Some time back, I blogged about “big impact” audits, those career milestones we look back on with the satisfaction of knowing that our work, and profession, made a significant difference. Whether it’s in internal auditing or in life in general, we all aspire to make a difference. We want that feeling of accomplishment that comes with knowing we have changed the world, if even in a small way. But internal auditing is especially rewarding when we can make a big impact — when we can bring about major changes that improve operations and prompt senior management and the board to sit up and take notice.
Often, it’s not the big things, but the littlest of things that generate the most attention. We assume that those who read our reports will assess the significance of our findings and recommendations by using the same criteria as we do. However, I learned early in my career that “significance is in the eye of the beholder.” Occasionally, facts that we communicate in our reports capture the attention or imagination of the reader in ways we did not anticipate, and “all heck breaks loose.” I call this phenomenon the “Small Rock Effect,” in which something with the financial significance of a rounding error can cause a tsunami of adverse reaction or publicity.
In 2001, during my tenure as inspector general of the Tennessee Valley Authority (TVA), we reported a cybersecurity breach that had allowed an unauthorized third party access to our network after hours. It was a small rock: 17 employees (of a workforce of almost 13,000) had downloaded an application from the Internet that allowed the University of California, Berkeley’s SETI@home project to commandeer our spare bandwidth in their search for extraterrestrial intelligence. In return, the employees received a cool screen-saver.
The point wasn’t that they were looking for space aliens — the human genome project did something similar. No damage was done as a result of the breach, and the 17 employees were reprimanded for the indiscretion.
It was a minor issue, barely a paragraph in a 35-page comprehensive semi-annual report that I sent to Congress. But like the legend of the US $600 Defense Department hammers, the idea of TVA employees using government computers to hunt space aliens was manna for the media. A reporter for the Knoxville News Sentinel reported the facts, and it was distributed over the Scripps Howard News Service. Newspapers and other media outlets as far away as Australia reported the story. The topic became a source of fierce debate on the Internet, and I even received a few pieces of hate mail. Ironically, little mention was made anywhere in the media that our semi-annual report had also identified more than US $70 million in questionable/unsupported costs or funds that could have been put to better use. It was the small rock that generated the waves.
If such a small event could generate a tsunami of global publicity, imagine the waves you could make with otherwise insignificant findings in your audit reports — particularly if you are a government auditor whose reports are publicly available. Today, with the benefit of hindsight, I can tell you that context is key. I’m not saying anything could have stopped my SETI tsunami. Some things just cry out for publicity. By putting your findings in context, however, you may be able to avoid troubled waters.
I welcome other examples of little rocks that caused big waves.