I'm out here in Coyote and Roadrunner land, knee deep in internal auditing. I co-presented yesterday on privacy, as a co-author of an Institute of Internal Auditing publication.
It's been a interesting couple of days, driven in part by the isolation of the location. As attractive as a golf/casino resort may sound, it's not so groovy if you don't golf, don't gamble and didn't have the foresight to rent a car. I can meditate on the cacti, and read. I packed a couple of books to get me in and out of the Internal Auditing mindset: The Digital Person by Daniel Solove (highly recommended), a Kierkegaard anthology (because what is auditing but fear, trembling, and sickness unto death?) and Nassim Nicholas Taleb's The Black Swan (I've been alternately writing "YES!" and "BULLSH*T!" in the margins. (It's my policy to keep the margins safe for work.))
But this morning I had my own inverse Damascus moment, as Bill Power (if that is his real name) of the PCAOB was giving the assembled throng his information technology application auditing method, as demonstrated through a manufacturing case study. It was interesting enough as analysis of manufacturing financial systems go (yes, exactly that interesting), but at the end of his case study it seemed to me that he just plopped Red, Yellow and Green Legos into the risk spaces in his spreadsheet, and chalked it up to judgment. In fact, one of the slides read something like "RISK ASSESSMENT IS ALL JUDGEMENT" (I'd quote directly, but his presentation is not on the conference CD-ROM. I do remember he spelled "Judgment" with two "E"s.)
O.k. Sure. Risk assessment without judgment is pretty worthless. And auditors have an obligation to use their judgment to assess risk. Nonetheless, it doesn't seem worthwhile to go through all this spreadsheetin' and flowchartin' just to get to the point where you pull red, yellow and green Legos out of your velvety Audit Sack of Judgment and snick-snack them on financial information systems and processes master control grid. How about the stuff you don't understand well enough to apply judgment? I'm getting the idea that it's called "Out of Scope."
At what point does "judgment" intersect with "caprice"?
Go ahead, call me naive (if you haven't already). But it's getting dark, and I'm going to see if the cows come back to the hotel parking lot again tonight. This time I'll be ready.
Photo courtesy of The Bill.