Professional precipice?

I think our profession is standing at a significant strategic stepping stone and crossing point. It has increasingly reached a decision point about where it wants to go. I am decreasingly convinced that the profession will make what I think is the right choice.

I have been extremely lucky in my career. I have worked under, and with, bosses who have earned my respect and have allowed me the space to interpret and develop my version of internal audit over the years. Do I think internal audit is, and should be, now what I thought ten, five, or even two years ago? No, I don’t.

When I worked in a professional services firm it was before the national practice began to recognise that performance meant conformance. So I was able to develop my little bit of the internal audit practice, with the support of a commercial and pragmatic partner in the firm, into something that made sense to clients, that added value, that was less hung up on right and wrong and more on thinking about the world in much less formulaic terms. I had daily rates and margins then (now nearly ten years ago) that have not been beaten since. When I fairly recently tendered out for some internal audit work, I was being quoted less than I used to charge.

When I then went on to head up my own in-house service, as a young CAE, I was able to build up, from scratch, what made sense. One can argue whether my client got it at the time (I suspect they didn’t), but I did it. I had two good bosses in succession, both of whom were high-class individuals who supported engagement with audit and challenge, and supported the development of a service that made some coherent and meaningful sense.

Now, in my current role, the quality of staff in my client organisation is really high, and the leadership even more so. Again I have had a chance to really aim for the ideal. I am resourced and supported with senior management engagement and understanding (the most important resource), which is enabling me to turn my thinking and vision into something practical. In my current role I also have a fabulous team (collectively and individually). I am also bringing in some real talent to provide breadth and different perspectives. They all really get the vision: a consultancy led service, without walls, without the dead hand of silly input rules and compliance, and most importantly without audit software (a pet hate of mine). Just people who understand the business and bring their own professional backgrounds and minds to challenge and support their management colleagues.

We actually audit the business (fancy!), i.e. if we were a food retailer we would look at the risks in the food chain; if we were a car manufacturer we would review the risks to how cars are made. We don’t hide in the corporate back office (though these are important processes), and we don’t hide in compliance checklists (counting fire extinguishers or checking compliance with office rules). We stand full square with the business and management team and think about what really makes a difference to the business, adding our independence and our governance, risk and control mindsets to the mix.

Yet I have been lucky. I know so many CAEs who are limited by their firm’s software or file rules; who count the inputs, not the process or outputs; who are not allowed to wander into things that really matter (‘no, you can’t audit the business because you don’t have the knowledge!’). I have also known some great CAE peers who have got it: who see beyond the Institute’s rules and compliance, and beyond the sense that anything thoughtful, meaningful and challenging is suddenly called consultancy. They, in their own ways, have been cutting themselves some slack and space to develop good, meaningful internal audit.

Yet when I see insights into the majority of CAEs’ lives, and indeed their own views, I am depressed and discomforted. Depressed that we as a profession continue, spectacularly, to miss the point: that you are only relevant if you work in the front office, that the world cannot be controlled by compliance and rules (banking, schools, government, IT etc; how many times must we learn this lesson?), and that there is no right and wrong in risk auditing.

For we as a profession must stop measuring ourselves by our financial accounting origins. There is no IFRS for business risk; no right and wrong. We should stop measuring our inputs (we do this because we all came from firms that charged for their services); it is not an indicator of quality or performance. For the firms, despite pulling the intellectual and institute strings of our profession, are actually not interested in internal audit. They are not internal, for a start. They approach it as they approach controls testing for financial statements audits. They are priced out of the market, for a risk based audit of any quality takes time, high quality thinking and trained staff, which the firms simply cannot afford to deliver while also managing their own risk (what if we were ‘wrong’ and got sued?). If we take the UK, the big four firms are effectively priced out of the market in the south and London; simply, they cannot make it pay. So this space is taken up by the lower quality and presumably less risk averse second tier firms. So firm-provided internal audit is, generally, of second tier quality (certainly in the UK). I appreciate these are generalisations and I have met a few firm-provided audit services that have bucked this trend. But I think my underlying point stands.

Yet we miss the real incentive for the firms to avoid allowing internal audit, as a profession, to blossom: internal audit has the capacity to displace consultancy work, which is high margin, little-challenged work. For a good in-house service has the capacity to deliver excellent results through having time, quality staff (without the burden of stratospheric charge-out rates) and context-dependent knowledge that no firm, even in partnership, is ever able to really deliver. Hence whenever internal audit does something of quality it is called ‘consultancy’. No. Forming a high quality, business and risk led view of business challenges and presenting three dimensional solutions is internal audit, not consultancy.

So why do I think this is important for the profession as a whole? Well, I think it means that the profession will always see outsourcing as competition (when it should not), will define itself through a business and delivery model that only makes sense for the firms, and will allow the profession’s standards and rules to be dictated by external auditors; for we’re all ‘auditors’, right? No, we are not. The profession needs to develop a view that good internal audit is: internal; not bound by rules, but principles; measures quality as performance, not conformance; audits the front office; is part of a wider framework of controls and lines of defence; and, most importantly, begins to develop an approach to the world that stops considering it in a rules-based, right and wrong way.

So, can we, as CAEs, begin to make this argument? I hope so, for it would create a virtuous circle: increasing respect for the profession, improving the quality of candidates we attract, improving pay, and really adding value to our clients.

HR – defunct?

I am not sure if it’s the time of year or if I am just coming across a number of interesting and challenging articles at the moment. Here’s a fascinating one about HR: http://businessvalueexchange.com/2014/06/06/hr-department-defunct-digital-era/?utm_source=taboola&utm_medium=referral

The article’s argument is nicely summed up in this paragraph:

‘So critical was the role of a static workforce traditionally, that organisations employed an entire department to oversee it. The recruitment, retention and remuneration of the workforce was a methodical, process-driven effort that was staffed by a dedicated team and supported by a bunch of in-house systems. The new style of workforce calls for new styles of management and support. [...] we ask: Is the HR department defunct?’

Now in my career I’ve had a strange relationship with HR. In my youth the relationship was quixotic; when I graduated I even felt like I wanted to work in personnel (as it was called then). Yet during my working life, as an employee and manager, I have found it does not live up to those ideals. Why? Well, HR functions are not really trained in the things they are meant to do. They are not accountants, so struggle to do budgets and financial planning of staff benefits. They are not lawyers, so struggle with HR legislation; they are not risk management trained, so struggle with HR risk management; they are not psychologists, so struggle with recruitment; so what they do, in many cases, is fall back on low quality administration. Now of course this is a caricature, as was the view of an academic at a university who once characterised them as ‘human remains’.

Now we have the challenge from the article above. People and staff no longer follow detailed rules and processes. This makes sense in a knowledge economy and modern workplaces. So an HR department that exists to oversee rules makes no business sense. Well, I do buy this. Most HR departments I have met are overly prescriptive in preventative controls and weak on detective ones. Whenever I have audited HR processes there has always been a control gap between what the central HR department thinks is occurring and what line management is actually doing: always, every time. HR processes are always ‘rich pickings’ from an internal audit perspective. Why is this, though? Well, I believe it is that HR, and the personnel department before it, has wanted to see good HR practice embedded into line management. This is a position I agree with. Few HR departments have really found a way to make this happen, other than the application of hope, and even fewer have checked back in to really see if it is being embedded. This has been a constant in my career across clients, sectors, and geographies.

Yet I can name the really great HR people I have been supported by in my career, particularly as a manager. Those sensible people who can bypass the nonsense HR rules, be human (a trait you would have thought embedded into HR) and provide support. These are the people who recognise that HR skills and understanding the myriad of dos and don’ts is but a thin slice of a manager’s week, and that a little navigation and a regular coffee and chat is really valuable. My clients’ HR departments have generally withdrawn from supporting line management directly, as too much support deprives us as first-line managers of the chance to learn and become better at it; learned helplessness, if you will. A good HR business support manager will, in this model, intervene at just the right time and support a struggling manager. At my current client I have been lucky and identified a set of ‘good HR eggs’ who give me support as and when I need it.

I do think the HR profession needs to step back and articulate a new vision for its role, as suggested in the article; in particular, to decide what skills it needs to really manage human resources in the 21st century. Above all it needs a greater grip of finance, of the law, and of good recruitment. Most of all it needs to move away from means and focus on ends. Processes are there to provide frameworks, not straitjackets. The industry of grievances and investigations the profession allows (I accept legislation does not help with this) is not good. This needs to be taken back to common sense to allow people to be human and to make mistakes (for we are all intemperate, impatient, stressed, and even rude to our colleagues at times).

Overall, though, my key entreaty to HR is to be more socially scientific: to focus on culture, not rules; outputs, not process; people, not just human resources. Do I value the HR department, and will it survive? Yes, I value the ‘human’ bit of HR, and yes, I think it will survive. My caveat is that this will only be so if HR really takes a step back from practice and looks with strong objectivity at the reality (not the theory) of what it manifests as in most organisations. For HR is ultimately a thinking, not ticking, process. Certainly as an internal auditor this is the model I would suggest when I next review an HR process.

Internal audit: where are we now?

I’ve been reviewing an article posted by Professor Andrew Chambers on the UK IIA’s website, ‘Where are we now?’: http://auditandrisk.org.uk/features/where-are-we-now

It’s a list of various rules, from Basel to IIA practice advisories, to the IIA standards, to the US Federal Reserve. The intention of the article is to try to divine from various regulatory and standards interventions where internal audit, in role terms, is. I think it is a helpful aim, but the article largely lists a set of rules; there is not much analysis, apart from a statement at the end of the article:

‘There is little point having standards that are wholly aspirational with limited conformance, or standards that support the lowest common denominator of best practice.’

I agree with the second part: what is the point of a lowest common denominator of rules? But I fundamentally disagree with the first element. Old school internal audit is uniquely obsessed with conformance and a scientific, rules-based view of the world. But if we follow the conclusion a little further:

‘We need more public pressure on internal auditing to enhance the standard-setting process, the rigour of the Standards, their public interest and their general enforcement.’

Here’s where I really disagree with Professor Chambers. The last thing we (by we I mean the internal audit community) need is lots of public pressure on us for ever greater rules. It is typical of yesterday’s internal audit generation to have a rules-based view of internal audit. We are lucky that the rules-based leaders of our profession cannot agree on the rules, so the IIA standards have remained resolutely principles-based, despite efforts to change that by the regulators listed in this article.

For the reality is that there is no body of knowledge, of right and wrong, for internal audit, as there is for medicine or law, so a rules-based approach makes no sense. Internal audit is not the pale and ill-defined shadow of external audit. It is a completely different profession. We may share the name ‘auditor’ but we must, as a profession, stop rules-based external financial statements auditors from imposing their compliance regime on us.

I bewail the US’s rules-based culture being established as the dominant paradigm for internal audit. Thankfully the UK is better than most at resisting this culture. The British have been excellent over centuries at working with what works and not obsessing over the rules. We’ve never written down our constitution, rather used culture and values. What it is to be British has constantly changed, yet with some underlying sense of which way is ‘up’.

If we take the small insight into the Basel banking audit rules in this article, I am glad I don’t work in banking audit: all of those ‘shoulds’, ‘should nots’, ‘musts’ and ‘must nots’. The world is moving quicker and is more complex. A rules-based view of the world jars with this and makes no sense.

Another point: internal audit does report to the board, as the article says, but is not a puppet of it. Boards can fail as much as management. Internal audit is there to look after the body corporate; if a bad set of governors (directors) is in place, then internal audit should stand up to them as much as to a bad management team. I also take issue with Professor Chambers’ claim that the IIA standards don’t require engagement or overall opinions from internal audit’s work. They do, for example in Standard 2410, caveated with ‘where appropriate’. This is a good principles-based rule set in my view.

So in answer to the article’s question, where are we? Well, I think we are a profession that has a generational gap. I would identify three, possibly four, generations of internal audit. First, an audit-universe-driven, rules-obsessed, two dimensional compliance audit. Second, a more risk based audit, still drawn from an audit universe, with some sense of beginning to see beyond compliance (perhaps doing ‘consultancy’ as well as audit). Third, a fully risk based audit service that sees the world in socially scientific terms and as an internal form of consultancy. The fourth is a variation on the first: a financial compliance ticker. That’s how I imagine banking audit or a US-based audit service. Perhaps my blog readers can propose their own typology of generational types?

My point is that this article is an old school version of internal audit, of type 1, perhaps 2. Why worry about the rules? How about internal audit as a risk based work allocation and reporting framework, populated by bright people challenging how risks are being mitigated and managed? If you like, a form of organisational consultants?

So overall, the article is not a hit with me. In fact, whilst it picks up lots of interesting points, it comes to the wrong conclusion. Not more rules, please! But more thinking and more good old British adaptation, principles and a contingent approach. Free internal audit!

Whistleblowing – another thing internal audit cannot do?

Well, here’s a missive from the UK Chartered Institute of Internal Auditors that I missed. It’s in their January 2014 publication Whistleblowing and Corporate Governance: The Role of Internal Audit in Whistleblowing. Find it on their website (http://www.iia.org.uk). I think the UK institute generally gets things right: it is principles based, not overly prescriptive, thoughtful and considered, and has a sense of realism. Here, though, I think they’ve got things wrong.

The argument from the Institute is that:

‘The responsibility for establishing and operating effective internal whistleblowing procedures lies with the executive, reporting to the board. But given the potential conflicts of interest the executive will need to devolve the day-to-day running of the process to a function that is considered to be independent.’

Okay, this sounds fine so far (and I think whistleblowing should be a governance function, independent of management, because it is the management team that people are blowing the whistle on). I wonder what party within the organisation is able to provide independence from management and has an understanding of governance and risk, and experience of reporting and investigations? I wonder…? The Institute continues:

‘Internal audit’s independence from the executive and objectivity give it the potential to be involved in whistleblowing arrangements, e.g. in a triage role, as a channel of communication or carrying out investigations.’

Ah, spot on! Makes sense. Independent third line of defence, nested within the governance framework, with good links to the audit committee and the board, well placed, and with skilled staff to undertake the work. Then it all goes wrong, in my view:

‘But boards require assurance that the organisation’s whistleblowing policies and procedures are effective in achieving the appropriate outcomes. Internal audit cannot give that assurance if it is directly involved in managing or carrying out those procedures.’

Why? I guess because internal audit cannot self-review. Okay, I buy that. But boards also require assurance that their assurance arrangements are suitable and adequate (another third line of defence, independent-of-management activity provided by internal audit), and there a periodic EQA (every five years) is held to suffice. So the Institute continues with its worry:

‘Internal audit should therefore either provide assurance to the board or play an integral part in the process of internal whistleblowing in their organisations.’

So yet another thing internal audit cannot do for fear of not being independent! We cannot review anything twice, we cannot do consultancy, we cannot do risk management and now we cannot link counter fraud and fraud assurance! But what is the real worry from the Institute, as this all sounds theoretical?

‘Boards need to ensure that internal audit’s involvement in whistleblowing does not undermine its ability to carry out its prime assurance functions and that it has the necessary skills and resources.’

So actually the concern is more about resourcing and how doing counter fraud work will draw away resource. But why? Most internal audit functions are under-resourced in any case, so why should this make a massive difference? I despair that we as a profession take far too much time to discuss what we cannot do and won’t do, all for fear that our precious independence might be compromised. It is only compromised if we allow it to happen. I can re-review my work, have a different view from my last one, and challenge myself, just as our management colleagues can.

Why are we different? We are different because we as a profession have this pseudo-scientific view of the world that assumes we must be right. I think this comes from our professional origins as external auditors, where opining on accounts would have a materially right or wrong answer (as there is a defined body of law and rules to test the correctness of the opinion against), and from accountancy firms, where we (the firms) would get sued if we got it wrong. But internal audit is not a science, and in risk there is no right or wrong. So why continue with this strange notion, which is plainly wrong in day-to-day risk management experience?

So let’s continue with the Institute’s missive:

‘Where internal audit is not playing a direct whistleblowing role it should provide assurance on the effectiveness of the system and procedures to the board. It also should have the right to be informed of all whistleblowing reports so that it can consider what impact they have on its overall opinion to the board concerning risk management and internal control in the organisation.’

So internal audit either provides assurance or helps to deliver counter fraud. Well, what about the Institute’s 2004 position on risk management? Internal audit can do all sorts of risk management things, as long as it vests risk treatment decisions with the relevant management or governance function. So why put counter fraud in a position that is inconsistent with that? So again, following the Institute’s line of argument:

‘Internal audit should be able to reserve the right to carry out investigations into the incidents raised in whistleblowing reports as part of its work on giving assurance about internal controls. However, it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management.’

Yes, I think it makes sense for internal audit to follow the fraud risks highlighted by counter fraud work. I agree it is management’s role to prevent and detect corruption (and presumably fraud). But wait for the final, and I think confused, bit of thinking in this paper:

‘Internal audit’s role can include promoting whistleblowing best practice, testing and monitoring systems and advising on change where it is needed. But the ultimate operational responsibility for whistleblowing procedures lies with executive management reporting to the board.’

No. Having said earlier in the paper that counter fraud work (including whistleblowing) should be independent of management, it completes the argument by saying that it is now a management task, overseen by governors. I suspect this muddled thinking lies at the heart of the ban on internal audit doing it. If counter fraud were a management function and not a third line governance function (as it should be) then I could buy the Institute’s argument, but it isn’t. For as the Institute recognises itself when it takes a step back and asks what we want:

‘What do we want?

Boards must be accountable for ensuring effective whistleblowing procedures are in place that guarantee confidentiality and anonymity and avoid conflicts of interest. Where internal audit is involved in the procedures for whistleblowing the board should ensure:

• there is a separate, independent mechanism to provide assurance on the effectiveness of the whistleblowing procedures

• internal audit’s main functions and wider assurance roles are not compromised

• internal audit is properly resourced in terms of staffing and skills’

Overall, then, this paper has a strange argument that is not consistent with the Institute’s stance on risk management, is not internally consistent, is driven from an external auditor’s perspective of scientific right and wrong, and cites unrelated worries, such as the resourcing of assurance.

If we actually step back and consider the position afresh, management cannot perform counter fraud and whistleblowing, as presumably the whole reason these complaints are raised is that management has not responded or has done something wrong. So it is naturally a third line, independent activity, best delivered by an independent party and overseen by a governing body. Internal audit is the perfect party to do it. It can do this without compromising independence by providing investigations that are for senior management or the governing body (depending on the significance of the issue) to respond to. In other words, the risk treatment decision is vested with senior management, as overseen by the governing body, but the investigation is, and is seen to be, independent. Internal audit can then more holistically link fraud controls and fraud risk, inform its wider work plan, and join up the detailed forensic talents of the counter fraud team with the fraud assurance and wider business assurance team. To divide the two is false and makes no sense. The two feed each other and are symbiotic.

In my view the Institute should review this paper, reconsider it, and reissue a more helpful paper.

Internal Audit: Friend or foe?

So I have been at my client and host organisation’s two day leadership conference. My client and host organisation is high performing, and full of bright and capable leaders. I am always reluctant to go to these events, however. Not because I am shy or retiring (I consistently score as an ENTJ on Myers-Briggs assessments), but because I still have this sense that internal audit should be independent of management.

This got me thinking. I’ve been invited to the event because my top management group see internal audit as a valuable corporate function like any other. The Director of HR, Director of IT, Director of Operations etc were all there. It is true that I am not closely knit with either the corporate business functions or the core business functions. As a community they have a lot of common thoughts, challenges and experience they share, and they form a close-knit community. As an international organisation it is often one of the few times the whole leadership is in one geographic location. So perhaps my isolation is because I do work to one side of the business, and they really do need these leadership events to share, form a community and jointly learn. It is one of the few times they see across the business; I forget this, as from my vantage point I see across the business all year.

Yet, whilst internal audit’s isolation can be understood for theoretical and practical reasons, the audit function is relevant to the leadership discussions, and we were mentioned in despatches throughout the two days: some to comment on their last audit (both positively and negatively), others to seek out an audit (yes, that does happen!), some to discuss the current audit and counter fraud issues of the day. So if the audit function is relevant, why does it still feel uncomfortable for me? I guess because I always feel I am intruding, sometimes into private grief, sometimes private joy. Perhaps it is a good thing that the business does see internal audit as separate and different?

Having had great conversations about risk management, counter fraud measures, general quality assurance and other assurance-related elements over the two days, I know internal audit is a relevant function. Perhaps I need to turn the question around: why would your chief assurance and counter fraud officer not be in the room? I may be in the governance stratum of the organisation, or third line, but this does not make me any less a part of the ‘team’, albeit a slightly different one.

I guess it all comes down to your model of internal audit. If you see audit as a competitive them and us, see the world as right and wrong, and perceive independence to mean a lack of engagement, then I should be both uncomfortable and remove myself from the position. Yet I feel part of the team; I think I am there to stand full square with my management colleagues to help, in my independent way, the organisation and them to face and manage the challenges and risks they face. I don’t see the relationship as one of conflict or competition. I certainly don’t see audit as right or wrong.

Yes, I do feel independent; I do feel as if I can be part of something in an independent manner. I don’t buy the old school internal audit locked away and not being part of the team. I do buy fierce independence, but independence of action and thought, not silly structural or procedural independence. For it is that very closeness to our client organisations that gives us a good understanding of the clients we work with, and the opportunity to add value to the business in a range of ways.

So will I still feel awkward at other meetings, or this same meeting next year? Perhaps, just a little, but I hope that my colleagues will understand and value the independence this awkwardness expresses, what it provides to my work, and the different perspective it brings. For that reason I hope I will be valued enough by colleagues to continue to have airtime and presence at management events.

Risk based audit?

I’ve been training some of my team this week and inducting new auditors into my department. This is always a cathartic experience, as it makes me confirm and challenge my thinking about what good internal audit and risk based internal audit is.

The bit that I find most interesting is when I work through what a risk based audit is. A risk based audit, to me, is much more than using risk to select the area for review. For being risk based means risk should pervade the whole approach. So in my audit construct I use risk not only to decide and select where to go (and not from some two dimensional risk universe, but from a more socially scientific, complex understanding of risk; see my previous post on audit universes for my views on these) but also to report.

I report based on net risk. Why? Primarily because I aim my work at the senior management and governance bodies of my client, so clearly they should be focused on risk exposure. Yes, we also report areas of low net risk but high gross risk, for the governance and senior management groups should be aware of where they rely heavily on the control framework. I also use four layers of risk, for otherwise a single scale (we use a four point scale) is not subtle enough to deal with most organisations. For operational matters that are important are never big enough to affect the strategic level (i.e. a project is too small to affect the whole organisation, so rated at an organisational level its risks would all be green, because the project is down in the organisational weeds). This approach, however, allows me to look at stuff that matters, to look at the micro and, by doing so, extrapolate to the macro. It also means I can work with the management team and my client organisation to inculcate and develop risk awareness and consideration at all levels of the organisation.

I can hear the challenge now – why is internal audit working at less than the strategic level? Well, for a number of reasons. First, strategic risks do not exist as such (they are aggregations or portfolios of tactical and operational risks), so to meaningfully audit them you need to break them down into smaller, organisationally meaningful, chunks. Second, strategic risks are simply too complex, too intermingled, too esoteric, to evaluate in a single audit. So big questions and risks need to be broken down into smaller questions and then linked to the organisational structures that mitigate them. Occasionally the odd strategic risk may be sensibly audited as a whole; I’m thinking of major change initiatives or major organisation-wide projects. In the main, though, in my experience you need to break the questions and the control frameworks into auditable chunks and work packages.

So if you report on a net risk basis you get into the colour, or report rating, problem. You then have a number of choices. Let us assume you have a four point risk rating, say red through to green. You could fix the ratings by pejorative judgement, that is red is high risk, thus it’s bad, and green is low risk and is good. Then you say anything red is bad because it is out of control, and anything green is good because it is controlled. But then where is risk appetite in this? Do you flex that scale by a moveable risk appetite or not? If you flex it, then you can have green reports that mean ‘good’ but actually refer to high risk, where an organisation’s risk appetite is high, and conversely a red report where risk is in fact green and low level. If you do this your risk ratings are no more than judgements about good and bad, not actually a statement of risk at all, for red could refer to high or low risk depending on risk appetite.

To get around this you could say we will not flex the ratings for risk appetite, i.e. high risk is orange or red, and low risk is green or yellow. But it does not encourage a good and sensible client risk management system if risk is judged against a fixed risk appetite, for no client either intends to have, or in reality has, a fixed risk appetite. So this is meaningless and makes no sense from an audit perspective. It also carries a false view that risk is meant to be reduced to green – why would any organisation want to do this in all cases? What a waste of money. It may also not be possible.

It also struggles with the idea of risk layers, for it can only work at one layer – presumably strategic. So not only does it make it hard to audit risk meaningfully, but it forces the client to manage all strategic risk to green. Successful organisations take risk and have risk profiles that differ.

So my solution is to fix the risk scale, i.e. risk is risk, red is red, green is green. High risk is always reported as red irrespective of risk appetite. There is no pejorative audit judgement in this, for red could be either good or bad, depending on risk appetite. Then I provide an opinion over whether the controls as designed and operated are either adequate or inadequate, i.e. whether they bring net risk below or above the risk appetite. This requires additional work to establish the appetite with the management team, but it is possible to establish through conversation and dialogue. This process is then replicated at each risk level. The opinion is split into design and operation (i.e. does the risk mitigation appear reasonable, and then does it actually occur?). All of this enables the opinion to be quite nuanced, linked to risk appetite, and to operate at various levels of the client organisation with sensitivity.

The second order problem is that many auditors conflate assurance and risk, so they are not clear whether they are talking about assurance or risk. So we have words like ‘full’, ‘partial’, ‘limited’ etc., and the wording of ‘risk ratings’ seems to refer to how much assurance there is. Now this works if you take the risk rating as absolute, as above (i.e. risk ratings are an anodyne description of risk), or if you fix risk appetite in the middle of the scale. I also think this only works if you take ‘assurance’ in this context to mean the assurance available from the management systems under review. So something of high net risk would be low management assurance and vice versa. If you don’t report risk as absolute and instead flex according to risk appetite, this link breaks down: if you have red to mean bad (and flex bad according to risk appetite) then the link to management assurance from systems, as the converse of net risk, breaks down.

Another take on assurance would be assurance provided by the auditor; that is, the auditor can fully assure you of high or low risk. I think the approach of assuring management systems makes more sense, as the purpose of audit is to inform clients and assure clients over their systems, even if the assurance statements feel a little clumsy.

So why report on net risk and risk base reporting? I think this is because, for me, the purpose of internal audit is to bring to senior management and the board’s attention, the risk exposure of the organisation and the assurance available from management systems. That is then a truly risk based system.

How do you risk base your audit?

Against the prevailing wind?

I have been to the cinema to see the film Belle. So as not to spoil it for you, it is about a black lady and her role in British society in the 18th century and the challenges she faced. This is not just within a society that still tolerated the abomination of human slavery, but also one that was highly status and class oriented.

The point that struck me about the film, and it is a good film all round, was the stand taken by Belle and her guardian, the then Lord Chief Justice, against slavery and the prevailing views of society at the time. I pondered whether this required extreme courage on the part of the Lord Chief Justice, and risked his professional status, standing and respect.

That then brought me back to being a CAE. I recalled how hard it has been in my career to take a view that goes not just against an organisational and senior management view but also against the underlying professional view. I have done this in the past over health and safety, where I came up with what I thought made much more sense as a delivery model, splitting health and safety oversight from delivery, but leaving expertise in each camp.

I have also done so in less obvious and dramatic ways over all sorts of issues. I have believed in the assessments I have made, but not to the point that I think I have all of the answers; more a belief that the challenge is of value in itself. I often take for granted the strong objectivity that internal audit has, and don’t really understand why others cannot see things afresh.

I had a good example recently, the other way round, that taught me how this happens. I was trying to explain my audit approach in plain English. A member of my team wrote an excellent paper, another reviewed it, and I then attempted it again. A member of management reviewed it and had a go, and simply used a clear way to explain it. I was surprised at my inability to see beyond my audit technical bubble.

So if it is a natural thing for us to lose our own objectivity does this make, coming back to my original point, the CAE’s job to really, fundamentally, challenge, difficult? Yes, I think so. It is very difficult to take an alternative view, as humans I think we are naturally conflict avoidant; hence group think and other phenomena.

So should a CAE raise a challenge to convention, really go against the prevailing view in a fundamental way? Yes, definitely. It behoves a CAE to do this, because they are best placed to do it. I’ll let you into another secret, in a number of cases, when I have done it, I have not only made a lasting difference to my clients, but actually provided cover for others, of the same opinion, to have confidence to express it. Yes I have been proven wrong in cases, and I cannot foresee the future, but no organisation can truly say, working through a challenging opinion, responding and justifying it, is not of value in itself. For at the very least, it can make the status quo more justified and grounded in analysis and consideration, and that, for almost all organisations, is no bad thing.

What do we mean by risk?

Here’s an interesting question. What is risk? Risk to what? I’ve always taken business risk to mean risk to an organisation’s objectives. Risks that opportunities and actions in pursuit of those objectives are not taken and that the actions taken do not ensure the achievement of those objectives. The UK Government’s definition via HM Treasury’s Orange Book is:

‘uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.’

The real question is that of the boundary. The boundary of risks to what? The Orange Book makes clear that this flows from an organisation’s objectives. It also makes clear that the public sector has more complex, public good, objectives. I wonder if the confusion over boundary comes when a government department has a policy role, i.e. they are making policy for the country and public as a whole. Does then the risk not distinguish between this wider remit and the more specific business plan remit?

It is tempting then for risk management in a government context to be managing the risk to the country as a whole. This, however, then makes risk management in an organisational setting much more problematic. For no country or government has the power or the risk management capacity to really manage the world’s risks. I would suggest therefore, that it would be appropriate to partition a risk management system between managing the macro risk (be it political, economic etc) and the business plan of the government to deal with that. That way, organisationally, you can exercise the organisation’s risk management system to manage organisational risk, a task it is better suited and more capable of doing. As long as the macro is mapped to the micro elements of the system this would then work I think.

The other relevant risk boundary question for us as internal auditors is one of our ability to manage them. This is an old chestnut as far as my blog is concerned and one I have thought about a few times. For the cry goes up from the audited business that internal audit does not have the skills to really understand business risk. As soon as we begin to ask real risk based audit questions this becomes difficult and one of professional challenge to those audited. So how can internal audit really challenge an experienced HR, IT, estates, music, food, international development, surveyor or whatever other professional and ask meaningful questions?

One answer is to tool up internal audit departments with those professionals and then train them to audit. This, I think, makes sense for the core elements of the client’s business. In my current role it makes sense for me to have a range of guest auditors from the business who really understand it and can add this context-dependent knowledge to their work. Taken too far, however, this is not helpful. First, it signals that internal audit is not a worthy skill set in the first place, something I do not agree with. Second, it makes internal audit no more than a management self review – whither objectivity and independence? In other words, where is the context-independent knowledge and the ‘strong objectivity’ to ask the really difficult questions outside of professional and organisational group think?

There is, however, a need for internal audit not to seem two dimensional and a poor reflection of the professions it audits. I do not buy the idea that internal audit can audit anything per se. This argument is normally grounded in the idea that you can audit process: so audit the rules (which management set because they know what they are doing professionally).

This is, simply, not risk based. For what if the rules are rubbish? What if the management decisions and frameworks of control and delivery don’t really mitigate risk? Audit is just the compliance police in this model. This is not risk based, not thinking, not rewarding for the internal auditor and, most importantly, not risk based for IA standards purposes. More than this, the world is social, and to form a truly risk based opinion on most business operations you need to look beyond the rules. You need to look, with professional judgement, at whether the rules are the right ones, i.e. are we doing the right things? Much more than this, lots of businesses and their operations are simply not prone to systematised controls. This is true of governments. Their work is heterogeneous in the main, not systematised, complex, social, political and difficult. Simple rules do not apply.

So how can internal audit be credible in this world, pushed by stakeholder expectations to be omni-competent, yet challenged by the business for being two dimensional, crass, and not understanding? Well, I think first internal auditors the world over need to be better. They need to be brighter, more intelligent, the very best thinkers. In short they need to be consultants, of consultancy standard. This requires better pay, and better marketing to the brightest and best of our youth. The profession needs to be clear about what good internal audit is to its recruits. It’s not finance, not a shadow of accounting, not pseudo consultancy; it’s the very best of all of these. It is risk analysts and business consultants using context-dependent and context-independent knowledge to engage with managers in a peer-to-peer conversation about risk.

Where I have had the engagement of a management leader (the very best leaders, in my view, do engage), an audit is able to really challenge, not in a win-lose way, but in a conversation. It can really move a department, process, culture or activity forwards. All good businesses need excellent internal audit. We are the disruptive influence that promotes growth and change.

So does this mean internal audit can audit anything? Of course. But this is not in the facile, compliance, or process manner that some mean it in. It is through acting more like organisational consultants, something in my view, very few internal audit functions are really up to. As CAEs we really need to ask ourselves – are our teams really able to do this? Do we have the breadth and depth of skills to do this work? If not, document what you have and fill those gaps. For the time is coming when someone will ask – what does internal audit really contribute? If it’s just low level compliance and checking and not fundamental challenge and consultancy style work then you should be concerned.

Team audit

Building the perfect audit team is challenging. For any team needs the skills to match the task it is given. Yet as risks and organisations change constantly and as the massive demands on internal audit change, so the challenge is very significant for CAEs like myself.

If I were auditing an audit team I would suggest that a skills audit is required: a formal skills matrix, identifying the talent needed and then mapping the current talent in the team against it. I have written before about the core of a team being ‘super auditors’; by this I mean MBA-style generalists who are nonetheless core auditors, who really understand audit practice, supplemented by other types of auditors: finance auditors, IT auditors, marketing auditors etc.

I have modified my views now though. I now head up a counter fraud team. They have made the link between control and fraud risk for me, in a way I had not fully appreciated before. Also the proposition of linking counter fraud detailed analysis and analytical views, with more systems-based assurance thinking, presents a really interesting proposition and a powerful combination. It makes sense, in my view, of both the fraud and assurance work of my department, in a way that, individually, they do not.

I have also come to really appreciate diversity. Not just because of the moral and ethical imperative of it (that is a given and a core belief of mine) but because different approaches, views and directions make such a strong combination. I have compliance-detailed approaches, broad-thinking strategic thinkers, systematic thinkers, creative writers and structured writers in my team. They are all different to me and challenge me (in a good way) to look at problems differently. I now run my reports and opinions past a number of different thinkers to get them picked apart and challenged. So in a skills matrix, type of thinker is an important dimension.

The other balance I would strike is between experience (context-dependent knowledge) and thinking ability (context-independent knowledge), for both are needed. Knowledge in a pure form, without the experience to contextualise it, is not helpful; experience without the ability to think beyond it is equally unhelpful. So I would suggest a CAE needs a team that ideally has a good mix, and encourages all members of the team to keep up their CPD (context-independent knowledge) and training (context-dependent skills and knowledge). I am most proud of my record as a CAE in this, with all the people I have worked with really pushing themselves and their abilities forward. There is nothing harder, or worth more respect, than a person who works full time and manages study too.

So, having thought about professional background, personality types, and training and experience, what else should a CAE look for? I would suggest personality. This is really difficult for a CAE. What is the right balance? Should team fit be identikit, i.e. all the same? Well, again I would suggest diversity, but diversity around a common understanding and shared set of professional, moral and ethical understandings and common professional standards. For me good team fit means pulling in the same direction. It means having a set of principles that underpin the decisions and actions taken. As a CAE I want to know that the many complex decisions my team takes every day are made with the same considerations and the same likely outcome as if I had made every decision myself. That is, the ‘right thing’ is done. This is the bond of trust we hold in our teams as CAEs, and they in us.

So would my internal skills matrix control work – actually yes, I think it would. I would heartily recommend all CAEs adopt the approach and think consciously about the skills mix they need in their teams. This is not a nice to have but core to a successful audit function in my view.

Ratings rage

Norman Marks, who often has insightful and helpful things to say about internal audit, has commented on audit reports (see http://normanmarks.wordpress.com/2014/05/16/a-satisfactory-audit-report-is-unsatisfactory/ ). One particular comment stuck with me:

‘Internal auditors need to stop hiding behind rating systems and use the full capabilities of the English (or other language) to inform their stakeholders.’

I agree with this to some extent. We have all had ‘ratings rage’, where the message is lost with some clients behind a colour or risk rating descriptor. I do think, however, that plain English descriptors alone do not provide a structure of comparability, of metrics-based assessment, that provides a hook on which busy senior managers and non-executive audit committee members can understand the world. So if I take my assurance work at my clients, I have put the contextual, English messages in each assurance report. Yet at the year end, when I come to issue my annual opinion (where it has always been a regulatory requirement), I have wanted to have some sense of what I have found during the year. A qualitative professional judgement is fine, but it requires something a little more structured to support it. This semi-structured approach to the world, a socially scientific approach, where the complexity of a social world is neither boiled down to fake scientific accuracy nor, through purely artistic description, left without any explanatory structure, feels right.

So, do I support internal audit’s ratings systems? Yes, but a qualified yes. I support it as long as it has intellectual consistency. Part of this is my slight OCD tendency (I like things to be tidy and defensible, intellectually). Part of this is because audit committees are (rightly) very demanding of CAEs. They will unpick something that makes no sense. If I cannot defend or explain the report and its rating systems, how can I expect an audit committee to accept and value the reports it is given.

Interestingly, Norman’s post is actually critical of most rating systems. In particular he is pointing out that ‘satisfactory’ makes no sense unless it is related to risk appetite. In my ratings systems we are risk based, that is we describe (without value judgement) an objective view of net risk. For that is what a risk based audit really should do, in my opinion. If this is blindly related to assurance, or a value judgement is layered over it, then this will present a problem.

So is high net risk good or bad? Well, I would argue it depends on risk appetite. Clearly at an organisational level high net risk is bad, unless the owners or key stakeholders of the whole organisation want to risk their investment. At an assignment level it can be good or bad. So, as part of an organisational portfolio, an R&D department will be wanting to take risk. A particular business unit may want to take risk. So for audit to say ‘red is bad (high net risk), you need to put in better controls’ carries a value judgement. What if you want to take risk? Internal audit is not there to make organisations ignore, hide, or feel embarrassed about risk. It should be there to make the organisation more open to, and accepting of, taking managed risk.

So what about assurance? Well, something that is high net risk also has the corollary of low assurance over the achievement of objectives. So if scope X of a review is high net risk, then low assurance can be taken from the systems. But, surely, this again is neither bad nor good; it depends on your risk appetite. Risk can, however, also be independent of the control system. So something of low net risk might be due to a natural risk hedge through a portfolio effect, but this is not really a statement on the control framework; it is a natural control over risk. So you could offer a ‘green, low net risk’ opinion but still conclude the control system is weak. You could also conceptualise assurance as being independent of the risk control system. So I could fully assure you that net risk is high. Assurance is then a measure of confidence in the work offered.
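To make the fixed-versus-flexed rating argument concrete (it serves the ‘Risk based audit?’ post earlier on this page as well as the ‘green net risk but weak controls’ case just above), here is an added worked model in Python; it is not the blog author’s tooling, and the scale names, the assurance-word mapping and the sample findings are my assumptions:

```python
# Added worked model of fixed vs flexed risk ratings. Constructed example,
# not the blog author's tool: scale names, assurance words and findings are assumed.
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    """Four-point net risk scale; IntEnum so a level can be compared to appetite."""
    GREEN = 1
    YELLOW = 2
    ORANGE = 3
    RED = 4


@dataclass(frozen=True)
class Finding:
    area: str
    layer: str          # operational, tactical or strategic
    net_risk: Risk      # residual risk as assessed by the auditor
    appetite: Risk      # appetite agreed with management at this layer
    design_sound: bool  # does the mitigation look reasonable on paper?
    operates: bool      # does the mitigation actually happen in practice?


def flexed_rating(f: Finding) -> str:
    """'Red is bad': the colour is a judgement relative to risk appetite."""
    return "RED" if f.net_risk > f.appetite else "GREEN"


def absolute_rating(f: Finding) -> str:
    """'Red is red': the colour states net risk and carries no judgement."""
    return f.net_risk.name


def adequacy_opinion(f: Finding) -> dict:
    """Separate opinion: are controls adequate (net risk within appetite),
    split into design and operation as the post describes."""
    return {
        "controls": "adequate" if f.net_risk <= f.appetite else "inadequate",
        "design": "reasonable" if f.design_sound else "weak",
        "operation": "effective" if f.operates else "not operating",
    }


# Assumed wording: assurance available from the management system is the
# converse of net risk, which only holds while the colour is absolute.
ASSURANCE_WORDS = {Risk.GREEN: "full", Risk.YELLOW: "substantial",
                   Risk.ORANGE: "partial", Risk.RED: "limited"}


def management_assurance(f: Finding) -> str:
    return ASSURANCE_WORDS[f.net_risk]


def colour_is_a_statement_of_risk(findings: list, rate) -> bool:
    """True when every colour produced by `rate` maps to exactly one net risk level."""
    levels: dict = {}
    for f in findings:
        levels.setdefault(rate(f), set()).add(f.net_risk)
    return all(len(s) == 1 for s in levels.values())


# Constructed sample findings across layers and appetites.
SAMPLE = [
    Finding("R&D pipeline", "tactical", Risk.RED, Risk.RED, True, True),
    Finding("Payroll changes", "operational", Risk.YELLOW, Risk.GREEN, True, False),
    # Low net risk here comes from a natural portfolio hedge, not the controls.
    Finding("Treasury exposure", "strategic", Risk.GREEN, Risk.GREEN, False, False),
    Finding("Pension scheme", "strategic", Risk.RED, Risk.ORANGE, True, False),
]


def report(findings: list) -> list:
    """One row per finding: both colourings side by side, plus the opinion."""
    return [{"area": f.area, "layer": f.layer,
             "flexed": flexed_rating(f), "absolute": absolute_rating(f),
             "assurance": management_assurance(f), **adequacy_opinion(f)}
            for f in findings]
```

Run `report(SAMPLE)` and the two `colour_is_a_statement_of_risk` checks: the flexed colouring gives the R&D area and the treasury hedge the same ‘GREEN’ despite net risk of red and green respectively, while the absolute colouring keeps each colour tied to one risk level and leaves the judgement to the adequacy opinion.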

All of these things matter. Perhaps not to most managers who will not look beyond the tick or the cross or the colour. But to the audit committee, to the audit trail of opinions offered, to the ability to focus clients on risk. All of this matters. To me anyway! So next time you face ‘ratings rage’ be clear in your own mind about what it is you’re saying and why.

Internal audit for me should not lose the discipline of rating and quantifying its work. It is a key reason why good internal audit is better than consultancy, for it has a structure to express itself and give the work meaning. But it is a discipline that takes time, effort and work. Writing and doing audit work is fine; forming an opinion is the hardest bit in my view. For while a narrative report can never be ‘wrong’, with a rating we (particularly us CAEs) put our necks on the line, and that is what we are paid to do. That is why internal audit matters.
