
    Entries in due diligence (2)

    Monday
    Jan 02 2012

    The external specialization fallacy

    You can't outsource your core tasks

    There are a couple of essential tasks you cannot outsource:

    • If you're about to execute a coup d'etat, you can't bring in mercenaries in key roles or positions and assume you will remain in control;
    • If you want to rule a market, you cannot have key product development and innovation done solely by third parties;
    • If you want to fundamentally change the way your organization functions, you cannot have a full successful reengineering done by an outside consultant;
    • If you want assurances your business is run with due diligence, you cannot outsource your internal audit function.

    Why? Because the people you outsource this function to don't care as much or are not as informed as people on the inside. After all, they are but guns for hire. When the job is done, their work is done, and they move to another role or responsibility. Even worse, who do you believe defines when the job is done? You, the client? Don't bet on it. The job usually is done just about when the money runs out.

    Providing assurance on due diligent behaviour is a core task

    Your organization is likely to be about a very specific set of services, products or solutions. That's what makes your organization special. That's what clients come to experience or purchase. Some organizations are more specific than others, but the way they function internally is usually very specific and requires both a deep knowledge of the processes themselves as well as a thorough understanding on how these processes came to be what they are.

    Now, in order to provide assurance on due diligent behaviour by all people involved, you need people who understand what is going on in the organization and why it is going on. Your assurance providers need to be specialized, not only in your business, but in your organization. In order to provide your organization with the most relevant value for money findings and recommendations, the internal auditor needs to be able to take the time and develop a deep understanding of your functioning.

    The specialization fallacy

    Most internal audit service providers will try to convince you of their uniqueness (let's be real here, they really aren't that special) and the skill set of their advisors. A couple of issues:

    • The leverage model dictates a 1 to 3 (123) hierarchical structure to make a project profitable. Remember the mercenaries above who leave when the money runs out? A typical service provider aims at providing you with three juniors for every senior, with three seniors for every manager, with three managers for every director or partner. Given that deep expertise on average requires 10.000 hours of hard work, and that real chargeability will run at around 60% for seniors or above, which is where the real learning happens, you can make the calculation yourself. The more experienced the advisors are, the less likely you are to find one of those on the team being proposed to you;
    • Service providers often claim sectoral experience. At the same time, they claim firewalls between their teams. This to me just doesn't add up. In a competitive environment, either you have sectoral knowledge gained at a competitor, in which case you should not be on the team, or you have no knowledge of the sector that is relevant to me;
    • If not sectoral experience, they can bring technical experience. I agree that under certain, very strict conditions, it makes sense to outsource a very technical aspect of a job because you don't have adequate knowledge of the area. However, the number of cases in which this is applicable is limited to mainly specific ICT areas. And even then ...

    Bottom line, the specialization you need access to the most should not be available due to firewalls in place between teams in a sector. And it's unlikely someone will have invested significantly in your organization ... because the return usually isn't there, except for really large organizations. And if this is the case, if a consultant has invested so much in your organization, where is his independence? How independent can you remain if your goal is to be paid by this organization?

    But what about experts? Experts working for a service provider are most often no longer actively involved in the practice. They have an expiration date.

    Even the best technical auditors cannot make up for a lack of knowledge about the specifics of the business and the organization.

    What works

    For internal audit to be relevant, and to be able to provide adequate assurance on due diligent behaviour by the collaborators of an organization, it requires deep expertise in the business or the possibility to develop this expertise. An external party often has neither the means nor the intention to invest adequately in building this expertise.

    Deep expertise needs to lead to good risk assessments and the development of efficient, effective and economic audit activities focused on relevant audit objectives and audit areas.

    When using external support at all, this external support can at the earliest be asked to assist in developing audit work programs. Their aim should be to optimize the audit approach, not the objectives nor areas.

    The actual audit execution should, where possible, remain with the internal auditors, supported where required by ad hoc expertise which can then be acquired at the best market value.

    Final reporting should always remain with those responsible for internal audit.

    Providing assurance on due diligent behaviour

    is a core responsibility of internal audit. The audit committee needs to have adequate assurances that the work done is not determined by the available budget for outsourcing, but rather by a deep understanding of the need of the organization to function at the best possible level, an understanding most efficiently developed from the inside.

    Saturday
    Dec 31 2011

    The Three Laws of Due Diligence

    The emptiness of due diligence

    Looking around in current day to day business, I see less and less evidence of due diligence in its core meaning. At least the core meaning I learned but mainly understood based on practical experience. The idea of due diligence has been replaced by a number of elaborate governance frameworks which did not necessarily add to the practice of due diligence. On the contrary, these frameworks often created an escape mechanism for culprits aiming at formally complying with the concepts while at the same time ensuring their direct responsibility was as limited as possible. We can have a long discussion on due diligence, but this being New Year's Eve, I wanted to give you my interpretation of due diligence. For me, due diligence is inextricably linked with a set of core "beliefs" from my youth: the three laws of robotics as defined by Isaac Asimov.

