
Inside Internal Controls

News and discussion on implementing risk management


Jim Comey and the practitioner’s dilemma

Practitioners face a dilemma when they confront challenges and must face down pressure to handle things the way higher-ups expect.

I have just finished reading A Higher Loyalty by Jim Comey, the former FBI Director.

It is an interesting book and I recommend it as long as you can approach it the same way you would approach any audit, investigation, or risk assessment: objectively, setting aside any bias you may have.

It is very easy to come to any situation with your mind at least half made up.

That is the path to failure when performing an audit, investigation, or risk assessment.

When reading a book such as A Higher Loyalty, cognitive bias[1] and confirmation bias[2] get in the way.

If you have already made up your mind when it comes to Comey and his actions, you need to set that aside and approach a book like this the way you, as a professional, would approach any other task.

Listen to all the information before making your assessment or decision.

I am not going to share my opinion on Comey or his actions, although I will have a couple of comments at the end of this post.

The book is interesting because he was in a number of positions and faced challenges similar to those many of us face.

Like us, he had to:

  • Speak truth to power
  • Try to act in the interests of the organization rather than those of his boss – and his own – making decisions and sharing information that those in a position of authority over him don’t want
  • Handle political pressure to act in a way he believes is wrong
  • Work for people he considers put their interests ahead of those of the organization

I can remember several situations where I faced a dilemma. I hope that I made the right decisions, but frankly am not 100% sure.

  • As an audit senior in public accounting in the UK, I led the audit of a large defense contractor. The partner had told us that, despite the prevailing wisdom that you had to wait until a project was at least 60% complete, it was possible to perform a ‘cost-to-complete’ analysis as early as 20% into a fixed price contract. The idea is that if you can reasonably project a loss, a reserve for that loss should be booked. I followed his guidance and it was very clear, based on information from the project manager and senior engineer, that the company’s largest contract would suffer a multi-million pound loss that was material to the contract and the financial statements. I communicated that to the partner. He reviewed my work and agreed. But when he met (privately) with the finance director to press for the reserve, the partner gave in to the pressure. He told me to change the assessment but wouldn’t look me in the face. I did what I was told – what option did I have? (By the way, the loss was booked a year later.)
  • One of my responsibilities as a vice president in IT for a large financial institution was the development of a data center disaster recovery plan. One of the first steps was to define the baseline assumptions. The executive vice president who was my boss’s boss dictated that we were to assume that every employee we needed for the recovery would be available when needed at the recovery site. Further, there would be no difficulties moving between the off-site location where we kept our backups and the recovery site. I should tell you that the data center, the off-site backup location, and the recovery site (by mandate) would all be within 30 miles of each other in Southern California – a major earthquake zone. I protested to my boss, but he told me to go along. I did. What choice did I have? I documented the assumptions, got them signed off, and moved on.
  • As a recently appointed vice president of internal audit, my team and I completed the investigation of a complaint against a senior vice president (a third level executive). I had informed the chair of the audit committee when we started, but neither the CFO nor the CEO. When it came time to inform the audit committee that the investigation was completed and no wrongdoing identified, I informed the CFO and he called the CEO. The CEO was livid that he had not been told as soon as the (anonymous) allegation had been received. The CFO relayed the displeasure to me and instructed me that both he and the CEO must be informed promptly in future. I stood my ground, although I was weak at the knees, and informed the CFO that the proper protocol was to limit awareness of the allegation and investigation – and not inform top management. One of the reasons was that we did not want top management to change their opinion of the ‘targeted’ executive; too often, guilt is assumed. Another was that we needed to keep the matter secret to protect the company should the allegation prove to be without merit but the target’s prospects and reputation were damaged. This time, my view prevailed (I was not fired) but it certainly didn’t help my relationship with either the CFO or CEO.
  • A few years later at the same company, my team uncovered a series of financial statement frauds. Fortunately, none were even close to being material to the consolidated financial statements. Even so, the CFO came to me and told me that he was in the process of working with bankers to float a debt offering. They were nervous about the investigations. Could I stop, at least for a while? I stood my ground and he backed off, but further damage had been done.
  • The next year, I had another problem at that company. There was clearly a common root cause for the several financial statement frauds: local controllers and management perceived pressure from corporate to ‘make the numbers’. There was insufficient evidence of specific instructions along those lines, but I felt actions needed to be taken by the CFO and CEO and that the audit committee should be informed. The top executives were not at all pleased but agreed to back me up when I shared the news with the audit committee. When the board members reacted strongly and negatively to the news, the CFO and CEO sat and watched. I believe I did the right thing, but I could not remain with the company after this.
  • Several years later, I was the vice president of a software company responsible for both internal audit and risk management when it was announced that we were to be acquired. The management of the acquiring company dictated that we had to migrate from Oracle’s to SAP’s ERP within six months. I put my team to work helping management assess and address related risks, which were huge. But word came down from the buyer’s CFO that we were to assume that there would be no finance or financial statement related risk. Of course, this was nonsense. I went along (in public) but did my best (in private) to monitor the risk. Frankly, I couldn’t do much because I knew none of the buyer’s finance team. I did inform my CEO, who would continue to lead the business post-acquisition, and my corporate controller, who would lead the acquired business’s finance function. Should I have done more?

As you can probably tell, all of these situations and challenges (and more) troubled me then and even now.

Did I maintain my integrity and professional responsibilities?

You can decide for yourself whether you would have made different choices to the ones I made – and the ones Jim Comey made.

Now for some thoughts on Comey:

  • He believed that he was acting with integrity and that he had a responsibility to make the decisions he did. He was willing to put his job at risk.
  • He believed that the Department of Justice and the FBI had to be free from undue influence from the President or others in the executive branch. BUT, he failed to stand up to the President and explain very clearly that position and the reasons for it.
  • He allowed himself to be intimidated by those in power.
  • He also did not enter into his relationship with Trump with an open mind. He had a clear bias, based only on what he saw on TV, that this was a man who lacked integrity and was a liar. Even though his preconceived notions about Obama changed once he met and got to know the man, his bias when it came to Trump didn’t help him at all.
  • Finally, he failed to build relationships with those around the President. As CAE, I knew the importance of building relationships at the top of the organization, not only with the CEO and CFO.

It’s not easy to be brave (enjoy the song).

I welcome your thoughts.

[1] A cognitive bias is a mistake in reasoning, evaluating, remembering, or other cognitive process, often occurring as a result of holding onto one’s preferences and beliefs regardless of contrary information. Psychologists study cognitive biases as they relate to memory, reasoning, and decision-making. Many kinds of cognitive biases exist. For example, a confirmation bias is the tendency to seek only information that matches what one already believes. Memory biases influence what and how easily one remembers. For example, people are more likely to recall events they find humorous and better remember information they produce themselves. People are also more likely to regard as accurate memories associated with significant events or emotions (such as the memory of what one was doing when a catastrophe occurred). (See

[2] Confirmation bias, the tendency to process information by looking for, or interpreting, information that is consistent with one’s existing beliefs. This biased approach to decision making is largely unintentional and often results in ignoring inconsistent information. Existing beliefs can include one’s expectations in a given situation and predictions about a particular outcome. People are especially likely to process information to support their own beliefs when the issue is highly important or self-relevant. (


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.