Scores on the doors?

"Strictly Come Dancing" judges

So what’s made me think or be inspired this week? It was another week where a single comment hit home. In this case – ‘as a leader you are being judged even when you’re at the company coffee cart’. It got me thinking because it is so true. As a CAE you have a number of audiences, the audit committee, senior management, middle management, operational management and of course, the audit team itself.

These are hugely different audiences. Now of course all CAEs know they are on view at the audit committee. Most CAEs, and I am sure I am no different, carefully manage the diet and messages of audit committee to ensure that I meet their expectations and future expectations. It is a set piece meeting. So of course I phrase things carefully, consider potential options and questions for response. I have also got into the practice, over the years, of having a pre-meeting so I can assist the audit committee chair to achieve their objectives for the meeting. I know how difficult being an audit chair can be – I’ve done it myself.

So, senior management. Of course one is thoughtful and prepared when speaking to them. First to meet their assurance expectations and needs. Second to provide a suitable challenge and support, working within the management risk appetite and agenda. Third to provide a space to have open, honest, candid, but also safe, conversations.

So for middle and junior management the CAE tries (I think) to have a more honest conversation. Again the messages are tailored, to support, but challenge, the management team. This is about understanding the risk challenge and narrative, but also about the extent to which a challenge can be raised. Here I try to really understand how it really is. Otherwise internal audit can seem like the parachuting in of head office, ivory tower, 20:20 hindsight, so-called ‘experts’. I like to think of internal audit as being more of a set of battle-worn realists who can translate between different layers of the organisation (not that I, or my team, always get this right).

So how do I feel judged as a CAE? What does this mean? It means you have to be all things to all people. It means you cannot be intemperate, or be too bold and strident in the way you express yourself. At the same time, however, I believe good leadership requires you to be authentic and human. I’ve written before about how difficult it is to balance self-disclosure and authentic human behaviour with being a leader. There’s a great Harvard Business Review blogpost about it, see:

I think the answer, certainly when leading audit teams, is to foster human understanding of each other. For at the heart of my audit approach is a recognition that humans are complex, difficult, challenging and make mistakes. They make these because the world is difficult, complex and full of trade offs. So just as I believe that we as auditors should accept the human frailty we audit we should also accept each other as human beings that need support. This is particularly in my current team where we travel as teams and are often overseas, looking out for each other is not just good practice, but a necessary part of working together.

So perhaps audit teams do need to cut their CAEs a little slack, for one cannot be inspired by an automaton, but teams also want to feel that they are not ruled solely by a CAE’s whims and personal views, for therein lay the bonfire of process and equity. How do you, as a CAE, cope with being judged (even when buying a coffee)?



Filed under Auditing, Internal Auditing, Leadership, Uncategorized

When the rivers run dry


So what has inspired me this week? Well a phrase a colleague used ‘well we will see if the rivers run dry’. This was meant to refer to the case when a client makes strategic or top level comments and promises about controls and strategies, but when you follow this river it gradually dries, turning into a brook or dry river bed. In particular this applies to the control framework – grand risk management promises fail to crystallise into a meaningful set of tactical and operational controls.

What a great and well-observed phrase. For often in the first set up meetings of audit a client will set out how things are meant to work; give you the sales and risk management narrative. I often find that it can happen to chief executives and top management individuals at clients over the year, where their understanding of the reality of control and risk mitigation below does not match the narrative they’ve been given or assured is the case.

So there is a key benefit of internal audit. Far from being critical of senior management, we are there to provide assurance that what they think is happening is indeed happening. So often, however, it isn’t. This is not the fault of senior management. Junior staff rarely want to say how things really are, because they think it is career-limiting. So here we have the second benefit of internal audit – we are not in the management line, so being less sanguine about reality is not (or at least should not be) career-limiting.

Weak control is also not the fault of junior management and staff. Often the point is that you need to see cross departmentally and cross organisationally to see the complex web of processes and people that work, collectively, to mitigate risk. I would not fault senior management for not seeing this either. They do not have the time to test the logic, veracity and delivery of the complex web of controls. So here we have the third benefit of internal audit. We are the only people, with the time, practised skills, and remit, to test the complex web of organisational risk management controls.

So is it a role of internal audit to go into water divining mode and seek out the risk management controls? Yes of course it is. It is a key role of internal audit to test the control framework, in design and operation. How often have we found that you can stop at design – that will never work, even if applied.

You can only really see if a river has run dry if you follow it. To follow a river takes time, effort and skill. Most, if not all, internal audit functions are not resourced to follow every river. Of course it makes sense to follow the riskiest rivers (where the river is not fast or well flowing enough), but it also makes sense to look at those which are well and fast flowing to check that the flow is sufficient to arrest risk (high gross, but low net, risk situations).

