Issues or risks?




So I’ve come across a good blog post by Richard Chambers of the US IIA. It’s worth a read because it puts to bed the idea of a static assurance plan. I think most CAEs only really value a static audit plan when it comes to two-dimensional quality assurance (where variance is seen as bad and chasing days of audit resource seems to be all-important).

In the real world most CAEs already change plans. We need to, in order to make sense to a management team that is dealing with a constantly changing business environment. In any case, who has an audit plan? I would rather have an assurance plan, for that is the currency we trade in: nobody wants an audit, they want assurance.

I do, however, have a significant problem with Richard’s blog post. The post argues internal auditors should be more responsive and move away from a static audit plan. I have found that the management teams I have dealt with, across many clients over my career and across many industries, deal with issues, not risks.

Internal audit, let’s be clear about it, should not be good at dealing with issues. Issues require a quick response, quick analysis and action. First, internal audit is not able, under professional standards, to take executive actions. Second, we are trained to analyse, review and assess from afar, and to think in risk terms. In other words we are forward looking, trying to look at what needs to happen in the medium to long term. But the real problem is that we, as internal auditors, make great consultants: we have context-independent and context-dependent knowledge, we have the ear of the top of the organisation and, hopefully, the respect to sort things out. Where I have got involved in these things the input has been welcomed. I believe internal audit has made a real difference. There is a risk, then, that the management team sees internal audit as a troubleshooting, consultancy function, not an independent assurance function.

Clearly there is a balance between the two models: internal audit as an internal consultancy service, and internal audit as an independent assurance function. Doing too much of either can create problems. Too much consultancy means too strong a focus on proximate risks and issues. Then internal audit is not providing assurance over risks, but sorting out today’s issues. If we as internal auditors get drawn into this position we should be pushing the risk management system to move the organisation onto a more risk management footing, i.e. shifting the balance of its organisational effort away from proximate issues and today’s risks, to look to the longer horizon.

The opposite, doing too much risk assurance, is the static assurance plan model: being too focused on the horizon. Here we as internal auditors seem too remote, irrelevant, unhelpful and esoteric. The risk in this model is that the board and the senior management team do not see internal audit as relevant, or as delivering items of value. That path leads to small, ‘strategic’ audit teams, with little resource and little relevance.

So I think there needs to be a balance. This should fit the organisational setting, and so will vary between clients and industries. A good assessment of risk assurance maturity will enable a CAE to get a sense of whether the organisation’s balance between dealing with risks and issues is right.

So can internal audit help with issues? Yes, we’re perfect for it. Should we? Well yes, but in balance with risks. For ultimately humans and organisations are poor at managing risks, and love to focus on issues, so internal audit’s role as one of the few counter-weights to this natural centre of gravity is important.

I don’t buy the internal audit standards’ line of not getting involved in management or in the assurance of issues. Of course these are important; we should help to deal with issues and proximate risks, for this helps to make an argument for our relevance, our value and our resources. So overall, I think Richard’s article is wrong: we should not audit at the pace of risks, for risks are slow. What we should do is balance the pace of issues against that of risks.

It would be really interesting benchmarking to see what pace, i.e. what balance between auditing issues and risks, various audit functions strike. Perhaps it could be the subject of research? So what’s your balance?

Internal Audit: A critical friend?



Just a short post. I often hear, and have used myself, the phrase ‘internal audit is a critical friend’. I sort of believe that, but my thinking has moved on. I now think internal audit is a friend. For true friends are not critical. At least not all of the time. Friends are encouraging, helpful, supportive, have shared values and belief in you, and will always have your best interests at heart.

I believe it is possible to be a friend critically, or to be critical as a friend. A friend however is not critical, they are constructive. You will not perceive a critique from a friend to be critical. Rather you will take it as constructive feedback.

So perhaps internal audit moves from being a critical friend to just being a friend? I do think there is a difference between internal audit’s form of accountability and review, and an external auditor’s or a regulator’s accountability and review. For if criticism is public and shared it is not likely to come from a friend; it is coming from an unfriendly source. A good friend will pull you aside and draw things to your attention in a safe and supportive way.

This feels much like the space internal audit should be in. For public accountability can be powerful, both destructive and constructive. But how much more powerful is a deliberative and constructive process that has the ability to be honest, cathartic and genuinely transformational?

For I have learned most from my best friends; they have had the courage to be truly honest, but fair. They have shaken my view, opened my insight and genuinely created some cognitive dissonance that has moved me to evolve and improve.

