00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:06 The IIA
In this episode, Daniel McCarville speaks with Bill Bensing about shadow IT and why it continues to emerge inside organizations.
00:00:14 The IIA
They explore how shadow IT often signals innovation rather than just risk.
00:00:20 The IIA
and how internal auditors can help organizations balance experimentation, governance, and operational control.
00:00:26 Daniel McCarville
The conversation also introduces a practical framework for understanding how ideas move from exploration to validation and ultimately into formal operations.
00:00:39 Daniel McCarville
One of the things that I know you're really interested in is the world of shadow IT.
00:00:44 Daniel McCarville
Just to set the stage for what we're going to be talking about, what is shadow IT?
00:00:49 Bill Bensing
I'll give my definition of it.
00:00:51 Bill Bensing
It's anybody that's in an organization that's not inside of a, we'll call it blessed IT.
00:00:58 Bill Bensing
Now I'm assuming this organization is not a software or information technology organization, right?
00:01:02 Bill Bensing
So it could be your standard bank, it could be some type of manufacturing.
00:01:06 Bill Bensing
They don't build, their inherent product isn't software, for example.
00:01:10 Bill Bensing
So these folks inside of these types of companies who have competencies to build information technology systems,
00:01:17 Bill Bensing
doing it outside of the formal constraints of what their internal, their IT organization allows and provides.
00:01:25 Bill Bensing
That's what I call it shadow IT, but it's like they're in the shadows, right?
00:01:28 Bill Bensing
So it could be, like me, my formal organization, when I, at Boeing, I was a procurement agent and I was writing these small little pieces of software outside of IT for procurement agents and I was shadow IT.
00:01:39 Bill Bensing
What I realized too is when you look at something like a big thing, like a Google or like even a Red Hat, like to a large degree, there's not a concept of shadow IT.
00:01:47 Bill Bensing
because that whole organization is valued on everybody delivering capabilities when it comes down to software.
00:01:53 Bill Bensing
So when I say shadow IT, that's what I specifically look at.
00:01:56 Bill Bensing
There are these organizations, and I won't use the word traditional, but these organizations where software is not the main thing that they sell and people in there building software outside of the blessed or the formally recognized constraints of how software gets built in those organizations.
00:02:13 Daniel McCarville
So for a lot of people out there who are presumably internal auditors, compliance professionals, they may have analytics teams within internal audit or within their compliance organization.
00:02:23 Daniel McCarville
And it sounds like those are examples of shadow IT.
00:02:26 Daniel McCarville
They are people doing development of various kinds who are outside the core of the IT infrastructure.
00:02:32 Bill Bensing
Exactly.
00:02:33 Bill Bensing
You could, one can consider it.
00:02:34 Bill Bensing
And actually, I think you bring a point up there's an implied there, like not that your point was implied, but a lot of people think shadow IT is negative.
00:02:42 Bill Bensing
I like the term for what it is.
00:02:44 Bill Bensing
It's outside of the formal constraints, because where does a lot of innovation happen?
00:02:48 Bill Bensing
Less inside of the formal constraints and outside.
00:02:50 Bill Bensing
So to your point, these analytics teams who are doing some of the stuff, now they may have some level of blessing, but yeah, they're working on technology for the business sake outside of possibly the normal channels.
00:03:02 Bill Bensing
And like, it's not negative, and it's not that it's positive or negative.
00:03:06 Bill Bensing
I like to think of it as a neutral term.
00:03:07 Bill Bensing
But it describes the, it's almost like there was a guy named Kevlin Henney.
00:03:12 Bill Bensing
He's out of, I think he's out of Norway.
00:03:13 Bill Bensing
Have you ever heard of the whole thing of functional versus non-functional requirements?
00:03:17 Bill Bensing
It's almost like going into a zoo and you see elephants and then everything is a non-elephant, right?
00:03:21 Bill Bensing
So like this false dichotomy.
00:03:23 Bill Bensing
So it's almost like I want to sort of break down that, but yeah, you're right.
00:03:26 Bill Bensing
Those are exactly the shadow IT.
00:03:29 Daniel McCarville
That's a really interesting perspective too on organizational culture, because you mentioned an organization like Red Hat, where the concept of shadow IT doesn't make sense because everybody in Red Hat has to be data forward and technology forward.
00:03:42 Daniel McCarville
As a part of their culture, many businesses don't operate that way.
00:03:46 Daniel McCarville
We've specialized certain people into being the data people or the tech people, and that creates the possibility of shadow IT.
00:03:54 Bill Bensing
Exactly.
00:03:55 Bill Bensing
You're right.
00:03:55 Bill Bensing
And you hit it, the specialization, right?
00:03:57 Bill Bensing
And I think when you look at those organizations, what do they deliver?
00:04:01 Bill Bensing
They deliver whether it's a specific good or something, like because it's not ingrained in what they deliver, that's why they specialize and that's why they separate, which by the way, that's not negative and bad.
00:04:10 Bill Bensing
There's a lot of people in those organizations that find it bad.
00:04:14 Bill Bensing
But if you think about what those organizations do versus like what a startup does, Steve Blank, Four Steps to the Epiphany, there's basically two types of organizations.
00:04:22 Bill Bensing
One that executes a known business model and one that discovers business models.
00:04:27 Bill Bensing
Startups discover business models.
00:04:29 Bill Bensing
There's a lot of people in the shadow IT realms.
00:04:32 Bill Bensing
They want to discover things, right?
00:04:33 Bill Bensing
But they're inside of this cultural constraint of an operational model that's about executing unknown constraints.
00:04:39 Bill Bensing
I put a dollar in, I get a dollar 10 out, right?
00:04:42 Bill Bensing
That's what a lot of businesses are.
00:04:43 Bill Bensing
And that's where you get.
00:04:44 Bill Bensing
a lot of the rub, right?
00:04:46 Bill Bensing
It's where you get the, then not just because they're specialized, but you think these organizations are optimized to deliver a physical good or a service and to have low variability and high expectation and low, I mean low variation, but high expectation of I put a dollar in, I get a dollar 10 out.
00:05:04 Bill Bensing
And that's where a lot of the rub around shadow IT will come in these organizations.
00:05:08 Bill Bensing
And as you pointed out, like somebody like Red Hat,
00:05:11 Bill Bensing
Very different.
00:05:11 Bill Bensing
Everybody's delivering software, these types of services.
00:05:14 Bill Bensing
So everybody's ingrained in bringing those features, bringing those ideas back into the portfolio.
00:05:18 Bill Bensing
Whereas that's not necessarily a value of somebody who's, you know, collecting trash or like, you know, could be, you know, collecting trash, could be delivering physical goods.
00:05:27 Bill Bensing
That tends not to be types of value propositions they've traditionally relied upon.
00:05:33 Daniel McCarville
I think many people in the IT audit world, when they hear shadow IT,
00:05:38 Daniel McCarville
they're not necessarily thinking of the people in the teams at first, they're thinking of the technologies.
00:05:43 Daniel McCarville
So I could imagine an organization that licenses a tool.
00:05:47 Daniel McCarville
Maybe we licensed Claude, and then we've got people in our business who instead of using Claude, they go ahead and get ChatGPT and use it on the side, which is not licensed and did not go through all the right channels.
00:06:00 Daniel McCarville
That's a different concept of what shadow IT is, right?
00:06:02 Daniel McCarville
That's focused on the technology and not the people.
00:06:05 Daniel McCarville
What's the advantage in thinking of it the way you do by thinking about the people and teams?
00:06:10 Bill Bensing
So when you think about the people and teams, and I'm going to go back to my experience inside something like Boeing versus the technology.
00:06:16 Bill Bensing
Boeing IT, like unless it costs at least 10 million or more, you think about internal rates of returns, hurdle rates,
00:06:23 Bill Bensing
So I'm in the audit world, I got finance geeks out there that know those terms.
