When the NSA surveillance mess came to light, it was in the form of an internal audit report. And the reaction of the news media was largely what one would expect: “Internal audit reveals NSA exceeded legal authority” [jurist.org], “NSA admits mistakes” [cnn.com], “NSA violated privacy rules thousands of times” [news.cnet.com].
Here’s my question: Why didn’t anyone write, “Internal audit discovers errors, which is exactly why internal audits take place”? One good reason is that it’s dull. But more significantly, it contradicts the critics, who want to claim there is insufficient NSA oversight. The fact that the very existence of the audit report is evidence of oversight is somehow lost in the mix.
Being the fan of audits that I am, here’s how I’d like to see a Congressional inquiry go down:
Senator: “And were you aware of all of the privacy violations?”
NSA representative: “Yes. We saw it in the same report you saw. Our audit department does a good job. That’s why we have them.”
Senator: “And why have you done nothing to stop these errors?”
NSA representative: “We are doing something. The audit led to a corrective action plan that is being tracked against target dates. As I said, we have faith in our audit process to catch these things and guide how we fix the underlying processes.”
Senator: “I am getting bored. You, sir, are not helping me whip up support for my reelection.”
NSA representative: “We have project plans if that would help. Did I mention our audit department has management’s full faith?”
Senator: “You are dismissed.” (Turns to staffer and whispers, “How soon can we get Alex Rodriguez in here?”)
It’s easy to believe the more unrealistic side of this exchange is the senator, but I think it’s the mythical NSA representative: Very few organizations embrace their own audit function to this extent. Think about it. When was the last time you went through an internal audit? Did you welcome the process as a chance to root out potential problems or did you cringe at every turned page? When was the last time you heard someone say, “Make sure you put that down in writing, in case there’s an audit”? Nobody wants to get an audit finding. And at one company I used to work for, an audit finding led to $0 bonuses for everyone involved. The temptation was to cover up as much as possible, rather than use the power of audit to blow the whistle on poor practices.
Indeed, adversarial relationships with internal auditors often mask the true role of audit, which is to reveal and help solve process problems the organization can’t solve for itself. These are often the kinds of problems that, when revealed more broadly, can cause far more grievous harm to the organization’s reputation.
Consider the tobacco industry during the debates over the health effects of smoking, or the U.S. auto industry when Japan was hammering it in quality. Internal reports to management showed the problems clearly. What was lacking was management’s commitment to bring those problems to the fore.
But not all internal control departments are so weakly supported. And the thing that amazed me about the NSA leak was the granularity of audit’s analysis: the exact number of violations, the causes of each. Amazing! Bully for audit! It may be boring, but audit gets a bad rap.
I imagine a better world, one in which audits get the respect they deserve. Perhaps one day my imaginary headline will come true. “Audit uncovers missteps; problems to be addressed.”