So as I think about how internal audit should be in an ideal world, something I do every working day, I am more convinced that internal audit is more like a friend. For only with friends can we truly see ourselves as we are and evolve and grow.

How much of a friend are you to your clients?


IT assurance or not?




So I had the benefit of a heads-of-audit course considering IT assurance last week. It was a good course and there were lots of ideas for me to take away. What came across most strongly for me was that internal audit’s IT assurance work has not really moved on much since I was a junior auditor.

What I mean by this is that IT assurance is conceptually behind. Just as I don’t believe general internal audit work should focus on compliance and on preventative and authorisation controls (the world is just much too complex and difficult to be controlled in this manner), so I don’t believe IT audit should either; the IT world has moved on. IT assurance is no longer about a moat-and-castle approach, because IT is not like that. Modern IT, to my view, is about managing risk and accepting failure, i.e. there will be data loss, there will be hacking, there will be problems.

IT is different to most sorts of risk, as once you have a hole in the system, the whole lot can be compromised. I think of IT risk as being like an ocean liner: if a single porthole is left open, the whole lot is liable to sink. This is unlike physical risk (fire takes time to spread from site to site), reputational risk (which takes time to take its toll) or business risk (which takes time to spread from business unit to business unit).

So back to IT assurance: if the model of prevention, of managing risk down to nil and preventing all attacks, is gone, perhaps it is about better detection and event management? Having an appetite for IT risk is something we auditors don’t like to consider. We like the neat idea of all passwords being kept secret, of no-one ever leaking data or being socially engineered into giving access, or of all code being perfect and never allowing unauthorised access. Most companies, organisations and individuals cannot afford such control, and this level of control, if you want to speak to the outside world with your IT (which all organisations need to), is simply not possible in any case.

So I think we as internal auditors need a new paradigm for IT assurance: we need to think about it in risk management terms and we need to think about risk appetite. Can we segment our client’s data? Can we have zones of protection? Can we be clearer about how data and other IT assets are managed? Can we consider how computer systems will cope with disaster and recovery (which ones need critical backup, and so on)? For IT assurance is not about poking holes in our clients’ IT systems, for there will be holes, and the better and more technically savvy we are as auditors, the more holes we will see. Just as, the better we understand business management, the specialist areas we audit and our clients’ businesses, the more holes we will see in the management effort. So can we move on and deal with IT audit in the same way we do for general business risk: not aiming for perfect, but taking an analytical view of priorities and of what needs doing, compared to the cost and effort of doing so and its relevance or criticality to business objectives?

The other interesting thing about IT assurance is that we are still asking ourselves the same questions. Do we outsource or not? This seems such a binary way of thinking about IT assurance and also seems to let ourselves off the hook. For all auditors should understand IT; I studied for the UK IIA’s ITAC qualification because I felt I should know about IT for any audit. So what would I outsource? Not general IT assurance, for a good core audit team should be able to do this in any case. I think it should be the specialist IT and technical knowledge. It’s too expensive for any team to maintain on its own. Technical IT assurance makes no sense on its own, however. It does not have the wider context-dependent business knowledge to understand the context for IT.

So what’s the solution? I think the solution is to combine a good IT-savvy internal audit function with specialist technical support. We also need to focus less on prevention and control and more on the management of IT risk within an appetite. It is difficult to assess and assure IT risk, simply because a single coding error can leave an entire system open to loss. So when we next consider the porthole left open on the boat, let’s focus less on bolting it shut, and more on how we will detect its opening and manage the resulting flood!

iPhone 6: when is more actually more?




I’ve been travelling again and, upon my return, the iPhone 6 Plus I’d ordered was waiting, ready for me to collect.

Now we’ve all heard the bendgate stories, and the difficulty for Applephiles like myself in accepting that a ‘phone needs to be bigger than the previous versions. I took the plunge because the way I use my ‘phone has changed. I make fewer and fewer calls. It is primarily my immediate access to the internet, to data, to information, to email, to my blog, to my online life. I take photographs and record my life in it. It reminds me to do things, and tells me when I have not done things. It is my diary and notepad, my records, my books, my music player and my store of information.

So, when I considered what I actually want my ‘phone to do and what I value it for, I was happy to reconceptualise it as a ‘phablet’. Once I’d made this leap, it felt less like a big ‘phone and more like a small but acceptable minicomputer.

So how does this link to internal audit? Well, I think organisations, and the profession itself, need to reconceptualise internal audit. Less as an independent police force enforcing the organisational (and actual) law. Less in adversarial terms, and less in a pseudo-scientific conceptualisation of right and wrong.