00:06:27 Bill Bensing
Like IT inside of something like that organization has a hurdle rate, an internal rate of return.
00:06:33 Bill Bensing
So if that thing's not, and this is an arbitrary value, $10 million in spend, they don't want to touch it, right?
00:06:39 Bill Bensing
And they're optimized to not touch that stuff.
00:06:41 Bill Bensing
So that means everything that's 10 million and below, which could be a lot of stuff, like for me, a lot of my things are basic PHP apps and to like basically collecting some data from a data warehouse, doing a bunch of stuff people would do on a spreadsheet, but doing it live.
00:06:54 Bill Bensing
in interaction with some of these systems.
00:06:56 Bill Bensing
So people have like a, I call it a procurement relationship system.
00:06:59 Bill Bensing
So they have, so they know things that are going on with their supply base in real time.
00:07:03 Bill Bensing
That's not a $10 million thing.
00:07:05 Bill Bensing
That's something like a Bill Bensing who has limited competencies.
00:07:09 Bill Bensing
And like back then, if I had Claude, holy cow, would I be dangerous?
00:07:13 Bill Bensing
Yes, a lot more dangerous than I was back then.
00:07:15 Bill Bensing
And when I say dangerous, I say dangerous in a good way.
00:07:17 Bill Bensing
But as you go through, because I can go into actually some of the outcomes that kind of stuff generated, which by the way, I built a small thing they're still using today.
00:07:24 Bill Bensing
And within the first six months, it saved a large program on the West Coast, $1,000,000 in direct procurement costs, $1,000,000, right?
00:07:33 Bill Bensing
As I'm going through, take the tools and technology away.
00:07:37 Bill Bensing
What was somebody like a Bill doing?
00:07:39 Bill Bensing
Somebody like a Bill is driven to solve these problems because they experience them themselves.
00:07:44 Bill Bensing
They have an idea of how they can solve it.
00:07:46 Bill Bensing
And just by giving them whatever the tools are at competency, they can demonstrate what these solutions are.
00:07:51 Bill Bensing
And some of them hit, a lot of them don't, but some of them do hit.
00:07:55 Bill Bensing
And then to that perspective, separating the tools from the people, the ones that hit, they get rolled into a portfolio that IT can now do, like the value of it.
00:08:03 Bill Bensing
Let's talk about control from a perspective, like the biggest thing around startups, like most of them fail because they're experimenting.
00:08:08 Bill Bensing
And
00:08:09 Bill Bensing
Maybe the idea hits a market, but the market's not big enough to take it to grow over time.
00:08:14 Bill Bensing
That happens like if you think entrepreneurship outside and then intrapreneurship inside of an organization.
00:08:20 Bill Bensing
That's what the value of shadow IT is.
00:08:23 Bill Bensing
And this is also to the people who are against shadow IT and maybe folks that are listening that are the shadow IT people, really understanding those fundamental differences.
00:08:32 Bill Bensing
Because what you talk about, it's a bit of a symbiosis behavior, a yin and a yang.
00:08:36 Bill Bensing
If you're doing shadow IT to create more effective and efficient operations in different ways, that's great.
00:08:42 Bill Bensing
When you're doing it to try to explore all these tons of business models, now you're fighting against the grain of the organization.
00:08:49 Bill Bensing
So yeah, so that's, as you think through it, is about the people, less the tools.
00:08:52 Bill Bensing
The tools are the easier things.
00:08:55 Bill Bensing
Even though those annoy people, because those tools give people like me the ability to do things they don't like to do, so they go straight to the tools.
00:09:02 Bill Bensing
Whether the tools are there or not, people like me are going to find ways to do this.
00:09:05 Bill Bensing
And so why not make it a form of control?
00:09:09 Daniel McCarville
Absolutely.
00:09:10 Daniel McCarville
So you got into there a little bit of what are the benefits of shadow IT.
00:09:14 Daniel McCarville
And let's come back to that more explicitly for a moment, because
00:09:17 Daniel McCarville
Many of the people listening here, they may be auditors and they may think shadow IT sounds like a dangerous thing.
00:09:24 Daniel McCarville
Or you might be the audit analytics person like I am, or you may have an audit analytics team and you may be mentally now reconfiguring that to think of them as shadow IT because they are outside of core IT doing those development tasks.
00:09:38 Daniel McCarville
Intrapreneurs try to bring value to their organization in much smaller scale than central IT does.
00:09:44 Daniel McCarville
But what's the value that these shadow IT teams are bringing to their organizations?
00:09:49 Daniel McCarville
Why do we want them?
00:09:50 Bill Bensing
Validated assumptions.
00:09:53 Bill Bensing
How many people in the organization have an idea of what thinking goes better?
00:09:57 Bill Bensing
And how many times does it actually cause friction?
00:10:00 Bill Bensing
So shadow IT is a mechanism to validate and or invalidate to falsify assumptions about how to do things differently or do things better.
00:10:09 Bill Bensing
That's what I've always looked at is.
00:10:10 Bill Bensing
Now, because information technology is very malleable, it's an easy and quick way to do it as opposed to having to physically build stuff.
00:10:17 Bill Bensing
But that's the core value right there is validated falsifiability.
00:10:21 Bill Bensing
We'll put some big words around it, right?
00:10:23 Bill Bensing
Validated falsifiability, i.e.
00:10:25 Bill Bensing
being able to prove to people that what they think should happen, you have evidence that it should not happen that way or it cannot happen that way.
00:10:32 Bill Bensing
And that's why not everybody, by the way, should be part of Shadow IT or part of it.
00:10:36 Bill Bensing
I find like this is the driven people that want this stuff.
00:10:39 Bill Bensing
You empower them.
00:10:40 Bill Bensing
Like the best things people that I worked for ever did was just get out of my way.
00:10:45 Bill Bensing
They didn't have to support me.
00:10:47 Bill Bensing
They didn't have to be friction.
00:10:49 Bill Bensing
They just got out of my way.
00:10:50 Bill Bensing
And that's like, as you start to think through some of that, then people, then that's what the value is.
00:10:56 Bill Bensing
So yeah, getting out of some of these folks' ways, letting them go through and prove to the organization that
00:11:03 Bill Bensing
what they think they know, because a lot of people think they know things, but it is not valid, it's invalid, or it's not supported.
00:11:10 Daniel McCarville
So if I were to summarize a little bit, what is the value of shadow IT?
00:11:15 Daniel McCarville
At the lowest level, there's a functional value, it sounds like, in that they produce tools that you want at a smaller scale than your purchasing department wants to procure or a smaller scale than your IT department wants to support, right?
00:11:29 Daniel McCarville
The economics there, for them, they need to focus on big projects, but your shadow IT teams can economize to smaller projects tailored to that domain explicitly.
00:11:39 Daniel McCarville
And then from there, there's maybe an organizational value in
00:11:45 Daniel McCarville
helping you validate your business model the way that you currently do business and then innovating that structure.
00:11:50 Daniel McCarville
Is that what I'm hearing?
00:11:51 Bill Bensing
Exactly.
00:11:52 Bill Bensing
A lot of people like to think the latter, those are the big dreams and going through some of the new things for the business.
00:11:58 Bill Bensing
but more of the former is the reality of shadow IT.
00:12:00 Bill Bensing
It's just doing stuff to better, to make operations less frustrating, whatever it may be, whatever those feelings are that makes you not want to, makes you want to go home at noon instead of like, kick it around until 5:00.
00:12:12 Bill Bensing
That's really the efficacy of shadow IT.
00:12:15 Bill Bensing
And frankly, as an organizational leader, that's where I want to focus them as well.
00:12:20 Bill Bensing
yeah, we've got the business we want to focus on.
00:12:22 Bill Bensing
There's things, there's possibilities there, but there's formal mechanisms like R&D that exists inside of businesses to find parallel and or new lines of business.
