iPhone 6: when is more actually more?


I’ve been travelling again and, upon my return, the iPhone 6 Plus I’d ordered was around, waiting and ready for me to collect.

Now we’ve all heard the bend gate stories, the difficulty for Applephiles like myself to accept a ‘phone needs to be bigger than the previous versions. I took the plunge because the way I’ve used my ‘phone has changed. I make fewer and fewer calls. It is primarily my immediate access to the internet, to data, to information, to email, to my blog, to my online life. I take photographs and record my life in it. It reminds me to do things, tells me when I have not done things. It is my diary and notepad, my records, my books, my music player and my store of information.

So, when I considered what I actually want my ‘phone to do and what I value it for, I was happy to reconceptualise it as a ‘phablet’. Once I’d made this leap, it felt less like a big ‘phone and more like a small but acceptable minicomputer.

So how does this link to internal audit? Well, I think organisations, and the profession itself, need to reconceptualise internal audit: less as an independent police force enforcing the organisational (and actual) law, less in adversarial terms, and less in a pseudo-scientific conceptualisation of right and wrong.

So how should it be conceptualised? How can this be different? Is the internal audit paradigm moving on? If so, to what? Well I think internal audit is something more. It is not about laws, not about adversarial battle, but a form of independent internal consultancy. For a good internal audit is challenging of the management and leadership team, it is a genuinely difficult process, but not a negative one, a conversational, helpful, open, dialogue and debating one. For the answers to modern organisational problems are not easy to divine. If internal audit is risk based (and we are required to be) we should not be helpful to management to sort out the current problems (for those are issues), we should be moving the debate onto the future, the choices we make, the debates we need to have for tomorrow (risks).

So should an organisation want internal audit as conceptualised now? No. I think organisations need to reconceptualise internal audit as above in a different way, as an internal, thoughtful, organisational challenge and consultancy. We need, as a profession, to make this leap too. Sure, most internal audit functions struggle to deliver consultancy work, we go to great lengths to differentiate it from audit (falsely in my view). We are steeped in rules, in checking and verification, not creative thinking, challenging, debate and have a naturally destructive and negative outlook on life. This does not need to be the case. We have the context dependent knowledge and, when suitably trained, the context independent knowledge to make a damn good job of consultancy.

I am always surprised by others’ surprise, when the internal audit function comes up with an insight and is able to deliver a great piece of work. I think they have either experienced two-dimensional internal audit of the compliance kind, or have not really registered the level of business and organisational insight afforded to an internal audit function by default.

Yet, audit teams I have worked in, with, and led, have been strong in their ability to deliver a unique viewpoint and insight. This is one that is borne of being a trained auditor. It is an insight fairly unique to internal auditors and a viewpoint that takes training to come to. It is this I look for in senior auditors I work with. This is not to say the management viewpoint is less valid, far from it, more that it is different. If the two viewpoints were similar then a good internal audit function would soon run out of insights, viewpoints, and value to add. This is not the case in my experience.

The other lesson I wanted to draw from the iPhone 6 Plus is that, sometimes, bigger is better. I know long-time readers of this blog will say that this does not match my usual mantra of ‘less is more’, or ‘fewer is better’. I believe in generally higher quality and less in quantity. Sometimes, however, more is simply more. Like my iPhone 6 Plus screen, which is excellent and bigger, internal audit in most organisations is just too small to provide enough coverage. Fewer days, even if risk based (and most risk based plans are really justifications for a resource that is too small as the third line of defence), are just too few. Most businesses I have worked with and in are complex, and have an international component to them. You simply cannot audit them without getting into the detail and really understanding the real risks down ‘in the weeds’. Clearly there is a balance, and perfect should not be the enemy of efficiency, but most internal audit functions simply never get into the detail of the businesses they audit.

So my two thoughts are, first, that organisations and the profession’s stakeholders should not be disappointed in internal audit for not being like an historical conceptualisation of what the profession used to be. There is no point in judging internal audit as a ‘telephone’ when it does far more than make calls. Second, and similarly, the profession’s current remit and responsibilities will in many, if not most, cases require internal audit to be, simply, bigger. <1% (and in many cases much less than that) of organisational spend on assurance is just not tenable in the context of most organisations, when that 1% needs to deliver assurance over the 100%.

So, just as the ‘phone has evolved paradigmatically due to our evolving needs, expectations and use of it, so internal audit within organisations should be evolving, and is. Let’s embrace this change and judge ourselves, and be judged by our stakeholders, as something newer, better, and more fitted to the modern organisations we work so hard to support.

Good enough?


So I’ve been on a city break holiday in Europe. I had the pleasure of flying on a budget airline. Not the cheapest airline but certainly in the cheap category. You get the idea – cheap flights means basic service, basic food, a take-it-or-leave it approach to flying. Now don’t get me wrong, it was okay. Sufficient. Adequate. Good enough.

Now the core elements of a good flying experience were there. A clean plane, operated safely, with smart staff and some food available on board. Yet it fell short. It fell short of the more expensive airlines. Little things mattered in the experience: the food was basic with poor choice and not enough to service the whole plane; the luggage was a free-for-all as people had chosen not to put luggage in the hold; seat space was smaller with no extendible headrest; and the staff were just not able to really empathise with the experience of customers.