So does your audit team really wade often and deep enough?



Filed under Internal Auditing, risk based audit

Audit for one?


Just a short post. So, I’ve been travelling again. This time somewhere not too bad. In fact a very pleasant destination in the greater scheme of things. Now anyone who travels for work will soon tell you that travel is not glamorous or pleasant. In fact it is the opposite. Tiring, stressful, exhausting etc etc. The very worst thing about travelling is when you are on your own.

Being away from home, especially in nicer places can be worse. You experience a nice city, or environment and miss your family all the more. The very worst, for-one experience is eating out. I’ve got better at it, but still not perfect. I take a book, or the iPhone, and can distract. Ultimately however the conversation and chat that is the real pleasure in having a meal is missing. It turns into a functional experience.

The real insight I had from this trip is how much harder audit is on your own. No one to challenge, support, cajole, cheer up or entertain you. E-connectivity helps. I have been able to ‘virtually pester’ my team whilst I’ve been away. This has been helpful. The evening chat, about risk, controls, audit opinions and general opinion-forming has been missing.

So audit for one? No not really recommended!


Filed under Uncategorized

Client engagement


I have often argued that internal audit is co-produced. That is, the ultimate product and benefit of internal audit, the reduction in unmanaged business risk, and independent assurance that this is the case, is co-produced with your client. Now this is not strictly true, in that whilst the process of producing independent assurance and reduction in unmitigated risk is cooperative between internal audit and management, the production of independent assurance is not. Otherwise it is not independent (by definition). Also the reduction in unmanaged risk is produced by management (as a result of good internal audit – hopefully).

The production process for internal audit is collaborative and co-produced. But what if internal audit and management are not in the same place? Does that make internal audit impossible to do? Well my twin brother (who wanted to be credited with these phrases – and they are uniquely his) who works in a consulting capacity has, in his many years, come across both great and less great, clients. He tells of one of those clients that, despite warning a particular project would not deliver, and despite making best efforts to support the client, the client was not interested. He then says he’s left essentially stating that ‘this project started out aiming to be gold plated, now there is not enough glitter to roll the turd of the project in’. He characterised this as trying ‘to sell smoke detectors to firefighters’. In other words, the client was not interested.

Now I’ve had that experience with my clients in the past, and I am sure any internal auditor with any reasonable set of experience will have come across this approach. Even within clients you get differing levels of engagement. Now of course, as an auditor, it is sometimes pleasurable to warn of something and have the ‘told you so’ moments when it goes wrong (one audit team I worked with had a dance to accompany this). I take greater pleasure, however, in helping a project or strategy take off and make a real difference. This is all the more so when the client is doing something I believe in.

Ultimately, though, it is difficult to deal with a client that is not interested. What does internal audit do in this case? Withdraw? Ignore the position? Force change through? Well I guess it requires a cross-client approach, perhaps get the board involved (they generally are engaged in assurance matters), work with senior management. I think, in the final analysis, if a client is just not interested, it is internal audit’s moral and ethical role to continue to put pressure on that client to better risk manage, to improve its operations, and deliver its own strategies. Does this mean internal audit moves from being a community policeman to a full-on officer of the law? Yes, I think so.

There are strategies to deal with this before you get to this stage though. Identify areas where internal audit can make a difference. Then sell the (hopefully positive) results to the senior management team or those that are not interested. Really challenge those areas that are not interested. Send a note of your views and then back this up in time, pointing out how issues could have been avoided with early intervention. Also ask to be involved in big projects and strategies as they occur. You can then steer and add value during, rather than being the 20:20 hindsight person afterwards.

So do we as internal auditors always sell smoke detectors to those wanting only to fight fires? No, not all the time, but if you do, have the strength and conviction (and use the uniquely powerful position of internal audit to say the unsayable) to extol the benefits of smoke detection. For ultimately we’re here to save our clients’ arses, not kiss them! (a phrase borrowed from another dear friend of mine!)


Filed under Internal Auditing, Uncategorized

The Boeing 747: risk management success or failure?


I watched an interesting programme on television that celebrated the building of the 747, an unlikely success story by all accounts – it was meant to play second fiddle to Boeing’s supersonic jet (only the UK and France’s Concorde ever made it to be built). What interested me about it was how the 747 was so big, so expensive, that it nearly pushed Boeing to the brink of financial disaster.

This got me thinking about risk management. Does this, therefore, represent risk management success or risk management failure? In other words was it the presence of good risk management that enabled a calculated risk and ambitious strategy to be delivered that took over, or was it a lucky escape from the near disaster of an unmanaged, uncalculated risk? Well I am not close enough to the Company or its history to know, but either way good proximate risk (read issue) management was required at the final stages, not least with the engines.

