Risk based auditing – again!


Yawn! We all know what this is, enough already!

Well, I have been thinking about this a little further and I am not sure that the debate is over. I think all CAEs would agree that major business programme and project assurance is important. Also that the internal audit function should have some level of engagement with this to ensure proper assurance is provided to the business.

Now is this a risk-based audit requirement? If we narrowly interpret risk based auditing as merely grounding a plan in some consideration of risk, then yes, of course. If we alternatively, but equally narrowly, interpret risk based auditing as focusing on the most risky areas of the business, then perhaps, no. How so? Well, most internal audit functions are relatively under-resourced (compared to non-executive board demands and the business), so risk based internal audit functions really only have resource to assure strategic level (significant) risks. Even this is likely to be over a number of assurance periods (normally years) not 100% coverage every year. So any focus on programme or project risks, unless strategic in their own right, is likely to be a focus on tactical level risks, a level that most internal audit functions are not resourced to tackle.

So is this another non risk based demand on internal audit to be added to all of the others (annual or audit period sufficiency, demand for financial assurance from stakeholders disproportionately, compliance assurance requirements, management assurance demands, specialist strands of audit risk e.g. IT, sufficiency of work within each component of periodic assurance opinion given e.g. value for money or governance)?

Well I think it depends. I have in my head a model of assurance based on risk levels. Risk for me is not really ‘managed’ i.e. actively addressed, at a strategic level. It is too esoteric and organisationally meaningless to be so. It may be summarised at this level (and for all sorts of reasons, for most organisations to do so is a little pointless, creating esoteric and disconnected-from-reality risks), but it is rarely actively managed there. That is because organisational structures are simply not oriented around strategic risks. Strategic risks cross-cut professional, geographic and other operational silos. These risks, therefore, are managed at tactical, programme, project and operational (departmental) levels of the organisation. One can audit strategic risks by following the cross-cutting elements of these other levels to gain assurance over the overall organisational response to a strategic risk (the top down assurance approach), but one can also break down the strategic risks themselves into their tactical components.

Auditing at a tactical or ‘thematic’ level is what I call horizontal auditing: looking at a cross-cutting risk (often a component of a strategic risk) as it crosses the organisation’s structural silos and boundaries. This also applies to programmes and major projects. After all, why do businesses establish such things? Normally because there is a business need (or significant risk) outside of business as usual that requires the additional management discipline, focus and resource management a formal project methodology brings, to ensure a business-critical outcome. This analogy of auditing at levels similarly applies to departments. Why are silos and departments set up in organisations? Well, simply because a strand of specialist or geographic risks needs to be managed coherently. Delivery of the business objectives (and accompanying mitigation of risks) in a locale or professional silo, if you like.

So back to where I started. Is programme or project risk assurance part of a risk based plan or not? The answer is yes, if you have an assurance plan that recognises that risk based auditing is at levels (strategic, tactical, programme, project and operational) and should prompt an audit response that is top down, sideways in and bottom up. This then prompts the question, how do you report different risk levels? (I feel another post coming on in due course); and also the perennial question of whether a risk based auditor focuses on high gross or high net risk (see previous posts on this debate).

For me the fundamental point is that just doing programme and project assurance because we CAEs think it feels like the right thing to do and to try to squeeze our current limited resources to do so, without having a paradigmatic and intellectual grounding and justification, is wrong. We should have a clear view where this fits within an overall clear view of what a risk-based approach to audit really is. Do you?


Credible hulk?

Just a little frivolity of mine noted on the twittersphere to start the week…! Not sure about internal audit ‘rage’ but the rest should be the role of good internal audit.


Internal audit – professional dysmorphia?


So we read in the UK IIA’s magazine this month about an internal auditor adding value by having people from the business involved in internal audit. In this case at Shell. http://auditandrisk.org.uk/features/he-can-be-sure-of-shell

Now this makes perfect sense. Of course an auditor will be able to have better risk based discussions if they understand in detail the business they are auditing. But read further. 85% of the audit team is rotated. That’s a huge amount. Where is the core audit skill, training and management there? Will this lack of audit skill really make the audit better?

But read further and it becomes clearer. ‘So we bring in experts whom we train to be internal auditors in six months’. Really? Is internal audit nothing more than a few skills of conflict resolution, report-writing, analytics and interviewing (as posited in the article)?

All of this is done to improve ‘credibility’. As somehow ‘just’ an internal auditor is not credible, or incredible (not in a good way). Look at the subtitle of the article on the front page about ‘how a constant flow of new recruits from the business helps internal audit generate value’. That is the gold (or black and gold) statement. Internal audit per se does not add value. Then if we are left in any doubt whether this view is taken in Shell we learn that the chief internal auditor has had a long career as an accountant in Shell. It is not possible to tell from the article or the internet, whether he is IIA qualified. I hope so, but the audit approach does not suggest a career auditor.