00:12:31 Bill Bensing
But the shadow IT in the organization, like efficacy and efficiency of how we operate.
00:12:38 Daniel McCarville
So there was a lot of really juicy stuff in there.
00:12:41 Daniel McCarville
I want to start off though with
00:12:43 Daniel McCarville
Why doesn't shadow IT happen sometimes?
00:12:46 Daniel McCarville
It sounds like such a good thing everybody would have it.
00:12:48 Daniel McCarville
But I'll tell you, in my career in audit analytics, I've heard from lots of CEOs, CFOs, chief auditors who say, I want this kind of innovation.
00:12:58 Daniel McCarville
I want people to blow up my processes and make them more effective and more efficient and change the way I do my work.
00:13:03 Daniel McCarville
And then it doesn't happen.
00:13:05 Daniel McCarville
So what holds them back from doing something like that?
00:13:08 Bill Bensing
I'm going to say these two things out front, and I'm going to ask you to help me keep me on track with this.
00:13:13 Bill Bensing
One is the formalities of letting people do this and then bringing it back in, but two is also the support.
00:13:19 Bill Bensing
So everybody says, a lot of leaders say, I want to do this.
00:13:22 Bill Bensing
But the one thing a lot of leaders don't understand is how to lead these people, how to guide these people.
00:13:27 Bill Bensing
This is not just let them go throw stuff at a wall and see what sticks.
00:13:31 Bill Bensing
You can do that, but you'll end up with just a bunch of stuff stuck into the wall and not making it back in.
00:13:36 Bill Bensing
There is, I think it's called Corporate Innovation.
00:13:38 Bill Bensing
It's a book.
00:13:38 Bill Bensing
If you're familiar with like the business model, business candidate books, I have to think of it.
00:13:42 Bill Bensing
I can't think of the name on the top of it.
00:13:43 Bill Bensing
It's called Corporate Innovation or whatever.
00:13:45 Bill Bensing
Anyways, it talks about building that flywheel of bringing it back in.
00:13:48 Bill Bensing
So while most organizations express the intent of wanting people to do this, they have not set up the structure to allow people to experiment, but then also provide small investments.
00:14:00 Bill Bensing
So at the end of the day, a lot of organizations have entitlement investments.
00:14:04 Bill Bensing
Every year they get their X millions of dollars.
00:14:06 Bill Bensing
But instead of entitlement, having these smaller, when I say VC type, I loosely say that, letting people prove certain theses, like Marc Andreessen's onion model of risk.
00:14:16 Bill Bensing
Go look it up, it's amazing.
00:14:18 Bill Bensing
A startup is all about peeling layers of risk back at a time.
00:14:22 Bill Bensing
And he's got 15 he talks about.
00:14:23 Bill Bensing
And I think there's a video from him in the early 2000s at Y Combinator talking about this.
00:14:28 Bill Bensing
but like why do you get additional funding as you've peeled back risk, you've mitigated it, now there's additional funding to peel back other risks to mitigate, right?
00:14:35 Bill Bensing
And so as a leader listening to this, if you're just like, let them throw stuff at the wall, see what sticks, that's gonna be the number one cause you can't, because you're not bringing it back into your main portfolio.
00:14:45 Bill Bensing
There's no way to say yes, and there's no way to say no.
00:14:48 Bill Bensing
Not saying either yes or no to something is the worst thing you can do for anybody, because now that's just void of information.
00:14:54 Bill Bensing
Now from a leadership perspective, let's go into the actual physical, how to make
00:14:58 Bill Bensing
it happen.
00:14:59 Bill Bensing
This is also where some of the tools come back in.
00:15:01 Bill Bensing
So I'll go to the organization.
00:15:02 Bill Bensing
I stood up the Enterprise Architecture Organization at PODS, Portable On Demand Storage.
00:15:07 Bill Bensing
Didn't have one before then.
00:15:08 Bill Bensing
I stood it up.
00:15:09 Bill Bensing
And one of my things was to enable Shadow IT.
00:15:11 Bill Bensing
So the first thing I did, the basic thing, was get everybody their own SharePoint on their own domain.
00:15:16 Bill Bensing
And back then, this is when SharePoint 2016 came out.
00:15:18 Bill Bensing
So it was new.
00:15:20 Bill Bensing
It was basically like the cloud stuff was starting to happen in an organization.
00:15:23 Bill Bensing
I gave them their formal one, but I gave them an on-demand way to build what I called the ***** environments.
00:15:30 Bill Bensing
Go experiment, go do it, mess it up, and then if you blow it up, let me know.
00:15:35 Bill Bensing
We're going to issue you a new one.
00:15:37 Bill Bensing
And so for example, the PODS sales and service organization, they actually built their own issue tracking system.
00:15:43 Bill Bensing
They were using spreadsheets and stuff like that.
00:15:44 Bill Bensing
They built it in SharePoint.
00:15:46 Bill Bensing
And then when it came time to do an ERP, they basically said, hey, look at what we're doing.
00:15:51 Bill Bensing
You want our requirements?
00:15:52 Bill Bensing
Here's exactly how we're doing it.
00:15:54 Bill Bensing
They had their own technically competent, now they weren't software developers or anything, but there were people who were interested in learning that.
00:16:00 Bill Bensing
Like that right there is the epitome.
00:16:02 Bill Bensing
And then ultimately that became the basis for requirements that fed back into an ERP system.
00:16:06 Bill Bensing
Similar on the financial side, like they were doing a bunch of stuff with Excel, Excel, not Excel, Access databases.
00:16:13 Bill Bensing
Give them the ability to learn.
00:16:15 Bill Bensing
So there's the two formal ways.
00:16:17 Bill Bensing
Formally in your organization, how do you build the cycle of when you identify the stuff, being able to incrementally fund it, and then also be able to cut it off so you say yes or no.
00:16:26 Bill Bensing
But the second is the physical infrastructure.
00:16:28 Bill Bensing
Back then, one thing we were working on is cloud was starting to come into organizations, was actually giving folks in the marketing organization, they're the ones that had software developers.
00:16:37 Bill Bensing
So by giving them sort of ways to work, and people know about Kubernetes and containers, I don't want to get geeky in this area, but like giving them environments, giving them access to a Git repo back in the day, I mean, this is 10 years ago, but like, and letting them just write software and deploy it and play with it.
00:16:52 Bill Bensing
Like those are the basic things that you can do.
00:16:54 Bill Bensing
And that's how you bring a form of control.
00:16:56 Bill Bensing
Because everybody wants to build this stuff.
00:16:58 Bill Bensing
They want to experiment.
00:17:00 Bill Bensing
And they're happy to do it within a set of boundaries of controls.
00:17:03 Bill Bensing
but giving that is how you can actually prove it.
00:17:04 Bill Bensing
So there's the two ways.
00:17:05 Bill Bensing
There's the organizational leadership management strategy, and then there is the physical ways to allow people to experiment within a bounds that is frankly sufficient for 90 to 95% of anything they could build anyways.
00:17:19 Daniel McCarville
Yeah, so if I'm imagining myself talking to this leader, this chief auditor, this CFO, whoever it is,
00:17:25 Daniel McCarville
and they say, I would love to innovate, I would love to find a better way of doing our work, then the two things to put to them is, on one hand, you enable it with tools.
00:17:34 Daniel McCarville
So you need to give people tools and environments and opportunities to innovate in a safe and constructive way, and maybe not worry so much about if the experiments don't work, just enable them to do the experimenting.
00:17:48 Daniel McCarville
And then on the business case, take their successes
00:17:52 Daniel McCarville
celebrate them, integrate them into your organization, because that's how you recognize and encourage further innovation.
00:18:00 Bill Bensing
I want to add a third that I didn't talk about in New York, you hit on the second.
00:18:03 Bill Bensing
Red Hat, big in community.
00:18:05 Bill Bensing
Build the community.