I wonder, if I was auditing Boeing in the 1960s whether I, as an auditor, would have helped or hindered this project. First I guess I would have focused on the higher net risk and priority project, the supersonic plane (as the 747 was seen as a secondary project at the time). So in that sense I would not probably have spent enough audit attention on it. Second I guess I would have wanted to see the business case and whether this 747 project stacked up. I suspect I would have been quite sceptical. It was bigger than anything ever previously built, required the world’s biggest building to be built, in which to make it, had only one order for 25 ‘jumbos’ from PanAm at its inception, and was built on a large section of forest near Seattle (so in these days would have taken a hit from an environmental perspective). Third the project was so big it was all embracing for the Company. The programme stated that at one point it was burning £20m of cash per day with no income stream in sight. I suspect, therefore I would have given the report a red risk rating (i.e. high risk).

Whether I would have given it a tick for controls as designed and operated (that I assess against Company risk appetite) would have been very much driven by the top executive group’s views over whether the project was a risk the Company was willing to take. At the time the top executive group (from the programme) seemed to get cold feet half way through, but by that point were too committed financially to back away. So perhaps it would depend on when the project was audited. I would reflect the company risk appetite (now below the project’s actual risk) so conclude crosses on project as designed and operated. I would want to be commercial in my audit thoughts and recommend that the Company had little choice but to see it through, and quickly.

From the surviving project leaders’ testimony on the programme, it seemed that safety, engineering and other programme controls were well operated. So if I audited the project management cycle, as a separate package of assurance I suspect I would form a positive view.

I guess the programme and reflecting on it about what I would add as an auditor, made me think. Do I promote risk aversion in my work? I hope not, but recognise the very human nature to avoid risk (at least once pointed out) and to avoid a red (even if no value judgement is attached to the red, it merely reflecting net risk). I would be very clear, for me, the risk taken would be an absolute judgement (as far as anyone can be absolute in a socially scientific world), but the acceptability of that risk would be as stated by senior management and the board. So here an audit is less about compliance ticking of controls, much more about understanding complex webs of risk, and assessing whether the argument for them and understanding of what is driving them, is reasonable; reasonable being determined by the senior executive and board.

I have been lucky to work for clients who make an outstanding and unique contribution to the world, through innovation and doing the new. So my audit regime I think must reflect that aim and client raison d’être. Does this mean I should shy away from pointing out risk, especially high net risk? Well I think, no. I should, however, be highly cognisant of the manner and way I do it, to avoid risk aversion. For a risk averse organisation is also potentially inefficient, ineffective and certainly not innovative enough to last in the long term.

So my audit view on the 747. Probably a risk management success. A project changed the whole flying game in less than 24 months. It worked and has been a long-proven well-designed machine. I would like to think that I, as an auditor, would have helped to give assurance to the organisation to take risks, for as the 747 project discovered, it takes bigger brakes (in this case air ones) to enable a plane to fly faster, so it is with organisations, the better informed about risk it is the more it can take.


Filed under Internal Auditing, risk based audit

Radio Four or Three auditing


For those readers of this blog that are not UK-based, Radio Four is a voice and news radio service, and Radio Three is a classical music radio station provided by the British Broadcasting Corporation (BBC). I use this as a proxy to describe anything I regard as being of high quality, e.g. that’s the Radio Four of cars or the Radio Four of clothes etc. The reason I like Radio Four (and indeed Radio Three) is because they are just great. Things happen. Quietly. Without fuss. Without advertisements (they’re publicly funded). They are good at what they do and whatever they tackle is just done properly, particularly in comparison to the private sector.

In effect BBC radios Four and Three are cornerstones of civilisation for me as a self-confessed middle class (or at least middle class aspirant) UK citizen. I would put other services and brands in the same bracket, Waitrose food, John Lewis department stores, British Airways air travel, Aston Martin cars, Trickers shoes etc etc. For the ultimate version, try an Anglican English Cathedral evensong (religion but with fabulous music and not too much religion imposing). I think they all, for me, represent something uniquely British – the very best, well done, well delivered and world class.

So why this jingoistic apologia for Britishness? (well it’s nothing about the upcoming Scottish independence vote, though clearly we’re better together. Scots are great, so are the English (and Welsh and Irish), but as the British we are world-beating). It is because internal audit does not really have brand differentiation. We assume all internal auditors are capable, are equal. Clearly this cannot be the case. When I worked for a professional services firm we, as a big firm, had a good reputation, better than smaller competitors. But even across the big firms it was difficult to identify the competitive edge or brand of the internal audit providers in the market. So why is internal audit not prone to such competition and differentiated branding? The car market provides similar services (cars that allow you to get from A to B) but one can tell instantly whether you would want an Audi, BMW, Mercedes, Ford, Nissan or other for your car (subject to budget). Surely audit services can be differentiated?