So what is my issue with this? It’s clearly a valued IA function. It works in a complex business. It is clearly sensible to have a guest auditor or rotation scheme. Well my issue is intellectual and more fundamental than that. It’s about the internal audit profession learning to have confidence in itself. It does not need to be something else to be of value.

First, let’s take the idea that internal audit is of no value per se. Well, the knowledge that a guest auditor scheme brings is context-dependent knowledge: experience and skills. In a business like oil I imagine understanding how stuff is ‘done’ is quite important. Internal audit is more than that though. It is also context-independent knowledge: the ability to analyse, think about risk, be cold and detached, objective and independent. I suspect Shell pays a reasonable sum to consultants like Boston Consulting, Bain etc. Why? If you need context-dependent knowledge to analyse a business, add value and be credible, why do this? It is because being professionally trained to analyse a business is important and is a skill of value in itself. The joining of context-dependent and context-independent knowledge is a tough skill that few internal auditors (myself included) fully master, let alone an oil engineer on a one year secondment.

Second, the conceptualisation of internal audit as needing to really understand the business’ detail to be able to add value. Well, although I believe independence to be a state of mind, not fact, there is a sense in which that fresh challenge is missing when someone comes from the business. It doesn’t matter what the business is, or whether it is complex or not; we are all human and therefore carry with us a lens of understanding we gain through being socialised in a business. It takes strong professional training to fight this innate human tendency. Thus those from the business will have a view about ‘how things are done’. Some of the best auditors I have known have a great ability to play ‘dumb’, asking the most fundamental and ‘stupid’ questions that the business is either not able or not willing to ask itself. This is often the core value of a good internal audit function.

Third, the model of internal audit as business embedded and engaged is a good one. Here Shell do get this broadly right. The old ‘them and us’ management and internal audit model is unhelpful. But for a partnership and embedded model to work, both parties need to value themselves. I bet the finance team in Shell do not rotate their staff so much. They believe they can add financial control and value through using their professional skills without having 85% of their number as engineers on secondment in finance. So why not internal audit? Internal audit has value through its mindset; its wide-ranging coverage; its strategic, tactical and operational focus; its freedom from executive accountability (with its pre-destined focus on managing issues, not risk); its analytical, interview, influencing and reporting mindset; and its independent and objective mindset. Mixing the professional and technical silos in any business is good, but this must be balanced.

Fourth, what is it that general management bring to the table that is so much more than a professionally trained auditor? Most managers understand in detail their operational business, but often have little or no general management and professional management training. Does this not mean internal audit, with its wide-ranging, strategic and cross-business coverage, professional business and risk training, and experience across the whole business rather than a single professional or operational silo, should have at least something equal to bring to the table as the manager of a function or operation?

I am of course taking the article at face value (they are limited for space) and many of these points may well have been considered by the Shell team and overcome. My overriding concern is that internal audit, as a profession, must get more comfortable in its own skin. It must value itself without becoming either more like management or more like consultants. It is a ‘professional dysmorphia’ that will prevent the profession from self actualising in the long run.


Party time?


The non-executive nature of internal audit can be problematic. This vexes many of my professional colleagues as it seems to stop them doing all sorts of things: re-reviewing their own work; getting usefully involved in project assurance; debating how frequent auditing should be before it becomes ‘management assurance’ as opposed to audit; and most tellingly being confident enough to have an opinion on the business as non-experts.

So if we are non-executive and we are non-experts, what do we bring to the party? Well, if we allow our own insecurities as a profession and as individuals to show, very little. I trained with one of the big four accountancy firms. Despite spending my first three years being told what I could and should do, with file structures and sampling methodologies pushed down my throat, I survived this to make it to manager. Now, suddenly I found the game changed: it was not about what you couldn’t do, but what could you do. Can you ‘get things done’? The reward was not for being ‘right’ and ‘technically accurate’ but for social skills, responding to clients’ needs and making stuff happen through others (your team) and bureaucracy (even the private sector has that). I then took up the opportunity after that to head up my own in-house audit service. I took this not for the pay or reward (definitely not!) but for the chance to establish my own modern vision of internal audit without constriction and rules. Thankfully I had the benefit of an excellent colleague who went on the intellectual and experimental journey with me. We both studied with the IIA (use the UK one; it has an excellent set of qualifications).

Yet the profession as a whole is still stifled by a need for rules and guidance, not a sense of pragmatism, adventure and contingent, principles-based delivery. For here is the key lesson in my view. A good CAE should have confidence. Not arrogance, as we are a fellow and complementary part of the organisation’s governance and management structure. Think about managers for a moment. They have no rules; management has no intellectual orthodoxy or must-do approaches. No prescriptive rules. Not even principles-based international standards. Yet managers everywhere are held responsible first for all of the things we audit. To succeed in management you need a can-do attitude. A sense of confidence and self-belief. Not qualifications or rules.

