It’s a marathon not a sprint


I am an avid consumer of news. The global news is depressing and sad at present; nevertheless, I think an understanding of the currents and flows of global events is helpful context for life. So I engage, whilst at the gym, and with a reputable source, the BBC.

This story struck me in particular: https://www.bbc.com/news/world-asia-68738694 It is a post-event analysis of why the recent Taiwan earthquake did not cause so much damage, in contrast to the devastating earthquake in Turkiye, or even the last major Taiwanese earthquake 25 years ago. The article patiently and consistently narrates how a series of coherent actions in relation to planning and building codes, backed up with consistent oversight and enforcement, together with training of the population, deployment of sensors and the establishment of disaster response protocols, mitigated the impact of this quake.

In a world where creating deep and lasting change seems hopeless and impossible, it is a good, practical lesson in how this can, and should, be done. I consider the same to be true within any significantly complex or large organisation. There is a need to take time to analyse the problem, set out some principles within which action can be organised, then develop a plan of consistent and coherent actions, deployed over time, to enable success. This, for me, is what a control framework is.

The internal audit profession, where it sees controls in purely process, legal or transactional terms, is only engaging with half of the point. Sure, a rules-based approach is possible. McDonald’s, most airlines and military organisations show it can be done. Most organisations, however, lack the resources, time, capability and need to enforce such a level of command and control. Most organisations rely on a mix of rules, legal controls, processes and cultural controls. Auditors must understand the latter in particular, for culture eats all other controls for breakfast. If the centre of cultural gravity of an organisation is towards X, then it is highly unlikely that anything other than being rigid in setting, overseeing and enforcing controls, over an extended period of time, will make any difference.

So for me, a control framework is a complex web of activities, actions and processes that requires consistency and application over a period of time. That is not something we, especially in an internet world of immediacy and gratification, are willing to hear. In other words, good control to achieve a difficult or complex objective is likely a marathon, not a sprint.

Of course, there are things that can speed up change and enhance control. Prioritisation is one: focusing on an overall goal and making it visible and clear to everyone in the organisation. Being proactive and thoughtful about the cultural aspects of control, those that reinforce and those that detract from the goal at hand. Good oversight, ideally by management themselves, but supplemented by good third line oversight. Also a strong commitment to enforce those actions, especially when the actions or overall plan of work become tough, for example where money is limited or the strategic horizon for the organisation is challenging. I recall when I first worked for a professional services firm, it had a strongly traditional, male-dominated and toxic culture. This did not change through rules or training or internal communication. It changed when the organisation was brave enough to sack senior staff for not being more humane, diverse and modern in their approach to work. This sent a cultural signal that no amount of all-staff emails could replicate. I am glad to report that I see professional services firms now, and corporates more generally, as beacons of diversity and commitment to humane workplaces. They benefit now from ‘seeing’ the many employees they never knew before and never attracted in great numbers previously.

So what’s my point here? My point is that a control framework is a marathon, not a sprint. Big change takes time and, like the amazing results in Taiwan, is well worth the effort and energy expended. So next time you are doing an audit, audit longitudinally, not just at a point in time. Let me know how you get on!


I’d like to build on my last blog post about systems and systems thinking. It’s clear that building and maintaining systems is hard work. As auditors we can see when our clients run out of energy and will to maintain and deliver systemic responses to risks or challenges. Often you see this in organisations that are large, bureaucratic and long-established, but I think it can happen in any organisation. It’s a sense that overseeing and enforcing policies and standards is just too difficult or requires too much effort. As internal auditors I think it is our role to point out, push back and energise our clients against such complacency.

A good example is safety standards. I imagine that following some of the very detailed requirements for operating an aircraft can become tedious. It’s that sense that this is bureaucratic. Keeping the exit row clear, making sure tray tables are up when taking off and landing, etc. They don’t feel necessary when things are going well. Yet they are essential when trying to empty a plane at pace when it catches fire, as in the recent example in the news at Tokyo airport. It’s the same for financial and procurement controls, though of course the circumstances are different. It’s the same for food safety standards in restaurants. Perhaps it doesn’t matter if an employee doesn’t wash their hands once, or food is not thrown out in line with use-by date rules a few times. Over time, however, the risk increases, and the one certainty about a risk is that, unmanaged, it eventually becomes an issue.

Just as systems can be effectively deployed to ensure things happen, they can also be deployed to ensure things don’t happen. Think about fraud or misconduct prevention. We have the now very public and celebrated example in the UK of the Post Office’s failed roll-out of its accounting IT system, Horizon. If you had asked me as an oversight professional how likely it was that vast numbers of staff, systems, data controls, oversight and governance would have allowed, for such a long period and to such a scale, the scandal that evolved, I would have said unlikely. Yet it happened. That scale of collusion seems almost incredible.

