Las Vegas 2022

Fireside Chat on Audit with Norman Marks

Fireside Chat on Audit with Norman Marks hosted by Gene Kim

NM

Norman Marks

Author, Thought Leader, Consultant

GK

Gene Kim

Author, Researcher & Founder, IT Revolution

Transcript

00:00:17

To introduce the next talk, I want to motivate why I asked this person here for us today. The person's name is Norman Marks, and I think he's one of the finest minds in auditing. He and I have known each other for about 15 years, and there was a project we got to work on together, and it was probably one of the most professionally exciting experiences I've had in my career. So, to set the stage, it's 2005. The Sarbanes-Oxley Act had just passed, in response to the massive fraud at WorldCom, Enron, and, you know, too many more, and it was breathtaking legislation. But one of the unintended consequences was that it created so much work for IT, often driven by the external auditors. Computerworld said at the time that, according to CIOs, SOX was rated the biggest time waster ever.

00:01:01

Someone put it very pithily: this sucks, because Enron was not caused by an unauthorized database change. So I got to be a part of this team at the Institute of Internal Auditors, where we worked with the heads of IT audit at the Big Four and the PCAOB, the Public Company Accounting Oversight Board, who audits the auditors, to see if we could create an endorsed set of scoping guidelines for IT audits. In other words, if a failure in an internal control can't result in a material error in a financial statement, it should not even be in scope of the audit and therefore shouldn't be audited. So, to watch Norman in these scenarios, I can only characterize it as intellectual combat with the national practice leaders of the Big Four. It was incredible to watch. It was one of the most incredible professional experiences that I've ever had, and I learned from that experience what it looks like to be able to change an industry.

00:01:50

So it was really important to me that Norman Marks give his opinion on what Clarissa, Todd, and their team are and have been doing. After all, if it's crazy, it's better we find out now than later, before, you know, people get their auditor badges taken away. So he's always been a leader, both in business and in audit, to help the organization win. And he's chosen to do most of it as an auditor. He was Chief Audit Executive at Maxtor Corporation, Business Objects, Solectron, and Tosco. He's held executive positions at SAP. So, Norman, I'm so delighted and honored that you could join us today. Norman Marks. Jeff, can I get a stopwatch? Mine is on my desk. Norman <laugh>.

00:02:38

Gene.

00:02:39

Okay, Norman. This is the first time we've gotten to hang out in almost a decade. I'm so delighted that you're here. So we were catching up backstage, and you actually told me some of your reactions and feelings watching some of these talks today before we began. Could you share some of what you told me?

00:02:54

Absolutely. This is after he accused me of being a career auditor.

00:02:57

Oh, sorry. <laugh>

00:02:59

I'm all about helping the organization that I'm involved in succeed. And what I heard today is a passion. What I heard today is that we are in the middle, some of you further along than others, of a revolution, a revolution that is going to change the way in which not only IT but the whole organization is going to be able to respond in this dynamic, disruptive climate that we are in. This has been something which I've had a lot of passion about, even before I retired, which is some years ago now: trying to help people become faster, more agile, more responsive to the needs of the organizations, to actually take more risk. <laugh> Okay? In these days. And this is what you're doing. You're actually taking more risk and failing fast. I heard that today and I thought, wonderful.

00:04:01

And I heard you're breaking all the rules. Fantastic, right? Because those are rules which are slowing us down and stopping us from being successful, and we've got to get past that. And what I heard with Clarissa today, and her partner, the two of them partners, which is so wonderful to see, is a recognition that we are actually on the same side. And I think you'll find that if you give your auditors a chance, and I hope we will talk about that, they are going to not only be with you, but they'll help you. They'll actually break down some of the barriers that I know you are running into every day on your journey. Because we also not only want to help the organization succeed, but we want to help you succeed. And what I told Gene today, just before this, was that what I heard today makes me regret that I retired <laugh>. It makes me regret that I left IT. I was a vice president in IT for a while before I went back into internal audit and then into risk management. It made me regret not being in a position to be part of a change like this, which is just so exciting.

