I’ve been travelling again and, upon my return, the iPhone 6 Plus I’d ordered was around, waiting and ready for me to collect.
Now we’ve all heard the bend gate stories, the difficulty for Applephiles like myself to accept a ‘phone needs to be bigger than the previous versions. I took the plunge because the way I’ve used my ‘phone has changed. I make fewer and fewer calls. It is primarily my immediate access to the internet, to data, to information, to email, to my blog, to my online life. I take photographs and record my life in it. It reminds me to do things, tells me when I have not done things. It is my diary and notepad, my records, my books, my music player and my store of information.
So, when i considered what I actually want my ‘phone to do and what I value it for, I was happy to reconceptualise it as a ‘phablet’. Once I’d made this leap, it felt less like a big ‘phone and more like a small but acceptable minicomputer.
So how does this link to internal audit? Well I think organisations, and the profession itself, needs to reconceptualise internal audit. Less as an independent police force enforcing the organisational (and actual) law. Less in adversarial terms, less in a pseudo-scientific conceptualisation of right and wrong.
So how should it be conceptualised? How can this be different? Is the internal audit paradigm moving on? If so, to what? Well I think internal audit is something more. It is not about laws, not about adversarial battle, but a form of independent internal consultancy. For a good internal audit is challenging of the management and leadership team, it is a genuinely difficult process, but not a negative one, a conversational, helpful, open, dialogue and debating one. For the answers to modern organisational problems are not easy to divine. If internal audit is risk based (and we are required to be) we should not be helpful to management to sort out the current problems (for those are issues), we should be moving the debate onto the future, the choices we make, the debates we need to have for tomorrow (risks).
So should an organisation want internal audit as conceptualised now? No. I think organisations need to reconceptualise internal audit as above in a different way, as an internal, thoughtful, organisational challenge and consultancy. We need, as a profession, to make this leap too. Sure, most internal audit functions struggle to deliver consultancy work, we go to great lengths to differentiate it from audit (falsely in my view). We are steeped in rules, in checking and verification, not creative thinking, challenging, debate and have a naturally destructive and negative outlook on life. This does not need to be the case. We have the context dependent knowledge and, when suitably trained, the context independent knowledge to make a damn good job of consultancy.
I am always surprised by others’ surprise, when the internal audit function comes up with an insight and is able to deliver a great piece of work. I think they have either experienced two-dimensional internal audit of the compliance kind, or have not really registered the level of business and organisational insight afforded to an internal audit function by default.
Yet, audit teams I have worked in, with, and led, have been strong in their ability to deliver a unique viewpoint and insight. This is one that is borne of being a trained auditor. It is an insight fairly unique to internal auditors and a viewpoint that takes training to come to. It is this I look for in senior auditors I work with. This is not to say the management viewpoint is less valid, far from it, more that it is different. If the two viewpoints were similar then a good internal audit function would soon run out of insights, viewpoints, and value to add. This is not the case in my experience.
The other lesson I wanted to draw from the iPhone 6 Plus is that, sometimes, bigger is better. I know long-time readers of this blog will say that this does not match my usual mantra of ‘less is more’, or ‘fewer is better’. I believe in generally higher quality and less in quantity. Sometimes, however, more is simply more. Like my iPhone 6 Plus screen that is excellent and bigger, internal audit in most organisations is just too small to provide enough coverage. Fewer days, even if risk based (and most risk based plans are really justifications for resource that is too small as the third line of defence), are just too few. Most businesses I have worked with and in are complex, and have an international component to them. You simply cannot audit them without getting into the detail and really understanding the real risks down ‘in the weeds’. Clearly there is a balance, and perfect should not be the enemy of efficiency, but most internal audit functions simply never get into the detail of the businesses they audit.
So my two thoughts are first, that organisations and the profession’s stakeholders should not be disappointed in internal audit for not being like an historical conceptualisation of what the professional used to be. There is no point in judging internal audit as a ‘telephone’, when it does far more than make calls. Second and similarly, the profession’s current remit and responsibilities will in many, if not most, cases require internal audit to be, simply, bigger. <1% (and in many cases much less than that) of organisational spend on assurance is just not tenable in the context of most organisations, when that 1% needs to deliver assurance over the 100%.
So like the ‘phone, due to our evolving needs, expectations and use of it, has evolved paradigmatically, so internal audit within organisations should and is. Let’s embrace this change and judge ourselves and be judged by our stakeholders as something newer, better, and more fitted to the modern organisations we work so hard to support.