This, for me, makes the point that frameworks of control (which are systems) in fact embody very different types of controls. They comprise rational / legal / compliance controls. They comprise risk-based, principles-based controls. Most crucially, however, they embody cultural controls. Culture eats not just strategy for breakfast, but also other types of control systems. For, if the culture is to turn a blind eye, or to ignore certain types of risks, or to allow certain types of behaviours, then no amount of training, advice, risk management or governance will push that inclination back.

I have never worked at the UK Post Office, nor have I undertaken a detailed analysis of the Post Office in this tragic case. It seems to me, however, that culture played a key part in this. A while ago it was fashionable in internal audit circles to look at culture, I think largely on the back of the financial crash of 2008. Perhaps we, as the internal audit profession, should reconsider bringing this back into vogue. Understanding control frameworks from a perspective of culture and cultural controls, as well as risk / principles-based and rational / legal controls, should be embedded into our work as a matter of course. If I were an executive manager of a department of an organisation, hearing an independent view of controls and culture would be very important. It would be even better to hear it in the normal course of ongoing oversight work, rather than as a lessons-learned report on the back of some corporate failure.

Yet, this requires internal audit to be braver. Courage is one of the new elements of the revised IIA Standards for 2025 (the subject of my next post). It requires internal audit to own the space of subjectivity and opinion forming. It requires internal audit to own its independence. It requires individual internal auditors and internal audit leaders to step into this space more and to be courageous. In some cases it will require tenacity to get to the bottom of something and not let initial signs and indications of problems go. In the case of the UK Post Office, I wonder if a brave CAE, being courageous, could have literally saved lives.

Without prefacing my remarks in my next blog post about the revised IIA Standards too much, I think the new Standards are a big step forward and have some really good things to place the profession in a good space. We can debate whether making internal audit a creature of the board is necessarily realistic or smart, but the inclusion, overtly, of courage is a very clever step.

So my conclusion from this post is that courage, and cultural review, are essential to good internal audit. Saying things ‘as they are’, rather than how people would like them to be, or how they would like them to be presented, is crucially important. Standard 1.1 requires professional courage – are you ready for this?

Systems thinking


As I come to the end of another year I have been reflecting a little. I have been particularly lucky in my career to have had some fantastic colleagues to work with. Many have been personally and professionally inspiring and, in turn, have brought the very best out in me (I hope). As my roles have grown larger, in terms of scope, complexity, mandate and international reach, I have grown as a professional. That then brought me into contact with even more colleagues who were inspirational, and so the virtuous cycle of professional growth has continued.

As I have come into contact with a greater range of colleagues and partners, I have realised that internal audit, as a profession, risks missing the bigger picture of independent oversight. By independent oversight I mean oversight that is independent of management. Conceptualised this way one is suddenly much more aware of the great number of actors in this space. For example, on the assurance side of organisations, evaluations; inspections; financial statements audits; grant or contract audits; IT audits and specialist assurance; external inspection units; regulators etc. On the integrity side of things: ethics; ombudsperson; investigations; legal counsel etc.

When I was a young CAE making internal audit excellent was the most important thing to me. Being independent was also, as I saw independence as the core differentiator for internal audit. As I’ve matured (I hope) as a professional and as a person, I’ve come to see a more complex world, where internal audit is only successful if it recognises that it is part of a wider system. And yes, I believe this does mean putting internal audit in its organisational context. You can think about this in three lines if that’s helpful, but at any rate, understanding what the client organisation’s management, governance and other stakeholders need and are trying to achieve, and putting the effort and energy of internal audit into that. In this post however, I want to comment a little on internal audit in the context of the other independent oversight providers in the independent oversight system, rather than the broader organisational context, as that’s for another post.

So why do I see a need for IA to engage with other oversight providers? First, IA is generally small. Small in terms of resources and small relative to its client organisations. So, in order to magnify its impact it makes sense to engage with other partners and parts of the organisation to share the heavy lifting of oversight. Second, IA is a very particular tool. It has its own distinct profession and distinct way of approaching problems. Depending on its formulation (and to some extent where the new IIA Standards end up) it can be a compliance tool, a thinking version of a compliance tool, a risk-based compliance tool, or an independent form of risk-based consultancy. These may not be the right tools for a particular oversight job, however. Assurance over a highly technical area may require a technical inspector, say for airlines, tech companies or chemical companies. Or the organisational challenge might be one of general management or strategic choices, where consultancy or evaluation is needed. The challenge might be one where the organisation, or parts of it, are highly sensitive. A public, formal, published internal audit process may not be a helpful solution. One can see a range of organisational challenges to which IA is simply not well suited.

