Editor’s Note: Robert Stewart is a former Big 4 auditor and ex-Marine who has since served in several executive management roles in both Internal Audit and Corporate Finance. He is also the founder and chief contributor to the online accounting and audit community, The Accounting Nation. Outside of work, he is a husband, father, brother, writer, and woefully inadequate aspiring triathlete.
Alright, CFO.com, with your latest contribution you’ve satisfied your requirement to pander to your internal audit constituents. If you put a little more effort into the headline, they might read it too. With an article paraphrase like:
A biotherapy firm’s continuous controls monitoring program, which is essentially run by its internal audit team, is credited with creating numerous (though unquantifiable) benefits
you’ve assured that nobody will read further. Talk about hard hitting journalism. Grabs ya’ right by the goods and begs you to read more…doesn’t it? Well, I did read more. Because I am an idiot. Because I need to get out more. Because I’m an internal audit junkie. And mostly because I just love the apathy directed at internal audit by “real” business people.
This article touts the benefits of implementing a Continuous Controls Monitoring system through the “success” story of Talecris Biotherapeutics, a $1.4 billion provider of injectable medical treatments.
Here’s what I have to say about some points in the article:
• The quote that exemplifies why there is such apathy toward Internal Audit: “‘We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them monitor it,’ states Mary Anne Tourney, IAD at Talecris.” This, of course, is bullshit. YOUR JOB IS TO HELP MANAGEMENT.
Don’t twist the IIA Standards to relinquish one of the tenets of your responsibilities (i.e. to offer “advisory” services to management). Hiding behind the independence argument is cowardice. Maybe if you acted like a member of management, they’d treat you like a member of management (and CFO.com might capitalize your title in its article).
• As for the program’s ownership, Tourney states that management designs the controls, ‘But we control the program in internal audit so the parameters of the tests don’t get changed without our knowledge.’ WTF? Where is your independence argument now? Listen, you can’t just apply the standards when they suit you and bend them when they’re inconvenient.
• Miklos Vasarhelyi, a Rutgers professor, states that quantification of the CCM program’s effectiveness is difficult and it’s “flaky” to do too much quantification. At another point in the article, Talecris declined to comment on how much it has spent on the CCM system.
This illustrates another point that internal audit practitioners need to understand better: it’s not just about having an en vogue system that you can brag to your fellow IA geeks about at the local IIA chapter meeting. It’s about spending the company’s money where you get the greatest return on investment. Calling the act of quantifying the ROI of the system “a bit flaky” illustrates why this guy is a professor instead of a CFO. Shareholders don’t care if you have the Cadillac of internal control systems unless it translates into increased shareholder value. This may not always drive the best behavior but let’s face it, that’s how the game works.
Look, the jury on CCM is still out in my book. Although I believe the foundation is sound, I’m not sure about the relative importance in the web of controls chosen by an organization to mitigate its risk. It is, after all, still a back-end monitoring tool that detects anomalies after they have occurred and I’m inclined to spend more of my money on the preventative controls rather than detective controls.
And to all you Internal Auditors out there, stop being afraid to consult management on their internal controls and make control recommendations. THAT’S. YOUR. JOB. You can’t implement or own the controls, but for god’s sake, share your knowledge to improve the organization. It’s the only way for internal audit to start getting some respect (it’s a good start anyway).