00:18:06 Bill Bensing
One thing we did was we found ways, as we saw people work, is could we get them to build presentations on what they did and how they solved it?
00:18:12 Bill Bensing
And could we get them to share with other people?
00:18:14 Bill Bensing
So outside of the IT organization of PODS, there was a small amount of people between some of these organizations that had their food bar, SharePoint environments, that they started creating like little
00:18:22 Bill Bensing
weekly, bi-weekly things of here's what we're doing in SharePoint and here's how we're doing it.
00:18:27 Bill Bensing
Like that right there, building those, are flywheel mechanisms inside of an organization.
00:18:32 Bill Bensing
So I'd say the third one is like, how do you know this is successful?
00:18:35 Bill Bensing
You see flywheel mechanisms happening because you may see a lot of failure and people may be like, hey, nine of the 10 things we do fail.
00:18:42 Bill Bensing
So this is failure overall.
00:18:43 Bill Bensing
No, if that was failure, then the VC world would never exist.
00:18:47 Bill Bensing
right?
00:18:48 Bill Bensing
It's going to be that one out of 10 that really makes a large difference, but you can't get out to that one out of 10 unless you're going through those, you know, those other nine ones that fail.
00:18:55 Bill Bensing
So to your point, yeah, it's building those, having those flywheel mechanisms and seeing those visible in work in your organization, that's the manifestation of shadow IT doing great things for the organization.
00:19:08 Daniel McCarville
How do you see people typically doing this?
00:19:11 Daniel McCarville
Is it
00:19:12 Daniel McCarville
your existing staff, you enable them and empower them and they start innovating?
00:19:16 Daniel McCarville
Or do you need to bring someone with some new technology skills into the mix and that's how you start this kind of innovation?
00:19:22 Bill Bensing
A little bit of both, but I'll just call it the John Kotter approach, right?
00:19:27 Bill Bensing
And so for the John Kotter change management type stuff, build a guiding coalition.
00:19:32 Bill Bensing
So the first thing I do is I go out to anybody regarding a competency
00:19:35 Bill Bensing
and be like, what do you wanna do?
00:19:37 Bill Bensing
I wanna do this, I wanna do this.
00:19:40 Bill Bensing
Are you willing to learn?
00:19:41 Bill Bensing
Possibly off-hours type learning, yes.
00:19:43 Bill Bensing
Then what I do is I fund their learning.
00:19:45 Bill Bensing
There's a company called Pluralsight.
00:19:46 Bill Bensing
But what I've done at every organization is I go through and I generate, I get Pluralsight subscriptions for these folks.
00:19:54 Bill Bensing
And what I do as a manager and leader is I actually build guided courses with the different things in there to get them where they need to go.
00:20:01 Bill Bensing
So to your point, yes, you have to support this.
00:20:03 Bill Bensing
You just can't let this sort of bubble out there.
00:20:05 Bill Bensing
But what I want to do is I'm going to build a guiding coalition.
00:20:07 Bill Bensing
I want to go find the people who have the problems and who have these solutions in their mind, but also have the want and the drive to try to build these outcomes.
00:20:16 Bill Bensing
And then what I'm going to do is I'm going to give them the support.
00:20:18 Bill Bensing
I'm going to give them the okay to make mistakes.
00:20:22 Bill Bensing
A lot of these people, half the time, they just need to hear, yes, you're approved to mess stuff up.
00:20:27 Bill Bensing
And guess what?
00:20:28 Bill Bensing
You can spend hours of your day messing stuff up, right?
00:20:31 Bill Bensing
So that's all they really need.
00:20:33 Bill Bensing
This is the getting out of the way.
00:20:35 Bill Bensing
So from there, to answer a bit of both, there's a bit of both.
00:20:38 Bill Bensing
Do I need to bring formal technology people in?
00:20:40 Bill Bensing
No.
00:20:41 Bill Bensing
The person though that is designing and helping to upskill, they should be very dominant in technical competencies.
00:20:48 Bill Bensing
So they should be technically a software leader interested in building these other folks.
00:20:52 Bill Bensing
So if I were to bring somebody in, that's where I'd bring somebody in at.
00:20:57 Bill Bensing
because you need to build that guide there.
00:20:59 Bill Bensing
I did it at Red Hat, I did it at PODS, then at almost every single company I've been in.
00:21:03 Bill Bensing
But as you go through, but yeah, so to answer your question, it's a bit of both, but that's also from the leader.
00:21:07 Bill Bensing
This is where focused investment comes in.
00:21:09 Bill Bensing
It's not a lot of money, and you're not asking a lot of people to spend weeks at a time just doing stuff, but what you're doing is you're enabling these inherent drives in these folks by giving them the space to explore, letting the people who have the problems and ideas go explore those.
00:21:24 Bill Bensing
And then basically building these formal mechanisms to bring those ideas and everything back in to review them.
00:21:29 Bill Bensing
Because you got to remember, like startups, the best form of revenue for a startup is actually customers, is not investment flow, it's a customer.
00:21:38 Bill Bensing
And why?
00:21:38 Bill Bensing
Like, yeah, it's money, but getting customer feedback, and that's the whole thesis of Steve Blank and his Four Steps to the Epiphany, is getting out of the office and getting feedback.
00:21:46 Bill Bensing
By you as a leadership organization structuring those mechanisms, you're now building in formal feedback to ensure that this
00:21:54 Bill Bensing
that they're not going, that the course they're going on is the value-added course, that they're discovering where value is.
00:22:01 Bill Bensing
And when I say feedback mechanisms, it's not if you're a leader that thinks you're omniscient and you're just telling them, no, it doesn't work that way, that's not the feedback.
00:22:09 Bill Bensing
You're now being more Socratic.
00:22:10 Bill Bensing
You're looking at and asking the questions, how do you know that that's valuable?
00:22:15 Bill Bensing
Falsify, give me falsifiability or prove to me, you know, what is, prove to me that is the value, that type of stuff to keep them
00:22:23 Bill Bensing
guided in their directions.
00:22:25 Daniel McCarville
I think there's a lot of really interesting cultural stuff in there because as auditors, we spend all day, every day criticizing the things that we see.
00:22:34 Daniel McCarville
And we do that constructively to provide value to those processes.
00:22:38 Daniel McCarville
But there is sometimes a tendency to internalize that message and then feel like everything you do has to be perfect the first time or it could never possibly work.
00:22:49 Daniel McCarville
But there's a little bit of a lesson here in it's okay to innovate.
00:22:51 Daniel McCarville
It's okay if your tools work 80% of the time, because that's still bringing a lot of value and we can enable people to bring that new value.
00:22:59 Daniel McCarville
I want to transition just a little bit here.
00:23:02 Daniel McCarville
Let's speak directly to those auditors.
00:23:04 Daniel McCarville
They're out there auditing.
00:23:05 Daniel McCarville
They hear shadow IT and they see risks.
00:23:08 Daniel McCarville
And because I'm in the insurance industry, I'm going to be more specific and say we're talking about hazards.
00:23:12 Daniel McCarville
These are risks that can only ever be a bad thing.
00:23:15 Daniel McCarville
What would you tell those auditors to maybe
00:23:18 Daniel McCarville
enable them to look at shadow IT slightly differently.
00:23:21 Bill Bensing
So dear auditors, I'm going to help you help yourselves by helping the first line first off know they're the first line at the end of the day.
00:23:28 Bill Bensing
And I'm going to give you a way to do it in what I'm going to call, I call this Bensing's three systems model.
00:23:33 Bill Bensing
So being a little more humble, let's call it the EVO phases, exploration, validation, and operation.
00:23:40 Bill Bensing
As an auditor, you are trained, which an auditor is very, when I say auditor, I'm going to separate auditor from somebody who just executes, right?
00:23:48 Bill Bensing
Somebody who just executes to a large degree, and I'm gonna take formal engineers off the plate at this point in time, 'cause formal engineers understand the yin and yang of execution and risk management.