How can IA go about being helpful to coordinate and get the most out of independent oversight then? Well, there are a bunch of practical steps that can be taken. A coordinated oversight plan, ideally online and in real time. This helps plan the work and avoid practical space and time overlaps. A coordinated recommendations / outcomes tracker. This helps to share and make clear messages from the oversight community. It helps management to respond and senior management to see how things are going. Coordination meetings. People will often say things which they will not write down. So provide a forum as a safe place to share half developed thoughts and challenges amongst the oversight providers.

IA can go further though. It can look at the system itself. Is it a system? Does it work coherently? Is the balance / resourcing of oversight right (i.e., right types of oversight applied to the right issues)? Are there overlaps / duplications? Or are those overlaps sensible and make sense? (I’m a great believer in a fuzzy logic oversight system by the way, so overlaps are fine with me) Are the major issues of the day being tackled in the right way by oversight providers? Similarly is there too much oversight ‘ambulance chasing’ and not enough focus on the boring, but important, long term organisation strengthening type of oversight work? IA can, and should, also have a legitimate role to comment on the system as a whole – it has the skills and abilities to assess the effectiveness of systems, so serving up an assessment of this to particularly senior management, is a service IA is well-placed to provide.

So, at this time of new year’s resolutions, mine is that the internal audit profession lifts its eyes upwards and is less inwardly focused, instead taking a role to see oversight (both assurance and integrity) in systems terms. IA, when I was first a CAE, claimed the third line all for itself. I never thought that true then, and I don’t now. I do, however, see IA as having a critical role in the third (independent of management) line space to make sure oversight works to the benefit of its client organisations and their stakeholders.

Internal audit is boring

Having last blogged about how internal audit gives me real joy, this week I’m going to suggest it’s boring. No, it’s not because I’ve had a terrible few weeks at work, or that I’ve fundamentally changed my mind about internal audit, or that I was in any way insincere about my views of internal audit. It is because internal audit, being fundamentally about internal control (which I define as managing to a target risk appetite), is boring.

It is de rigueur now for everything to be quick and easy. We have short, snappy PowerPoint slides. We have root causes, where everything is about one or two simple changes. Science, evidence and rigour are boring. We don’t read detailed documents and analysis any more. Decisions are taken by pictograms and impressionistic views. The world is flooded with marketing images, image over substance. I blame the internet, where everything appears possible, simple and immediate. We all, me included, suffer from a culture of expected immediate gratification.

As a person who has studied the concept of marketing in the past, I do understand and value how impressions, culture, values, image etc. play a much larger role in the success of organisations and their endeavours than they would have done, even as recently as the last century. The Apple corporation taught us the benefits of image and simplicity. Yet, it is the challenge of taking this simplicity and imagining that things really are that simple, that is the problem.

As an accountant, internal auditor and an MBA graduate, I can see the complexity in things. Over my many years working with clients I can see decisions taken in a world of simplicity unravel when confronted with reality. There is a whole public sector management academic literature around ‘wicked problems’, problems that are multi-faceted and difficult to tackle. Any modern organisation of any scale has these complexities in their internal and external environments. So how does / should internal audit react to and tackle these things?

Well, I think first of all, internal audit should continue to eschew the idea that everything is simple. That’s not to say internal audit shouldn’t try to look for the connections between issues, or attempt to analyse things to get to their root cause. It should not, however, pretend things are simple because it feels its clients are unwilling or unable to deal with the challenge of complexity. Nor, in my view, should internal audit fall into what I call the ‘glibness trap’, where internal audit either just performs reportage of a bunch of obvious-to-all issues, or uses AI or any other tool to produce stultifying and banal traffic-light reports that have little or no meaning (though I am a fan of a framework within which IA reports).

Internal audit should carve out some space for more in-depth, evidence-based, risk-based analysis. It should provide an executive summary to its reports of course, but should not be afraid to spend time weighing evidence and making connections to convert data, via analysis, into information. I am a great believer that individuals and organisations should spend at least 20% of each period thinking and analysing and 80% doing. How many times have we as auditors come to look at something and genuinely wondered how it got to the place we see in our work? I think the thinking space applies equally to internal audit.

So why do I think this is all boring? Well, any human endeavour takes a lot of consistent actions over a period of time. Yes it’s attractive to think we can lose weight by a miracle fat burning pill, or one or two exercises. The reality is it requires a consistent period of measured and sensible eating and regimen of exercise over an extended period of time. I fear the modern world, us as individuals and the political, administrative and corporate systems we have set up, are finding it increasingly difficult to engage in such work. Yes, it’s boring. Yes, it requires discipline. Yes, it is not going to make you or an organisation feel it has made a miracle step. It is, however, ultimately what moves the centre of gravity on any issue forward.