I wondered whether this was because the staff had never really experienced ‘good’. My holiday was in Paris. This is a classy city by any global standards. The place has good fashion, good looking people, good food, wonderful architecture, and really knows how to retail! So if you are a company with staff who have never received competitors’ better service, or good service in their personal or professional lives, are they able to really deliver it themselves? CEOs can introduce rules like ‘smile at the customer’ or ‘make sure all customers are offered a drink’ etc. People are not rules-based, so good customer service requires cultural change.

I think airlines are a bit like audit functions. Internal audit’s customers only really receive one provider, like flying one airline all the time. So it is for auditors working in these functions. They do not really experience others’ versions of internal audit. That’s why, when a new head of audit is appointed, they change the function as a first port of call: they refresh the perspective on the service and change it with that insight.

I am reminded of another example of this issue with an email from the Scottish regional IIA of the UK IIA, inviting me to attend a training programme on internal audit reporting. I think my service’s internal audit reports are great, modern, helpful, well-written and focused. Yet what if best practice is much better or much different? It is difficult to tell, being locked into the day-to-day business of delivery of an assurance service. What if my service is just ‘good enough’?

Well benchmarking helps, reading blogs and the work of others helps. I think the key thing is to have a good non executive chair of audit committee and management sponsor. I have been, and continue to be, lucky in my career to have the highest quality of people supporting me in these roles; really high quality individuals. These are able to really challenge and support the CAE in their role.

I would like to think that internal auditors, and CAEs, as hopefully good practitioners of the profession, are able to be objective and independent enough to put themselves into their customers’ shoes, to get a sense of their perspective and make their audits better than ‘good enough’. I hope and trust that I manage this too.

So are you able to really empathise with those whom you work with? Are you able to know when good enough is not good enough?

Turf wars?


So here’s an interesting blog post on the global Institute of Internal Auditors’ website: https://iaonline.theiia.org/internal-audit-is-in-the-midst-of-a-great-war

It’s about internal audit fighting a turf war for its space in the corporate world, with compliance, legal and other corporate functions. I’ve had this at various points in my career: various parties that claim to be better at providing assurance, or better at understanding the management team and providing advice.

Who are these parties? Well, external audit, who I’ve often seen treated with greater respect than the internal audit function, usually by chairs of audit committees who have come from that background, or who have never really been internal auditors or worked with a good internal function before. It always surprises me that internal audit, who are the audit committee’s and senior management’s eyes and ears, are not respected or used as much as they could be.

The others are advisors, normally from external companies, who reject the detailed and context-specific knowledge that internal auditors bring to the table. I suspect this is because although they may have context independent knowledge, they know they really lack knowledge of the business. I have, however, worked well with firms that can use internal audit to get a good result from their work.

Second line control functions have also challenged. They often have a remit for control, but without the truly independent function remit and the discipline of internal audit, they lack the structure to really make a difference.

The most challenging are management functions, often those slightly detached from the front line business, often based in finance, HR, IT or another support function, who think internal audit ‘knows nothing’.

Yet all of these challenges have come to nothing. Why? Because they lack the core attributes of internal audit: independence and objectivity. I also think they lack the discipline of good internal audit, which is the systematised and organised, risk-based consideration of the business. Good internal audit is used to working at the edge of its ignorance, can apply basic principles and common sense, and put the findings in a knowledgeable, context-dependent context. It is also used to understanding things quickly and effectively and picking up what matters.

Now clearly a weak internal audit function will play second fiddle to other corporate compliance functions. In my view, however, a good audit function will always find suitable corporate space in which to work. Internal audit has a unique value proposition and this should, all things being equal, win through.

So are you or your function facing a turf war? If so, don’t engage, just be good. Just be better. Just be an excellent internal audit function. For excellence in internal audit can make a significant difference to any organisation and if the organisation doesn’t recognise it, it doesn’t deserve its auditors!

Standards changes?


The international IIA has thought about updating its international standards again (or is consulting to do so). See on the IIA’s website Proposed Enhancements to the Institute of Internal Auditors International Professional Practices Framework (IPPF) (4 August 2014). Or has it? The document states:

The RTF is not proposing changes to the content or ongoing relevance of the following IPPF elements: The Definition of Internal Auditing; The Code of Ethics; The International Standards for the Professional Practice of Internal Auditing (Standards); Currently existing guidance (Practice Guides/Practice Advisories/Position Papers).

So if none of this is changing – what is? Well the ‘enhancements’ include the introduction of a new mission statement for internal audit; codification of the status of advisories, guidance and position statements within a framework and nomenclature; and the setting out of core principles for the practice of internal auditing.

So let’s consider these in turn. The mission statement seems like a good place to start. The mission of internal audit is stated as:


This all seems sensible. It is intuitive, it is helpful. Is it internal audit though? What is unique to audit as opposed to say IT, marketing or HR? I guess the assurance and the objectivity. I think the one missing component is ‘independent’. For this marks IA out from any other professional function in any organisation. It is nice, for once, for internal audit to be defining itself in positive terms, i.e. what it can do, not what it cannot. My post Whistleblowing; Another thing internal audit cannot do? takes issue with the profession’s propensity to be defined in negative terms.