00:23:59 Bill Bensing
Execution folks, a lot of the time it's, they're told to jump how high, go fast, and they just keep going with irregard to whatever the uncertainties are, right?
00:24:09 Bill Bensing
Now, I'm gonna say complete reckless regard, but that's why you see on the audit side, the risk side, there's fear.
00:24:17 Bill Bensing
And so actually, what I love about the three lines model and you start thinking of a difference is like, teach people, the thing about auditability is verifiability.
00:24:25 Bill Bensing
A lot of these execution folks have never learned, they could be in industry for 30 years, what it means to prove beyond their own mind that this thing is what it's supposed to be, right?
00:24:36 Bill Bensing
Or it's good, like what does it mean to actually prove, to verify and validate what this is?
00:24:42 Bill Bensing
The best thing the third line can do is to help the first line understand that.
00:24:46 Bill Bensing
And when it comes to the shadow IT, this is where I bring in sort of these three phases, exploration, validation, and operation.
00:24:52 Bill Bensing
So as an auditor, looking at shadow IT as a mechanism for exploration, you can mitigate the risk by putting some constraints around it, which basically is like let that exploration phase happen.
00:25:05 Bill Bensing
Because to a large degree, the output of that, which will go into the validation, there's a boundary between that.
00:25:09 Bill Bensing
At that boundary, start to help the folks on the front line understand what they need to do to sort of identify what risks and uncertainties that should be mitigated before it goes into validation.
00:25:19 Bill Bensing
Now, exploration is literally somebody like Bill's got an idea in their head.
00:25:23 Bill Bensing
Can they make that work?
00:25:25 Bill Bensing
It's just mechanistically, can you make it work?
00:25:27 Bill Bensing
Don't get in their way.
00:25:27 Bill Bensing
Stay out of their way.
00:25:28 Bill Bensing
Let them mechanistically make it work within some level of sandbox
00:25:32 Bill Bensing
environment, so there is no second-order effect, but really, in exploration, there is no second-order effect beyond what that person who's creating this thing is.
00:25:40 Bill Bensing
Now, once you get into the stage of validation, that's when you start to bring other people, like, say, Bill's created this thing, he's proved he can make it work, now he's got Daniel, now he's got somebody else who's like, I'm interested in trying that.
00:25:52 Bill Bensing
where you can come in, and this is sort of in line with Vision 2035, right?
00:25:55 Bill Bensing
So I know there is the, like, I'm the independent auditor, but there's also the other side of that, I have the auditing expertise that I can coach the organization and how to verify and validate when it comes to risk.
00:26:08 Bill Bensing
So taking that version of it and coming in and working, helping them to identify between exploration and validation,
00:26:15 Bill Bensing
what it means to identify where the uncertainties are, because most of the time they've never truly been asked to do that.
00:26:20 Bill Bensing
Or, I take it back, if they've been asked, they've never been given any clear mechanism on how to do that.
00:26:26 Bill Bensing
It's like giving a child some pieces of wood, a hammer and nails and saying, go build a birdhouse.
00:26:31 Bill Bensing
I mean, they've seen birdhouses, so they know what they look like, but to get from that raw material to that finished product,
00:26:38 Bill Bensing
They've never seen it happen before.
00:26:39 Bill Bensing
So that's, I mean, I don't want to call, I don't want to call first liners children because I mean, even though my wife would call me a big kid, I am a first liner.
00:26:46 Bill Bensing
It's just sort of like in that same vein.
00:26:49 Bill Bensing
But if you go to that validation, this validation step is now I'm bringing other people in, right?
00:26:53 Bill Bensing
I have second order effects that, you know, Daniel's data, I could do something wrong with it.
00:26:57 Bill Bensing
So, but it's still, it's not an unrisked environment.
00:27:00 Bill Bensing
The people that are coming in and interacting with this thing in the validation phase,
00:27:04 Bill Bensing
there is an admission on their part that they know that there are risks inherent and there are uncertainties inherent to their interaction with whatever is being done.
00:27:13 Bill Bensing
And so that's where you have that level of risk mitigation.
00:27:15 Bill Bensing
But the biggest one is going from validation to operation.
00:27:18 Bill Bensing
And that's where a lot of auditors can get involved because that's what people always tend to think, whether it's an auditor or even a tech person.
00:27:25 Bill Bensing
I've been in many IT organizations, have these people work for him, for me, and they're just like, no, they can't touch it unless they do 100% right.
00:27:31 Bill Bensing
And I look at it and I'm like, you can't do 100% right.
00:27:34 Bill Bensing
Why would we
00:27:34 Bill Bensing
expect everybody else to do that.
00:27:36 Bill Bensing
So it's like, so like these unreasonable expectations, but what's the reality?
00:27:39 Bill Bensing
It creates this burden.
00:27:41 Bill Bensing
But by having this exploration, validation, and operation phase, what you're doing is you're weeding out mechanistically, can I even get it to work?
00:27:49 Bill Bensing
If you can't get it to work, it doesn't go to validation.
00:27:51 Bill Bensing
Now that it's in validation, is it actually something just more than Daniel and Bill can find useful?
00:27:56 Bill Bensing
Are there people there?
00:27:57 Bill Bensing
Is there a justified reason to put resources into scaling this beyond two, three people, maybe a team?
00:28:04 Bill Bensing
If there is, cool, we'll get in operation, and each of those boundaries
00:28:07 Bill Bensing
represents a time for auditors to come into play from a consultative and coaching perspective, even to help build this out of the organization.
00:28:15 Bill Bensing
Think about combined assurance from the combined assurance approach.
00:28:18 Bill Bensing
Building and helping to blueprint and grow towards sort of a level of combined assurance in a graduated way that you can allow exploration to happen.
00:28:24 Bill Bensing
But as it goes into an operational reality, you are building control, not saying controls, but you are building control
00:28:33 Bill Bensing
along this path to operations, and then you have your operational control standards.
00:28:38 Daniel McCarville
So let me see if I can translate in my own words those 3 steps and what internal audit is doing here.
00:28:44 Daniel McCarville
In the exploration phase, this is where you're generating the use cases, generating ideas, and just looking at your work and saying, can I do it better?
00:28:53 Daniel McCarville
I think audit does have a really interesting role there in that as the auditor, you see
00:28:58 Daniel McCarville
all of the business process in your organization.
00:29:01 Daniel McCarville
You've seen the portfolio of technologies that this one team who are not engineers, who are not IT experts, they have no notion of these things.
00:29:10 Daniel McCarville
So you're in a really great place to help them explore how they could solve their problems.
00:29:16 Daniel McCarville
That's not an audit finding, it's not an audit opinion, but it could be some darn good consulting.
00:29:21 Daniel McCarville
And then in the second phase, when we're validating, that sounds like more of a traditional auditing perspective of, you're up there taking swings, you're trying to improve your business world.
00:29:32 Daniel McCarville
Are you effective?
00:29:34 Daniel McCarville
Are you managing risk?
00:29:35 Daniel McCarville
Are you doing all of these things to make sure that this is safe for our organization?
00:29:40 Daniel McCarville
And then in the third phase, it sounds like that's more of a broader rollout.
00:29:44 Daniel McCarville
How do we maximize the value and get this out to all of the people who could get value from it?
00:29:50 Bill Bensing
Yeah, I think it's pretty accurate.
00:29:52 Bill Bensing
And just read back to you, like in that operational phase, I think that's where the auditor puts on the traditional independent hat, right?
00:29:57 Bill Bensing
It's now to get across that boundary from validation to operation, you need to bring that independent perspective in.
00:30:03 Bill Bensing
But as you pointed out, like in the second one, the validation, you take the independent hat off and you're basically, you're consulting saying, hey, we need to get to
00:30:10 Bill Bensing
higher level of fidelity to get over this, that's where you're really cooperating.