I see internal control as being like going to the gym. You have to work at it constantly, you never ever ‘get fit’. It is always a calibrated judgement and requires a consistent set of actions every day. It’s not something that is natural, or how most organisations and people act, so internal control requires positive, deliberate, activity to make it happen. Internal control only becomes a reality after some period of work towards a clear set of goals and alignment of a coherent set of actions behind them. It also requires fact-based oversight and monitoring to ensure it is occurring as intended.

If internal audit is to opine on internal control, i.e. the management of risk to a defined target risk appetite, then internal audit must, therefore, be boring also. Internal audit must be able to give boring messages to its clients’ management teams: that it is management’s job to manage, and that this requires, sadly, a boring regime of clear goals, clear coherent supporting actions, measured and overseen outputs, and consistency over a period of time. Whilst these messages are unfashionable and unwelcome, it is what internal audit, in 2023, in my view, should be focused on.

I welcome your thoughts – are you brave enough to be boring?

Internal audit joy

I am an experienced CAE. I have had a number of roles in the independent oversight landscape, in progressively more complex and large scale organisations. There have been a lot of challenges and difficulties. What has given me joy though? Would I recommend internal audit as a career? Is it a good place for talented people?

When I started in internal audit and oversight, it was always in the shadows. In the shadow of external, financial statements, audit. In the shadow of the finance function. In the shadow of risk advisory. In the shadow of consultancy. Yet, I still took up the challenge of being a CAE. Why?

I think simply because it is interesting and rewarding. First of all, I have a low boredom threshold. I am not a person who can wake up on a Monday morning and motivate myself to do the same thing I did every Monday beforehand. So my absolute worst job would be to be a management accountant. No disrespect to management accountants, they do a wonderful and needed job. I could not imagine X number of month ends until I retire. I know lots of professional jobs offer variety. Variety of clients, variety of tasks and jobs. Internal audit, however, has variety at its core. Even if you work with a single client (i.e. in-house), the variety of work that an organisation can offer is seemingly infinite. As a CAE you have more agency than perhaps as a team member, but I have always sought to give my auditors variety. It keeps them interested, motivated and broadens their skillsets. I love being a marketer on Monday, IT governance the next, HR the next. Of course an internal auditor is not an expert in each, but has a legitimate mandate to engage with professionals in each of these professions. So variety is something I would recommend to graduates.

Secondly, internal audit offers a holistic view of the organisation. When I did my MBA degree I loved seeing across the professional divides and the different organisational perspectives that each profession has. I can still tell, without being told, what profession the person I am talking to has, because those viewpoints are deeply embedded and are cultural. Put simply, HR sees the world in HR terms. Legal, risk, marketing and comms, IT, etc. are the same. The best professionals, in my view, are those who have more than their narrow silo of training and have general business training as a supplement. Internal audit has to see the world holistically, as its day job is a bit of everything. Seeing strategic and organisational interlinkages is one of the key differentiators of the internal audit profession. I would caution, however, that an internal auditor who has not broadened their skillsets can also have a strong intra-profession view, which can be a weakness in some IA functions.

There are lots of oversight professions that coexist in organisations. I value each for their own backgrounds and what they bring. Grant auditors, financial statement auditors, risk management, evaluation, ombudspeople, ethics professionals and investigators. All are great oversight tools. Internal audit has, however, a mandate to be inclusive. It seeks to look at how the whole organisational picture adds up and form a view about whether it is greater, or at least effective, in the sum of its parts. This cross cutting remit is super complex, but also stimulating.

Thirdly, internal audit gives me joy through its ability to be strategic, tactical and operational. For a truly risk-based audit needs to look at how risk really manifests in an organisation. It manifests through strategic challenges and objectives, that require cross-organisational and cross-cutting responses, that are consistently delivered on the ground operationally. Thus an auditor needs to be able to work at all three levels of an organisation. This requires a really broad-based thinking ability and experience. Thankfully, a good internal audit function should provide that experience to any young professional.

Fourthly, internal audit is legitimised inquisitiveness and nosiness. Internal auditors are required to be critical, skeptical and to dig into the world around them. Internal auditors also have access to persons, papers and explanations as necessary to do their work. So they can wander into the most high-level, sensitive and challenging spaces. Not only is this interesting, it also provides often relatively junior staff with a high level of access early on in their careers. This is good for personal and professional development.

Fifthly, as long as an auditor is professional and polite, they have freedom of speech. They are able to, and should, challenge the organisational totems, sacred cows, and red lines, in a way that those in the management line cannot. Of course this power should be used responsibly and in the best interests of society at large, the clients’ stakeholders and the client themselves. What a joy to be able to give wonderful compliments and support to drive progress, or robust advice and sanction to avoid problems.