So let’s consider the principles – thank goodness that the profession has gone down a principles rather than rules based approach. So what are they? As stated in the IIA paper they are:

  1. Demonstrates uncompromised integrity.
  2. Displays objectivity in mindset and approach.
  3. Demonstrates commitment to competence.
  4. Is appropriately positioned within the organization with sufficient organizational authority.
  5. Aligns strategically with the aims and goals of the enterprise.
  6. Has adequate resources to effectively address significant risks.
  7. Demonstrates quality and continuous improvement.
  8. Achieves efficiency and effectiveness in delivery.
  9. Communicates effectively.
  10. Provides reliable assurance to those charged with governance.
  11. Is insightful, proactive, and future-focused.
  12. Promotes positive change.

Let’s take these in turn. 1) Yes, that’s fine, but integrity is not a binary, digital thing. It can be a matter of judgement. I’m not sure how you would qualify it, and at a principles level it may not make sense to qualify it. I do think this will need some form of view underpinning it.

2) Yes, fine. I agree with the mindset bit. This is not just about silly rules of not reviewing things previously looked at, or lines of reporting etc. It is about mindset and then the application of this mindset.

3) This one is problematic. Being committed to competence sounds weak. Even a poor performer can be committed to competence. Also, what is competence? Context dependent or context independent knowledge of the area being audited, or the ability to audit the area, i.e. a competent auditor? I think this needs a) strengthening, to be more definitive, and b) to be clearer about what competence means.

4) Yes, I agree. I would change authority to be seniority or position. Otherwise there are issues of being ‘in authority’, i.e. in an executive role, which is a no no for a CAE.

5) I sort of get what this means but am unclear what it means in detail, and whose definition of strategy. The CEO’s? The Board’s? What if their strategy is to be amoral or unethical: should the CAE align to them or be independent? Perhaps better to say ‘supports’ or ‘works towards the enterprise’s reasonable business objectives’? Also the word enterprise is used here when organisation is used elsewhere. I would use one or the other throughout.

6) Hmm – another difficult one. It is difficult to define significant and adequate in this context. Again it might be one that needs thinking about at a level below principles. The principle makes sense though.

7) 8) 9) Yes, fine. They all clearly need definition, but as principles they make sense.

10) This one is more challenging. Does IA always provide assurance to those in charge of governance? I would argue, sometimes it is funders, or regulators or ultimately taxpayers. Perhaps this needs the addition of ‘and relevant stakeholders’?

11) Yes – sounds like a bit of a utopian comment that is difficult to argue with. Future focused could be more carefully phrased as ‘risk rather than issue focused’. This is probably the most helpful for me in my job, as the temptation is to get wrapped up in current ‘crises’.

12) Yes – as a principle it is difficult to argue with. I think this needs to be more specific though. Perhaps positive organisational change?

So, all in all, the ‘motherhood and apple pie’ principles are fine. They need some tweaking and working through at a layer below principles, but they make sense.

So this leaves the nomenclature changes for guidance and supporting advisories. Yes, this makes sense. First, to establish a change from mandatory and strongly recommended to required and recommended. It is either something that should be done or not. I would suggest the fewer items that fall into mandatory the better. We can all interpret principles in a meaningful manner in our contexts and should do so if we are to make the change the principles require.

The removal of position statements from the guidance, either category, is helpful. Particularly as the IIA has a habit of getting unhelpful (read wrong) answers in these (see my recent post Whistleblowing; Another thing internal audit cannot do? about the UK IIA’s view of whistleblowing activities). The proposition is that these are aimed outside of the profession at its stakeholders. Why? What if a CAE makes a complex judgement to adopt x or y position and this reasoned professional decision is contrary to the position statement? I think all guidance should be aimed at the profession, as the profession has the right skills to adopt, amend or discount the position as shown.

As for the clarity over which guidance is mandatory or not, I welcome the restriction of ‘mandatory’ to apply to the IPPF, definition and ethics only. Internal audit is not a right and wrong profession and the fewer rules set down the better. It is also consistent with the principles based approach adopted (now we have principles!).

So overall, the profession guidance and framework I think is much clearer following this paper, and I welcome the principles, as it firmly establishes a principles based approach. I recently disagreed with Professor Andrew Chambers over the rules versus principles issue (see Internal Audit: Where are we now?) and I think the IIA here has been supportive of my principles-based approach.

So how would I encapsulate these changes? Well, not much change really. A mission that is common sense; a tidied up framework for guidance; both underpinned by clearly articulated principles. Has this changed my audit world? No, not really, but at least the profession is resisting ‘pseudo scientification’ and adopting a principles based approach to life. We occupy a wide ranging, complex, and ever changing position in most organisations and I think these approaches should allow space for the profession to evolve.

Professional precipice?


I think our profession is standing at a significant strategic stepping stone and crossing point. It has increasingly reached a decision point at which it must decide where it wants to go. I am decreasingly convinced that the profession will make what I think is the right choice.

I have been extremely lucky in my career. I have worked under, and with, bosses that have earned my respect and have allowed me the space to interpret and develop my version of internal audit over the years. Do I think internal audit is and should be now, what I thought ten, five, or even two years ago? No, I don’t.

When I worked in a professional services firm it was before the national practice began to recognise that performance meant conformance. So I was able to develop my little bit of the internal audit practice, with the support of a commercial and pragmatic partner in the firm, into something that made sense to clients, that added value, that was less hung up on right and wrong and more on thinking about the world in much less formulaic terms. I had daily rates and margins then (now nearly ten years ago) that have not been beaten since. When I fairly recently tendered out for some internal audit work I was actually being charged less than I used to charge.