00:05:19

<laugh> That's so great. By the way, I just want to remind everyone that this is coming from someone who's held the position of Chief Audit Executive. So it's just delightful beyond words. So, Norman, let's talk about Clarissa and Todd's presentation. I can imagine auditors of a certain background may have watched that presentation and would conclude that it's reckless, irresponsible, and maybe even immoral <laugh>. So can you maybe opine on their working relationship between audit and technology, that it isn't surprising or crazy-sounding, but is even consistent with great auditors and practices you've seen in your own career?

00:05:54

So Gene, there may be this misapprehension, and it's born out of what people have experienced, right? A great many people in management have had bad audits. When I was in IT, I had a bad audit <laugh>. So, okay, I've lived through it. I've lived through the auditor coming in and telling me that all the things that I had listed as tasks in my information security product implementation were findings, and they were going to write me up for not doing anything about all of these tasks. And I said, but these are tasks I told you about. And he said, yes, you haven't got them done yet. And I said, well, should I be doing them faster with the resources that I've got? Have I prioritized? They said, yes, you've done everything right, but we're still going to write you up. So there are still some people out there, okay, who are this very traditional gotcha kind of auditor.

00:06:49

But most people today in the audit profession really, really want to be part of the success of the organization, and they are willing to adapt. And that's why people are talking about lean auditing. They're talking about agile auditing in different ways, auditing with agility, which is actually so different from what people like Clarissa's company are talking about. It's not about sprints, it's about auditing at speed, just like you are trying to develop at speed. And the other thing is that when I was in IT with this bank, I saw them move to quarterly releases and I shuddered <laugh>. I actually shuddered and said, why are you doing this? Have you talked to your customers? They were complaining to me when I was in IT audit, before I moved into IT management. They were complaining about the backlog of all the things they needed to run the business not being done. And yet you're slowing everything down. Why are you doing this? And to see all of you working to turn that on its head is just fantastic.

00:08:01

And by the way, you characterized, in the ideal, your auditor as an independent friend. Can you say a little more about that?

00:08:11

Well, one of the leaders in internal auditing is a gentleman called Richard Chambers. He was the president and CEO of the Institute of Internal Auditors, which you and I were both involved in. And he came out with what is essentially a bestseller, when you're talking about internal auditors, a bestseller <laugh>, called The Trusted Partner. And that's a concept which goes only so far. And then recently I saw something about being an independent friend. That also doesn't really go far enough, in my opinion, but it brings out the idea that the auditor has to be objective. They have to provide an independent opinion, assurance, but they also have to provide insight and advice to help the organization upgrade its processes, upgrade its services, what it's doing in terms of delivering value. And so this idea recognizes that we are hopefully trying to do things together, and it's in both of our interests to work together, as we saw in the previous session. But we can still go further. We can still go an awful lot further. And I think you're going to ask me some...

00:09:46

No, exactly. In fact, as we prepped for this, I actually was kind of shocked <laugh> by some of the stories that you told me about some phenomenal exemplar engagement models, specifically Chris Keller. Could you tell us about that and teach us what great could look like?

00:10:03

Chris Keller is a rebel, just like many of you. He saw the traditional...

00:10:12

What company was he at?

00:10:12

He was with a little company called Apple, which is not really a traditional company by any stretch. But he was with Apple, and he saw this whole idea of an audit report as being less than adding huge value, which I totally agree with, I totally agree with. And one of the things I've been writing about recently is, where is the value in an audit report? Okay? Aren't there better ways of communicating what we're doing in internal audit? And so that's another subject. But what Chris Keller did is he recognized that the greatest risk for Apple lay in their products, all the different products they were developing and maintaining and doing upgrades to. So what he did is he turned internal audit on its head and changed the entire methodology. And what he did is he embedded auditors into every different product group.

00:11:12

And their role was basically to be there as a consultant and as an advisor, making sure that management was going through an appropriate process to understand the risks and what they were doing, not to be taking too many chances of developing products that weren't going to work, weren't going to be delivered on time, weren't going to have the functionality that the market needed. And they would cohabit with the developers, with the product group, with the same objective of delivering excellence. And if they found something that they didn't like, they would then immediately, not just twice a week but twice a day, right? Talk to management and have a discussion, agree upon the facts, agree upon what needed to be done. And then they found that actually everything was working throughout the cycle of the development. And if they ever did have a problem, Chris had direct access to the CEO.