Finally, internal audit is present in almost all sectors and globally. So the ability to have all of the above joy-sparking attributes, is present in most places. So if you’re passionate about fashion, airlines, international development, government, manufacturing – whatever it is – you can access this via the internal audit route.

So as I reach the end of another busy and varied week, would I recommend an internal audit career to a young and talented person? Absolutely.

What sparks joy for you?

Second and third lines and oversight


Despite my attempts to move away from my core blogging theme this year onto more diverse and discrete subjects, the overall theme of the profession being in some existential, self-reflecting, inflection point mode for 2023 seems to be valid still. So I am going to go with it.

The thought leaders of our profession all seem aware that the almost surreal certainty the IA profession has had over the last 30 years is now to be replaced with a distinct sense of a need to make a choice. It is a need to make a choice about where the profession sits, yes, vis-à-vis other professions (accountancy, risk, evaluation, audit), but much more importantly where it sits within the constellation of corporate functions. In this case vis-à-vis finance, HR, marketing, IT, treasury, oversight, risk management, comms, etc.

For if internal audit is to be ‘internal’, and I’m a great believer that it should always be, then its organisational position is crucial and matters. I think IA has made the argument successfully that IA should be a third line function, i.e. independent of management. The practical manifestation of this, especially but not exclusively in the private sector, can be variable, for example reporting to the COO or CFO. Where IA has made much less headway is in the claim that the third line is only IA. The main reason for this is that it puts other functions that are internal to the organisation but independent of management in limbo. They are neither regulatory nor are they second line, a term I have always taken to mean management functions independent of line management but part of corporate oversight. To confuse the picture further, the banking sector tends to create a range of so-called second line functions that are independent of management: risk management, compliance, corporate investigations. Some models say IA is the third line, others that the third line is providers of independent assurance.

Put simply, the corporate landscape, even or especially with the application of the three lines model, is confused. I am increasingly seeing team management getting very confused about what all of these functions do and their standing. It is all becoming a big wall of ‘oversight’. In addition, different business sectors have their own traditions and structures. I have worked across a range of private, public, financial and government sectors and they all have interesting corners of organisational structure. For example, public sector organisations, particularly those with programmes to deliver public policy, often have evaluation. This is a form of objective review that exists in first and second line management (commissioned by management but delivered by a team separate from them) and as a corporate oversight function à la internal audit. Aside from positional similarities, its professional modus operandi is to ask big questions of policy and ‘are we doing the right things’ questions. This is markedly different from IA but helpfully complementary to it. To take another example, we can consider corporate investigations of staff / contractor misconduct. In my current sector these sit in a clear third line, independent of management, space, which to my mind makes sense, but they are not providers of assurance as the three lines model would hold. For other sectors, including the private sector, these functions are either done by HR or by a separate, second line, function. You could argue that banks’ model of having, say, corporate investigations as a second line but independent of management function therefore makes sense, as it is a non-assurance-providing but independent function. To my mind, though, this then blurs the role of others, say risk management, who have a role both to support line management to deliver better risk management and to provide a measure of independent review of line management’s handling of it.

My personal preference is to see the second line as a corporate function, independent of line management, but not a corporate management function. The third line can then be more clearly understood as those functions independent of management with a line to the board. This makes more sense of the public sector’s use of evaluation, independent investigations functions, ethics and ombuds offices, etc., often under the umbrella of an overall oversight provider, in my case an inspector general.

I don’t think, therefore, that the IA’s best strategy is to wait until either the three lines model, or a new theory of corporate organisation takes root and becomes generally accepted. For in the interim period, likely a long time, IA will float about in a sea of uncertainty. What IA needs is some mechanism or hook on which to have a profession-wide debate to discuss and align around a common position. If only there was some process or global document that could prompt this…

So this brings me to my clarion call for the year. Please can we, as a global profession, take the opportunity of the new IA Standards to have this debate. Given the various thought leaders of the profession have raised a bunch of concerns about the draft, including my core observation that the Standards are missing a clear purpose for internal audit, can we perhaps pause their implementation by a year and have a good debate on it?

I am genuinely happy for everyone that exists in a world of certainty, either professionally or personally. In many ways I am jealous of such people. All I can see, across a range of areas in 2023, is uncertainty. If IA is doing its job properly this should be fertile space for a good risk-based IA function to add real value to its clients.

So, is it time for the profession to debate our corporate role? Do you have clarity on where you fit within your client?

Artificial internal audit (AIA)


Here’s a blog post I’ve been pausing over, but have known I’ll need to write something about at some point. Given the speed of AI’s march, sooner would seem better than later.