When I then went on and headed up my own in house service, as a young CAE, I was able to build up, from scratch, what made sense. One can argue whether my client got it at the time, I suspect they didn’t, but I did it. I had two good bosses in succession, both of whom were high-class individuals who supported the engagement with audit and challenge and supported the development of a service that made some coherent and meaningful sense.

Now, in my current role, the quality of staff in my client organisation is really high. The leadership more so, and again I have had a chance to really aim for ideal and perfect: to be resourced and supported with senior management engagement and understanding (the most important resource) that is enabling me to turn my thinking and vision into something practical. In my current role I also have a fabulous team (collectively and individually). I am also bringing in some real talent to provide breadth and different perspectives too. They all really get the vision – a consultancy led service, without walls, without the dead hand of silly input rules and compliance, and most importantly without audit software! (a pet hate of mine). Just people who understand the business and bring their own professional backgrounds and minds to challenge and support their management colleagues.

We actually audit the business (fancy!) i.e. if we were a food retailer, we look at the risks in the food chain, if we were a car manufacturer we actually review the risks to how cars are made. We don’t hide in the corporate back office (though these are important processes), we don’t hide in compliance checklists (counting fire extinguishers or compliance with office rules). We actually stand full square with the business and management team and think about what it is that really makes a difference to the business, adding our independence, governance risk and control mindsets to the mix.

Yet I have been lucky. I know so many CAEs who are limited by their firm’s software or file rules. Who count the inputs, not the process or outputs. Who are not allowed to wander into things that really matter (‘no, you can’t audit the business because you don’t have the knowledge!’). I have known some great CAE peers who have got it too. Who see beyond the Institute’s rules and compliance and the sense that anything thoughtful, meaningful and challenging is suddenly called consultancy. They, in their own ways, have been cutting themselves some slack and space to develop good, meaningful internal audit.

Yet when I see insights into the majority of CAEs’ lives, and indeed their own views, I am depressed and discomforted. Depressed that we as a profession continue, spectacularly, to miss the point. The point that you are only relevant if you work in the front office, that the world cannot be controlled by compliance and rules (banking, schools, government, IT etc – how many times must we learn this lesson?), and that there is no right and wrong in risk auditing.

For we as a profession must stop measuring ourselves by our financial accounting origins. There is no IFRS for business risk. No right and wrong. We should stop measuring our inputs (we did this because we all came from firms that charged for their services); it is not an indicator of quality or performance. For the firms, despite pulling the intellectual and institute strings of our profession, are actually not interested in internal audit. They are not internal for a start. They approach it as they do controls testing for financial statements audits. They are priced out of the market, for to do a risk based audit of any quality takes time, high quality thinking and trained staff, that the firms simply cannot afford to deliver while managing the risk (what if we were ‘wrong’ and got sued?). If we take the UK, the big four firms are effectively priced out of the market in the south and London; simply, they cannot make it pay. So this space is taken up by the lower quality and presumably less risk averse second tier firms. So firm-provided internal audit is, generally, second tier in quality and delivery (certainly in the UK). I appreciate these are generalisations and I have met a few firm-provided audit services that have bucked this trend. But I think my underlying point stands.

Yet we miss the real incentive for the firms to avoid allowing internal audit, as a profession, to blossom. That is that internal audit has the capacity to displace consultancy work: high margin, little-challenged consultancy work. For a good in-house service has the capacity to deliver excellent results through having time, quality staff (without the burden of stratospheric charge out rates) and also context-dependent knowledge (that no firm, even in partnership, is ever able to really deliver). Hence whenever internal audit does something of quality it is ‘consultancy’. No. Forming a high quality, business and risk led view of business challenges and presenting three dimensional solutions is internal audit, not consultancy.

So why do I think this is important for the profession as a whole? Well, I think it means that in-house services will always see outsourcing as competition (when it should not be), will define themselves through a business and delivery model that only makes sense for the firms, and will allow the profession’s standards and rules to be dictated by external auditors – for we’re all ‘auditors’, right? No, we are not. The profession needs to develop a view that good internal audit is: internal; not bound by rules, but principles; measures quality as performance, not conformance; audits the front office; is part of a wider framework of controls and lines of defence; and, most importantly, begins to develop an approach to the world that stops considering it in a rules-based, right and wrong way.

So, can we, as CAEs, begin to make this argument? I hope so, for it will create a virtuous circle of increasing respect for the profession, increasing the quality of candidates we attract, improving pay, and really adding value to our clients.

HR – defunct?


I am not sure if it’s the time of year or if I am just coming across a number of interesting and challenging articles at the moment. Here’s a fascinating one about HR: http://businessvalueexchange.com/2014/06/06/hr-department-defunct-digital-era/?utm_source=taboola&utm_medium=referral

The article’s argument is nicely summed up in this paragraph:

‘So critical was the role of a static workforce traditionally, that organisations employed an entire department to oversee it. The recruitment, retention and remuneration of the workforce was a methodical, process-driven effort that was staffed by a dedicated team and supported by a bunch of in-house systems. The new style of workforce calls for new styles of management and support. [...] we ask: Is the HR department defunct?’