So how should it be conceptualised? How can this be different? Is the internal audit paradigm moving on? If so, to what? Well, I think internal audit is something more. It is not about laws, not about adversarial battle, but a form of independent internal consultancy. For a good internal audit is challenging of the management and leadership team; it is a genuinely difficult process, but not a negative one: a conversational, helpful, open, dialogue-and-debate one. For the answers to modern organisational problems are not easy to divine. If internal audit is risk based (and we are required to be) we should not be helping management sort out the current problems (for those are issues); we should be moving the debate onto the future, the choices we make, the debates we need to have for tomorrow (risks).

So should an organisation want internal audit as conceptualised now? No. I think organisations need to reconceptualise internal audit, as above, in a different way: as an internal, thoughtful, organisational challenge and consultancy function. We need, as a profession, to make this leap too. Sure, most internal audit functions struggle to deliver consultancy work; we go to great lengths to differentiate it from audit (falsely, in my view). We are steeped in rules, in checking and verification, not in creative thinking, challenge and debate, and we have a naturally destructive and negative outlook on life. This does not need to be the case. We have the context-dependent knowledge and, when suitably trained, the context-independent knowledge to do a damn good job of consultancy.

I am always surprised by others’ surprise, when the internal audit function comes up with an insight and is able to deliver a great piece of work. I think they have either experienced two-dimensional internal audit of the compliance kind, or have not really registered the level of business and organisational insight afforded to an internal audit function by default.

Yet audit teams I have worked in, with, and led have been strong in their ability to deliver a unique viewpoint and insight. This is one that is born of being a trained auditor. It is an insight fairly unique to internal auditors and a viewpoint that takes training to come to. It is this I look for in the senior auditors I work with. This is not to say the management viewpoint is less valid, far from it, more that it is different. If the two viewpoints were similar then a good internal audit function would soon run out of insights, viewpoints and value to add. This is not the case in my experience.

The other lesson I wanted to draw from the iPhone 6 Plus is that, sometimes, bigger is better. I know long-time readers of this blog will say that this does not match my usual mantra of ‘less is more’, or ‘fewer is better’. I believe in generally higher quality and less in quantity. Sometimes, however, more is simply more. Like my iPhone 6 Plus screen, which is excellent and bigger, internal audit in most organisations is just too small to provide enough coverage. Fewer days, even if risk based (and most risk-based plans are really justifications for resource that is too small as the third line of defence), are just too few. Most businesses I have worked with and in are complex, and have an international component to them. You simply cannot audit them without getting into the detail and really understanding the real risks down ‘in the weeds’. Clearly there is a balance, and perfect should not be the enemy of efficiency, but most internal audit functions simply never get into the detail of the businesses they audit.

So my two thoughts are: first, that organisations and the profession’s stakeholders should not be disappointed in internal audit for not being like an historical conceptualisation of what the profession used to be. There is no point in judging internal audit as a ‘telephone’ when it does far more than make calls. Second, and similarly, the profession’s current remit and responsibilities will in many, if not most, cases require internal audit to be, simply, bigger. Less than 1% (and in many cases much less than that) of organisational spend on assurance is just not tenable in the context of most organisations, when that 1% needs to deliver assurance over the 100%.

So just as the ‘phone has evolved paradigmatically, due to our evolving needs, expectations and use of it, so internal audit within organisations should evolve, and is evolving. Let’s embrace this change and judge ourselves, and be judged by our stakeholders, as something newer, better and more fitted to the modern organisations we work so hard to support.

Good enough?




So I’ve been on a city break holiday in Europe. I had the pleasure of flying on a budget airline. Not the cheapest airline, but certainly in the cheap category. You get the idea: cheap flights mean basic service, basic food, a take-it-or-leave-it approach to flying. Now don’t get me wrong, it was okay. Sufficient. Adequate. Good enough.

Now the core elements of a good flying experience were there. A clean plane, operated safely, with smart staff and some food available on board. Yet it fell short. It fell short of the more expensive airlines. Little things mattered in the experience: the food was basic with poor choice and not enough to service the whole plane; the luggage was a free-for-all as people had chosen not to put luggage in the hold; seat space was smaller with no extendible headrest; and the staff were just not able to really empathise with the experience of customers.

I wondered whether this was because the staff had never really experienced ‘good’. My holiday was in Paris. This is a classy city by any global standards. The place has good fashion, good-looking people, good food, wonderful architecture, and really knows how to retail! So if you are a company with staff who have never received competitors’ better service, or good service in their personal or professional lives, are they able to really deliver it themselves? CEOs can introduce rules like ‘smile at the customer’ or ‘make sure all customers are offered a drink’, but people are not rules-based, so good customer service requires cultural change.