My first awareness of AI, beyond science fiction films, was Mike Jacka’s post on LinkedIn, likely from his blog, I can’t recall. It set out a perfectly plausible short executive narrative from an internal audit report on procurement. The big reveal at the end was something called ‘ChatGPT’ produced it. From that point onwards, it was clear to me that AI has real power to disrupt oversight, including internal audit, in a way that nothing really has for the last 20 years of my career.

Perhaps I am an atypical internal auditor in that I like to see orthodoxy and rules challenged, particularly when they are not meaningful, in organisational contexts. For me it is better to have something meaningful and effective that has a centre of gravity of behaviour, need, culture etc. rooting it, so that it becomes consistent, deliverable and operational. So the prospect of something disrupting internal audit as a profession does not particularly fill me with fear or dread. I also recognise that AI has exactly the same impact for all corporate and organisational functions.

Also, my blogging theme for this year has been about IA as a profession being at a tipping point. So the global institute’s look at the purpose of internal audit is both needed and helpful. Given AI will disrupt it in any case why not wrap this into the discussion? The whole thing might be serendipitous.

Like most people reviewing AI, I am still trying to work out its contours. Not only does it seem to be evolving quickly in terms of capability, but organisations are rushing headlong to use it. There is a sense that if you’re not using AI you will be left behind. This has a similar feeling to the introduction of the internet back in the day, where I remember the professional services firm I worked for was convinced this would change life overnight. I have to say, many of the predictions they made at the time may have taken time to be felt (c.20 years), but they have been felt on business, politics, culture and the whole of society.

Like the internet, I think whilst the technology of AI will proceed quickly, its real world impacts might be a bit slower – though not as slow as the internet took to impact I’m sure. Also like the internet I don’t think AI brings universal benefits – not least some of the dire warnings from those who created the technology and companies asking for regulation, which almost never happens.

Being a boring internal auditor, I do think all organisations should understand what AI is being used for, how and where, and have a corporate view of it, including some meaningful impact and risk assessment on the business. What will benefit? What will need to be different? What will not benefit? Some businesses will lose their markets, as all technologies render something redundant. Who are the equivalents of the producers of video tapes or CDs when online streaming arrived, in the AI context now? There are also insufficient ethical and moral debates going on in most organisations; rather, AI work is being driven by a FOMO (fear of missing out) approach.

I’ve had a dabble in AI. Like most I do not claim any deep knowledge of it, but I recognise that I must become a competent user of it at least. I see the tools and ‘apps’ using AI coming out every day. Some of those will stand the test of time, others not. We should try them and see what works. Like others I’ve produced some basic documents and asked some basic risk questions. At present I feel underwhelmed. It’s a little bit like reading a written test during a recruitment process. Boilerplate stuff, without the deep knowledge and context. Nothing particularly wrong – though I understand AI is not above making facts up to support its narrative – but also nothing particularly insightful.

That brings me back to internal audit. A lot of internal audit output is already a bit like AI-produced material. Nothing wrong with it, but somehow non-specific and not grounded in real contextual insight. A lot of this comes from those IA functions required to publish externally, i.e. you don’t want to crystallise the real risks by reporting them publicly. The resulting output, negotiated between executive management and IA, will most likely therefore also have this same sense of boilerplate writing.

So there is something here that requires internal audit to move up the oversight value chain. It is the real testing of an organisation’s controls over the risks to its objectives, in the full human, cultural, organisational context, that feels like where IA might settle after round one of AI. For IA generates content, whereas AI (at present) consumes and structures it. At the moment organisations are still run by humans, so the understanding of humans and how they do that should, in my view, still be required, and IA is right to do that.

Given how long IA took to adjust to IT and digital data (and still is, in my view), I am sure IA will need to do a quicker and better job of understanding AI. It seems just as IA and oversight bodies get used to the idea of evidence being digital, we have to get used to the idea of these data being fake. This will play havoc with investigations work and audit work alike.

I think a lot of us in the IA profession have got used to a period of relative stability which is about to come to an end. The IIA Standards exposure draft reflects that uncertain future to some extent, seeking to retreat to processes and procedures that somehow feel comforting. I think, however, discomfort is going to be the new feeling for the rest of the 2020s, and I think leaders of the profession are going to have to get comfortable with it.

I guess I will need to write more on this in due course, and may look on this post as being strangely prophetic or pathetic in its musings in due course. So I ask, how discomforted are you?

Time and place

My thinking about internal audit’s place in the world and the corporate setting has evolved over time. I consider myself to be very lucky to have been a professional chief audit executive, in charge of my own team, for a very long time, since 2006.

Being an internal auditor is a privilege. It affords an interesting career. It enables a strongly cross-cutting view of any organisation, from strategic to operational, cross-functional, and global. As I have a low professional boredom threshold, being an internal auditor has suited me well. No other part of an organisation, apart from senior non-executive management, affords such a vantage point. It does this without the operational burden of executive responsibility. For me, therefore, it’s the perfect mix of being able to think, theorise, influence, improve and quality assure the client organisations for which I have worked.