00:30:13 Bill Bensing
So when you think about what you talked about, the first two levels of cooperation, and in operational, you're cooperating around the true tenets of managing risk and uncertainty, that audit was founded to verify.
00:30:24 Bill Bensing
And then to your point on the exploration phase, they see a whole swath of things.
00:30:28 Bill Bensing
They have ideas, maybe they have the competencies to bring in, maybe not, who knows?
00:30:33 Bill Bensing
But I can tell you right now, it's never one independent genius that does this stuff.
00:30:37 Bill Bensing
It may be one person that pushes that boulder up the hill till it rolls back over them.
00:30:41 Bill Bensing
but there's always people with them working together.
00:30:44 Bill Bensing
And exactly the auditor could be the seed that grows that, finds a Bill type who just can't sit on his hands and says, hey, I got this idea.
00:30:52 Bill Bensing
I see you like to write some of that software stuff.
00:30:54 Bill Bensing
How about you bring your Claude Code over here and we look at this thing and see if you could prototype me something, right?
00:30:58 Bill Bensing
That right there.
00:30:59 Bill Bensing
And what is the point of audit?
00:31:02 Bill Bensing
To reduce uncertainty and mitigate risk.
00:31:04 Bill Bensing
And if you think about risk, risk is not just threats, it's opportunities.
00:31:08 Bill Bensing
And so now this is where audit expands
00:31:11 Bill Bensing
and brings these additional, because everybody says they want to add business value.
00:31:14 Bill Bensing
I hate that term business value, because business value basically means I just want to figure out how to do something.
00:31:18 Bill Bensing
So people are not going to like my term on that.
00:31:19 Bill Bensing
But that's actually like, what does it mean to add business value right there?
00:31:22 Bill Bensing
And I think you've nailed all three of them.
00:31:23 Bill Bensing
That's exactly where the value from audit can be driven at each of those phases.
00:31:27 Daniel McCarville
I guess to use a little bit of the auditing vocabulary, the terms of art, maybe in that validation stage, we're looking at the design of the process and the design of the controls to ensure that they can be verified.
00:31:40 Daniel McCarville
And then in the operation phase, we're looking at in their performance, were they actually performed correctly according to design?
00:31:48 Bill Bensing
Amen.
00:31:49 Bill Bensing
And I'll even go one further, standardizing design across all of it.
00:31:53 Bill Bensing
Because this is one of my things, and I write about this, I'm writing about some of this thing is like, when you have very differing standards, you increase your probability of at least one failure, more source of risks you put in there.
00:32:02 Bill Bensing
And a control is also a source of risk at the end of the day.
00:32:06 Bill Bensing
And so more standardization across that.
00:32:07 Bill Bensing
So I want to sort of pull a little further what you're saying.
00:32:10 Bill Bensing
If you
00:32:10 Bill Bensing
You can use the EVO phases to actually more standardize some of this, help to standardize the technology, standardize the process, standardize the control designs.
00:32:18 Bill Bensing
You reduce variability.
00:32:20 Bill Bensing
Variability reduction is risk reduction.
00:32:22 Bill Bensing
You're doing your job.
00:32:24 Daniel McCarville
Yeah, you know, that's a good thing to bring up too, because although there's a lot of positives to shadow IT, they do operate outside of the ordinary
00:32:33 Daniel McCarville
SDLC, Software Development Lifecycle, they do operate outside ordinary change management and ordinary IT general controls.
00:32:41 Daniel McCarville
So there are hazards there.
00:32:44 Daniel McCarville
What would you see as the key hazards and maybe what are the most beneficial ways to address those?
00:32:49 Bill Bensing
So you're right.
00:32:50 Bill Bensing
They have hazards, but the hazard isn't the shadow IT itself.
00:32:53 Bill Bensing
The hazard is the lack of the integration of bringing them from evaluate, from exploration to validation to operation.
00:32:59 Bill Bensing
If you just want to sort of stiff arm them and keep them out there, expect them to keep doing what they're doing, and expect to keep seeing the hazards.
00:33:06 Bill Bensing
But pull the stiff arm out, bring them on in, and teach them how to be part of the delivery team, and you'll see that things change quickly.
00:33:13 Bill Bensing
Because these individuals, they all have professional pride.
00:33:16 Bill Bensing
They all have this drive to want to solve and create.
00:33:19 Bill Bensing
And
00:33:19 Bill Bensing
you say, hey, to get to this next phase, I need to do X, Y, and Z, a lot of the time, maybe it's a bellyache for some of them to start with.
00:33:26 Bill Bensing
But a lot of time, it's like, you gotta get to phase two.
00:33:27 Bill Bensing
Here's how you get to phase two.
00:33:28 Bill Bensing
Give them a clear path.
00:33:30 Bill Bensing
Then the hazards start to disappear.
00:33:32 Daniel McCarville
Yeah, you know, I'm impressed kind of in my daily life too, where when you reach out to IT and you start telling them what you want to do, they will be more than happy to help you.
00:33:43 Daniel McCarville
So if you're in shadow IT, if you're in audit analytics or any other similar kind of role,
00:33:49 Daniel McCarville
If you call up your IT function and you say, I'd really like a GitHub repository, can you teach me to use GitHub?
00:33:56 Daniel McCarville
They will be over the moon happy to tell you because they recognize the tremendous value of those kinds of controls.
00:34:04 Daniel McCarville
They want you to also get that value.
00:34:07 Daniel McCarville
So it doesn't have to be a scary thing.
00:34:09 Daniel McCarville
My experience is, yeah, IT would be more than happy to bring you into that world of a better controlled, better engineered solution.
00:34:16 Bill Bensing
You're absolutely right.
00:34:17 Bill Bensing
And I want to speak to earlier, we were talking about the flywheel.
00:34:19 Bill Bensing
Like this is the mechanism, dear CIO, dear CFO, dear CEO.
00:34:23 Bill Bensing
You don't need to put on formal things.
00:34:25 Bill Bensing
What you need to do is have, well, you can have a formal path, but have informal pathways.
00:34:28 Bill Bensing
Like you don't need to stand up these lunch and learns once a quarter to talk about some of the stuff you could if you want to.
00:34:32 Bill Bensing
But what I tend to find is having that open door policy that says, here is our shadow IT open door policy.
00:34:38 Bill Bensing
You're experimenting with the stuff.
00:34:39 Bill Bensing
We want to enable you.
00:34:41 Bill Bensing
We'll tell you about some of the stuff we do and the capabilities, but at some point in time, you need to come forward and ask us as well, like, how do we get there?
00:34:46 Bill Bensing
And then to your point, like geeks love to geek.
00:34:49 Bill Bensing
A lot of the information, a lot of the IT people, they learn stuff too, because here's the thing is like a lot of folks in IT, they like their tools and they really jump around to jobs and play with their tools.
00:34:57 Bill Bensing
Provide that as a mechanism.
00:34:59 Bill Bensing
And as we can talk about control or risk mitigation, to your point, that is a form of a control.
00:35:05 Bill Bensing
Think about change processes and change management.
00:35:07 Bill Bensing
I could make this a broader argument for that as well, making that part of your change process as well.
00:35:12 Bill Bensing
Like you're not just changing the software, but you're also changing the people too.
00:35:15 Bill Bensing
And so you are de-risking and reducing uncertainty by bringing everybody up to a minimum level of understanding to deliver
00:35:22 Bill Bensing
less hazardful solutions.
00:35:25 Bill Bensing
You don't have zero hazard solutions, but you less within the bounds of tolerances you as an organization are willing to accept.
00:35:32 Daniel McCarville
So reflecting a little bit on what you just said and maybe some other themes throughout this whole conversation, what I'm absorbing, and you haven't exactly said this, but the source of our risk is people and the things that we do and the choices that we make.