00:12:21

By the way, he was head of internal audit.

00:12:23

He was head of internal audit. Yes, he was. He was what was called the Chief Audit Executive, and he reported to the audit committee of the board, everything from a governance point of view the same as everybody else. But he just realized that his job was to help make sure the company was doing the right thing, taking the right level of risk, or the right risks, to succeed. And so, if one product organization started doing things which Chris would be told were in violation of what the board and the CEO wanted, he could just pick up the phone, talk to that vice president, whatever, and say, you know, you're doing something that the board doesn't want. Maybe we should... why don't you come over and let's just sit down with the CEO <laugh>. And all of a sudden they started recognizing, yeah, this probably isn't the right thing to be doing <laugh>. But his whole idea was: help the organization succeed by doing the thing that is right for the business. And frankly, he didn't care about those standards that Clarissa mentioned. And frankly, this is not something that every auditor necessarily understands. And this is why the professional audit standards are in the process of being changed, whoa, to reflect the need to partner with management every day, every minute of every day, to make sure that things are going right. Not to catch them out, but to help them on their journey.

00:13:57

That's all. And so, if I remember correctly, you said he never wrote an audit report.

00:14:02

Gene, he never wrote an audit report <laugh>. That is absolutely right. And frankly, on many of the projects that my team did... so the professional standards recognize this, that there are times when you're just going in to do an audit, maybe of accounts payable or sales contracting, and you want to make sure that senior management and the board understand whether things are going the way in which they should be going, and you write an audit report. But a lot of our work, maybe 20, 30, 40, 50% of the work of my team, was actually where change was happening, where systems were being developed, where new methodologies were being implemented, not only in technology but also in the refining operations, for example. And we would go in as consultants, and the only report we ever produced was to management, not to the board. Okay? And we told the board that this is what we were doing, because the best way to make sure the risks are being taken appropriately is to prevent them from being taken inappropriately to start with.

00:15:18

That's incredible. And so I'm going to ask you about your Circle K story, which is another mind-expanding example, but I feel like we should tell about the twist in the story with Chris Keller, because eventually, you know, he changed roles.

00:15:32

He changed roles. Unfortunately, what happened was the external auditors went to the audit committee and said, you don't really have an internal audit department, you have a risk function. And over his objections, the board said, okay, we'll set up a separate internal audit function to do more traditional things to satisfy the auditors. So Chris Keller was given the option of becoming more traditional, but he said, no, I believe in what I'm doing. And so he became the chief risk officer. Interesting.

00:16:06

So interesting. And it's interesting that the guidance and the standards are changing as well. So you told me another story that blew me away, in terms of a time when audit was very much interacting with the technology group in a very unfamiliar, alien way. Could you tell us that story?

00:16:24

Are you talking about the convenience store?

00:16:25

Yeah, yeah, exactly.

00:16:27

Okay. So the company I was with is a company called Tosco, which was a close to $50 billion refining and marketing company, mostly domestic in the United States. So we owned about 6,000 convenience stores, under the Circle K brand, some Exxon, some Mobil, mostly in the west and south, down into Florida. And they decided, from a business point of view, they really needed to upgrade everything in the convenience store. So they went out and they bought new software for each of these individual stores, new hardware for each individual store. And then they purchased a new central stores accounting system, which would be operating out of our Phoenix headquarters. What they didn't realize was that... oh, and in the process, by the way, they also decided to acquire new identity access <laugh>...

00:17:36

And no test environments.

00:17:38

So what they didn't realize was that the software for the stores was actually built for fashion boutiques, not convenience stores. It was running on hardware that it had never been designed for, and the central store system that they purchased was not designed for this software. So we came along and we said... first of all, fortunately, I hadn't told you this, Gene, but one of my recent hires was a techie, and he had experience with that access methodology, the IAM that was being used. And he came and told me they're doing it all wrong. I said, why are you telling me? Tell them <laugh>. And so he went, and then he partnered with them and helped set it up properly, because he had the experience that our company did not. But anyway, we found that they did not have the test environment in order, where they could even come close to simulating the volume of 6,000 stores all trying to send data to and receive data from the central store system. By the way, this...