I have also been super privileged to work for organisations that have amazing missions. Not for me the single objective of profit maximisation, but the more complex public service and multifaceted worlds of organisations driven by difficult, but worthy, missions. This makes being an internal auditor in these organisations hugely interesting. There is no single, financial and measurable metric of performance, rather a complex web of choices, trade-offs, and moral and ethical dilemmas.

Even when I started my career, internal audit was not straightforward. Yes, of course compliance was easy – management set out rules, and the question was whether those rules were followed in practice – and the rules themselves talked about defined, clear and measurable processes, mostly financial, which could be aggregated into a single statement of internal control. Internal audit even then was reaching out to ‘add value’ by analysing how these rules were applied in practice.

Yet, when I started my career it was clear that for internal audit to be valuable it had to somehow step into the world of management. Not in executive terms – that’s a clear no-no – but in terms of somehow helping management with the daily experience of their lives. Management had to make difficult choices, often with limited resource, unclear or limited data, capacity and people challenges, with an ever changing external world, most especially customer or stakeholder demands. Internal audit had to be credible and meaningful in this space.

Internal audit’s answer to that, in the late 1990s and early 2000s, was to be ‘risk based’. Of course, the IIA Standards did not really define this well, as the Standards, certainly in iterations prior to the current exposure draft, were purposely vague. This allowed a broad church of thinking and practice to flourish. The UK IIA, now Chartered, put out some guidance papers, but thinking on what it is to be risk based seemed to get stuck at the concept of an ‘audit universe’. This cut the client organisation into manageable pieces (auditable entities) and then ordered the pieces into ‘risk’ order. This was primarily a complex set of scoring that did little more than slightly amend the order a relatively knowledgeable person could achieve with the application of five minutes of common sense. Of course the measures of risk were typically gross measures, not net, and took almost no account of organisational objectives or the current control environment or the target or intended risk level of the organisation.

This approach followed very much the ‘follow the money’ adage which, whilst not always wrong, especially on fraud or misconduct investigations, in audit terms really became obsessed with size. I’ve learned however that risk in most organisations is managed through a combination of rules, processes, people and culture, which are not always about size. Risks, as actually managed in organisations, are also rarely simple and two-dimensional; they are managed by a range of actions, large and small, tangible and intangible, across an organisation, and require a range of coherent actions to manage them. In other words, risks are more likely to be a thousand cuts, through a thousand control weaknesses, mediated through people and culture. Auditing an organisation, brick by brick, doesn’t cut it.

In my current role I have a specific mandate to coordinate all independent-of-management oversight, and independent-of-management integrity response (i.e. fraud response and investigations). Some of these components sit directly within my control, others not. It’s always been very clear to me that internal audit does not, and cannot, exist in a vacuum. It is part of the wider organisational structure, both within the independent third line entities, and external independent oversight entities and the three lines, including ERM but also HQ corporate functional oversight.

Coming to that realisation, you understand internal audit is but one tool to be used in this space. A good CAE should map and understand how second, third and external oversight fit together. Internal audit should, without taking a dogmatic approach, be able to flex to fill the spaces other providers cannot. For those internal audit functions that include a corporate investigations function, understanding the map of integrity providers, ombudspersons, regulators, HR, legal, ethics offices etc. is also important.

I am now, some number of years into my career as an internal auditor, realising that internal audit has come of age and has an invaluable corporate space to occupy. I also see that, and this is my blogging theme for this year, now is a critical tipping point for the IA profession to really think about its raison d’être.

The IIA exposure standards, given the challenges highlighted by many in their current construction, provide the IIA with a real opportunity to start a meaningful debate about what the strategic purpose and role of internal audit is. This section is blank in the exposure standards at present. I think a good place to start is to understand the space it occupies in reality in many organisations and to try to infer how organisations are using IA at present. That might provide a clue about what is going well and what needs to change. Perhaps the Global or UK institute might step up to the plate here?

Bored or Board of internal audit?

Continuing my theme for my blogs this year on internal audit professional angst, I want to give some thought to the relationship between internal audit and the Board (or equivalent governing body).

As an internal audit professional I have always had a measure of ambivalence in my relationship with the Board. I have seen the current IIA Standards and their clear, formal and periodic links to the Board via the Audit Committee. I have, however, interpreted them as a little ambivalent. As a CAE I have always seen the relationship with the audit committee as a key one to be nurtured. After all IA is the key tool, independent of management, that gives the audit committee the ability to do its job of oversight.