00:35:47 Daniel McCarville
So the best way to manage that risk is to engage
00:35:50 Daniel McCarville
people as people, not through formal processes and procedures, not just by changing the technologies, but just by helping us all to do our best.
00:35:59 Daniel McCarville
Is that part of the message here?
00:36:01 Bill Bensing
It's part of the message.
00:36:01 Bill Bensing
And I think that's like, that's my call to action for internal audit right now, engaging the people to do the people.
00:36:06 Bill Bensing
There's, I'm gonna be a little selfish.
00:36:08 Bill Bensing
I'm working on something right now I call the combined assurance model.
00:36:10 Bill Bensing
Like if you look at the King 3, like it has the big overlapping names for combined assurance.
00:36:15 Bill Bensing
But one thing I've realized is missing is I'll use the word standard specifications.
00:36:18 Bill Bensing
Like you said, engaging the people for the people.
00:36:21 Bill Bensing
There's a lot of lack of specificity when you go from a control objective down to like some level of control procedure.
00:36:26 Bill Bensing
What does it mean to actually meet that control?
00:36:28 Bill Bensing
What's measurable about that, right?
00:36:30 Bill Bensing
And so working with and across those to bring this idea of a control standard, and then to your point of like the resources, the people, resources, these are mitigations, having clear standards
00:36:39 Bill Bensing
is the source of mitigation.
00:36:41 Bill Bensing
So absolutely, I look at this as a call from the combined assurance approach for internal audit because this is, I mean, I get a little meta with some of this, but I mean, at the end of the day, what is assurance?
00:36:50 Bill Bensing
It's just verifying and validating you're doing what you say you're doing.
00:36:53 Bill Bensing
How do you delineate what you're doing?
00:36:55 Bill Bensing
And that comes down to helping, when you talk about the people, helping the people, help them delineate what it is they're doing.
00:37:02 Bill Bensing
And that way you can provide assurance and you can be an independent, you can have an independent objective opinion of whether they are doing what they say they're doing and if it is valid.
00:37:11 Daniel McCarville
So if I start doing shadow IT things and I start developing tools to make my world better, whether I'm an auditor or a salesperson or, you know, mechanic, whatever it is that I do, right?
00:37:24 Daniel McCarville
I think one pervasive fear that I hear from people is I'm going to build these tools and they're going to take my job and then I'll be unemployed.
00:37:32 Daniel McCarville
How reasonable is that fear?
00:37:34 Bill Bensing
Unreasonable because it's quite the opposite.
00:37:36 Bill Bensing
I'm going to build these tools and now you become accountable and responsible for managing them.
00:37:40 Bill Bensing
Here's the number one drawback to anybody who wants to do the shadow IT thing.
00:37:43 Bill Bensing
You build it, you own it.
00:37:45 Bill Bensing
If you want it to go forward, this is like anything in most organizations, you have the idea, you build it, you own it, you need to drive forward.
00:37:50 Bill Bensing
Actually, the one thing that optimized me for doing some of the startup stuff I'm doing and building go-to markets and things like that is having to push my own stuff forward in an organization.
00:37:58 Bill Bensing
So no, it's not going to take your job back.
00:38:01 Bill Bensing
Actually, be ready for it.
00:38:03 Bill Bensing
You're most likely going to have to own it for a long time until it becomes something that is truly pass-offable, if that's a word, and you can truly pass it off, right?
00:38:11 Bill Bensing
And so, in what is it, when you think the
00:38:15 Bill Bensing
on Crossing the Chasm, I can't Jeffrey, Jeffrey for his name, but Crossing the Chasm, the high technology adoption curve, you get, you basically get to what's called a full product offering.
00:38:25 Bill Bensing
And so to, no, these things aren't going to.
00:38:27 Bill Bensing
Right now with things like Claude and whatnot, you have the ability to create at speeds that nobody's ever created before.
00:38:34 Bill Bensing
Now, just because you can create doesn't mean it's valuable or it's going to create an outcome.
00:38:38 Bill Bensing
But no, you're not going to lose your job.
00:38:40 Bill Bensing
Frankly, you may be put in a different position.
00:38:42 Bill Bensing
So as I did this through my career, I talked to my wife about this.
00:38:45 Bill Bensing
Every time I did this career, I grew up in the ability to go higher in the organization because now I had to take on more accountability and more responsibility.
00:38:53 Bill Bensing
So quite the opposite.
00:38:55 Bill Bensing
You build it, you own it, don't expect anybody else to own it.
00:38:58 Bill Bensing
But also at the same point in time, once it becomes valuable, as I say, valuable people do valuable things, that's why they became valuable people.
00:39:04 Bill Bensing
And so that right there is now, you're not gonna lose your job and it's gonna create more work, not less work, just a different type of work.
00:39:13 Daniel McCarville
And maybe part of the lesson there is that the tool builder is much more employable and has much better prospects than the tool user.
00:39:21 Bill Bensing
If you have domain competency
00:39:23 Bill Bensing
and you have building capabilities, you're dangerous at the end of the day, regardless of whether you have Claude or whatnot.
00:39:29 Bill Bensing
This is one thing I've seen throughout my career.
00:39:31 Bill Bensing
The ability for somebody to understand a domain deeply, and I'm not saying PhD level deep, I'm just saying probably master's degree deep, right?
00:39:38 Bill Bensing
And then the ability to actually build a solution that solves that, you will do valuable things as an outcome, which will make you a valuable person, which will continue like in your career.
00:39:49 Bill Bensing
And so I look at that from a lot of competencies as well.
00:39:52 Bill Bensing
Like if you're a domain expert and you have auditing competencies, like talk about going in and having those deep domain understanding so you can go help people actually root out some very specific causes of uncertainty and risk in some of these areas.
00:40:04 Bill Bensing
And it's not just doing the traditional audit opinion. It's like, hey, when you're building, you are changing, you are modifying, you are mutating. You are taking sand and putting it into glass at the end of the day and taking that glass and making it into a pretty sculpture or a window. Like that's the essence of building.
00:40:19 Daniel McCarville
So to operationalize that a little bit, I hear from people all the time who see that data analytics is great. They want to become analytics people. They want to get into what you were calling shadow IT, but what we might call audit analytics.
00:40:33 Daniel McCarville
And they say, should I start by learning Tableau? Should I learn SQL? Should I learn any of these various technologies? And I think the advice I'm hearing from you would be something more like, well, instead of learning to use the tool, learn something like data modeling, data engineering, inference, like learn these broader disciplines and then using the tool comes with it.
00:40:57 Bill Bensing
You hit it. So I'll get back to the first principle. So I think there's a bit of a yin and yang. Don't learn the tool or think you can learn the tool and you understand the first principles. A lot of tools are abstractions of the principles. So use the tool to learn the principles behind what you're doing. But don't think that just by using or adopting this tool, you are now this thing. Because to your point, if I take the tool away from you, can you still operate? If I give you pen and paper, it may take you 20 times as long to do it, but can you do it?
00:41:26 Bill Bensing
And that's how you know you know it. If you understand the first principles, by the way, there's a book called, I think it's Model Thinking, highly recommend reading that. If you understand the first principles around what you're doing, then you are dangerous. When tools come, when you have tools, you're now one at one, you know, you were two X dangerous, one plus one equals three. So to that point, as you're going through and learning, absolutely agree. Don't hinge on the tool.
00:41:51 Bill Bensing
But you can use the tool as a way to learn the first principles. And I think that's key with some people, because as you're going through, and you just sometimes as a human, we need a way to get our hands onto it. Tools give us the ability to get our hands on, but don't stop at the, oh, I did it, so now I know it. No, like now take the tool away. Can you do it without the tool? And if you can, now you know that you're a builder.
00:42:13 Daniel McCarville
Absolutely. I think that's a pretty empowering message too.
00:42:17 Bill Bensing
I'm biased because I'm talking about it, but you're absolutely right. I think that's the most empowering thing. And this is maybe let's get a little meta here. A little thing is like a lot of people think other people are standing in their way. The reality is they're not. Most people don't even know you exist.
