Tata Group
 
 
Features links
Articles
Interviews
Speakers' Forum
Related info
Tata Tea profile
print this page
  Speakers' Forum
 
The risky side of auditing

Internal auditors, that breed whose job it is to see what ordinary mortals don’t or can’t, have to change constantly and considerably to cope with a world where nothing remains constant. H. R. Khusrokhan* explains what it takes to be a good internal auditor in the age of transformation

H. R. Khusrokhan

Life in the not-so-distant past – in the good old days, as people of my generation would say – was so simple and predictable. But the life of the poor individual known as the internal auditor was never really simple, even in that long gone past.

The internal auditor was always obliged to be the savant, the visionary, the super snoop, the only guy endowed with clear vision in an organisation where all others wore wrongly-numbered spectacles. He was the person supposed to, whose sole job was to, see and spot dangers others were conveniently, and sometimes explicitly, exempted from looking for. Why? Because "it clearly isn’t their job", or "they do not possess the skills or expertise".

Each year this poor individual was burdened with the onerous task of taking the management by the hand and leading its denizens through a field of landmines and delivering them to safety. From the auditor’s point of view, managements have always been peopled by the severely myopic (if not totally blind), people who were absent-minded at best and negligent at worst.

What made life a little simpler for internal auditors was that they knew the pitfalls they would encounter, that the turf to be traversed was a minefield. The auditor was equipped with a metal detector and all mines then were made of metal. As long as the auditor took reasonable care and as long as he had a decent dose of that scarce commodity called luck, he could make it across.

With experience, auditors became adept at anticipating and understanding the typical pattern in which these landmines were placed. That helped them avoid common pitfalls, and even allowed them the liberty of throwing away their metal detectors. These experienced internal auditors led the blind (or nearly blind) across the minefield before quietly disappearing into the wings, leaving the ones they had led on centre-stage at the annual general meeting, looking as pleased as punch and receiving all the applause for a job well done.

Things have changed today, unfortunately for the worse. The minefield now has to be traversed on a dark night; mines are no longer made only of metal; they can evade even the most sophisticated detection devices; and there are invisible trip wires requiring laser vision to spot. Worst of all, the mines are no longer placed by a sane, predictable person, but by maniacal geniuses with corrupted and devious minds.

Life certainly has changed and become far more complex and unpredictable over the years. Extrapolate from today’s experience and the future seems frightening. We are entering a new millennium where many things will be different from what we have been used to. The knowledge and experience of the past will not do us much good and we will have to find new ways of managing and living with uncertainty.

Let’s map some of these profound changes:
The marketplace has certainly seen dramatic change in the last few years and will continue to be increasingly more amorphous;
We now have markets with no boundaries and barriers to free trade are coming down all over the world. The World Trade Organisation has created a new trading order with a new set of rules. The openness of markets is something we will have learn to live and deal with. Competition will not just be local — and therefore known and visible — but global and totally unexpected.
With the rapid growth of e-commerce and e-business, the visible and tangible markets we have been used may vanish over a period of time. Face-to-face contact between buyer and seller could vanish; business will be done from the home or from offices with zero visibility of client or customer and there could be zero physical movement of people. Physical markets will give way to virtual markets, just as paper money is gradually making way for plastic money.

It’s not just markets that are changing; so are the products being offered:
Products become obsolete within a few years of being introduced and shorter and shorter product life cycles are the norm. Examples: Changes in the audio and video mediums; office automation (telegrams, tele-printers, telexes, faxes, digital and intelligent photocopiers); the rapid obsolescence of IT products (take the time gap between Pentium and Pentium III).
In pharmaceuticals, it once took 10 years for a similar drug to be introduced once a breakthrough discovery happened. It took 10 years after Inderal for the second beta-blocker to be introduced; it took six years for the second anti-peptic ulcerant (Zantac after Tagamat); it took four years for the second anti-retroviral drug (3TC after AZT in Aids therapy); it took just three months for the second protease inhibitor to follow Inverase in Aids treatment.

As products become obsolete quicker, there is less and less actual differentiation even among those available. Uniqueness and novelty are being replaced as selling points for products by value differentiation, by creating lasting customer relationships built around service rather than the product itself (pharma companies are now offering disease management services).

Technology and human knowledge — the greatest change of all
The examples I present are from a field I’m familiar with: drugs and the discovery drugs.
 Consider what combinatorial chemistry and high throughput robotic screening have done to drug discovery. Old paradigm: one chemist, one compound, one week. Today: one robot, 5,000 compounds, one night.
The human genome project started six to seven years ago and is likely to be completed between 2001 and 2003. Human DNA is made up of 3 billion pairs of neucleotides. When the project is complete we will have a map of all the three billion pairs.

