What does the UK general election have to tell us about internal audit?


Well, at first glance, very little. Elections are, however, complex events and have a number of lessons to be drawn from them. Take, for example, the post-election arguments about the fairness of the system. In the UK we use the first past the post system. This means that the UK is divided into roughly equal geographic portions (constituencies) containing a similar number of voters, and that at each election, the candidate from the party with the most votes in each constituency wins. This means a margin can be as little as one vote. The fewest I understand was Glenda Jackson in London for Labour (54 votes). For the system’s detractors this is manifestly unfair. It means that many votes are wasted (i.e. voting for those not likely to win the election in a particular constituency); parties that don’t have geographically concentrated support are unlikely to win; and most challenging, that the system magnifies support for big parties creating the increased likelihood of stronger government.

The lesson for internal audit here is that I see the electoral system as being a bit like audit reports. Any electoral system is attempting to simplify the complex will of the electorate. Just as political parties do. They attempt to boil down a complex set of issues, challenges and choices, into a single vote for a single party. If I’m honest I could have made an argument to myself to vote for at least three of the main UK political parties.

Also electoral systems and resulting electoral campaigns promote two dimensional arguments, analysis and discourse. We as humans like to know the right from the wrong and innately struggle with the idea that there is a range of choices. We also like to personify difference and different opinions and give them meaning and social currency. So I don’t agree with politician X, or I would never agree or vote with politician Y. I have found this with internal audit. Internal audit is wrong. We are right. This project must continue because it is right. We as humans (internal auditors included) find those with alternative views difficult and challenging. This means it is difficult for us to really focus on what is going on. To consider the grey, to consider the nuanced and difficult choices we face in our professional and personal lives. Internal audit is at the organisational nexus of this.

Any electoral system simplifies reality. So the big criticism of the UK system is that it does this too much. How can 4.1m UKIP (a UK political party) votes result in 1 seat in the House of Commons, and yet 1.5m Scottish National Party votes result in 54 seats? Yet this is to miss the point about how the system was designed. It was designed for a two or three party system. It was designed to provide a strong government. The UK system is adversarial, not collaborative and coalition based like the European systems. It requires parties to establish a broad base of support across a significant geographic swathe of the country and locks out small and marginal parties. This to me seems no bad thing. It also misses the point that coalition politics in the UK is intra-party. That is to say that coalition politics is alive and well in the UK, it just exists within parties. The major political parties, Liberal (well, until last week), Conservative and Labour are all coalitions themselves. They work to simplify choices, messages and proposals into their manifestos and campaigns, to make the electoral system itself do less work. Most European coalition systems take weeks or months to form a stable government. The UK system does this ‘pre storming’ so that, post election, a government can get on with it.

So what does this tell me about internal audit? Well, internal audit nomenclature is like the electoral system. It should provide the top management structures and the audit committee with a clear and unambiguous readout of the results of audit. Yet it should be understood as a simplification of reality, and those using the top-level messages should understand this.

Second, internal audit leadership is much like being a politician. You share your analysis and point of view with your publics and are just as likely to be personified as either ‘good’, ‘bad’ or something in-between. The message is personalised in the CAE. This is not necessarily right or fair, but it is true.

Third, leading an internal audit team is like being the leader of a political party. It is to be head of a coalition. It is to make a set of messaging and delivery choices following strong internal debate and discussion. It is to head up a group of ambitious, bright and challenging people, with the need to both listen and lead in equal measure.

The final lesson from politics I want to draw is that colours matter. We as a profession use colour in our reports to indicate concerns, messages, focus etc. Just as colour and image matter in politics, they matter in internal audit. So in the wake of the euphoria or depression following the UK general election result, note that the UK has accepted the result, win or lose. Whatever we think about politics in the UK, we have had a smooth transition of power. This requires some maturity. Are your client organisations mature enough to accept your next audit result?

Crisis mode?


Sorry for not blogging for a few weeks, pressure of work, study and preparing for audit committee meetings has affected my writing time.

I am lucky to work for an international organisation that deals with international emergencies and humanitarian disasters. As such, whilst my organisation has built some resilience and capacity to be ready for these, there is, inevitably, pressure on the organisation each time one occurs.

I have written many times before that internal audit should be a part of the organisation that has a different focus from the management team. In particular, as internal audit is risk, not issue, focused, it should be forward looking. Being part of an organisation so focused on delivery, and with a remit to both focus on and allow issue management, however, how does a risk-based internal audit function work in this context?