I think airlines are a bit like audit functions. Internal auditors’ customers only really receive one provider, like flying one airline all the time. So it is for auditors working in these functions. They do not really experience others’ versions of internal audit. That’s why, when a new head of audit is appointed, changing the function is their first port of call: they refresh the perspective on the service and change it with that insight.

I am reminded of another example of this issue by an email from the Scottish region of the UK IIA, inviting me to attend a training programme on internal audit reporting. I think my service’s internal audit reports are great: modern, helpful, well-written and focused. Yet what if best practice is much better, or much different? It is difficult to tell, being locked into the day-to-day business of delivering an assurance service. What if my service is just ‘good enough’?

Well, benchmarking helps; reading blogs and the work of others helps. I think the key thing is to have a good non-executive chair of the audit committee and a good management sponsor. I have been, and continue to be, lucky in my career to have really high-quality people supporting me in these roles. They are able to really challenge and support the CAE in their role.

I would like to think that internal auditors and CAEs, as hopefully good practitioners of the profession, are able to be objective and independent enough to put themselves into their customers’ shoes, to get a sense of their perspective and make their audits better than ‘good enough’. I hope and trust that I manage this too.

So are you able to really empathise with those whom you work with? Are you able to know when good enough is not good enough?

Turf wars?




So here’s an interesting blog post on the global Institute of Internal Auditors’ website:

It’s about internal audit fighting a turf war for its space in the corporate world, with compliance, legal and other corporate functions. I’ve had this at various points in my career: various parties claiming to be better at providing assurance, or better at understanding the management team and providing advice.

Who are these parties? Well, external audit, who I’ve often seen treated with greater respect than the internal audit function, usually by chairs of audit committees who have come from that background, or who have never really been internal auditors or worked with a good internal function before. It always surprises me that internal audit, who are the audit committee’s and senior management’s eyes and ears, are not respected or used as much as they could be.

Others are advisors, normally from external companies, who reject the detailed and context-specific knowledge that internal auditors bring to the table. I suspect this is because, although they may have context-independent knowledge, they know they really lack knowledge of the business. I have, however, worked well with firms that can use internal audit to get a good result from their work.

Second-line control functions have also challenged internal audit. They often have a remit for control, but without the truly independent remit and the discipline of internal audit, they lack the structure to really make a difference.

The most challenging are management functions, often those slightly detached from the front-line business, often based in finance, HR, IT or another support function, who think internal audit ‘knows nothing’.

Yet all of these challenges have come to nothing. Why? Because they lack the core attributes of internal audit: independence and objectivity. I also think they lack the discipline of good internal audit, which is the systematised, organised, risk-based consideration of the business. Good internal audit is used to working at the edge of its ignorance; it can apply basic principles and common sense, and put its findings in a knowledgeable, context-dependent setting. It is also used to understanding things quickly and effectively and picking up what matters.

Now clearly a weak internal audit function will play second fiddle to other corporate compliance functions. In my view, however, a good audit function will always find suitable corporate space in which to work. Internal audit has a unique value proposition and this should, all things being equal, win through.

So are you or your function facing a turf war? If so, don’t engage, just be good. Just be better. Just be an excellent internal audit function. For excellence in internal audit can make a significant difference to any organisation and if the organisation doesn’t recognise it, it doesn’t deserve its auditors!

Standards changes?




The international IIA has thought about updating its international standards again (or is consulting to do so). See, on the IIA’s website, Proposed Enhancements to the Institute of Internal Auditors International Professional Practices Framework (IPPF) (4 August 2014). Or has it? The document states:

The RTF is not proposing changes to the content or ongoing relevance of the following IPPF elements: The Definition of Internal Auditing; The Code of Ethics; The International Standards for the Professional Practice of Internal Auditing (Standards); Currently existing guidance (Practice Guides/Practice Advisories/Position Papers).

So if none of this is changing, what is? Well, the ‘enhancements’ include the introduction of a new mission statement for internal audit; the codification of the status of advisories, guidance and position statements within a framework and nomenclature; and the setting out of core principles for the practice of internal auditing.

So let’s consider these in turn. The mission statement seems like a good place to start. The mission of internal audit is stated as:


This all seems sensible. It is intuitive, it is helpful. Is it internal audit, though? What is unique to audit as opposed to, say, IT, marketing or HR? I guess the assurance and the objectivity. I think the one missing component is ‘independent’. For this marks IA out from any other professional function in any organisation. It is nice, for once, for internal audit to be defining itself in positive terms, i.e. what it can do, not what it cannot. My post Whistleblowing; Another thing internal audit cannot do? takes issue with the profession’s propensity to be defined in negative terms.