I have always taken the approach, once I led my own team as a CAE, that branding and differentiation is important. I have always pitched the audit at being high quality, high capability. Why? Well internal audit is a disproportionally small part of most organisations, so it must be good to make any impact at all. Second the demands on internal audit functions now mean it needs to be excellent to deliver the breadth and depth of role it is increasingly being asked to do. Third, internal audit is meant to be an independent part of an organisation. As such it needs to clearly brand itself as such. The look, feel, quality of documents should be tangibly different to the rest of the organisation. Thankfully in most organisations a half decent grasp of Microsoft Office is enough to achieve this.

So when my audit team gripe that I like a specific blue, or a specific point spacing between bullets and a house style, I show them the lessons I learned at the big four. A green dot, blue square, orange and brown lettering all provide that basic comfort that branding is meant to, an assurance of comfort and quality. This stuff does matter.

But core to any audit function is being right. This is the core to an audit brand. Not being 100% right, nor arrogantly assuming that audit has the right opinion and view of all matters (my blog talks about the fact that I do not believe in 100% right, the world is full of greys). It is ‘right’ in the sense of not being ‘wrong’, that is manifestly wrong, getting the wrong opinion. For an audit brand is about having the supporting evidence, thoughtful analysis, appropriate combination of context dependent and context independent knowledge brought to bear to a problem or challenge. For as one buys an expensive car on the promise of trouble free motoring, one purchases a good internal audit service with the expectation of a strong, thoughtful, challenging, independent, but contextually understanding and supportive ally to improve the organisation’s risk management and delivery of business outcomes.

So one wants a strong brand, but not one that shouts or is over the top (for example commercial radio with its loud advertisements or discount airlines with their gaudy colours and equally gaudy service) but a quiet reassuring brand. As soon as something enters my internal audit function, I want it to enter the advertisement and noise free world of a high quality internal audit service, and emerge much the better for the experience.

Is this easy to achieve? No. For quality is not cheap and quality is not easy to ensure. As a CAE however, I would feel I let myself down if I did not at least aim for it. So when you last interacted with your internal auditor, was it Radio Four or not?


Filed under Uncategorized

Audit talent


I have been thinking about the war for audit talent. I think, when I started in the internal audit profession, it was easy to recruit internal auditors. First of all it was clear, you needed accountants. For internal audit was about financial compliance checking. So you listed your Consultancy Committee of Accounting Bodies (CCAB) qualifications criteria. You most probably did not bother with IIA qualifications. All decent candidates trained in the accountancy firms, and who bothered with internal audit qualifications? Really only dyed in the wool internal auditors. So, stick to CCAB accountants, part qualified for junior roles and fully qualified for senior roles. All sorted.

But now the world has changed. Internal audit does not do just accounting it does business risk. So what is the right qualification for now? Well I’ve now qualified with IIA qualifications, both chartership and IT auditing. That’s because the internal audit profession has grown up in my view, it has become something separate from the accounting profession. If the profession now does business risk, it really needs a broad set of supporting qualifications. I’ve chatted before about this and concluded we need a professional qualification supported by an internal audit professional qualification. Of course it makes sense that a broad based set of reviews needs a broad based set of context independent knowledge.

As I’ve become more experienced in my role, I’ve come to realise that one needs a broader set of skills and people. In other words I’ve come to appreciate diversity. Diversity in terms of experience, age, background, experience, ethnicity, professional background, sexuality etc. What I don’t need as a CAE is to be surrounded with identikit auditors, that is, more of me. When I worked in a professional services firm those years ago, I did not appreciate how similar we all were. From a small pool of universities, small range of social backgrounds, small range of ambitions and aims etc.

I have a great audit team now, really diverse, really different and really challenging; in a good way. They challenge me and challenge my views. That is good. For my audit opinions need to be challenged. They need to be argued against, for that is what strengthens them. I hope that I do the same for them too.

So this brings me back to what am I looking for? I guess nowadays I’m just looking for the ability to think, outside of the box, outside of convention, outside of their own space and thoughts. So, when I am looking, I think I am looking for someone I don’t already have in my team. This could be in terms of profession, or personal background, or personality type. I refreshed my training on unconscious biases this week. It reminded me that we all simplify the world through stereotypes and that these stereotypes bias us towards particular people and away from others. One of the potential solutions was to get others, with different perspectives, to challenge and calibrate our thoughts.

So when I’m looking for a talented auditor, perhaps I need to think broadly, for if internal audit is a broad church, so should my audit department be.


Filed under Uncategorized