with a clear audit trail for all exceptions.
Show Me the Evidence
The lesson from Bigfoot is that Internal Auditors must always be skeptical. We trust but always verify. We routinely look to triangulate data points, observations, and management views, always digging deeper when necessary. We need documented evidence to support our audit findings. If we cannot see the clear evidence and validate expected outcomes, we raise a red flag. Audit findings should always be supported by evidence, and the conclusions internal auditors reach should comply with the audit methodology and be capable of independent verification as part of a quality assurance review.
When we show clear evidence to management we tend to get on the same page and clearing audit issues tends to be more straightforward and with less drama. Equally, if we jump to conclusions that cannot be clearly supported by the audit evidence, then we risk our reputations for being professional and fair. If we lack the audit evidence for a clear issue, but still think there is an opportunity for management to consider, we must share the potential insight and use it to build trust.
Open, Honest, Humble, and Candid
Lessons for internal auditors like the one Bigfoot teaches us are everywhere. Let’s move from myth to legend. The late, great Ian “Lemmy” Kilmister was many things to many people: legend, hero, scoundrel, and reprobate. He was the front man of the heavy metal band Motörhead, a world-renowned bass guitar player and singer (ok singer might be a bit of a stretch—gravelly shouter might be a better turn of phrase)! Surprisingly, the one trait besides his music that everybody who knew him mentions about Lemmy, was his honesty. He was direct, blunt, and often said unpopular things. He never claimed to be perfect and was very open about his rock-and-roll lifestyle. He had his vices and demons, like we all do. However, if you watch the documentaries about his life, and his many interviews, above all else it is his honesty that comes across loud and clear.
Despite his menacing look, he was very humble and down to earth. He never refused to sign an autograph or take a picture with a fan. He was well read and a trivia expert too, despite his own father abandoning him and his mother at a young age. He is also open about the fact that he was not really around for his own son until much later in life. Still, he was a father figure to many young aspiring rock musicians. He treated his road crew like family, and many of this team worked with him and his band for decades as they toured the world non-stop. The lesson of Lemmy is that you can’t judge this book by its cover. He was tough and he was gruff, but it was his honesty that shone through.
When Lemmy died, hundreds of thousands of people attended his funeral service virtually. Great musicians (band members from The Foo Fighters, Metallica, Judas Priest, and many others) all eulogized his music, his life and friendship, and in particular, his honesty. My sense is, if Lemmy was in management and ever asked to provide a self-assessment, he would have no hesitation to give himself Cs and Ds all the way down the page if circumstances required. He would have been brutally honest. He never dressed things up, he did not care whether you liked him or not; he was humble and the epitome of the words “open, honest, and candid.” It is no surprise then that Motörhead, despite little radio play, remained one of the most successful rock bands in the world for decades. In this respect, many of us internal auditors could learn lessons from Lemmy. May he RIP.
Keep Your Eyes and Ears Open
So, sure, these are far flung examples of how lessons for internal audit are everywhere. As we learn from Lemmy, being open, honest, and candid are critical aspects of a positive organizational risk culture. Those organizations and teams that strive for continuous improvement, and accept and learn quickly from mistakes and failures, as part of their risk culture, will thrive. Likewise, as Bigfoot teaches, skepticism is vital. We must look beyond the water cooler rumors and office scuttlebutt for the real evidence. If we look hard enough, we will find many other examples to learn from in our internal audit practice.
Management should be paranoid about emerging risks and be proactive in setting out and critically assessing key risk scenarios. Equally, internal audit should be a good sparring partner and regularly challenge risk scenarios thoroughly and independently issue reports of sufficient quality, transparency, and candor.
Reflecting on the recent failure of Silicon Valley Bank (SVB), where was management and board’s Lemmy-like openness, honesty, and candidness a year or more ago when it was evident that a U.S. interest rate shock was very likely to happen to squeeze inflation out of the financial system? Seems to me that there were significant shortcomings in basic leadership, risk management, culture and, control practices best described as Banking 101 failures. Perhaps SVB was chasing a myth with little evidence. Indeed, SVB could have benefited from a page or ten from Lemmy’s playbook. 
PHOTO: IAN “LEMMY” KILMISTER BY MARK MAREK PHOTOGRAPHY, USED UNDER CC BY-SA 3.0.
Shane Rogers, FCA, MBA, is an independent risk and audit management consultant. He is also a former Audit Managing Director and U.S.-based Chief Audit Executive with deep, partner-level, insurance, and investment banking experience globally.