A few months ago I joined the Board of a non-profit health care organization. We have a budget of over $100 million a year. Like health care organizations everywhere we are fighting rising costs. Like the auditing profession, many of our costs are guided by old, unproven or totally false beliefs. Our organization provides in-home care in order to relieve the pressure on hospitals. We send medical professionals to the homes of recovering patients. One of the common services required is wound care. That involves changing the dressing on patients' wounds, either surgical wounds or in some cases bed sores resulting from being bedridden for long periods.
The standard medical practice for years had been to apply a “wet” or medicated dressing and to rip it off and change it every 2 hours. Medical science has proven that this practice actually slows the healing process. Applying dry dressings and changing them less frequently can actually heal the wounds up to 10 times faster. This is not insignificant. Some patients have wounds that are very difficult to heal. Some wounds never heal. Some patients die. I have yet to meet a health care professional in my organization who is not utterly dedicated to and passionate about the services they provide and about healing. They would be appalled if they believed they were causing harm. Good, kind, professional people can be guided by false beliefs. Yet the change from “wet” to dry dressings was difficult to achieve. In fact it was resisted. It is rather common for change to be resisted, even when the change is known and accepted to be beneficial, even when the change is not difficult to make, even when the change involves stopping something rather than adding something.
I believe it is happening to internal auditors today. The fundamental frameworks and practices that guide internal auditors are largely belief based. They are institutionalized. They blind even the best, most proactive progressive practitioners to progress. Much of what we have come to believe is false. Some of our practices perpetuate harm.
Here is my interpretation of why the change in wound care practice was difficult. First consider the patients and their families. They have been trained to expect a change in the wound dressings every two hours and demand it if it is late. The professional standards of the health care professions, to the extent they are written, are slow to change. Job descriptions and service agreements specify the old practices. Stock rooms are managed so that when the “wet” dressings run low, they are replenished from the supplier. Procurement has negotiated contracts with the lowest bidders and they have factories and warehouses devoted to keeping the supply chain of wet dressings replenished. Ordering new dry dressings takes time, requires one or more RFPs, contracts, additional storage space, etc. And life goes on. Or in some cases, in the health care business, it ends.
The most insidious problem, though, is not that change is slow. That in itself is bad but is not the worst problem. The worst problem is that institutionalized bad practices, however well intentioned, drive good practices out. Bad practices, especially belief based bad practices, those which do not and never did have any evidence behind them, form an almost impenetrable barrier to progress. Belief based practices are emotionally charged. Facts won’t change them.
There is very little fact based evidence to support the belief that the control based approach adopted by COSO, AS5 and the auditing profession generally has been effective. Every 10 years or so COSO publishes research on the incidence of fraudulent financial reporting. The most recent report, soon to be released, analyzes 347 SEC Accounting and Auditing Enforcement Releases (AAERs) dealing with fraudulent financial reporting in the period. The previous report, covering the 11 year period ending in December 1998, covered 300 AAERs. Incidents of fraudulent financial reporting were up, not down. Clear evidence exists from these and other studies that the roots of fraudulent financial reporting lie in smaller companies and lie at the top of those companies. Sarbanes Oxley and AS5 have been implemented in a way that focuses on larger public companies and largely at a transactional level in those companies. Most frauds are related to senior executive integrity and weak board oversight. Most “control” documentation is related to computer controls and such things as segregation of duties at a transactional level. I would call them “wet dressings” in the fight for the cure to fraudulent financial reporting and other critical GRC failures.
In a blog post I wrote last week, I made a not so facetious comparison of the stellar safety record of commercial aviation in the US and reporting on internal control over financial reporting. It generated calls and comments from commercial airline pilots. I asked them what they thought was the most important single thing that caused the persistent decline in air safety incidents despite the dramatic increase in aircraft complexity and air traffic generally. Did they attribute air safety to increased inspections and audits by the FAA? Did they claim the increased automation of aircraft made them safer? Was it better aircraft design? None of the above. The factor that came up repeatedly was advances in flight simulation and increased use of flight simulators. In other words, pilots are better trained to deal with flight risks and better trained to control the aircraft in a variety of emergencies.
Who is training Boards, CEOs, senior managers and staff in better risk and control management in business today? Is it happening in business schools? Not that I can see. In my blog I went on to identify several other significant practices in the commercial aviation regulatory framework that are absent or underemphasized in traditional audit based approaches. Among them were standardized incident reporting, performance statistics and root cause analysis. Trends can be analyzed and reported. We can track and monitor airline safety incidents and their root causes. We simply do not track, analyze or do root cause analysis in the world of GRC.
The principles that will vastly improve the track records of GRC failures are well known. Their effectiveness has been proven. They are not difficult to implement. All the required tools, technology and frameworks exist today. I believe the logical group to lead the change is internal audit. I’d be happy to speak to any auditors, or others for that matter, on what specific things can be done within the IIA Standards to make this happen. I’ll be expanding on these ideas in an upcoming Webcast with Compliance Week.