Intelligence Gathering and the Future of Internal Audit
Looking for Answers in Unlikely Places

By Joseph W. Koletar

E-mail Story
Print Story
APRIL 2006 - As the internal audit function continues to come to grips with the increasing demands placed upon it in a post–Sarbanes-Oxley (SOX) environment, many chief audit executives (CAE) are turning to technology to help them cope. This may be a function of resource constraints, the need to produce timely and accurate audit assessments, or simply the availability of a vast array of products and services. Computer-assisted analytical tools abound, and systems promising “dashboard” metrics seem to be the rage. Many CAEs see these systems as a way to handle an increased workload with fewer resources. Intrigued by the promises of many a salesforce, they long for cheap, off-the-shelf, plug-and-play solutions.

Intelligence Gathering Throughout History

While technology may offer many options, and perhaps even some solutions, it is worth examining the 50-year history of a distant but instructive field: intelligence collection. Long considered the province of spies and glamorous gadgets, intelligence collection is as old as humankind. Technology has been increasingly used to gain foreknowledge of an adversary’s capabilities and intentions. In this regard, the intelligence and audit functions are similar. Both ask essentially the same question, although for different reasons: “Is anything going on out there that I should be concerned about?”

While much has been made of the use of technology to further intelligence aims in the 20th century, as long ago as the Civil War tethered balloons were used as aerial observation posts and enemy telegraph lines were tapped to intercept messages. But techno-intelligence came into its own during the Cold War, when ships, airplanes, submarines, ground locations, and satellites were used to further U.S. intelligence interests. Most of these efforts were directed at intercepting electronic data, including radar signals, missile telemetry, and electromagnetic pulses from devices and nuclear explosions, in work called signals intelligence and electronic intelligence. An allied field is the interception of communications intelligence. Billions of dollars have been spent to operate, process, and protect these sources of information.

At the same time the oldest, and arguably the most reliable, form of intelligence, human intelligence, was increasingly falling behind. The classic spy of popular culture was becoming passé simply because some of these individuals were unsavory, deceitful, manipulative, misinformed, unstable, grandiose, or plain crazy. Second, dealing in human intelligence is labor-intensive; for example, a source’s motives and usefulness must be painstakingly and continually vetted. Third, some sources are intentional “plants” working at the behest of a hostile intelligence service. Fourth, some sources have a personal agenda of revenge or opportunity, and may alter or exaggerate information accordingly. Fifth, sources of intelligence can be the source of their handler’s ruin. Former FBI agent John Connelly, now in prison, was convicted of serious misdeeds during his handling of several organized-crime informants, and former FBI agent James Smith was seduced, literally and figuratively, by a female Chinese spy he was handling. Finally, many people find dealing with so-called traitors, snitches, or rats to be distasteful.

While the use of human intelligence waned, the use of signals and communications intelligence surged. Evolving technology allowed more intelligence to be collected, albeit for a price. In addition to often being expensive and difficult to maintain, the efficiency of these technologies sometimes overwhelmed the resources available to evaluate the information they collected (referred to in the intelligence community as the “take”). Finally, the pulse of technological innovation sometimes produced a “Let’s do it because we can” mentality, with more collected information being added to already-strained analytical capabilities.

Fairly or not, a series of intelligence miscues caused a fair number in the intelligence community to ask whether this imbalance had gone too far. The collapse of the Soviet Union caught intelligence services by surprise, as did the fall of the Shah in Iran. The explosion by Pakistan of a nuclear device was seen as another significant intelligence failure, as were the tragic events of September 11, 2001.

While hindsight is always 20/20, some knowledgeable observers in the intelligence community began to question whether the human intelligence shortfall had become too great. They did not question the value, often considerable, of electronic collection, but rather postulated that the equation needed more balance to be truly effective. That is, the electronic take had to be married to an equally robust human intelligence capability. Only humans, they argued, can provide information as to intentions, dispositions, plans, motives, weaknesses, self-assessments, relationships, ambitions, feuds, alliances, personalities, and other factors that form human character and provide insight into what makes one tick.

If this assessment has merit, it may have interesting implications for internal auditing. Certainly, CAEs do not want to be in the spy business, nor do they want to run spy networks in their organizations. At the same time, the apparent move to embrace increasing levels of technological assistance is very much like the path that the intelligence community took when it embraced ever-increasing levels of technological capability in collecting various types of intelligence.