First there is the issue of resourcing. When an organisation is issue focused, it can be tempting to allocate resources purely to issue management. So why fund something that helps in the long term, where the direct benefit from the resources and issues is never immediately and clearly felt? Is the delivery of a service to help the organisation prevent something happening that may never have happened in the first place a good basis for funding?

The second issue is more practical. Where is the role of internal audit during a crisis? Other corporate departments can get stuck in. A crisis will need resourcing, so finance, IT, HR and procurement will all be needed. The top management team will need to be engaged in overseeing it all. It can feel in audit as if we get left out, left at home whilst others get involved.

Then there is the question of auditing emergency responses. How does one apply normal audit practice? Rules and compliance can be, at best, weaker. Where these are broken, the organisation is likely to justify this on the basis of ‘need’. Also, of course, because internal audit is unlikely to have been there in the thick of it, it is difficult for us as auditors to challenge judgements made on the ground without that context.

What is the timing of this audit? During? At the end? Some time afterwards when the dust has settled? At the very least it needs to be soon enough after operations for the audit function to still have the relevant functions and management structures around to hold accountable. It also needs to be early enough to be before regulators get involved, so that the business can have a safe, sensible and genuine lessons learned conversation. It needs to be early enough that the audit trails of people and paperwork are in place to review. Fundamentally it needs to be timed to be meaningful.

Yet there is a role for internal audit prior to this, to be a corporate service that adds value. It requires careful embedding into emergency response, it requires internal audit to move into a continuous auditing mode and be flexible, and it requires internal audit to be comfortable with risk-based audit judgements.

Internal audit has unique attributes that other functions do not have, and that have real value during an emergency response in particular: independence and objectivity. The ability to float above the crisis, to provide an independent perspective and to help decision makers on the ground is important. The ability to think ahead to the accountability questions to be asked in due course is key. The skills we have in risk management, governance, accountability, commercial awareness, counter fraud and experience across the businesses we audit could all be brought to bear.

So why is internal audit always left at home in a Cinderella-esque manner when crisis or emergency hits? Well, partly because stopping and thinking is not always welcome in a crisis. There is a pressure to do, and be seen to be doing. Pausing and planning is not a welcome voice and viewpoint in such moments. Also I think people are aware that accountability standards do fall during a crisis. Call it an increase in risk appetite or a recognition that difficult accountability questions can always be batted back with an ‘it was a crisis’ response.

Then there is the practical element of internal audit discourse. Internal audit communicates in slower time, purposely, carefully, using a written medium. Who wants this in the middle of a fast-paced, fast-moving crisis? I wouldn’t.

So can we find a paradigm of internal audit that makes a difference in this environment? Can we present via slides? Can we contribute to daily action meetings and wash-ups? I think we can. I think we will need to reconceptualise what emergency and crisis-auditing looks like. I think we will need to move beyond the concept of continuous assurance into something more like normal audit, just on speed.

I think as a profession we can no longer idly stand aside in these events. I think we should be part of the core team. That will require a change in auditor and client mindsets, however. Have you been part of, or seen, crisis auditing? I’d welcome your comments below.

Appraising internal audit – impossible or merely difficult?




I have been thinking about what makes a successful internal auditor. This is because my year end appraisal is due. I think it is difficult to appraise a CAE. We are perhaps the strangest job in any organisation.

First of all, there is the question of who is best placed to do it. Normally your line manager does it. This makes sense because they direct and control your work. They decide what good looks like. They define your objectives, resources and activities. A CAE, however, is meant to be independent of the management. The whole point is that the management chain does not define your objectives as a CAE, limit your activities or direct and control your work.

So then we turn to the non-executives, most particularly the audit committee. Most non-executives only see a portion of the internal audit’s work, in a formal and presented setting. I’ve been lucky to work with some good chairs, in particular one, who spent time with me and the team to evaluate and understand what we did in some detail. In the main, however, feedback and input into your work as a CAE is by exception, as non-executives do not see your work day to day.

Then there is the fact that most CAEs have a formal reporting line to the CEO, but in practical terms there is a ‘pay and rations’ line reporting relationship, most often to the COO or CFO. Either way, both the CEO and COO are unlikely to see the full panoply of an internal auditor’s or CAE’s work, particularly as internal audit moves away from just financial control ticking. We work across the organisation, top to bottom, side to side. So it is difficult, in a way not true for other managers in the business, to present your achievements and delivery.