So let’s consider the principles. Thank goodness the profession has gone down a principles-based rather than a rules-based approach. So what are they? As stated in the IIA paper they are:

  1. Demonstrates uncompromised integrity.
  2. Displays objectivity in mindset and approach.
  3. Demonstrates commitment to competence.
  4. Is appropriately positioned within the organization with sufficient organizational authority.
  5. Aligns strategically with the aims and goals of the enterprise.
  6. Has adequate resources to effectively address significant risks.
  7. Demonstrates quality and continuous improvement.
  8. Achieves efficiency and effectiveness in delivery.
  9. Communicates effectively.
  10. Provides reliable assurance to those charged with governance.
  11. Is insightful, proactive, and future-focused.
  12. Promotes positive change

Let’s take these in turn. 1) Yes, that’s fine, but integrity is not a binary, digital thing. It can be a matter of judgement. I’m not sure how you would qualify it, and at a principles level it may not make sense to qualify it. I do think this will need some form of view underpinning it.

2) Yes, fine. I agree with the mindset bit. This is not just about silly rules about not reviewing things previously worked on, or lines of reporting, etc. It is about mindset and then the application of this mindset.

3) This one is problematic. Being committed to competence sounds weak. Even a poor performer can be committed to competence. Also, what is competence? Context-dependent or context-independent knowledge of the area being audited, or the ability to audit the area, i.e. a competent auditor? I think this needs a) strengthening, to be more definitive, and b) to be clearer about what competence means.

4) Yes, I agree. I would change ‘authority’ to ‘seniority’ or ‘position’. Otherwise there are issues of being ‘in authority’, i.e. in an executive role, which is a no-no for a CAE.

5) I sort of get what this means but am unclear what it means in detail, and whose definition of strategy: the CEO’s? The Board’s? What if their strategy is to be amoral or unethical? Should the CAE align to it or be independent? Perhaps better to say ‘works towards the enterprise’s reasonable business objectives’? Also, the word ‘enterprise’ is used here when ‘organisation’ is used elsewhere. I would use one or the other throughout.

6) Hmm, another difficult one. It is difficult to define ‘significant’ and ‘adequate’ in this context. Again it might be one that needs thinking about at a level below principles. The principle makes sense, though.

7), 8), 9) Yes, fine. They all clearly need definition, but as principles they make sense.

10) This one is more challenging. Does IA always provide assurance to those charged with governance? I would argue that sometimes it is funders, or regulators, or ultimately taxpayers. Perhaps this needs the addition of ‘and relevant stakeholders’?

11) Yes. It sounds like a bit of a utopian comment that is difficult to argue with. ‘Future-focused’ could be more carefully phrased as ‘risk rather than issue focused’. This is probably the most helpful one for me in my job, as the temptation is to get wrapped up in current ‘crises’.

12) Yes. As a principle it is difficult to argue with. I think this needs to be more specific, though. Perhaps ‘positive organisational change’?

So, all in all, the ‘motherhood and apple pie’ principles are fine. They need some tweaking and working through at a layer below principles, but they make sense.

So this leaves the nomenclature changes for guidance and supporting advisories. Yes, this makes sense. First, to establish a change from ‘mandatory’ and ‘strongly recommended’ to ‘required’ and ‘recommended’. It is either something that should be done or not. I would suggest the fewer items that fall into ‘mandatory’ the better. We can all interpret principles in a meaningful manner in our own contexts, and should do so if we are to make the change the principles require.

The removal of position statements from the guidance, in either category, is helpful, particularly as the IIA has a habit of getting unhelpful (read: wrong) answers in these (see my recent post Whistleblowing; Another thing internal audit cannot do? about the UK IIA’s view of whistleblowing activities). The proposition is that these are aimed outside of the profession, at its stakeholders. Why? What if a CAE makes a complex judgement to adopt position x or y, and this reasoned professional decision is contrary to the position statement? I think all guidance should be aimed at the profession, as the profession has the right skills to adopt, amend or discount the position as shown.

As for the clarity over which guidance is mandatory or not, I welcome the narrowing of ‘mandatory’ to apply to the IPPF, the definition and the code of ethics only. Internal audit is not a right-and-wrong profession, and the fewer rules that are set down the better. It is also consistent with the principles-based approach adopted (now we have principles!).

