How Internal Auditors Can Think Like Elon Musk in Three Simple Steps

Use this approach in your internal auditing practices to skyrocket your effectiveness.

Challenge: Many internal auditors don't have a approach for problem-solving that they can consistently apply to their internal auditing and audits. This can lead to irregular and/or unreliable conclusions and findings.

The Fix: Learn how to apply First Principles to your auditing, to think and reason at a whole new level.

During your audits, you will encounter some sophisticated systems, advanced technologies, intricate strategies, and more. Often, problems or root causes are buried within these complex systems. In fact, sometimes the complexity itself is the problem.

Without a structured approach to thinking and reasoning, navigating these complex systems and identifying problems can be a challenge.

The First Principles approach offers such a structure and it can help you navigate these complex systems, find problems that others don't see, and come up with more efficient and effective solutions.

Also, utilizing First Principles in thinking or reasoning will give you a competitive edge. While you  have figured out the issue and devised the solution, others will be stuck on first base.

But applying it to your internal auditing isn't easy. It will take some work and practice. So, we'll start by defining it.

What is First Principles Thinking?

First Principles reasoning or thinking is a strategy employed by some of the brightest and/or most successful individuals in the world. Elon Musk is possibly its most well-known advocate.

The concept has its roots in physics. It can be defined as a method where one deconstructs problems into fundamental elements or basic building blocks, asks probing questions, and uncovers basic truths. It's about dividing facts from assumptions and then creating a whole new perspective or understanding from the ground up.

Here's a brief, three-step structure to to get you started.

1. Challenge your assumptions
2. Deconstruct the problem into its fundamental principles
3. Come up with entirely new solutions from the ground up

#1: Challenge Your Assumptions

First, you need to recognize that your understanding, or what you believe you know about a system or a problem, is often based on misconceptions or so-called 'facts'. List out all of your assumptions.

For instance, in internal auditing, auditees or internal auditors often reference best practices or industry standards. You'll even hear how it's simply "doing things they way it's always been done". These are examples of the existing beliefs, methods, or practices that have guided auditors and auditees in the past.

Let's take a specific example.

Suppose you're examining the controls over electronic data transfers, say between two servers or locations.

Start by looking at what are the assumptions that others are making. In this case, the assumptions (possibly what the auditee is telling you) could be that:
• the current data transfer method is the only practical option;
• the data is encrypted and hence secure; and
• regulatory standards are being met.

Awesome. You've achieved step one.

#2: Deconstruct the problem - break it into its fundamental principles

Now let's deconstruct each assumption. Let's try and discover the underlying truths. This is where you tear apart and evaluate each assumption; where you ask 'why' until you discover those truths.

• Why is the current data transfer method seen as the sole option? Perhaps because it's always been utilized, or the IT department is most comfortable with it. The first principle here is that data must be efficiently and reliably transferred between servers.

• Why do we believe the current data encryption provides adequate security? The answer could be because it meets current industry norms or regulations. The first principle is that data must be safeguarded from unauthorized access during transmission.

• Why do we presume regulatory standards are being met? This might be based on previous audits or reassurances from the IT department. The first principle is adherence to all relevant laws and regulations.

Awesome. Now, we’ve identified our assumptions, questioned each one, and discovered the underlying truths or first principles.

# 3: Devise new solutions from the ground up.

Now, take each first principle and brainstorm new solutions.

• Could there be alternative data transfer methods that might be more efficient or reliable?

• Should additional security measures be implemented, such as multi-factor authentication or extra encryption methods, beyond what's mandated by industry standards? This would add another layer of protection even if the encryption was compromised.

• Regarding regulatory compliance, could more regular checks be conducted, or an external audit be commissioned to validate internal findings?

By dissecting the assumptions and contemplating the problem from first principles, you could potentially formulate more efficient solutions to ensure better data security during server transfers. This could lead to improved security and compliance, and might even pinpoint efficiencies that can enhance system performance.

This is just a basic example to illustrate the process. Imagine the possibilities if you could fully adopt this method on every audit test. Not only will your efficiency at spotting conditions skyrocket, but you'll also be proposing solutions that others couldn't have envisioned.

There's no limit to where you can apply it. Here are a few examples.

1. Risk Assessment: Internal auditors can use first principles to evaluate risk by considering the basic causes of potential issues and assessing the efficacy of controls designed to mitigate those risks.

2. Process Evaluation: Internal auditors can use first principles to evaluate processes by breaking down intricate procedures into smaller, more manageable components and assessing each part based on fundamental principles.

3. Control Testing: Internal auditors can use first principles to test controls by scrutinizing their fundamental design and ensuring they're based on sound and internal control principles.

4. Root Cause Analysis: Internal auditors can use first principles to identify root causes by considering the basic drivers of the issue and determining the most probable cause.

5. Auditing Best Practices: Internal auditors can use first principles to evaluate and develop best practices in internal auditing by considering fundamental principles like objectivity, independence, and risk-based thinking.

A final note on First Principles. They can be a powerful tool when applied to questioning procedures; procedures that have always been done a certain way, but no one really knows exactly why. For example, as internal auditors, we encounter scenarios in both the auditee organizations and audit organizations where the justification for certain procedures is "that’s how we’ve always done it".

There are perhaps an unlimited number of processes and procedures that exist where, if you ask why it's done a certain way, there's no logical response. Sometimes, instead of admitting they don't know, people will cite "best practices" or "industry standards"; but they cannot provide any evidence that these standards or practices actually justify their actions.

Likewise, when you start digging into the "why", you'll sometimes discover that technology has evolved, rules or regulations have shifted, priorities have changed, and so on; but nobody has taken the initiative to update the procedure based on new information.

In summary: leverage the First Principles framework to question everything. Implement it in all your daily activities as an internal auditor. Use it to identify and solve auditee challenges. Apply it to improve your audit organization's operations. Once you fully implement it First Principles and start applying it to everything you do, I think you'll be happy with the results. In fact, you might even be able to 2X your results.