Now in my career I’ve had a strange relationship with HR. In my youth the relationship was quixotic; when I graduated I even felt like I wanted to work in personnel (as it was called then). Yet during my life, as an employee and manager, I have found it not to live up to those ideals. Why? Well, HR functions are not really trained in the things they are meant to do. They are not accountants, so struggle to do budgets and financial planning of staff benefits. They are not lawyers, so struggle with HR legislation; they are not risk management trained, so struggle with HR risk management; they are not psychologists, so struggle with recruitment; so what they do, in many cases, is fall back on low quality administration. Now of course this is a characterisation, much as an academic at a university once characterised them as ‘human remains’.

Now we have the challenge from the article above. People and staff no longer follow detailed rules and processes. This makes sense in a knowledge economy and modern workplaces. So an HR department that exists to oversee rules makes no business sense. Well, I do buy this. Most HR departments I have met are overly prescriptive in preventative controls and weak on detective ones. Whenever I have audited HR processes there is always a gap in control between what the central HR department thinks is occurring and what line management are doing – always – every time. HR processes are always ‘rich pickings’ from an internal audit perspective. Why is this though? Well, I believe it is that HR, and the personnel department before it, has wanted to see good HR practice embedded into line management. This is a position I agree with. Few HR departments have really found a way to make this happen, other than the application of hope, and even fewer have checked back to really see if it is being embedded. This has been a constant in my career across clients, sectors, and geographies.

Yet I can name the really great HR people I have been supported by in my career, particularly as a manager. Those sensible people who can bypass the nonsense HR rules, be human (a trait you would have thought embedded into HR) and provide support. These are the people who recognise that HR skills and understanding the myriad of dos and don’ts is but a thin slice of a manager’s week, and that a little navigation and a regular coffee and chat is really valuable. My clients’ HR departments have generally withdrawn from supporting line management directly, as too much support denudes us as managers in the first line of learning and becoming better at it; learned helplessness if you will. A good HR business support manager will, in this model, intervene at just the right time and support a struggling manager. At my current client I have been lucky and identified a set of ‘good HR eggs’ who give me support as and when I need it.

I do think the HR profession needs to step back and articulate a new vision for its role, as suggested in the article. In particular, to decide what skills it needs to really manage human resource in the 21st century. It does need to have a greater grip of finance, of the law, and of good recruitment. Most of all it needs to move away from means and focus on ends. Processes are there to provide frameworks, not straitjackets. The industry of grievances and investigations the profession allows (I accept legislation does not help with this) is not good. This needs to be taken back to common sense to allow people to be human and to make mistakes (for we are all intemperate, impatient, stressed, and even rude to our colleagues at times).

Overall though, my key entreaty to HR is to be more socially scientific. To focus on culture, not rules; outputs, not process; people, not just human resource. Do I value the HR department and will it survive? Yes, I value the ‘human’ bit of HR, and yes, I think it will survive. My caveat is that this will only be if HR really takes a step back from practice and looks with strong objectivity at the reality (not theory) of what it manifests as in most organisations. For HR is ultimately a thinking, not ticking, process. Certainly as an internal auditor this is the model I would suggest when I next review an HR process.

Internal audit: where are we now?

I’ve been reviewing an article posted by Professor Andrew Chambers on the UK IIA’s website, ‘Where are we now?’: http://auditandrisk.org.uk/features/where-are-we-now

It’s a list of various rules, from Basel to IIA practice advisories, to the IIA standards, to the US Federal Reserve. The intention of the article is to try to divine from various regulatory and standards interventions where internal audit, in role terms, is. I think it is a helpful aim, but the article lists a set of rules; there is not much analysis, apart from a statement at the end of the article:

‘There is little point having standards that are wholly aspirational with limited conformance, or standards that support the lowest common denominator of best practice.’

I agree with the second part: what is the point of a lowest common denominator of rules? I fundamentally disagree with the first element of it. Old school internal audit is uniquely obsessed with conformance and a scientific, rules-based view of the world. But if we follow the conclusion a little further:

‘We need more public pressure on internal auditing to enhance the standard-setting process, the rigour of the Standards, their public interest and their general enforcement.’

Here’s where I really disagree with Professor Chambers. The last thing we (by we I mean the internal audit community) need is lots of public pressure on us with ever greater rules. It is typical of yesterday’s internal audit generation to have a rules-based view of internal audit. We are lucky that the rules-based leaders of our profession cannot agree on the rules, so the IIA standards have remained resolutely principles-based, despite efforts by the regulators listed in this article to change that.

For the reality is that there is no body of knowledge, right and wrong, for internal audit like there is for medicine or law, so a rules-based approach makes no sense. Internal audit is not the pale and ill-defined shadow of external audit. It is a completely different profession. We may share the name ‘auditor’ but we must, as a profession, stop rules-based external (financial statement) auditors from imposing their compliance regime on us.

I bewail the US’s rules-based culture being established as the dominant paradigm for internal audit. Thankfully the UK is better than most at resisting this culture. The British have been excellent over centuries at working with what works and not obsessing over the rules. We’ve never written down our constitution, rather used culture and values. What it is to be British has constantly changed, yet with some underlying sense of which way is ‘up’.

If we take the small insight into the Basel banking audit rules in this article, I am glad I don’t work in banking audit – all of those ‘shoulds’, ‘should nots’, ‘musts’ and ‘must nots’. The world is moving quicker and is more complex. A rules-based view of the world jars with this and makes no sense.