Then there is the fact that internal audit works in both formal and informal ways across the business. If an internal audit function is any good, then it will provide a good source of informal support to the business. It should have a good database of knowledge and experience, and understand the overall strategic and corporate messages and contexts for local decisions. I would say I spend at least 30% of my time assisting the business in this way.

Perhaps the most odd thing about appraising a CAE is that being challenging, difficult and disruptive, is part of the role. A good CAE should avoid the management ‘group think’, the politics of the sayable and unsayable, the limitations placed on the rest of the business about asking challenging questions. To some extent a good CAE should receive a proportion of grumpy feedback. If they don’t, then I would argue they are not assisting the organisation to genuinely grow.

In the same vein, an audit function that does not receive at least some aggressive ‘shooting of the messenger’ is not delivering the right messages. I would say at least 20% of my reports are regarded as ‘completely wrong’ or not ‘how we recognise the business’ when first published. For me, sometimes this is a problem with the analysis, or the engagement of the team with the client, for which I am accountable. Most of the time it is because the report is, painfully, spot on. I have lost count of the times a ‘completely wrong’ report has either been adopted in full by the relevant report recipients six months later, or ignored and the risks stated have, unfortunately, crystallised as predicted. I guess a good CAE knows when something is just too right, or genuinely wrong, and amends and edits accordingly.

The role is contradictory and demanding: so you have a role (CAE) and function (internal audit) that is meant to be all-knowing yet cover the whole business; be both unpopular and popular; is appraised primarily by those it is institutionally set up to work independently of and sometimes hold to account; support change against all the challenges that any change brings; and work across the whole business whilst competing for attention with those managers in the thick of the strategic priority areas of the organisation. Hmmm, a relatively tall order for any individual or function.

I think, however, the biggest issue is that internal audit is set up with a completely different lens and mindset to the management team. The internal audit function’s lens is, and should be, according to the International Standards for the Professional Practice of Internal Auditing, risk based. So we trade not in the current, not in the accomplishment of the here and now, not in the delivery of lots of currency. We trade in the possible prevention of something that may not have occurred in the first place. In other words, we focus on risks, not issues, a totally different currency to the management team. This was the subject of my first substantive blog on this site (https://chiefauditexecutive.wordpress.com/2012/01/) and I still haven’t changed my mind on this since.

So we are a function and individuals that are the antithesis of management in practically every sense, yet we are all appraised within a management appraisal paradigm. Should we feel hard done by? Well, not completely. A CAE still has to manage people and deliver business processes, run a department etc. A CAE still has to influence colleagues and organisations in the same way as our management colleagues do. We still have to balance our role with maintaining a permission to operate (we are not without accountability or any boundaries).

Yet we are unique and special (I think in a positive way). We are organisationally renaissance people, we need to be extra special to be appreciated. I am of the view that a good CAE should be noted, for both the irritation and plaudits for support they deliver. For both are good for any well governed organisation.

So when you are next appraised – are you being appraised as a manager or an auditor?

Inspiring individuals



So I learned today of the death of someone who inspired not just me but countless generations of young people. His name was Joe Cassidy, principal of St Chad’s College Durham, UK, of which I am an alumnus twice over.

You don’t really reflect on how people impact on your social and professional lives until, sadly, they are gone. Joe was one of those few and special people that combined managerial skills and leadership with academic and teaching ability. He led a college community as a priest and academic and was able to provide a highly moral and inclusive view of the world. This was a view that he inculcated into the generations of Chadsmen he has seen pass through the College’s doors.

It is this moral sense, a sense of right that was not dogmatic or particularly pious in its expression, that is the reason why, in an increasingly atheist society, he was able to be relevant and impactful on those young students he worked with and supported in the College community.

It got me thinking about how he has impacted me. He was a tough manager, able to put his perspective across in a forceful, but polite and engaging way. Yet you never felt as if he’d won or you’d lost. More a sense of shared engagement with tough choices and issues.

He also created a sense of moral location. By that I mean he was able to communicate, in his words, but mainly through his actions, a sense of right and wrong. This was not a narrow dogmatic sense of right and wrong, as he was open to diversity of views and people.

This was very important to me professionally, as I see internal audit and my role as an internal auditor as having, in some small way, a moral and ethical component. Whilst it is not for internal audit to judge right from wrong in a pejorative or dogmatic way (for Joe and I recognised that the world is complex and there are very rarely moral absolutes), it is a recognition that business, as any other field of work, has to have some sense of societal and moral obligation. It has to work for us all as citizens of one global community.

For Joe, like the very best people I have known, was able to be influential without you knowing it; supportive without you feeling a sense of obligation; and most importantly able to bring a sense of perspective that puts the noise of life in its immediacy to one side. This is especially important as when you are a student (undergraduate or postgraduate) the world seems like a competitive race and short termism in choices can soon take over.

For that and all the many things he did, seen and unseen, I, and the many generations of Chad’s graduates, will miss him.

From my mentor – internal audit as organisational ethnography?




So I have a mentor. For any CAE out there, I would suggest you get one too. I would suggest, like mine, they are excellent, experienced, and understand the area of audit and business you are working in.

In my recent chat with my mentor, they used their objective viewpoint to provoke my thinking about what I thought internal audit should do in theory compared to practice. In other words, they were able to see that the intellectual purity of audit has to be tempered by organisational reality.

Interfering with the intellectual purity of audit is something I am always uncomfortable about. It always feels to me that organisations should do the right thing on a principled basis, irrespective of organisational politics etc. This is something I have had professionally drilled into me in my big four professional services firm audit training. For there the task was always to get the ‘right’ answer. Right was always defined in terms of accounting and auditing standards (all of which provide a basis in law of what must and should happen).

Internal audit is, however, a much more complex activity and proposition. As I, and my career, have evolved and I became an internal auditor (which for the record is a completely different role from external (financial statements) audit), I realised that there is no right and wrong. Well, at least I took a realist ontological and epistemological position that there is a macro right and wrong, but that the right can have a number of legitimate interpretations.

But the leap my mentor helped me to take was to recognise that internal audit needs to take account of the organisation, its culture, its capacity and its ability to deliver what needs to happen. Internal audit’s role is to be ethnographic (a social science and anthropological research term that means studying a group of humans and their behaviours as part of the group, whilst remaining objective and independent of it as a researcher).

So internal audit is about: divining what needs to happen (the right / wrong answer); divining what the organisation can possibly do; divining what the organisation is willing to do; and then forming a set of suggestions that work with this. In other words, internal audit becomes a problem solver using its ethnographic position.

So the CAE and senior management team, whose roles do seem a little esoteric and disconnected from day to day audits, actually have a complex social and intellectual task. This is the task of working with the organisation and assessing not just what the audit work is telling them, but also how to manage its delivery in the organisation to effect positive change.

So if an auditor is an ethnographer, where should internal audit pitch its findings? Is it something that professionally should be ‘pitched’, i.e. is it the role of internal audit to decide how far to challenge an organisation? Our institute has little formal advice on this matter. In fact this is, I think, the biggest challenge I have found as a CAE. If a CAE challenges too much, the organisation pushes back; too little, and the audit team feels their findings are not being pushed enough by the CAE, and the CAE loses credibility with his / her team. Also, too little challenge risks not pushing an organisation beyond its comfort zone to make it grow and get better.

So there it is, the biggest real challenge a CAE faces. Balancing challenge. Yes a CAE has to develop a good audit methodology. Yes they have to develop an audit team that picks out the findings. The core challenge is always to balance challenge and deliver the messages from internal audit work in a way that an organisation can digest. For the first line of criticism when something goes wrong always seems to be ‘where was audit’ (rather strange since audit is the third line of defence). I think too few management colleagues appreciate that a CAE has to be ‘right’, so they are not open to criticism if things go wrong, yet deliver a message in a way that promotes organisational change and development.

For ultimately a CAE is not meant, in role terms, to be popular. Too many people confuse this with professional respect, i.e. ‘I don’t like or agree with the CAE, therefore they can’t be performing well’. For me, a good CAE is not necessarily popular. They say the unsayable, point out the difficult, address the ignored, champion the marginalised, push the counterfactual.

I am lucky that I have generally worked with senior management teams that get the real value of audit. They value and engage with its challenge and support the different perspective brought by internal audit. It takes a good dose of internal audit objectivity for management teams to support and endorse this approach.

So how far does ethnography feed into your audit approach? How do you pitch your findings?

Risk control and assurance – single or multiple paradigms?




I’ve been thinking about technical audit methodology this week. So a little bit of a dry post, but one I hope will be of interest.

So I’ve got to thinking about risk, control and assurance. How do these concepts overlap and how should they play out in an audit methodology? For those that know me, I am a CAE obsessed with audit methodology. Why? Because it is the foundation upon which the audit discourse, the audit work and the audit team are bound together. For if you start out with something that makes no sense, how can you use that to persuade others, in particular management, or governors of the organisation?

So risk. A simple concept. The UK HM Treasury’s Orange Book is still the best exposition of it I’ve seen. Gross risk, risk mitigation, leading to net risk. Simple. I have always thought of risk mitigation action to be control. Yet my thinking is evolving in this matter. More of this in a moment.

Let’s consider assurance. In a risk-based assurance model, the one I use, I take assurance to be the converse of risk. I appreciate this is not ideal, but the wider industry concept within which my audit service operates requires equation of risk in a converse way with assurance. So, for example, high risk equals high uncertainty; this leads to less assurance. i.e. I, as an auditor, can provide you with less assurance over something I consider to be uncertain (risky). Conversely, I can provide high assurance over something certain.

Yet we know that this definition emphasises the level of certainty (and to some extent, proximity) of risk above the impact. So if risk is a factor of both, the level of uncertainty (including proximity) and level of impact of not achieving objectives, then assurance can well be described as the converse but not necessarily so. i.e. high risk could be high impact but low uncertainty, yet under this model it would be equated with low assurance. We know also that assurance is about the ability of the auditor to form a view as well. So I could, for example, fully assure you that the risks are high. Here assurance is detached from the risk measurement itself and linked to the level of work being done.

So my risk-based audit methodology, as I currently use it, links risk and assurance and treats them as converse factors, even though this is not perfect (in an ideal world I would simply ascribe risk).

So where does control feature? In my risk-based model as I currently have it, control is equated with risk mitigation. So good control is adequate risk mitigation. In my model I recognise risk appetite. So I form a view of net risk and apply no pejorative judgement to it at all. Risk is risk, be it high or low. Whether it is ‘good’ or ‘acceptable’ or not, is entirely a matter of risk appetite. So in a high risk appetite area of the business (with risk appetite defined by my client’s governance body and then applied by the management team) controls as designed and applied are deemed adequate when net risk is below the defined risk appetite.

This works fine until you come to something that is poorly controlled (perhaps with few or weak controls) but is low net risk (and most probably low gross risk). You are then presented with a choice of nomenclature. Do you go with the intellectually pure, risk-based interpretation? If it is low risk and risk appetite is, say, medium, even though something is badly controlled it presents little risk. So something coded ‘yellow’ or ‘green’ is deemed acceptable even where the control system is a mess? Hmm, difficult. You want to message the lack of control in your report, but your risk-based reporting is oriented around risk. So something low risk must be coded as such.

This is made much worse by most audit services’ methodological maps of risk. For those that colour reports in a risk based way (i.e. referenced to risk, rather than a pejorative judgement about control – the red is bad, green is good, methodology as I call it) if you use a single scale for the whole organisation you quickly get into a mess. So most things in most organisations do not matter. Organisations are too big and complex and rarely is any risk an organisationally significant one. The natural portfolio hedge sees to that. So your non compliant process x will not kill off the organisation. We get around that in my service by having four risk layers. This allows smaller, tactical and operational processes to have ‘reds’ of their own.

Even a multilayered risk map process does not save you from the quandary of some poorly controlled things simply not being significant in risk terms. Indeed in a purely risk based organisational world, you would not seek to mitigate low gross or net risk items further, so you could argue a weak control system is appropriate. Yet the audit committee and the management team do want to know what items are simply non compliance and poor management control, rather than a complex and ultimately debatable net risk exposure point.

So cue a controls judgement. Where something is not high net risk, it could still be poorly controlled. So is a control view independent from a risk view? I have held in my audit methodology that this is not the case, as I have equated risk mitigation with control. So control is a relative concept and is grounded in risk. So control adequacy is mitigation of risk within a defined risk appetite.

Yet I do feel I need to have a way of dealing with poor controls in a risk based audit methodology. I currently cope with this through ascribing a low risk appetite to enable me to say something low net risk is inadequately controlled. The classic example is financial control. Most organisations have a low risk appetite here, so a weak, say payroll system, even if low net risk, would get a ‘yellow’ with a negative view of controls as designed and operated.

The other way of dealing with this is control awareness. This would flag how well control was delivered in an area of an organisation, irrespective of risk, to be within a defined risk appetite. So poor control, even if it led to low risk, would receive a negative view. This detaches control from risk though.

I am still working through my thinking on this and would appreciate any thoughts and suggestions – what do you think?

Management and audit – two sides of the same coin or different currency?




As a CAE I am required to attend the audit committee. It is something I have done for a majority of my professional career and it is something that has always been a professional and personal challenge. It never seems to get any easier.