A parallel project that started two to three years later has already started identifying genetic dissimilarities between people. It has been found that 99.9 per cent of neucleotides are common to all humans. Only 0.1 per cent, or 300,000, differ. These unique genetic abnormalities are known as ‘single nucleotide polymorhisms (SNIPs).
Researchers have already started trying to identify genetic markers that will identify whether you or I have any SNIPs, which will establish why I am prone to a certain disease while you are not. Along with credit cards and identity cards we will, in 10 years, be carrying our genetic cards in our wallets. Or certainly cards that will identify certain genetic markers we possess.
Doctors will plug these into their computers and be able not only to prescribe a tailor-made drug for the disease you have, but they may also be able to manipulate that genetic defect and eliminate the risk of you getting a particular disease.

We now also have the ability to replicate life. A small scraping of skin from your cheek, which contains your DNA, is all that is required to make an exact replica of you. Dolly, the cloned sheep, would — if laws had permitted — have been followed by Hubert, the cloned human.

Ethics and morality
Technologies are becoming more complex to learn and understand but simpler and simpler to use. The last change I am going to refer to is something that is the extremely difficult for the majority of people to come to terms with and accept.

We see corruption and immorality of a scale we have never witnessed before: corruption at the highest levels in countries around the world, the criminalisation of politics, the general erosion of values, the list goes on.

Today’s newspapers read like the porn novels of my time. Nothing is sacred. The question is: How much lower can it get? The mushrooming growth of computer viruses is a clear example of the shape of things to come.

In a recent survey on fraud, 74 per cent of the respondents chose ‘the weakening of societal values’ as the No 1 cause of fraud, followed by a lack of emphasis on the prevention and detection of fraud. The changes I described earlier, read in conjunction, mean that knowledge will be put into the hands of people whose moral values are becoming more and more suspect.

One has to seriously question and ponder what the role of a function such as internal auditing will be in a world that is changing too quickly for people to keep up.

The internal auditor’s role must change fundamentally
The internal auditor can no longer be just a super sleuth; he has to become an expert trainer of managements.
He cannot function as a one-man army; he has to build an army.

He cannot be the sole repository of certain skills; he has to create those skills in managers around him.
He has to ensure that managements understand the fundamentals of risk management.
He has to get managements to understand the principles of control assurance, just as quality control managers of the past have had to teach their production colleagues about quality assurance.
He has to make every person in the organisation understand and appreciate that prevention is always better than correction.

Risk management needs the involvement of all managers
All managers need to be involved in risk identification, risk appraisal and risk management. Risk is no longer the sole concern of the internal auditor and the finance director; it should be the concern of every manager in the organisation. Managers should be encouraged — whenever they embark on large projects, major changes in strategy or major business plans — to ask these questions:

  • What can go wrong?
  • What will be the consequences if something do go wrong?
  • What precautions can I take to minimise the chances that things don’t go wrong?
  • What will be the cost-benefit of taking those precautions?

Risk assessment and control assurance workshops where the internal auditor acts as an expert facilitator is a way of jointly appreciating the importance of risk recognition in any organisation.

Learning to live with risk
The secret of learning how to manage in an uncertain and changing environment is not to attempt to eliminate risk (that would be the death knell of all enterprise and value creation). The solution is to understand and minimise unwanted exposure to risk. Different organisations have different degrees of comfort with or tolerance of risk. Each has to establish clearly understood norms for acceptable risk-tolerance levels.

Empowering others to deal with risk
Empowerment and flexibility are the hallmarks of successful organisations. The last thing one would like to do in an increasingly entrepreneurial business environment is to stifle the creativity of people. In a federal organisation risk must be managed at every level in the organisation. Decisions on acceptable risk must be taken at all operational levels and should not be passed to the top. Risk management decisions must be continuously forced downwards.

Risks that affect the future are as important as the risks that affected the past
The mindset about what needs to be safeguarded from risk has to change, and this could be the greatest challenge. Managements have not only to protect past wealth and the value created from risk, but also worry about future value creation. Few managements do that today and that truly is to me the challenge of risk management in the future.

*H. R. Khusrokhan is the managing director of Tata Tea. This article is an edited version of the presentation he made at the annual conference of the Institute of Internal Auditors of India in October 2000.         

top of the page