Human Intelligence and the Internal Audit

What, one may ask, is the human intelligence component that is pertinent to internal audit? If we are not going to establish and run spy networks, where does our human intelligence come from? Interestingly, organizations are awash in human intelligence, but do not recognize it and only rarely use it effectively.

Human resources (HR). This is often the unseen, unappreciated, and neglected bloodstream that carries nutrients throughout the organizational body. In performing their duties, HR personnel routinely deal with problems, complaints, mediations, and separations. These intensely human interactions are often full of information about what is going on within the organization. When discussing being overlooked for a promotion, a disgruntled employee may reveal that he knows that someone within the organization is cutting corners to make his numbers. The exit interview is often seen as a perfunctory exercise, but competently performed, it is an invaluable opportunity to ask a few basic questions about departing employees’ opinions of how the organization, and their department in particular, is run. Often the opportunity to develop valuable information is lost because no one thought to ask for it.

Hotlines. Statistics indicate that more than half of the calls coming into hotlines involve HR issues, and some believe this is a major weakness of the hotline function. To the contrary, it is perhaps its greatest strength. HR issues are, by definition, matters of intense personal interest to the caller. When an employee’s complaint is handled promptly, competently, and fairly, that employee’s faith in the hotline probably increases. Although obviously not every hotline caller gets what she wants, these calls generally work to the benefit of the organization, because an employee is more likely to report something of interest to the organization if it has been fair and responsive in dealing with something of interest to her. Also, an increasing number of organizations are making their hotlines available to customers and vendors as well, often with good results.

Anonymous calls and letters. Many of these communications are ignored, and few organizations have a policy as to how to handle such matters. Accordingly, anonymous communications lie scattered throughout various departments, and the organization may never learn that in the last year department X or manager Y was the subject of seven such communications. They may mean little themselves, but collected and coordinated, they may be an excellent early warning of problems. So, too, for online chatrooms devoted to an organization’s business, products, or services. Simple monitoring of these in a coordinated fashion can be an excellent source of information. Interestingly, research reports that an increasing number of employees are more likely to use hotlines if they permit reporting via e-mail.

Public relations (PR). This is usually the primary interface between an organization and the outside world. Although usually viewed as a one-way street, pushing information out, in reality the street runs both ways. Inquiries, questions, and complaints may often wind up in PR, and analyzing them may reveal important issues inside the organization.

Sales. Years ago, Hewlett-Packard made great inroads into the marketplace by seeing its salesforce as an intelligence-collection mechanism capable of informing the company about competitors’ activities and customers’ desires. Sales is another function often seen as one-way, with the objective of pushing products and services into the marketplace. Astute organizations see sales as a two-way function. Each day numerous salespeople interact with customers, competitors, and other people who may have valuable information about the organization. Complaints, observations, rumors, and more often fall into their hands, because they personify the organization to the customers they deal with. Some information may be of great interest to the internal auditors, but little of it is captured, because salespeople often do not see reporting back as part of their jobs.

Procurement. This is also viewed as a one-way process, but with blinders. The procurement function brings goods and services into the organization. What is not recognized is that it can also bring information about what vendors say about the company, its procurement practices, and its reputation in the business community.

Security. Often viewed as merely locks, alarms, and guards, security can be an invaluable source of information because it spans every area of the organization and often deals with disputes and contentious issues, some of which may be of interest to internal auditors. Again, like exit interviews, it behooves internal auditors to ensure that security personnel are aware of their issues and interests.

Using the Intelligence at Hand

The information sources noted above vary from organization to organization, but they illustrate the rich human intelligence environment present in most companies. The issue is not so much creating new sources of information as it is systematically tapping into ones that already exist. This must be done in a manner consistent with organizational mores and culture, lest the effort be seen as intrusive or heavy-handed. At the same time, a CAE can go back, review the human intelligence sources, and reflect upon his career. If he has been in the business for any amount of time, a CAE has probably dealt with an internal issue that originated in HR, PR, or another area. Unfortunately, it was probably because someone took the time to make a telephone call or ask a pertinent question, not because the organization had decided to use its rich human intelligence holdings in an organized fashion.

As internal auditing responds to the requirements of a post-SOX world, signals, electronic, and communications intelligence will continue to be important components of compliance. Human intelligence should be invited to join the effort as well.

Joseph W. Koletar, CPA, CFE, is a principal and service line leader with Ernst & Young LLP’s global investigations and dispute advisory services practice.




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices