You would have thought that an experienced CAE such as myself would have sorted this fundamental point by now. Not so, because it is a complex question with lots of different actors and influences, all of whom want something different.
I have been prompted to debate this issue again because I have been following a path from internal audit to something more meaningful, more authentic, what I call ‘business assurance’. Why this strange title? Well, business assurance for me captures what it is internal audit should be doing: first, offering assurance. Too many audit functions focus on providing ‘audit’. Like that famous t-shirt print ‘look busy, Jesus is coming’, too many auditors look busy when the audit committee comes but are not doing anything meaningful. Why is this allowed to continue? It suits all major parties. Audit committees are happy, because they look as if they are doing their job. The only real test of the audit committee is if the organisation fails, and if that happens audit committees are rarely held to account. They may even feel as if they are making a difference. Senior managers are happy. The audit ‘dance’ continues but does not really impinge on their day-to-day work of managing issues (note, not risks). Auditors are happy. They can deliver a process and there is no real pressure to deliver the right answer, just an answer. Many auditors are professionally trained to deliver audits rather than answers, so it would suit many audit services not to have that pressure.
Second, business assurance focuses on the business. There are many types of risk: some are highly complex, some are amenable to statistical models of probability, some are systematised. Business risk is the overall result of other specialist risks, and it is the one that the audit committee should ultimately be focused on. Take health and safety risk (or hazard, as they prefer to call it): this risk leads to business risks of fines, legal liabilities and reputational damage. Business risks are not amenable to statistical models. They involve people, too many variables to compute, something called ‘culture’, and they require a person engaged and close enough to the organisation to understand organisational nuances. All of these can be assessed by a business assurance auditor.
So why does business assurance question the focus of assurance? Well, it takes the internal audit proposition to its logical extent: identify management- and governance-set objectives; identify risks (positive and negative) to those objectives; evaluate the controls and mitigating actions in place; make suggestions and recommendations to address those risks and thereby improve performance and risk handling.
So within this process how should one focus on risk? Well, one can take net risk: focus on areas of institutional risk and risks to the achievement of the strategy. This would, however, ignore those areas of well-controlled risk, for example payroll (big impact, big likelihood) but normally well controlled and locked down. It also makes the assurance plan produce outputs of limited or often weak assurance, large reports with lots of issues, and makes management grumpy about having to respond to problems. Second, who determines risk? Ideally an objective and well-run risk management assessment shared by auditors, management and governing bodies (boards). Few organisations have this in reality; most CAEs have their ‘own’ assessment of risks and most management groups have their own priorities and blind spots. So whose risk map should a net-risk-focused assurance plan use? Third, a focus on net risk will, necessarily, sometimes focus on areas of known net risk. Should auditors get stuck into areas of net risk? Would this become ‘consultancy’ work? Would the output simply tell the management team and governance structures what they already know? If it is high net risk, will the auditor have the capacity to produce any more meaningful a solution than the managers who, by definition through risk exposure, are struggling with the risks themselves?
[I'm just going to take a moment out here to discuss my dislike of the consultancy versus internal audit argument. There is, in my view, very little difference between the two. The process set out above, of a risk-based audit, is consultancy by any other name, or at least it is what consultancy should be: the identification of organisational objectives; assessment of risks and opportunities; assessment of the current position; and recommendation of solutions for managers to adopt. The only difference with internal audit is that managers commission and then, most likely, ignore the results of consultancy (particularly if the results challenge organisational group-think). This is not the case for internal audit: the ability to ignore the results of audit is much more difficult when they are routed through an audit committee.
The other argument is that consultancy work challenges auditor independence. Nonsense. Independence and objectivity are functions of a mindset, not of payment structures or legal position. Most professional service firm audit providers are already fatally conflicted through the payment of fees to them for the work in the first place (the ‘best not rock the boat with a challenging report’ argument). It is the in-house audit provider's very dependence on the corporate body that makes them more likely, in my view, to give the right objective answer in the long-term interests of the organisation.
The other, 'you can't review your own work' argument. Again nonsense. I see audit as an intellectual process. This process, repeated by me, may well challenge my previous views on an area and I can just as clearly be critical of my last reviews and suggestions for an area as anyone else. I am trained to think this way. Life and risk move on. Even the best academics, politicians, businessmen and any other party, evolve their thinking over time. I can admit my views and previous recommendations were wrong. Thus what is the issue here?
Let's consider actual consultancy here. Normally hideously expensive. Normally with disappointing or impractical outputs (how many consultancy reports have been buried for being theoretical, impractical, and lacking in recognisable narrative and detail?). Normally not really saying what needs to be said, but what is politically able to be said. A consultant once said to me, as I outlined what business assurance was, ‘Why would you not want to give the client what they want? What if they don't want what you're saying?’
So let's not confuse doing good work that gets to the bottom of something, and is of meaningful, high quality, with ‘consultancy’. Good internal audit is just that, and needs capable and well-paid staff, of a level to challenge and work with management on a level playing field to tackle the risks and issues of the day.]
So then do you focus only on those risks managers believe are well controlled, a low-net-risk strategy? Well, plainly no. Gross risk is important here. If an area is inherently low-risk in the first place, why waste limited audit resource on it? This neither provides a drive for the reduction of net risk, nor an improvement in the handling of risk.
I would suggest, therefore, that the answer is to focus on gross risk, with an emphasis, in the plan, on tackling those areas of high net risk (i.e. areas of weaker control). This should be in the assessment of the auditor, informed by the audit committee’s, management’s and the institutional risk assessment’s views of the risk world. As a CAE I do need to ‘look busy’, to provide some assurance, even if I know intuitively that an area is well controlled. I also need to ensure that I push for an improvement in risk handling and a reduction in net risk, as this is the long-term metric (not audit) by which a good internal audit function should ultimately be assessed.