Book Review - Investments Unlimited
In Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age, readers follow the story of Investments Unlimited, Inc., "a fictional company in the financial sector.[1]" The story follows Susan Jones, CEO of Investments Unlimited, Inc., and her team as they scramble to address a Matter Requiring Immediate Attention (MRIA) from the organization's regulators, regarding insufficient IT governance processes.
The book's list of authors includes an all-star line-up of thought leaders and experts in their fields: Helen Beal, Bill Bensing, Jason Cox, Michael Edenzon, Topo Pal, Caleb Queern, John Rzeszotarski, Andres Vega, and John Willis.
I first read the book (in electronic form) shortly after it was released in September 2022, and I immediately loved it. I recently purchased the paperback version as well and re-read it. The second time around was just as good as the first. What stands out to me the most is how relatable the book is to real life. Not only do the book's authors effectively portray the frustration non-auditors (audit clients) can experience with regulators, auditors, and risk management/security professionals, but they also debunk some myths about these professions.
For example, in chapter 2, Bill Lucas, VP of Product, lashes out at Security and Audit for not getting his team a list of Audit requirements. Jada King, who represents both Risk and Audit at Investments Unlimited, Inc. (IUI), responds with the following:
"Audit doesn't have requirements... Audit's role is simple. We look at the controls, what IUI says it should do to manage risk, and compare it to what we actually do. Audit doesn't make the rules... Audit answers the question: Is IUI doing what they say they should be doing?"[1]
I can't tell you how many times I've heard clients asking for Audit's requirements, or saying they're doing something "for the auditors," or trying to figure out what the auditors want to see. In response, I challenge my clients to think about those situations a little differently. Instead of doing something to prove to the auditors that a control is effective, they should be asking how they themselves know the control is effective. Conversely, when my team of auditors drafts a finding saying that evidence wasn't provided, so we couldn't perform the audit test, I ask them to think about it from our clients' perspective. If we can't perform an audit test to determine whether a control is effective, then our clients likely don't have what they need to know whether their risk is managed effectively (i.e., whether the control is effective). It all gets back to understanding the role of Audit, Risk and Security professionals – understanding what it is and what it isn't – and Investments Unlimited helps to clarify just that.
Another example of frustration the authors expose is when audit results (or in the instance of IUI, regulatory exam results) are flung at the organization in a surprise move. Jason Colbert, SVP of Digital Transformation at IUI, sums it up in the beginning of the story by saying:
"It's not uncommon for an MRIA to be informally notified through back channels so there's no surprise when it's issued. Bernard [Chairman of the Board] has a good relationship with the director of the regulatory agency approving the MRIA. That director reached out to Bernard as a show of good faith." [1]
It's no wonder people fear their auditors! If they're lucky, they get a preview of the findings; otherwise they're just flat-out surprised. That is why auditors get a bad reputation for being "gotcha" people. I wish I could say that this is a fictional liberty the authors took and that they embellished it to add drama to the story. Unfortunately, I can't. This does happen – not all the time, but it does happen. As auditors, we need to do better than this. Intentional collaboration between auditors and audit clients, and auditors and audit clients working together daily, are ways we can do better. I talk about those in detail in Beyond Agile Auditing: Three Core Components to Revolutionize Your Internal Audit Practices.
The authors also capture the frustration of audit findings that don't add value or make sense to audit clients:
"Well, we did push back on several of these... findings.... We asked questions on the ones that don't make sense or don't apply. But we got radio silence. Zero response!" [1]
Chapter 5 of Beyond Agile Auditing dives into ways you can get more value out of an audit, including more valuable audit results (e.g., findings or assurance on whether your controls are effective). You can also check out my article "From Checklist Auditors to Value-Driven Auditors" for more on value-driven auditing.
Investments Unlimited also shares the frustration audit clients face with the unplanned or invisible work created by audits:
"We not only have to manage our engineering projects but we have to shepherd all this paperwork to get stuff done here. I don't have enough people to do that. And it sure isn't in our backlogs." [1]
For those of you who have experienced this, check out my article titled "Go from Unplanned Work to Planned Work with Integrated Auditing 2.0" to learn how integrated auditing can help you overcome this challenge.
Another problem this book helps to shine a light on and solve is the language barrier between auditors and technology experts. As an auditor, I speak in terms of risk and control, but that's not typically my clients' native language. They're saying things like SBOM, pull requests, branches, and merges – none of which were in my regular vocabulary when I started auditing IT. I absolutely love how the authors informally define a control as how organizations commit to keeping the promises they make. That's something everyone can relate to, regardless of which "side of the table" you represent.
Finally, at 139 pages (including the appendices) it doesn't require a huge time commitment to read it and learn from it. Plus, the story is a gripping page-turner for those of us in IT or risk/audit/security, so you won't want to put it down once you start.
If you're looking for a good read, I recommend Investments Unlimited. Once you read it (or if you've already read it), let me know your thoughts in the comments of this post.
Happy Auditing!
[1] Beal, H.; Bensing, B.; Cox, J.; Edenzon, M.; Pal, T.; Queern, C.; Rzeszotarski, J.; Vega, A.; Willis, J. 2022. Investments Unlimited: A Novel about DevOps, Security, Audit Compliance, and Thriving in the Digital Age. IT Revolution.