00:18:43

Is just like The Phoenix Project. I mean, this is...

00:18:45

This is terrible. <laugh>

00:18:47

<laugh> So my team, which was two IT managers and a business auditor, so we understood that we could actually break down some of the barriers between IT and the user, okay, because we would actually act like an interpreter sometimes between the different parties. So my team came to me and told me that this is highly likely to fail. Highly, highly likely to fail, and not really surprising. And so I encouraged them to go to the steering committee for the project, which was chaired by the CFO, the CIO, and the different vice presidents of the business, and explain it to them. The project board fully understood what was going on. And they did; they looked at all the risks. They looked at the risk of going forward and failing. They looked at the risks of delaying, but they were getting close to the fourth quarter, where they didn't want to implement.

00:19:49

They were heavily reliant upon Arthur Andersen back then, or Andersen Consulting, whatever it was, AA consultants, who they might lose if they delayed. So they decided the greater risk was delaying versus going forward. So my team came back to me, all dispirited, and I said, well, okay, what do you think we should do? And they went away and came back and said, we think we know, we think we can predict where it'll fail. I said, why are you telling me? Go talk to management <laugh>. And so they went and talked to the CIO and his team and told them where it's most likely to fail. And then they worked with management to put response teams and band-aids in place. It went live, it failed in multiple places, but it failed fast, and the band-aid was applied at speed. And so it was actually a successful deployment <laugh>.

00:20:47

Awesome. By the way, a round of applause for that cool story <laugh>. Thank you. So, two questions that we need to cover in about three and a half minutes. Yes. What advice would you give to this community, who are often on the frontier of creating new ways of working that may look very alien, strange, and even dangerous to not just auditors, but maybe everyone around them? What advice would you give?

00:21:10

Realize that the auditor can be your friend. They want to help the organization succeed. And if your organization, your CIO and top management, has done a good job of persuading the senior management of the organization and even the board that this is a change that's needed and why, your head of internal audit should be part of understanding that and will understand why you want to do it. And then bring in your external... or, sorry, not your external <laugh>, your internal auditor as a consultant and advisor, because they will be objective. They will break through any bias. They will break through any potential for authority to stop people from complaining that this won't work. They will also be able to talk to your users and be a translator. They can help you. Okay? They can help you on your journey. You are breaking the rules. Get the auditor to embrace that, which they usually will, and make sure that you have new rules in place which will work effectively to address the risks of any kind of damage to the business. And trust me, the auditors I talk to, and I talk to a lot, they want to be part of a journey like this. They really want to, because they will be invigorated. They will be just as motivated as you are by your success.

00:22:33

Ah, that is mind-expanding. So, I know you're retired now, but I know that you can be occasionally coaxed out of your period of quiet reflection and contemplation. Can you describe what sorts of projects excite you these days?

00:22:45

Gene, I only do small things, because I don't want to get involved. I'm being asked to do some large projects, but I am trying to be mostly retired. But I do do mentoring and consulting for organizations. So there are some people that will call me up and say, will you help us talk to our board? Will you help us talk to internal audit? Even <laugh>. So for example, if you are having a problem persuading your internal auditor to work with you, bring me in <laugh>. Okay. I'm considered by many to be one of the top influencers in the internal audit space, and so maybe my voice added to yours will bring them along a little bit and encourage them to break their rules, because their rules are not helping them do their business either.

00:23:33

Awesome. And by the way, if I can just double down on that, Norman Marks, without a doubt in my mind, is one of the best thinkers and doers in the audit profession and many other domains as well. Thanks. So thank you so much for teaching us about audit, and I'm so grateful that you'll be available for Q&A right after lunch, I believe. Yes. Details to be announced. A round of applause for Norman Marks. Thank you. Thank you.