Another point – internal audit does report to the board, as the article says, but is not a puppet of it. Boards can fail as much as management. Internal audit is there to look after the body corporate; if a bad set of governors (directors) is in place, then internal audit should stand up to them as much as to a bad management team. I also take issue with Professor Chambers’ statement that the IIA standards don’t require engagement or overall opinions from internal audit’s work. They do, for example in standard 2410, caveated with ‘where appropriate’. This is a good principles-based rule set in my view.

So in answer to the article’s question – where are we? Well, I think we are a profession that has a generational gap. I would identify three, possibly four, generations of internal audit. First, an audit universe, rules-based, obsessed, two-dimensional compliance audit. Second, a more risk-based audit, still from an audit universe, with some sense of beginning to see beyond compliance (perhaps doing ‘consultancy’ as well as audit). Third, a fully risk-based audit service that sees the world in socially scientific terms and as an internal form of consultancy. The fourth is a variation on the first, a financial compliance ticker. That’s how I imagine banking audit or a US-based audit service. Perhaps my blog readers can propose their own typology of generational types?

My point is that this article is an old school version of internal audit, of type 1, perhaps 2. Why worry about the rules? How about internal audit as having a risk-based work allocation and reporting framework, populated by bright people challenging how rules are being mitigated and managed? If you like, a form of organisational consultants?

So overall, the article is not a hit with me. In fact, whilst it picks up lots of interesting points, it comes to the wrong conclusion. Not more rules please! But more thinking and more good old British adaption, principles and a contingent approach. Free internal audit!

Whistleblowing – another thing internal audit cannot do?

Well, here’s a missive from the UK Chartered Institute of Internal Auditors I missed. It’s in their January 2014 publication Whistleblowing and Corporate Governance: The Role of Internal Audit in Whistleblowing. Find it on their website (http://www.iia.org.uk). I think the UK institute generally gets things right: it is principles-based, not overly prescriptive, thoughtful and considered, and has a sense of realism. Here though, I think they’ve got things wrong.

The argument from the Institute is that:

‘the responsibility for establishing and operating effective internal whistleblowing procedures lies with the executive, reporting to the board. but given the potential conflicts of interest the executive will need to devolve the day-to-day running of the process to a function that is considered to be independent.’

Okay, this sounds fine so far (and I think whistleblowing should be a governance function, independent of management, because it is the management team that people are blowing the whistle on). I wonder what party within the organisation is able to provide independence from management and has an understanding of governance and risk, and experience of reporting and investigations? I wonder…? The Institute continues:

‘internal audit’s independence from the executive and objectivity give it the potential to be involved in whistleblowing arrangements, e.g. in a triage role, as a channel of communication or carrying out investigations.’

Ah, spot on! Makes sense. Independent third line of defence, nested within the governance framework, good links to the audit committee and the board, well placed, with skilled staff to undertake the work. Then it all goes wrong in my view:

‘but boards require assurance that the organisation’s whistleblowing policies and procedures are effective in achieving the appropriate outcomes. internal audit cannot give that assurance if it is directly involved in managing or carrying out those procedures.’

Why? I guess because internal audit cannot self-review. Okay, I buy that. But then boards require assurance that their assurance arrangements are suitable and adequate (another third line of defence, independent-of-management activity provided by internal audit), yet a periodic EQA (every five years) suffices. So the Institute continues with its worry:

‘internal audit should therefore either provide assurance to the board or play an integral part in the process of internal whistleblowing in their organisations.’

So yet another thing internal audit cannot do for fear of not being independent! We cannot review anything twice, we cannot do consultancy, we cannot do risk management and now we cannot link counter fraud and fraud assurance! But what is the real worry from the Institute, as this all sounds theoretical?

‘boards need to ensure that internal audit’s involvement in whistleblowing does not undermine its ability to carry out its prime assurance functions and that it has the necessary skills and resources.’

So actually the concern is more about resourcing and how doing counter fraud work will draw away resource. But why? Most internal audit functions are under-resourced in any case, so why should this make a massive difference? I despair that we as a profession take far too much time to discuss what we cannot do and won’t do, all for fear that our precious independence might be compromised. This is only compromised if we allow it to happen. I can re-review my work, have a different view from my last one, challenge myself. Just as our management colleagues can.

Why are we different? We are different because we as a profession have this pseudo-scientific view of the world that assumes we must be right. I think this comes from our professional origins as external auditors, where opining on accounts would have a materially right or wrong answer (as there is a defined body of law and rules to test the correctness of the opinion against). Also from coming from accountancy firms, where we (the firms) would get sued if we got it wrong. But internal audit is not a science and in risk there is no right or wrong. So why continue with this strange notion, which is plainly wrong in day-to-day risk management experience?

So let’s continue with the Institute’s missive:

‘where internal audit is not playing a direct whistleblowing role it should provide assurance on the effectiveness of the system and procedures to the board. it also should have the right to be informed of all whistleblowing reports so that it can consider what impact they have on its overall opinion to the board concerning risk management and internal control in the organisation.’

So internal audit either provides assurance or helps to deliver counter fraud. Well, what about the Institute’s 2004 position on risk management? Internal audit can do all sorts of risk management things, as long as it vests risk treatment decisions with the relevant management or governance function. So why have counter fraud in a position that is inconsistent with that? So again, following the Institute’s line of argument:

‘internal audit should be able to reserve the right to carry out investigations into the incidents raised in whistleblowing reports as part of its work on giving assurance about internal controls. however, it is not the job of internal audit directly to detect or prevent corrupt practices. this is for executive management.’