So for internal audit. We share many of the resources that senior management have to address and tackle the management problems of the business. We have a broad remit; cross-cut at a strategic, tactical and operational level; have access to the senior people and governors of the business; are able to say and write what we think; and are able to look at a wide set of skills and activities to address problems. Yet we have something more. Freedom from accountability for the results; a systematised and disciplined view of the world; a good understanding of finance and risk; a requirement to formalise our thinking within a reported format; a need to form opinions and step back from day to day activity.

This is what internal audit brings to the party. Management with an intellectual and rigorous structure. I come back to where I started. The key lesson I have learnt is to have confidence in myself and my profession. I have learnt time and time again that a good internal audit review will be prescient and meaningful. How many times have I predicted something will go wrong and, eventually, it has. This reinforces my view that, as generalist and inexperienced as I feel at the start of each review, managers are in exactly the same position. They may internalise the language, social totems and symbols of their work, but this gives them problems, not advantages, when solving an organisation’s problems. This baggage can be a barrier, not assistance, to moving forwards. Internal audit’s obsession with objectivity and independence is helpful and welcome, because it keeps us sharp.

So what stops internal auditors bringing this value to the party? Confidence. Have confidence in common sense. It is not common. It is the key thing internal audit brings. So go forth and take the confidence with you!


Report ratings?


At various points in a CAE’s career you get chances to review the way you do things, either in a new role, or after a quality assurance review, or when you see something you like that another auditor does. I’ve written here in previous posts that I think the audit report is the key product. Yes I know we can report in other ways, presentations, online, verbally, through the medium of mime (okay I’ve not tried the last one yet), but the audit report is still a core product.

But what makes a good audit report? Well, auditing standards are suitably vague: the performance standard requires each engagement to ‘where appropriate, contain internal auditors’ overall opinion and/or conclusions’ and that ‘communications must be accurate, objective, clear, concise, constructive, complete and timely’. But what makes a good conclusion? In particular I want to focus on the idea of a conclusion. What should the assignment report’s conclusion look like in a risk based audit world?

I’ve always sought to report based on the client’s net risk. That is, to risk rate the report according to the assessment of net risk. Does this mean that the report does not provide assurance? Can you rate a report in assurance? Well perhaps, but shouldn’t every report give full assurance? i.e. I, as the CAE, should be able to provide full assurance over the opinion provided (or limit it if it does not have suitable work to support the scope of the opinion given). In other words I could give you full assurance that risk is badly managed. Similarly I could provide limited assurance over the fact that something is well managed. Does this mean the report would be red or green rated? Or by providing limited assurance am I really trying to say that I can assure you, client, that your systems provide you with no assurance? Strange.

For me the important thing is that clients manage their risk. So a report assuring them from an independent perspective over that risk status is valuable in my view. It focuses the management team and audit committee on net risk (which is ultimately the purpose of risk management). Assurance should always be full (in that the assurance should be full over the scope of the review being undertaken). Is the adequacy of risk an audit view or not? Well, I believe it is both. It should be grounded in the client’s risk appetite, as independently considered by the auditor. Thus it is both the view of the auditor and the view of the client.

The second issue is how to deal with the issue of smaller and larger scopes of audit. Clearly the risk from something small, even if poorly managed, is still small. So how does a single scale cope with this? I would suggest that it copes by having different risk levels. Thus a high net risk operational report is a medium risk tactical report and a low risk strategic report. This takes time to train auditors, clients and audit committees to appreciate, but makes perfect logical sense. It also helps to focus the auditor and the auditee on the real scale of things being assessed.

So what do you think? Have you reviewed your reporting recently?


Value from internal audit


This is a topic I have covered a few times, not least to express my view that internal audit is value adding in its own right, without any consultancy or other value added activities on top of audit. I was reminded of what is of value by an experience I had this weekend.

I was at a coffee shop for lunch and the whole experience was poor. Poor welcome, long wait, dirty table, weak menu, and finally a very poor lunch. The bill did not relate to the value of the offering. What I could not explain or understand, even more than the general systematic faults in the coffee shop’s systems, was how a substandard, thrown-together plate of food could be despatched.

As a CAE the equivalent is the sending out of a substandard audit report. When am I under the most pressure to do this? Well, if an auditor has not given me enough time to review a report, or in a period before an audit committee when reports need to be delivered, or if the fieldwork was done badly and it is embarrassing or expensive to supplement or repeat it.

Now my view is that a CAE should never send out a substandard ‘dish of food’. For just as in the case of a restaurant, the bad food will be remembered longer than the slight wait or even bad service. I would never go back to a restaurant with bad food even if the place, service, timing, cleanliness etc. were excellent. I think this is the same with audit and audit reports. So in my view the audit report is all important.

