The Wall Street Journal Features Chambers Book

An excerpt from IIA President and CEO Richard F. Chambers’ new book, Lessons Learned on the Audit Trail, appeared in the April 16 edition of The Wall Street Journal’s CFO Journal. In the excerpt, Chambers encourages internal auditors to anticipate and mitigate potential negative media attention brought on by seemingly insignificant details in an audit report.

The excerpt:

Early in my internal audit career, I learned how easy it is for something relatively insignificant to have far-reaching ripple effects — how findings in an audit report can be taken out of context or assigned much greater significance than warranted.

Alien Presence at TVA

When I was inspector general at the Tennessee Valley Authority, we received a complaint that some employees were using their computers for a study-at-home initiative called Search for Extraterrestrial Intelligence, or SETI. Software had been downloaded onto the employees’ computers, allowing them to help sort through radio-signal data collected by the giant Arecibo radio telescope in Puerto Rico.

When TVA employees signed up for the program, they received a free computer screensaver — and software that allowed the study-at-home coordinators, when the employees’ computers were inactive, to access the TVA computers via the Internet to help search the radio signals from outer space that could indicate the presence of extraterrestrial intelligence. We recommended that the software be removed.

It was a fairly modest report. We identified nineteen employees who had been using their work computers for the SETI project. We shared the report with management and, as required by law, I included a reference to it in my semiannual report to Congress. The local newspaper picked up on it and, lo and behold, it went viral. I remember it making the news in Australia.

At the time, the SETI computer program, which came from the University of California at Berkeley, had been downloaded by more than three million computer users worldwide. The TVA security breach was a violation of the agency’s written policy but was not considered a serious one. We recommended that administrative action be taken against the employees — something inspector generals, though not internal auditors, occasionally do. The TVA employees were warned that any future computer-security violations could result in dismissal. No evidence of damage to the TVA’s computer network was found, and TVA managers conducted a computer security awareness campaign throughout the agency.

It’s a Matter of Perspective

I wish public officials and the media had paid as much attention to some of the truly consequential examples of waste and inefficiency in the internal audit reports I worked on or supervised during my years in government auditing. But if you analyze enough audit reports, you can begin to see why certain findings resonate with stakeholders and the public in ways that much more important findings do not.

People’s reactions to findings of waste or inefficiency in an internal audit report have less to do with the amount of money involved or the consequences of the error than they do with how much they identify with the problems, usually in a negative way.

So, what’s an internal auditor to do? I learned early on the importance of putting my report observations in perspective. If the amount of money involved is not material and the problem or error cited is not systemic and poses no threat, then the observation may not even warrant inclusion in the report; you can still review such issues with management so they can be addressed without the turbulence of the “small-stone effect.”

If disclosure is appropriate, then the finding should be discussed in a way that clearly places the issue in perspective, especially if you anticipate media coverage or other public scrutiny.

If you observed nineteen cases of employees using their computers inappropriately, as we did at the TVA, you should probably mention that it was out of a total workforce of almost 13,000 people. If you find two instances of a wasteful activity within an organization, you should indicate the total number of instances examined, or express the wasteful activity as a percentage of the whole.

The SETI security breach at the TVA was a minor issue — barely a paragraph in a thirty-five-page report sent to Congress. But the idea of TVA employees using government computers to search for space aliens was manna for the media. The topic became a source of fierce debate on the Internet, and I even received a few pieces of hate mail.

Ironically, little was said in the media at the time that the same semiannual report to Congress also identified more than $70 million in questionable or unsupported costs or funds that could have been put to better use. It was the pebble, not the rock, that made the big splash.

Published by The IIA’s Research Foundation, Lessons Learned on the Audit Trail is based on Chambers’ nearly 40 years of experience in internal auditing, including directing the internal audit functions at major private and public organizations. The book is available for purchase through The Foundation.