NAPE - Not Another Policy Engine Help

The Genesis of NAPE

What Happens When We Speak Different Languages?

What happens when tech professionals use the same words but mean completely different things? This is the puzzle Bill Bensing set out to solve when he created NAPE. He saw that terms like audit, assurance, and attestation were used without a shared understanding or a common mental model.

This confusion often caused problems in how teams work together to meet compliance and quality standards. So, NAPE was created to solve these problems by providing a common language and structured approach for compliance and quality standards.

Discovering the Problem: We Aren't as Correct as We Think

Bill recognized this issue after co-authoring the book Investments Unlimited, which deals with overcoming internal friction in change management processes. He saw that tech professionals often use terms like audit and assurance without agreeing on their meanings, and without a common understanding of what it means to perform an audit or to provide assurance.

This lack of a shared understanding makes it hard and expensive to check whether an organization is actually keeping its own quality or compliance promises. Bill called this the Non-Falsifiable Problem. In science, an idea must be testable, so that it can be shown to be wrong if it is incorrect.

However, in compliance, it's often unclear what the test should be, and the rules change depending on who is creating or managing the compliance checks. Compliance checks are the actions we take to make sure that companies are following laws, rules, and their own promises. Without clear tests, these checks can become confusing and inconsistent.

Bill began asking, "Is there another field outside of science that focuses on creating clear, testable rules?" While working with Clarissa Lucas, the author of Beyond Agile Auditing, he had an important realization.

The Epiphany: What Was Missing in Tech-Focused Compliance

Bill's work with Clarissa led to a few key discoveries:

  1. The Audit Domain (Internal and External) was the field he was looking for. It already has structured ways to check if actions match claims.

  2. His own understanding of audit was incomplete. What many tech professionals think of as audit is very different from what formal auditors do.

  3. Tech-focused ideas about Governance, Risk, and Compliance (GRC) have very few formal rules for assurance and audit practices.

  4. Organizations like the Institute of Internal Auditors, the American Institute of Certified Public Accountants, and the International Auditing and Assurance Standards Board have the structure and knowledge that tech-focused GRC practices lack for audit and assurance.

  5. Concepts from these organizations are deep and complex. To convince tech professionals to adopt these ideas, they need to be easier to learn and use.

  6. If done well, NAPE could help low-code developers (Citizen Developers/Shadow IT) and pro-code IT professionals automate compliance and assurance, making it less frustrating by providing a clear, structured process.

One of Bill's key realizations was that professionals in the 2nd (and possibly 3rd) lines, such as those working in governance, risk, and compliance, want to, and can, build their careers by advancing beyond low-code drag-and-drop tools. Inspired by the IIA Vision 2035, he saw the potential for these individuals to become more than low-code users. They can find a middle ground between low-code and pro-code, where they use more capable, yet still accessible, tools to automate and manage assurance tasks. This is where NAPE can empower the 2nd line, allowing deeper involvement in compliance automation without requiring advanced programming expertise.

How Do We Know What We Know is Compliant?

A big part of the problem is rooted in epistemology, which is the study of knowledge—how we know what we know. In compliance, this becomes important because much of what we do is based on assumptions and informal processes.

Bill realized that compliance often relies on two unclear questions:

  1. How do I know that what you tell me is true and valid? – When compliance professionals get information, how can they be sure it's accurate?

  2. How do you know that what you think is true and valid? – How can the people providing the information be certain of their own knowledge?

Bill saw that many compliance claims do not have a formal, repeatable way to be verified. This realization led to the creation of NAPE. NAPE is a structured way to "know what we know." It helps teams define clear procedures, test them, and make sure compliance activities are based on real, verifiable data.

Last modified: 26 September 2024