One thing the audit committee process does is force me to work with my management colleagues. I cannot produce audit committee papers on my own. I need the management engagement, support and response to make the audit committee process work. This presents a professional challenge, for it is the time when I act most like my management colleagues, i.e. using persuasion, collaboration, cross working, shared effort, as opposed to the arguably more detached and institutionally created, demanding approach to audit. I can demand to audit (of course one doesn’t, one works collaboratively, but I could demand to be able to audit). I cannot demand a suitable management response.

In discussing reports and audit results I do have perhaps a more liberal and relaxed approach than that of many of my CAE colleagues. I don’t see the draft audit as fixed and to be ‘responded to’. I see it as a starting point for a conversation, debate and discussion about risk and challenges. I see audit findings as a shared challenge and set of questions that internal audit and the management team should debate and discuss potential solutions to. So in some ways we face the same problem but from different sides of the coin.

Yet, for every audit committee in every client I have ever worked at and with, getting management responses and producing audit committee papers on a timely basis, has been a chore and hard work. At some point the conversation needs to stop and response be provided. I sometimes think this is because we (as auditors) and managers do sometimes linger in the old world of audit being an accountability and checking mechanism. The audit report is seen as a gaming process, to be batted backwards and forwards until a negotiated settlement that is not too ‘critical’ of the management team and will be seen positively by the audit committee as such, is published.

Yet I see it differently. I see audit as a collaborative, shared, cathartic approach, where the value lies less in whether the audit report is intellectually or scientifically ‘right’ and more in whether the process of debating it has really moved our collective (audit and management) thoughts forward. In other words, does it prompt change, or a conscious and comfortable adoption of the status quo (both are appropriate outcomes)?

Also, I don’t see a particular need for an audit report to be agreed at the point of publication. Yes, broadly you don’t want diametrically opposed positions, but does the challenge and debate of an audit report need to be settled at the point of audit committee publication? I would say not. The reason I say this is because the very best auditors look forward into the future or ask the really big questions. This is the real value of a good internal audit function. They say things the management discourse has not yet got to, or that are not yet current currency. So for example, in the Tesco context, the internal audit function should have said, ‘look, our business model is becoming unsustainable in a fundamental way here, and I see the pressures (albeit small at this point) beginning to show’. That may have saved Tesco a lot of its current stress. Most of my best audit reports have said, years before the risks became issues, what the real problems were. The management team have looked back at the original audit report and valued it retrospectively. My previous boss accused me of having a crystal ball; I explained that I simply knew that unmanaged risk will, eventually, somehow, become a set of issues.

I don’t really see management as being fundamentally different from audit. We both face the same complex, messy world, and this world does not get easier and less challenging. So a good audit report should really push the debate on, push the organisation to adopt a position, and be seen as an organisational process, a risk management debate. It should not be seen as a criticism and judgement of individuals, for control environments are almost never ascribable to a single business unit or process, and never at the level of an individual.

So why then do audit committee papers push two parties with a collaborative and joint interest to adopt such different positions? I suspect it has less to do with how the auditor or individual manager thinks about audit (many now have much more modern views than the traditional inspection model). I suspect it is a fear about whether others still see the audit model in those terms. So do the audit committee members see it as a process of compliance inspection? What about our publics and stakeholders? Again, in reality, a lot of modern audit committees don’t see internal audit in those terms; they are on board with a more collaborative approach.

Yet, whilst modernity is beginning to come to audit practice, it is still difficult to see this in public audit discourse. Our institute is still obsessed with independence and objectivity. It still sees this divide in absolute terms, and in prima facie, two dimensional, terms. For independence is a state of mind, not a set of rules and processes. In pushing this divide it pushes audit and management teams apart. Instead of being two sides of the same coin, it forces us to be different currencies.

So next time you are preparing your audit papers and thinking about why the process is difficult, perhaps take comfort in that a good audit approach pushes an organisation, and that no one likes to be pushed. So are you the other side of the coin or a different currency altogether?

Adaptive audit

Last week I attended a conference of international development professionals discussing adaptive programming (or projects, for those outside the international development world). For a short readout see: https://dfid.blog.gov.uk/2013/10/21/adaptive-programming/

Adaptive programming is a sort of ‘agile’ project methodology for aid programmes; in other words, a contingent, try-as-you-go methodology for seeing ‘what works’ in international development.

Unlike IT, international aid is solving genuinely complex problems, or ‘wicked problems’ for which the causes of the failure of development or continued poverty are multifaceted and difficult to pin down. For example, is poor nutrition in a country due to barriers to economic development, lack of basic resources, cultural issues, poor political and state governance, or a complex messy combination of all of these? I would suspect the latter. If so, how can any programme of international aid make a difference to this?

Standard programmes require a clear definition of the problem, clear designed solution, and then systematic, orderly, well controlled, project implementation of the solution.

Just as this is being recognised as not possible in IT programmes (i.e. you cannot predict 100% of the problems in advance), this is even more so in development programmes. IT’s solution is agile: a reflexive, adaptive, contingent approach to solving the problem, with many learning loops within a non-linear process. Adaptive programming (as I have interpreted it) is the same thing in an international aid context.

So where’s the relevance for internal audit? Well, internal audit in its traditional form is great at assuring standard, linear projects. You review the process and the design of the process: will it deliver a good project? Most organisations would have some familiarity with PRINCE2 (I’ve not seen anyone really apply PRINCE2, by the way). Fabulous: you can send junior staff to look at a book of rules, and if the programme is complex, send a more senior auditor (who can take some judgement or view of the rules). Then tick it and report non-compliance.

What about adaptive programming though? A vague project plan, lots of changes, lots of judgements, a lack of evidence (save implementation results). This requires auditors who are happy to work ‘off piste’ and without a rulebook. So what do they rely on? Common sense? We know this is in short supply. Also, whose ‘common’ sense is it? When an auditor is unclear which way is ‘up’, how can they audit in this environment? For surely all adaptations can be appropriate?

Well as ever, and consistent with my audit mantra, internal audit needs to move away from being scientific. There is no definitively right and wrong in the real world. Yet I am not ready to sacrifice the idea of things being wrong or unreasonable, totally. For then internal audit becomes nothing more than an impressionistic, artistic, other voice in the organisation. For if all decisions are right, no matter the results, outcomes, resources expended, or risks taken, then your basic rules of governance collapse.

What I mean by this is that governance is about direction and control. The board, or equivalent, and senior management need some framework to do this through. They need a framework to approve and control activity within. Normally this is the risk framework, i.e. the organisational and management risk appetite. This is expressed in many forms, finance delegations, formal risk delegations, key controls and authorisations, policies, legal restrictions etc.

So I, as an internal auditor want a framework, however lacking in granularity and however much adaptive flexibility it has, to be consciously applied in an organisation. The auditing of this framework is adaptive auditing. Yet when a business is introduced to adaptive auditing, that is an audit function that is happy to see adaptability applied in context and does not want to see a rules-based culture imposed, the business struggles to adapt to adaptive audit.

It must be odd for many in management teams for an internal auditor not only to accept a lack of rules-based compliance, but to want to see this model applied in practice. But let’s be clear: adaptive programming and the demands of an adaptive audit can be challenging. In particular I think agile audit, adaptive programming or any non-rules-based method of management requires more control, not less. It requires a clear articulation of the current position at any point in time, that is, a justification for the current control environment. It also requires a clearer view of why things are where they are at present, a clearer view of how success will be monitored, and a clearer view of what would need to change to provoke further control changes.

So this is what I mean by adaptive programming requiring more control, not less. It requires a more conscious articulation of the programme. It requires a better audit trail of previous decisions. It requires a more thoughtful justification of the programme.

Similarly, adaptive audit is much harder to manage and deal with. Auditors are taking judgements. This therefore requires a higher quality of auditor; more work to co-produce reports (although ultimately they are independent); more work and higher levels of management engagement during an audit to discuss complexity and difficulty; and more openness and honesty about risk and, ultimately, failure.

So are you and your client organisations ready for adaptive management and adaptive audit? I would say a lot of organisations have a way to go. It fundamentally requires the audit and management relationship to be reset. No longer an adversarial game, but a collaborative effort to face complexity and challenge together. This will require some sanguine understanding of risk and audit by regulators, governing bodies and senior management.

Are most clients I have worked with ready for this grown-up relationship? Some, but not many. It is the line between artistic chaos and socially-scientific control frameworks that is difficult to pitch. This will vary and cannot be always clearly articulated. If we can open ourselves to trying this model though, it would benefit both audit and management teams alike.

Objectively speaking…

I am cracking my way slowly through a PhD – bizarrely in marketing (don’t ask – it’s a subject that fascinates me and is I think a much neglected concept to be studied critically). As part of this I am working with three case study organisations. They are very diverse, large, complex and high performing (in their fields of expertise). It is nice to be able to spend some quality time with some diverse organisations.