Yes, I think it makes sense for internal audit to follow the fraud risks highlighted by counter fraud work. I agree it is management’s role to prevent and detect corruption (and presumably fraud). But wait for the final, I think confused, bit of thinking in this paper:

‘internal audit’s role can include promoting whistleblowing best practice, testing and monitoring systems and advising on change where it is needed. but the ultimate operational responsibility for whistleblowing procedures lies with executive management reporting to the board.’

No. Having said earlier in the paper that counter fraud work (including whistleblowing) should be independent of management, it completes the argument by saying that it is now a management task, overseen by governors. I suspect this muddled thinking lies at the heart of the ban on internal audit doing it. If counter fraud were a management function and not a third line governance function (as it should be) then I could buy the Institute’s argument, but it isn’t. For as the Institute recognises itself when it takes a step back and asks what we want:

‘What do we want?

boards must be accountable for ensuring effective whistleblowing procedures are in place that guarantee confidentiality and anonymity and avoid conflicts of interest. Where internal audit is involved in the procedures for whistleblowing the board should ensure:

• there is a separate, independent mechanism to provide assurance on the effectiveness of the whistleblowing procedures

• internal audit’s main functions and wider assurance roles are not compromised

• internal audit is properly resourced in terms of staffing and skills’

Overall then, this paper has a strange argument that is not consistent with the Institute’s stance on risk management, is not internally consistent, is driven from an external auditor’s perspective of scientific right and wrong, and cites unrelated worries, such as the resourcing of assurance.

If we actually step back and consider the position afresh, management cannot perform counter fraud and whistleblowing, as presumably the whole reason these complaints are raised is because management has not responded or has done something wrong. So it is naturally a third line, independent activity, best delivered by an independent third party and overseen by a governing body. Internal audit is the perfect party to do it. It can do this without compromising independence by providing investigations that are for senior management or the governing body (depending on the significance of the issue) to respond to. In other words, the risk treatment decision is vested with senior management as overseen by the governing body, but the investigation is, and is seen to be, independent. Internal audit can then more holistically link fraud controls and fraud risk, inform its wider work plan and join up the forensic, detailed talents of the counter fraud team with the fraud assurance and wider business assurance team. To divide the two is false and makes no sense. The two feed each other and are symbiotic.

In my view the Institute should review this paper, reconsider it, and reissue a more helpful paper.

Internal Audit: Friend or foe?

So I have been at my client and host organisation’s two day leadership conference. My client and host organisation is high performing, and full of bright and capable leaders. I am always reticent to go to these events, however. Not because I am shy or retiring (I consistently score an ENTJ on Myers-Briggs assessments), but because I still have this sense that internal audit should be independent of management.

This got me thinking. I’ve been invited to the event because my top management group see internal audit as a valuable corporate function, like any other corporate function. The Director of HR, Director of IT, Director of Operations etc. were all there. It is true that I am not close knit with either the corporate business functions or the core business functions. As a community they have a lot of common thoughts, challenges and experience they share, and they form a close knit community. As an international organisation it is often one of the few times the whole leadership is in one geographic location. So perhaps my isolation is because I do work to one side of the business, and they really do need these leadership events to share, form a community and jointly learn. It is one of the few times they see across the business; I forget this, as from my vantage point I see across the business all year.

Yet, whilst internal audit’s isolation can be understood for theoretical and practical reasons, the audit function is relevant to the leadership discussions, and we were mentioned in despatches throughout the two days. Some to comment on their last audit (both positively and negatively), others to seek out an audit (yes, that does happen!), some to discuss the current audit and counter fraud issues of the day. So if the audit function is relevant, why does it still feel uncomfortable for me? I guess because I always feel I am intruding, sometimes into private grief, sometimes private joy. Perhaps it is a good thing that the business does see internal audit as separate and different?

Having had great conversations about risk management, counter fraud measures, general quality assurance and other assurance-related elements together over the two days, I know internal audit is a relevant function. Perhaps I need to turn the question around – why would your chief assurance and counter fraud officer not be in the room? I may be in the governance strata of the organisation, or third line, but this does not make me any less a part of the ‘team’, albeit a slightly different one.

I guess it all comes down to your model of internal audit. If you see audit as a competitive them-and-us, and you see the world as right and wrong, and perceive independence to mean a lack of engagement, then I should be both uncomfortable and remove myself from the position. Yet I feel part of the team; I think I am there to stand full square with my management colleagues to help, in my independent way, the organisation and them to face and manage the challenges and risks they face. I don’t see the relationship as one of conflict or competition. I certainly don’t see audit as right or wrong.

Yes I do feel independent, I do feel as if I can be part of something in an independent manner. I don’t buy the old school internal audit locked away and not being part of the team. I do buy fierce independence, but independence of action and thought, not silly structural or procedural independence. For it is that very dependence on our client organisations that gives us a good understanding of the clients we work with, and the opportunity to add value to the business in a range of ways.

So will I still feel awkward at other meetings, or this same meeting next year? Perhaps, just a little, but I hope that my colleagues will understand and value the independence this awkwardness expresses, what it provides to my work and the different perspective it brings. For that reason I hope I will be valued enough by colleagues to continue to have airtime and presence at management events.

