Arthur Miller on Auditing

Updated from the original published on June 22, 2010

A little known fact about that great American playwright Arthur Miller is that, when not busy shacking up with Marilyn Monroe, he spent much of his time writing some of the most incisive articles on audit and auditors ever written. Why then, you might ask, have I not heard of them? Why have I not read them? You probably have.

Here are just three examples from two of his plays:

Arthur Miller on… how not to conduct an audit assignment

Miller realised that investigations don’t always go according to plan. Inevitably all forms of investigation are inquisitorial to an extent, audits less so than most. When they really go wrong is when it becomes about allocating fault – or worse, management finding a scapegoat so you don’t need to address more deep rooted problems. Auditors have a challenge – how to review the effectiveness of internal controls without staff taking it personally, and without management taking hold of audit findings and using them to justify a poor course of action that looks good but doesn’t address the issue. How do we make sure, even in organisations that are prone to assessing blame first and asking questions later, that our role is a constructive one, not a destructive one? Save us from being used for a witch hunt!

The Crucible is the story of how some young girls in Salem, Massachusetts, tired of a rather restrictive lifestyle, decided to have a bit of fun but found themselves at the centre of a witch hunt that resulted in a climate of fear, recriminations, and punishment – despite no real crime having been committed.

Arthur Miller does not tell us how to get it right. But he does show clearly what happens when the investigator gets swept up in the atmosphere and carried away. He shows what happens when auditors are not clinically objective. He shows what happens when those with the chance to determine future events are emotional and critical, rather than rational and understanding.

An objective person, looking at the Salem situation impartially and with an objective viewpoint, would quickly have identified the sad absurdity of it, as indeed the reader does. Was something wrong? Yes, but it was a minor infringement resulting from deep-rooted problems that are never addressed. A reminder then of the importance of objective and accurate reporting that goes no further than the evidence allows and is not open to interpretation to suit the whims of management. And, perhaps, reflecting on on root cause - which can often be rooted in organisational culture and history.

Arthur Miller on… user security

The elephant in the cupboard as far as user logical security is concerned is modern password control. More specifically, what happens when controls become excessive is that they cease to be effective – staff (and nice young girls) rebel against them. This is often a concern with controls in organisations – when do you stop? Arguably with passwords we’ve taken it too far.

First, we had passwords. Then unique user accounts. Then minimum numbers of characters. Then compulsory 90-day password changes. So far so sensible, but we kept going. Eventually, we had compulsory 30-day password changes of passwords of least 356 characters including no less than seventeen ASCII characters not present on a standard keyboard, using no character used in the past 52 years (OK, I’m exaggerating just a little – but I’m sure you get the point). Passwordless options are better, but everyone still insists on futile password changes.

Back to the Crucible here then – a group of girls whose actions, in almost any other society would be been considered perfectly normal. Such was the degree of over-control at that place and time, their small rebellion against an overprotective society escalated to serious disciplinary action that was surely unwarranted. Had society not been as restrictive, though young girls would have had a bright future. If we were less restrictive, would we actually be safer? Is it less risky to have eight character passwords changed every year (or never) than complexity requirements and 30 days changes, because staff will remember their passwords and not write them down? Probably. Is it better to have weaker passwords in people’s heads than stronger passwords on post-it notes and in staff diaries? Sometimes. Is 2FA better than making life difficult, and would we all be happier if things were simpler for us as users? Definitely.

Arthur Miller on… career development

Turning then to the subject of happiness, one that is close to every auditor and auditee’s heart. Arthur Miller offers those of us who choose to pursue a career a cautionary tale about aspirations, achievement and the reality of work. The play? Death of a Salesman of course, arguably his greatest work.

Willy Loman is an ordinary man. As a young man he considers traveling abroad to seek his fortune, but sees what a successful career can offer a suitable person and decides to pursue that, instead. He sets his goals, and follows them. An example to all, then? Not exactly. Mr Loman was never meant for a corporate career. However, he never realises this. When those around him give him the opportunity to see, he turns it down. A message then to those of us who are pursuing a career over a working lifetime, to pause for thought and listen. If we’re not getting where we’re going, or not enjoying it, is it really what we want to do? Are we really auditors, are are we just auditing? The price for getting it wrong, suggests the talented Mr Miller, can be high.

For the future: Have you spotted the messages for auditors in ‘A View from the Bridge’? Victim of a witch hunt? No idea what I am talking about? Let me know, and see if you’re right in a future post.