But what adds value in an audit report? I have been on a lean auditing course and this seemed to suggest that the smallest, fewest, simplest report should be issued. Focus only on what the customer wants. I think this is flawed: internal audit is a professional service and the customer’s views are important, but there are cases when the message needed, not wanted, needs to be given. For me the key point of value in an internal audit report is the veracity of the opinion. Being ‘right’ (or as right as one can be in a social science setting – see the previous posts on research assumptions) is important. No one will remember the slight delay in issuing the opinion if the resulting report is well-written with the right opinion.

Conversely, I suspect all CAEs are risk averse. A CAE incurs greater risk from issuing a wrong opinion than issuing the correct one; no matter how difficult the opinion is for the client organisation to deal with. You can be sure that if something goes wrong and it has been audited previously, the first call is ‘where was internal audit?’.

What other items are of value in internal audit reports? Clarity, a good executive summary (by that I mean something that summarises complex messages, required actions, without over simplifying or making them two dimensional), a clear risk based opinion and a sense of proportion.

Report writing is the biggest challenge I have faced as a CAE. It is an art, not a science. It is one I wrestle with constantly and one I always learn new things about. Writing a good report takes time, effort and practice, but in my view it is well worth the effort.


Whither risk based audit?


I wonder if we’ve all moved on from this? Is it, like risk management for managers, yet another fad that is theoretically possible to do but hard to achieve in reality? As a consequence we all give up on it and move on. So for risk based internal audit, for those internal auditors that ever got there (and I doubt many did, as it requires an extreme level of risk maturity), perhaps we have all given up?

No, no-one would admit that. Try going to an audit conference and saying ‘I do non-risk based audit’. Career suicide! Yet is that what we’ve all settled for? Some cognisance or nod towards risk, yet lacking the courage to really examine how risk based we really are, unable to acknowledge that all sorts of factors influence audit plans, not just risk.

First of all I don’t believe the myth that risk based internal audit needs a risk mature client. Why? Internal audit is meant to be independent, so why not have an independent assessment of risk? After all internal audit is in just as good a position as the senior management team to assess risk – why not use our assessment?

Second I believe that a fully risk based audit belies the human and organisational reality of most clients. If you fully risk base an audit you will, obviously, go for the big problems, the unresolved risks, most probably the big current issues. How sustainable is this as an audit and assurance plan? If you think about it as a diet of assurance for an audit committee, you effectively feed them big, heavy, issues. This is a rich and indigestible diet of non assurance that eventually tires and exhausts an audit committee and the accompanying management team. Now this approach makes sense intellectually, for if you tackle the big issues, then the big risks, you drive down risk systematically (assuming the audit committee are effective in forcing appropriate and timely management responses). In reality, however, it makes audit a challenging and tiring experience for all involved.

The Institute (CIIA) seems to have stopped talking about risk based audit, as indeed have we all. I think it thinks (as perhaps we all do) that we have this risk based audit thing sorted and organised. I am not sure though. I have seen a number of internal auditors and internal audit approaches. They all claim to be risk based, but some still have what I would regard as either non, or intellectually weak, risk based justifications. Only this week I saw on the Institute’s home page a question about the potential use of an ‘audit universe’. Now there is nothing wrong with this, but this is a debate from well over eight years ago. Most audit universes are glib, two dimensional and meaningless. They are a nod to risk-basing an audit plan without really understanding the complexity of risk.

The reality of a real risk based audit plan is that it is composed not only of the hard factors (cash, process, location, size, complexity etc.) but also the soft social factors (people, culture, politics, personalities etc.). Risk in an organisation, particularly the veracity and quality of an organisation’s response to it, is a complex melting pot of a myriad of social factors. In this, any mechanised risk model will necessarily seem two dimensional and glib. So for me, a risk based audit plan is one that is constantly working through a lens of risk, using this as an analytical framework to inform and deliver audits and assurance. In effect the audit and assurance plan is the risk assessment. Each audit constantly adds more depth, colour and meaning to the internal audit risk assessment. It is for this reason that CAEs gain such a depth of knowledge of organisations: the audit and assurance plan is a constant researching of our client organisations. Always, in my view, trust a good CAE’s opinion; they will know how things really work. The best risk assessment work I do is sitting in departments’ offices and getting a sense of how things really work. Why? Because you see the social interactions and meet the personalities in the department.

So to conclude, I think the risk based audit approach issue is far from resolved at a profession level. Certainly at an audit service level. I am not one who thinks that one ‘risk based approach’ is wrong and another right; we don’t need a straitjacket of rules, but come on, we as a profession are still a long way from even a set of principles. We need to keep talking about this.