    My definition of due diligence

    To convey what I refer to when referring to due diligence, I'll try to define it. In order to go to a good, applicable and pragmatic definition, let’s first look at the two words individually:

    • Due: owed or owing as a debt, either as a natural or moral right or according to accepted notions or procedures.
    • Diligence: persevering application, or the attention and care legally expected or required of a person. The adjective related to diligence is “diligent”, which Merriam-Webster defines as “characterized by steady, earnest and energetic effort, painstaking”.

    And what does due diligence mean according to Merriam-Webster?

    • Due diligence: the care that a reasonable person exercises to avoid harm to other persons or their property

    A Dutch translation

    In Dutch, we translate “due diligence” by “goed huisvaderschap”, which can be loosely translated as “behavior equal to a prudent family man”. I like this translation at an emotional level because it links behavior in the context of a firm to a subjective but intuitively well understood moral high ground in the personal context. It's a lot closer to home, a lot more concrete. Most of us understand what being the prudent person responsible for a family entails. However, let’s return to due diligence.

    Interpreting the definition

    Based on the Merriam-Webster provided definitions above, due diligence as a key requirement in the context of good governance is the persevering application of care and attention owed as a result of the responsibility entrusted upon a group of individuals. When you are bestowed with that responsibility, you immediately owe a very high level of care and attention to those who bestow this responsibility on you.

    I’ll go further than that. Those who bestow this responsibility upon you are not only your shareholders, who come in with means and ask for a return. No, it’s all of your stakeholders, your collaborators, your clients, your environment and in a wider sense society. But how could you, as the person responsible, manage this? You need to exhibit on a continuous basis a behavior equal to a prudent family man. But what does that mean? What are stakeholders, for that matter? They remain so abstract. Here I want to make a very long stride and perhaps risk injury in the leap … let’s look at science fiction literature ...

    Using Asimov’s “Three laws of robotics” to provide a baseline for due diligence

    When I was young, I voraciously read science fiction. One of my favorite authors was Isaac Asimov, and of his work I adored his novels and short stories dealing with robots. Now, in his 1942 short story “Runaround”, Isaac Asimov introduced a set of laws which were to provide a framework for the behavior of autonomous machines. By rephrasing these, we can have a guiding framework which serves as a baseline for due diligent behavior of a company. I’ll always start with Asimov’s original law and then rephrase it for the due diligence baseline. After this definition, we'll explore how these baseline rules, if applied, could have influenced organizational behaviour. Again, this comparison may not work for you, but it works for me:

    1. First law of robotics: A robot may not injure a human being or, through inaction, allow a human being to come to harm - First law of due diligence: An organization or its management may not injure human beings or, through inaction, allow human beings to come to harm.
    2. Second law of robotics: A robot must obey the orders given to it by human beings, except where such orders would conflict with the first law. - Second law of due diligence: An organization or its management needs to account for its actions to real human beings representing stakeholders, not other organizations, and needs to respond to these human beings, except where such response would conflict with the first law.
    3. Third law of robotics: A robot must protect its own existence as long as such protection does not conflict with the first or second laws. - Third law of due diligence: An organization or its management must protect the existence of its purpose as long as such protection does not conflict with the first or second laws.

    Applying the laws

    How would the application of these simple but at the same time accessible and complete laws have influenced recent socio-economic events?

    Law 1 would have prevented a number of precursors to the 2008 financial crisis. It would not have allowed selling of derivatives of subprime loans to other parties. That would be a clear violation which would have resulted in the harming of human beings. Pushing up a market for own profit until it starts to default in massive numbers, chasing millions of people out of their homes? A clear violation of the first law.

    Law 2 would have reshaped current power concentrations in certain markets, would ensure appropriate levels of quality in delivery and production and would have influenced environmental impacts as well, in as far as these are not covered by the first law. If management, charged with continuous behavior consistent with a prudent family man, had to explain, on a regular basis, what they had engaged in and how this contributed to their purpose, to a group of people which were a true representation of all of their stakeholders, I dare to assume the critical questioning would have been more stringent and more relevant, potentially leading to early changes in organizational behaviour.

    Law 3 would ensure a focus on continuity and shareholder value as well as long term contribution to a wider group of stakeholders, but only after the conditions under laws 1 and 2 are met.

    In absence of these laws

    I believe internal auditors need to dare ask the hard questions. They are, currently, after all, the prime guardians of due diligent behaviour by the organizations they audit.