So overall, I think the profession’s guidance and framework are much clearer following this paper, and I welcome the principles, as they firmly establish a principles-based approach. I recently disagreed with Professor Andrew Chambers over the rules-versus-principles issue (see Internal Audit: Where are we now?) and I think the IIA here has been supportive of my principles-based approach.

So how would I encapsulate these changes? Well, not much change really. A mission that is common sense; a tidied-up framework for guidance; both underpinned by clearly articulated principles. Has this changed my audit world? No, not really, but at least the profession is resisting ‘pseudo-scientification’ and adopting a principles-based approach to life. We occupy a wide-ranging, complex and ever-changing position in most organisations, and I think these approaches should allow space for the profession to evolve.

Professional precipice?




I think our profession is standing at a significant strategic stepping stone and crossing point. It has increasingly reached a decision point where it must decide where it wants to go. I am decreasingly convinced that the profession will make what I think is the right choice.

I have been extremely lucky in my career. I have worked under, and with, bosses that have earned my respect and have allowed me the space to interpret and develop my version of internal audit over the years. Do I think internal audit is and should be now, what I thought ten, five, or even two years ago? No, I don’t.

When I worked in a professional services firm, it was before the national practice began to recognise that performance meant conformance. So I was able to develop my little bit of the internal audit practice, with the support of a commercial and pragmatic partner in the firm, into something that made sense to clients, that added value, that was less hung up on right and wrong and more on thinking about the world in much less formulaic terms. I had daily rates and margins then (now nearly ten years ago) that have not been beaten since. When I fairly recently tendered out for some internal audit work, I was actually being charged less than I used to charge.

When I then went on and headed up my own in-house service, as a young CAE, I was able to build up from scratch what made sense. One can argue whether my client got it at the time (I suspect they didn’t), but I did it. I had two good bosses in succession, both of whom were high-class individuals who supported the engagement with audit and challenge, and supported the development of a service that made some coherent and meaningful sense.

Now, in my current role, the quality of staff in my client organisation is really high. The leadership more so, and again I have had a chance to really aim for the ideal. To be resourced and supported with senior management engagement and understanding (the most important resource) is enabling me to turn my thinking and vision into something practical. In my current role I also have a fabulous team (collectively and individually). I am also bringing in some real talent to provide breadth and different perspectives too. They all really get the vision – a consultancy-led service, without walls, without the dead hand of silly input rules and compliance, and most importantly without audit software! (a pet hate of mine). Just people who understand the business and bring their own professional backgrounds and minds to challenge and support their management colleagues.

We actually audit the business (fancy!) i.e. if we were a food retailer, we look at the risks in the food chain, if we were a car manufacturer we actually review the risks to how cars are made. We don’t hide in the corporate back office (though these are important processes), we don’t hide in compliance checklists (counting fire extinguishers or compliance with office rules). We actually stand full square with the business and management team and think about what it is that really makes a difference to the business, adding our independence, governance risk and control mindsets to the mix.

Yet I have been lucky. I know so many CAEs who are limited by their firm’s software or file rules. Who count the inputs, not the process or outputs. Who are not allowed to wander into things that really matter (‘no, you can’t audit the business because you don’t have the knowledge!’). I have known some great CAE peers who have got it too. Who see beyond the Institute’s rules and compliance and the sense that anything thoughtful, meaningful and challenging is suddenly called consultancy. They, in their own ways, have been cutting themselves some slack and space to develop good, meaningful internal audit.

Yet when I see insights into the majority of CAEs’ lives, and indeed their own views, I am depressed and discomforted. Depressed that we as a profession continue, spectacularly, to miss the point. The point that you are only relevant if you work in the front office, that the world cannot be controlled by compliance and rules (banking, schools, government, IT etc – how many times must we learn this lesson?), that there is no right and wrong in risk auditing.

For we as a profession must stop measuring ourselves by our financial accounting origins. There is no IFRS for business risk. No right and wrong. We should stop measuring our inputs (we did this because we all came from firms that charged for their services); it is not an indicator of quality or performance. For the firms, despite pulling the intellectual and institute strings of our profession, are actually not interested in internal audit. They are not internal for a start. They approach it as they do controls testing for financial statements audits. They are priced out of the market, for to do a risk-based audit of any quality takes time, high-quality thinking and trained staff, which the firms simply cannot afford to deliver while managing the risk (what if we were ‘wrong’ and got sued?). If we take the UK, the big four firms are effectively priced out of the market in the south and London; simply, they cannot make it pay. So this space is taken up by the lower quality and presumably less risk-averse second tier firms. So firm-provided internal audit is, generally, second tier in quality and delivery (certainly in the UK). I appreciate these are generalisations and I have met a few firm-provided audit services that have bucked this trend. But I think my underlying point stands.