00:42:28 Bill Bensing
Right? And so it's one of those things when it comes to some of the builder things, like when you can do that, is truly how you build value. You understand a domain competency. You can use a tool because you understand the first principles to build something or deliver something that doesn't exist in the way that it could generate some type of good return for somebody. And I'm not just talking about money. It's always like, I could give more time back to Daniel if I could get him and a lot of people like him using this, right? And so it's like, yeah, to do important things, to be an important person, do an important thing.
00:42:58 Daniel McCarville
Yeah. I've spent a little bit of time directing your ideas to the audit analytics person, because I think it's really interesting for them to reconceive of what they do as shadow IT. And it's a really productive way to rethink that role. But now to get back to the core auditors who are out there auditing IT activities or business activities that they have developed their own systems, right? The auditor is going to be concerned, like you've already described, about are risks being controlled? Are the controls being
00:43:27 Daniel McCarville
implemented and operated the way they're supposed to, how do you strike a balance between wanting to deliver those observations where maybe those controls aren't designed well and aren't being operated effectively, while also recognizing that actually what you're doing is really valuable and I don't want you to stop?
00:43:46 Bill Bensing
So by saying that, if I were to read, make sure I understand the question. Let's say I'm the auditor and I'm providing an independent analysis that is not designed well, but I want you to keep going. Like I'm telling you it's not designed well, but I don't want you to stop. I want you to keep going. Is that sort of...
00:44:02 Daniel McCarville
I want you to improve. I think sometimes when people hear, you know, my controls aren't designed well or I'm not operating them successfully, it's like discouraging.
00:44:12 Daniel McCarville
So how do you deliver that message without discouraging people from innovating more?
00:44:18 Bill Bensing
So this is where the partnership aspect comes in. And so this is where, because I'm on the front line and that third line, I think this is where some of the rub comes. There's a time to be independent, objective, and there's a time not to be. When you're assessing and doing the opinion, be truly independent and objective about it. But when you're like, hey, I don't want you to stop, that's when you have to cross a line.
00:44:35 Bill Bensing
And so as we go through this, there's a balance to walk, but also when you talk about design of controls, I can tell you the first and the second line, which really doesn't exist that should know how to do this stuff, they have no clue. And so this is where like to help the third line help themselves, they need to help the first line. And so having the ability to snap that line somehow and have it organizationally acceptable,
00:44:57 Bill Bensing
I think having what I would call, just call audit engineering teams, right? I'll just brought, because everybody likes a new, everybody likes a new term and it belongs to something called an audit engineer team. What that audit engineer team does, or let's call it governance engineering, right? They step out of the independent, and so maybe every nine months they're doing independent audits. Then they snap the line, and the next nine months they're not doing audits, they're actually listening to what their peers audited, and they're teaching the people, and they're saying, okay, we're not gonna have you stop, but I'm gonna teach you, and I'm gonna help you what it looks like to design controls.
00:45:26 Bill Bensing
And I'm gonna show you what it means to be verifiable and validatable. And I'm gonna help you. I'm going to, it's not holding your hand. I'm gonna be part of the team. You're great at software. You personally are great at software. You personally know the domain. Like you have a team and I'm gonna be part of the team that helps to balance the risk perspective along with the operational perspective. And if you think about that from like a governance engineering team perspective, that right there is a socio-technical model that an organization can use.
00:45:56 Bill Bensing
And it's not outside the bounds of anything. Actually, I think things like Vision 2035, I've seen stuff from PCAOB, like this idea of getting closer and collaborating, that is a physical implementation of collaboration. Snap Align, you've gone from issuing opinions to now listening to your, what are your peers' opinions and helping these people understand what it means to design. So you're in the design perspective, you're helping them. It's not just issuing another independent opinion. You are designing, you may be codifying. So from the audit analytics perspective, you may be writing a little Python to do something.
00:46:26 Bill Bensing
You're getting your hands dirty in ways you've never got your hands dirty.
00:46:30 Daniel McCarville
Yeah, I think part of what I'm hearing there is historically that kind of collaboration. And when I say historically, I don't know what I mean. Prior decades, these kinds of conversations have happened at a high level. The chief audit executive or the audit vice presidents meet with the chief technology officer and tell them what it means for a control to be designed well.
00:46:53 Daniel McCarville
But there's another dimension here where the operational IT people, but maybe the operational shadow IT people, need to have contact with auditors so that they can be coached and learn what effective controls look like. Not just to test them, but to tell them what it even means for a control to be successful.
00:47:14 Bill Bensing
First, just to define what the heck a control is, I can tell you right now, your shadow IT person, as they come through, when they hear the word control, they're not thinking what you're thinking. Same thing with the word control between third line and first line. Like, yeah, you use the word control with the shadow IT in the first line, they're gonna look at you and be like, they're gonna giggle, be like, what are you talking about? So absolutely, I think that is even more key.
00:47:34 Daniel McCarville
Well,
00:47:35 Daniel McCarville
Is there anything we haven't talked about here that we probably should?
00:47:39 Bill Bensing
Wow, no, I think we've covered everything. I mean, at the end of the day, if I were to try to sum a couple things up, it's, you know, as things are moving faster, coordination, I won't say collaboration, collaboration is expensive, but coordination is key. As an internal auditor in the auditing industry, understanding how to increase coordination across all three lines, first off, let the first and second line actually know there's three lines at the end of the day. Like it's a great model.
00:48:05 Bill Bensing
Like that is key. So driving coordination, understanding that there is the risk, there's operational execution and risk mitigation as a yin and a yang, and then crossing those lines to go help people understand. But also like from a John Kotter perspective, just start building a guiding coalition to drive that change. This change does not happen from, unless there is highly incentivized top-down change, which rarely it happens.
00:48:31 Bill Bensing
It's not going to happen unless it happens usually from a middle, out, or a bottoms-up perspective. That's a reality everybody's got to come to grips with. And everybody complains that they want this institutionalized, but the best things I've ever done have never been directed towards me. They've been me seeing problems and reaching across the aisle and being like, hey, I have this idea and this solution, and then being humble enough to listen to everybody complain about their stuff.
00:48:54 Bill Bensing
So at the end of the day, that's a bit of the message there. So as the first side, if to help the third line help themselves, they have to help the first line and the second lines understand what their roles and accountabilities are. Because as we get to moving, like you talk about Claude as, especially in the software in this realm, as execution just becomes so high in variation, high in variability and high in volume, shadow IT is your first control at the end of the day. If you can't enable those types of people and organizations,
00:49:24 Bill Bensing
to help you help themselves so they understand what validation and verification looks like, what it means to be auditable, then you're never, you're always going to face the same problems that you have. And the thing is, they're going to 10, 20X worse, your queues are going to back up, and it's just going to be, I mean, I could say just like that's just like that downward spiral.
00:49:43 Bill Bensing
So at the end of the day, you've talked about it, Daniel, like you have a perspective, you have a burden of knowledge. Overcome that burden by going and helping these folks. Drive these formal organizations, build these flywheels. You don't have to be granted okay by your CAE. Just dear CAEs, if you see it, get out of their way. At best, give them a little money to help them, right? Give them some guidance, give them some, you know, whatever it may be. But I think that's my key takeaway, my key message to everybody across the industry.
00:50:14 Daniel McCarville
Thanks for joining us here.
00:50:16 Bill Bensing
Thanks for having me on.
00:50:18 The IIA
Ready to strengthen your audit work with analytics, automation, and AI? Well, join the IIA's AAAI virtual conference on April 7th. You'll hear practical strategies, real-world insights, and earn up to 9 CPE credits, plus a bonus AI nano course included with registration. Learn more at theiia.org.
00:50:41 The IIA
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theiia.org. That's T-H-E-I-I-A dot O-R-G.