I think our profession is standing at a significant strategic stepping stone and crossing point. I think it has increasingly reached a decision point to decide where it wants to go. I am decreasingly convinced that the profession will make, what I think, is the right choice.
I have been extremely lucky in my career. I have worked under, and with, bosses that have earned my respect and have allowed me the space to interpret and develop my version of internal audit over the years. Do I think internal audit is and should be now, what I thought ten, five, or even two years ago? No, I don’t.
When I worked in a professional services firm it was before the national practice began to recognise that performance meant conformance. So I was able to develop my little bit of the internal audit practice, with the support of a commercial and pragmatic partner in the firm, into something that made sense to clients, that added value, that was less hung up on right and wrong and more on thinking about the world in much less formulaic terms. I had daily rates and margins and a consequence that then (now nearly ten years ago) have not been beaten now. When I fairly recently tendered out for some internal audit work I was actually being charged less than I charged.
When I then went on and headed up my own in house service, as a young CAE, I was able to build up, from scratch, what made sense. One can argue whether my client got it at the time, I suspect they didn’t, but I did it. I had two good bosses in succession, both of whom were high-class individuals who supported the engagement with audit and challenge and supported the development of a service that made some coherent and meaningful sense.
Now, in my current role, the quality of staff in my client organisation is really high. The leadership more so, and again I have had a chance to really aim for ideal and perfect. To be resourced and supported with senior management engagement and understanding (the most important resource) that is enabling me to take my thinking vision into something practical. In my current role I also have a fabulous team (all of them both collectively and all individually too). I am also bringing in some real talent to provide breadth and different perspectives too. They all really get the vision – a consultancy led service, without walls, without the dead hand of silly input rules and compliance, and most importantly without audit software! (a pet hate of mine). Just people that are understanding of the business, bring their own professional backgrounds and minds to challenge and support their management colleagues.
We actually audit the business (fancy!) i.e. if we were a food retailer, we look at the risks in the food chain, if we were a car manufacturer we actually review the risks to how cars are made. We don’t hide in the corporate back office (though these are important processes), we don’t hide in compliance checklists (counting fire extinguishers or compliance with office rules). We actually stand full square with the business and management team and think about what it is that really makes a difference to the business, adding our independence, governance risk and control mindsets to the mix.
Yet I have been lucky. I know so many CAEs who are limited by their firm’s software or file rules. Who count the inputs not the process or outputs. Who are not allowed to wander into things that really matter ‘no you can’t audit the business because you don’t have the knowledge!’. I have known some great CAE peers who have got it too. Who see beyond the Institute’s rules and compliance and the sense that anything thoughtful, meaningful and challenging is suddenly called consultancy. They, in their own ways have been cutting themselves some slack and space to develop good, meaningful, internal audit.
Yet when I see insights into a majority of CAE’s lives and indeed their own views, I am depressed and discomforted. Depressed that we as a profession continue, spectacularly, to miss the point. The point that you are only relevant if you work in the front office, that the world cannot be controlled by compliance and rules (banking, schools, government, IT etc – how many time must we learn this lesson?), that there is no right and wrong in risk auditing.
For we as a profession must stop measuring ourselves by our financial accounting origins. There is no IFRS for business risk. No right and wrong. We should stop measuring our inputs (we did this for we all came from firms that charged for their services), it is not an indicator of quality or performance. For the firms, despite pulling the intellectual and institute strings of our profession are actually not interested in internal audit. They are not internal for a start. They approach it as they do for controls testing for financial statements audits. They are priced out of the market, for to do a risk based audit of any quality takes time, high quality thinking and trained staff, that the firms simply cannot afford to deliver and manage the risk (what if we were ‘wrong’ and got sued?). If we take the UK, the big four firms are effectively priced out of market in the south and London; simply, they cannot make it pay. So this space it taken up by the lower quality and presumably less risk averse, second tier firms. So firm-provided internal audit is, generally, second tier quality and delivered (certainly in the UK). I appreciate these are generalisations and I have met a few firm-provided audit services that have bucked this trend. But I think my underlying point stands.
Yet we miss the real incentive for the firms to avoid allowing internal audit, as a profession, to blossom. That is that internal audit has the capacity to displace consultancy work, high margin, little-challenged, consultancy work. For a good in-house service has the capacity to deliver excellent results through having time, quality staff (without the burden of stratospheric charge out rates) and also context-dependent knowledge (that no firm, even in partnership) is ever able to really deliver. Hence whenever internal audit does something of quality it is ‘consultancy’. No. Forming a high quality, business and risk led view of business challenges and presenting three dimensional solutions is internal audit, not consultancy.
So why do I think this is important for the profession as a whole? Well I think it means that in-house services will always see outsourcing as competition (when it should not be), will define itself through a business and delivery model that only makes sense for the firms, and will allow the profession’s standards and rules to be dictated by external auditors – for we’re all ‘auditors’, right? No we’re are not.The profession needs to develop a view that good internal audit is: internal; not bound by rules, but principles; measures quality as performance, not conformance; audits the front office; is part of a wider framework of controls and lines of defence; and most importantly begins to develop an approach to the world that stops considering it in a rules-based, right and wrong way.
So, can we, as CAEs begin to make this argument? I hope so, for it will have a virtuous circle of increasing respect for the profession, increase the quality of candidates we attract, improve pay, and really add value to our clients.