Yet we miss the real incentive for the firms to avoid allowing internal audit, as a profession, to blossom. That is that internal audit has the capacity to displace consultancy work: high-margin, little-challenged consultancy work. For a good in-house service has the capacity to deliver excellent results through having time, quality staff (without the burden of stratospheric charge-out rates) and also context-dependent knowledge that no firm (even in partnership) is ever able to really deliver. Hence whenever internal audit does something of quality it is ‘consultancy’. No. Forming a high-quality, business- and risk-led view of business challenges and presenting three-dimensional solutions is internal audit, not consultancy.

So why do I think this is important for the profession as a whole? Well I think it means that in-house services will always see outsourcing as competition (when it should not be), will define themselves through a business and delivery model that only makes sense for the firms, and will allow the profession’s standards and rules to be dictated by external auditors – for we’re all ‘auditors’, right? No, we are not. The profession needs to develop a view that good internal audit is: internal; not bound by rules, but principles; measures quality as performance, not conformance; audits the front office; is part of a wider framework of controls and lines of defence; and most importantly begins to develop an approach to the world that stops considering it in a rules-based, right and wrong way.

So, can we, as CAEs begin to make this argument? I hope so, for it will have a virtuous circle of increasing respect for the profession, increase the quality of candidates we attract, improve pay, and really add value to our clients.

HR – defunct?

I am not sure if it’s the time of year or if I am just coming across a number of interesting and challenging articles at the moment. Here’s a fascinating one about HR:

The article’s argument is nicely summed up in this paragraph:

‘So critical was the role of a static workforce traditionally, that organisations employed an entire department to oversee it. The recruitment, retention and remuneration of the workforce was a methodical, process-driven effort that was staffed by a dedicated team and supported by a bunch of in-house systems. The new style of workforce calls for new styles of management and support. [...] we ask: Is the HR department defunct?’

Now in my career I’ve had a strange relationship with HR. In my youth the relationship was quixotic; I even, when I graduated, felt like I wanted to work in personnel (as it was called then). Yet during my life, as an employee and manager, I have found it not to live up to those ideals. Why? Well HR functions are not really trained in the things they are meant to do. They are not accountants, so struggle to do budgets and financial planning of staff benefits. They are not lawyers, so struggle with HR legislation; they are not risk management trained, so struggle with HR risk management; they are not psychologists, so struggle with recruitment; so what they do, in many cases, is fall back on low quality administration. Now of course this is a characterisation, much as an academic at a university once characterised them as ‘human remains’.

Now we have the challenge from the article above. People and staff no longer follow detailed rules and processes. This makes sense in a knowledge economy and modern workplaces. So an HR department that exists to oversee rules makes no business sense. Well I do buy this. Most HR departments I have met are overly prescriptive in preventative controls and weak on detective ones. There is always a gap in control whenever I have audited HR processes between what the central HR department thinks is occurring and what line management are doing – always – every time. HR processes are always ‘rich pickings’ from an internal audit perspective. Why is this though? Well I believe it is that HR, and the personnel department before it, has wanted to see good HR practice embedded into line management. This is a position I agree with. Few HR departments have really found a way to make this happen, other than the application of hope, and even fewer have checked back to really see if it is being embedded. This has been a constant in my career across clients, sectors, and geographies.

Yet I can name the really great HR people I have been supported by in my career, particularly as a manager. Those sensible people who can bypass the nonsense HR rules, be human (a trait you would have thought embedded into HR) and provide support. These are the people who recognise that HR skills and understanding the myriad of do’s and don’ts is but a thin slice of a manager’s week, and that a little navigation and a regular coffee and chat is really valuable. My clients’ HR departments have generally withdrawn from supporting line management directly, as too much support stops us as managers in the first line from learning and becoming better at it; learned helplessness if you will. A good HR business support manager will, in this model, intervene at just the right time and support a struggling manager. At my current client I have been lucky and identified a set of ‘good HR eggs’ who give me support as and when I need it.

I do think the HR profession needs to step back and articulate a new vision for its role, as suggested in the article. In particular to decide what skills it needs to really manage human resources in the 21st century. In particular it does need to have a greater grip of finance, of the law, of good recruitment. Most of all it needs to move away from means and focus on ends. Processes are there to provide frameworks, not straitjackets. The industry of grievances and investigations the profession allows (I accept legislation does not help with this) is not good. This needs to be taken back to common sense to allow people to be human and to make mistakes (for we are all intemperate, impatient, stressed, and even rude to our colleagues at times).