I have been exceptionally lucky to work with some great audit committee chairs, who understood the role of the audit committee vis-à-vis the board, and vis-à-vis management. The audit committee, though in some measure independent of the board, is also a creature of it, and is firmly ‘team governance’. Also of course, particularly in the public sector, IA is but one oversight provider, so the audit committee has a range of oversight clients. So that direct relationship with internal audit can be one of many for the audit committee.

The Standards have also been a little bit ambivalent about the relationship between the Board and IA. Yes, of course there is the formal approval of mandate, the formal approval of the board for a range of IA steps and processes, the accountability of IA to the board through the audit committee. There was, however, in the Standards, a strong recognition that IA also has ‘Team Management’ as its client. Ultimately IA and the board are both oversight-of-management structures, but the Standards recognised that IA had a strong and equally important relationship with management, in particular with senior executive management. It is still the case that IA often has a strong reporting relationship with (ideally) the organisation’s chief executive or (less common and less ideal) the CFO.

As a long-serving CAE I, like many other CAEs, have had to balance that careful relationship with management and governance. Whilst team management and team governance are getting on well, this is less of a problem. When those horses part ways, IA risks being stuck holding the reins of the chariot between the two. From experience that is not an easy place to be.

So, to the new, proposed, IA Standards. These appear to push IA into a team governance, oversight and regulation space. To my mind the strength of the Standards’ provisions in this regard risks being problematic. They risk driving a firm wedge between IA and management. A good CAE and good IA function, to my mind, is a bridge between management and governance. They ‘oversee’ or ‘garden’ the governance of an organisation to make sure the organisation, as a corporate vehicle, is able to self-regulate and be effective. It is this subtlety that many experienced CAEs deliver, unseen and unnoticed by many, that is critical to the effective functioning of their client organisations. It is also the difference between a junior and a more experienced CAE. I know in my first CAE post it took me some time to understand and deploy an effective intervention in this regard.

I know a range of thought leaders in the profession are finding the draft IIA Standards challenging, and I think I would add this board relationship aspect of IA to the pile of things to be considered deeply before finalising the revised standards.

I am a passionate believer in the power good IA can bring to any organisation. This subtle link role between team governance and team management is absolutely critical in my view, and should not be disturbed lightly by any revised IA standards.

So how subtle are you?

Governance, again!

So as we reflect on another round of corporate failures, this time in the banking sector, we see once again that governance is the issue. Yes, sure the regulators are partly to blame – but controlling a global industry from outside of corporate entities, via a set of global or country-wide rules, is not easy. One size does not fit all when it comes to regulation. It doesn’t matter what the regulator is regulating – schools, childcare, policing etc. – the regulator can only go so far.

So I read, with interest, Andrew Edgecliffe-Johnson’s piece in the European edition of the Financial Times. He points out that the two American banks at the centre of the recent problems had poor governance. Not just weak governors, or governors that were a little below par, but obviously weak governance. At Silicon Valley Bank, for example, none of the risk committee had relevant banking expertise, though one had experience of the premium wine industry. At Signature Bank three of the CEO’s relatives were employed. On the back of these facts (assuming Andrew is correct) I would add another question: where was internal audit?

We’ve been agonising as a profession in the last few weeks, prompted by the issuance of the draft IIA Standards, about internal audit’s purpose. For me, internal audit’s purpose is clear. It is to be the guardian of good governance. It should exist to provide the regulators and stakeholders of any organisation, in any industry or field of operation, with assurance that the organisation is well run, efficient, effective, well controlled, and operates with good governance. Internal audit, being inside the organisation but independent from it, should have the detailed knowledge and independence to call out these issues. Perhaps if IA had done so for some of these banks, then they might still exist now.

We can all point, in our industries and business areas, at organisations that have failed. Sure, some failed due to a complex set of circumstances that only became visible with the benefit of hindsight, for example those companies that got left behind by technology, or by a significant change in customer demands. Most, however, fail due to egregious governance or business failures, usually driven by self-interest in higher returns without considering the related risk. This is a space where a dispassionate internal audit function can add value. It can point these things out without fear or favour, to management, governance and regulators alike.

Now I don’t see internal audit filling a space of being an internal regulator. An internal audit function, in my view, will not be successful if it becomes the policing function of an organisation. Internal audit is at its most effective as a partner and trusted advisor, willing to point out problems when needed in a supportive and encouraging space. IA must sometimes, however, be brave (a point in the new exposure draft of the Standards) if necessary to protect all of an organisation’s stakeholders.

As I suggested in my last blog post, and those throughout this year so far, the IA profession is at a bit of a crossroads. It does seem to need to find its purpose in life. Do we need any more hints before we take up this important mantle?

Please IIA Global – have a proper debate about IIA’s purpose, and add it to the new Standards!