Risk based audit?

I’ve been training some of my team this week and inducting new auditors into my department. This is always a cathartic experience as it makes me confirm and challenge my thinking about what good internal audit and risk based internal audit is.

The bit that I find most interesting is when I work through what a risk based audit is. A risk based audit to me is much more than using risk to select the area for review. For being risk based means risk should pervade the whole approach. So in my audit construct I use risk not only to decide and select where to go (and not some two dimensional risk universe, but a more socially scientific, complex understanding of risk – see my previous post on audit universes for my views on these) but also to report.

I report based on net risk. Why? Primarily because I aim my work at the senior management and governance bodies of my client. So clearly they should be focused on risk exposure. Yes, we report low net risk and high gross risk areas, for the governance and senior management groups should be aware where they rely heavily on the control framework. I also use four layers of risk, for otherwise a single scale (we use a four point scale) is not subtle enough to deal with most organisations. For operational stuff that is important is never big enough to affect the strategic (i.e. a project is too small to affect the whole organisation, so risks at an organisational level will all be in the green – because the project is down in the organisational weeds). This approach, however, allows me to look at stuff that matters, to look at the micro and extrapolate to the macro by doing so. It also means I can assist and work with the management team and my client organisation to inculcate and develop risk awareness and consideration at all levels of the organisation.

I can hear the challenge now – why is internal audit working at less than the strategic level? Well, a number of reasons. First, strategic risks do not exist (they are aggregations or portfolios of tactical and operational risks), so to meaningfully audit them you need to break them down into smaller, organisationally meaningful, chunks. Second, strategic risks are simply too complex, too intermingled, too esoteric, to evaluate in a single audit. So big questions and risks need to be broken down into smaller questions and then linked to the organisational structures that mitigate them. Occasionally the odd strategic risk may be sensibly audited as a whole; I’m thinking of major change initiatives or major organisation-wide projects. In the main, though, you need to break the questions and the control frameworks into auditable chunks and work packages, in my experience.

So if you report on a net risk basis you get into the colour or report rating problems. You then have a number of choices. Let us assume you have a four point risk rating, say red through to green. You could fix the ratings by pejorative judgement, that is, red is high risk, thus it’s bad, and green is low risk and is good. Then you say anything red is bad because it is out of control, anything green is good because it is controlled. But then where is risk appetite in this? Do you flex that scale by a moveable risk appetite or not? If you flex it, then you can have green reports that mean ‘good’ but actually refer to high risk, where an organisation’s risk appetite is high, and the converse: a red report where risk is in fact green and low level. If you do this your risk ratings are no more than judgements about good and bad, not actually a statement of risk at all, for red could refer to high or low risk depending on risk appetite.

To get around this you could say we will not flex the ratings for risk appetite, i.e. high risk is orange or red, and low risk is green or yellow. But it is not really encouraging a good and sensible client risk management system if risk is fixed around a fixed risk appetite. For no client either intends to have, or in reality has, a fixed risk appetite. So this is meaningless and makes no sense from an audit perspective. It also has a false view that risk is meant to be reduced to green – why would any organisation want to do this in all cases? What a waste of money. It may also not be possible.

It also struggles with the idea of risk layers, so it can only work at one layer – presumably strategic. So not only is it a problem to manage to audit risk meaningfully, but it is a problem that it forces the client to manage all strategic risk to green. Successful organisations take risk and have risk profiles that are different.

So my solution is to fix the risk scale, i.e. risk is risk, red is red, green is green. High risk is always reported as red irrespective of risk appetite. There is no pejorative audit judgement on this, for red could be either good or bad, depending on risk appetite. Then I provide an opinion over whether the controls as designed and operated are either adequate or inadequate, i.e. whether they bring net risk below or above the risk appetite. This requires additional work to establish the appetite with the management team, but it is possible to establish through conversation and dialogue. This process is then replicated at each risk level. This opinion is split into design and operation (i.e. does risk mitigation actually appear reasonable, and then does it actually occur?). All of this enables the opinion to be quite nuanced, linked to risk appetite and able to operate at various levels of the client organisation with sensitivity.

The second order problem is that many auditors conflate assurance and risk – so they are not clear if they are talking assurance or risk. So we have words like ‘full’, ‘partial’, ‘limited’ etc. So the wording of ‘risk ratings’ seems to refer to how much assurance there is. Now this works if you take the risk rating as absolute, as above, i.e. risk ratings are an anodyne description of risk, or if you fix risk appetite in the middle of the scale. I also think this only works if you take ‘assurance’ in this context to mean assurance available from the management systems under review. So something high net risk would be low management assurance and vice versa. If you don’t report risk as absolute and flex according to risk appetite, this link breaks down, i.e. if you have red to mean bad (and flex bad according to risk appetite) then the link to management assurance from systems being the converse of net risk breaks down.

Another take on assurance would be assurance provided by the auditor; that is, assurance can be fully provided by the auditor of high or low risk. I think the approach of assuring management systems makes more sense, as the purpose of audit is to inform clients and assure clients over their systems, even if the assurance statements feel a little clumsy.

So why report on net risk and risk based reporting? I think this is because, for me, the purpose of internal audit is to bring to senior management’s and the board’s attention the risk exposure of the organisation and the assurance available from management systems. That is then a truly risk based system.

How do you risk base your audit?