Overall though, my key entreaty to HR is to be more socially scientific. To focus on culture, not rules; outputs, not process; people, not just human resources. Do I value the HR department and will it survive? Yes, I value the ‘human’ bit of HR, and yes, I think it will survive. My caveat is that this will only be if HR really takes a step back from practice and really looks with strong objectivity at the reality (not theory) of what it manifests as in most organisations. For HR is ultimately a thinking, not ticking, process. Certainly as an internal auditor this is the model I would suggest when I next review an HR process.

Internal audit: where are we now?

I’ve been reviewing an article posted by Professor Andrew Chambers on the UK IIA’s website, ‘Where are we now?’

It’s a list of various rules, from Basel to IIA practice advisories, to the IIA standards, to the US Federal Reserve. The intention of the article is to try to divine from various regulatory and standards interventions where internal audit, in role terms, is. I think it is a helpful aim, but the article lists a set of rules; there is not much analysis, apart from a statement at the end of the article:

‘There is little point having standards that are wholly aspirational with limited conformance, or standards that support the lowest common denominator of best practice.’

I agree with the second part; what is the point of a lowest common denominator of rules? I fundamentally disagree with the first element of it. Old school internal audit is uniquely obsessed with conformance and a scientific, rules-based view of the world. But if we follow the conclusion a little further:

‘We need more public pressure on internal auditing to enhance the standard-setting process, the rigour of the Standards, their public interest and their general enforcement.’

Here’s where I really disagree with Professor Chambers. The last thing we (by we I mean the internal audit community) need is lots of public pressure on us with ever greater rules. It is typical of yesterday’s internal audit generation to have a rules-based view of internal audit. We are lucky that the rules-based leaders of our profession cannot agree on the rules, so the IIA standards have remained resolutely principles-based, despite efforts to change that by the regulators listed in this article.

For the reality is that there is no body of knowledge, of right and wrong, for internal audit like there is for medicine or law, so a rules-based approach makes no sense. Internal audit is not the pale and ill-defined shadow of external audit. It is a completely different profession. We may share the name ‘auditor’ but we must, as a profession, stop rules-based external, financial statements auditors from imposing their compliance regime on us.

I bewail the US’s rules-based culture being established as the dominant paradigm for internal audit. Thankfully the UK is better than most at resisting this culture. The British have been excellent over centuries at working with what works and not obsessing over the rules. We’ve never written down our constitution, rather used culture and values. What it is to be British has constantly changed, yet with some underlying sense of which way is ‘up’.

If we take the small insight into the Basel banking audit rules in this article, I am glad I don’t work in banking audit – all of those ‘shoulds’, ‘should nots’, ‘musts’ and ‘must nots’. The world is moving quicker and is more complex. A rules-based view of the world jars with this and makes no sense.

Another point – internal audit does report to the board, as the article says, but is not a puppet of it. Boards can fail as much as management. Internal audit is there to look after the body corporate; if a bad set of governors (directors) is in place, then internal audit should stand up to them as much as to a bad management team. I also take issue with Professor Chambers’ claim that the IIA standards don’t require engagement or overall opinions from internal audit’s work. They do, for example in standard 2410, caveated with ‘where appropriate’. This is a good principles-based rule set in my view.

So in answer to the article’s question – where are we? Well I think we are a profession that has a generational gap. I would identify three, possibly four, generations of internal audit. First, an audit-universe, rules-obsessed, two-dimensional compliance audit. Second, a more risk-based audit, still working from an audit universe, with some sense of beginning to see beyond compliance (perhaps doing ‘consultancy’ as well as audit). Third, a fully risk-based audit service that sees the world in socially scientific terms and as an internal form of consultancy. The fourth is a variation on the first, a financial compliance ticker. That’s how I imagine banking audit or a US-based audit service. Perhaps my blog readers can propose their own typology of generational types?

My point is that this article is an old school version of internal audit, of type 1 perhaps 2. Why worry about the rules? How about internal audit as having a risk based work allocation and reporting framework, populated by bright people challenging how rules are being mitigated and managed? If you like, a form of organisational consultants?

So overall, the article is not a hit with me. In fact, whilst it picks up lots of interesting points, it comes to the wrong conclusion. Not more rules please! – but more thinking and more good old British adaptation, principles and a contingent approach. Free internal audit!