What has struck me in various conversations is how all organisations need a critical eye. They need a party that is knowledgeable, confident and capable of understanding how the organisation really works to challenge them. This challenge needs to be done after the manner of a friend: robust and direct, but with understanding and compassion.

So many organisations reach out for this robust and critical challenge that really says what needs to be said, but struggle to obtain it. They employ consultants who tell them what they want to hear (they are the people paying, of course), or who tell them nonsense (because they have not really understood the question or the organisational context). Or they submit to inspectorates with reporting and agendas that will play out in the public domain, meaning the result is either made bland or driven by other organisations’ views of the world. Both of these methods of feedback can, of course, work. Yet in practice they do struggle to consistently and helpfully challenge organisations in a way that enhances, builds and moves their client organisations on.

I believe good internal audit can do this. Good internal audit, that is accepted by the client organisation as a friend. For only once an organisation loses its inhibitions can it truly have an honest and open discussion with its internal audit service and itself.

Yet accepting this level of feedback is tough. Tough for the organisation as a whole, tough for the individuals within it (many of whom believe criticism will be career limiting). Most of all, tough for those who govern the organisation. For it is difficult to accept that something you direct and control is suboptimal, let alone poor performing, and those charged with governance are accountable for the organisation’s failings after all.

Yet this is also tough for internal audit. As a CAE my preference is to deliver thin reports, spreading good and positive assurance news. Shorter to draft, easy to quality assure, easier to deliver, positive response from all parties, etc. Being a challenging, difficult, bad-news-delivering, argumentative, stroppy CAE is neither easy nor enjoyable! Choosing which items to deliver and in which order is much more challenging and difficult.

Yet, if an internal audit function can get its client organisations into a good space where both parties take the pejorative element out of internal audit and the process of review, then there is a better outcome to be achieved. This requires both parties to see issues and risks in objective terms, to accept that both risks and, occasionally, issues arise in a resource-constrained, complex and challenging world. If internal auditing can be seen as a collaborative process to lay bare reality, with a view that the process itself, even before an outcome, is cathartic and useful, then internal audit can really leverage its USPs (unique selling points).

For internal audit is uniquely independent and objective, yet engaged, interested, supportive, and understands its client organisations. So, objectively speaking, where else, either inside or outside of the organisation, do you get this confluence of unique features?

So when I am in conversation with an organisation and they ask for a source of objective but supportive review and challenge, I shall say: look no further than an excellent internal audit service.

Supply chain auditing – a step(s) too far?

A few weeks ago the BBC documentary programme Panorama broadcast a programme containing allegations about Apple’s supply chain: http://www.bbc.co.uk/programmes/b04vs348 Not really news, I hear you say? Apple has long been accused of having poor supply chain practices, ranging from poor workers’ rights through to poor environmental or social records.

The Panorama programme, in case you missed it, made allegations that despite Apple’s public commitment to clean up its act, it actually had not done so. In particular it alleged that one of its supplier factories in China worked its workers so hard that they slept on the production line. Also that tin got into its supply chain from child labour and illegal mining practices in Asia.

Now it is not for me to form a view on these allegations. I am sure there are others who are closer to this than me and who know the industry better. Apple of course can afford to do better, but also attracts disproportionate criticism in a way that other companies do not. So I suspect the truth of the allegation probably lies somewhere between the two extreme views.

What interested me as an auditor, however, was why the auditing practices put in place by Apple had not seemed to address the problem. The supplier’s factory in particular talked about having forms for ‘Apple’s auditors to review’, with staff being forced to sign forms as a proxy for accepting a briefing or for their assent to signing away their employment rights. Why did Apple’s auditors accept this and not challenge it?

This reminded me of when I was a junior auditor working in a professional services firm. We used to audit further education colleges in the UK. There was a scandal in which a college had made up what was called ‘franchise’ or ‘community provision’, that is, courses delivered by commercial partners, charities or businesses in the community to bring education to hard-to-reach students.

My firm led in the provision of spot checks. These were short visits of up to one hour and they would be unannounced. The idea was that you would verify a sample of activity and prove, or not, its existence.

As a junior auditor, it was my task to do these. It was a chore: driving to out-of-the-way places. We had a big checklist and we had to check the register and the registration data held by the college. There was a mathematical sampling formula that set out the number of spot checks to be done and the partners that should be visited.

I learned a lot from these. First, it built up my social skills. As a rather sheltered graduate from a middle-class background, it was a shock to wander into crisp or sandwich factories and speak to adult learners (by the way, I would not buy a cheap shop-made sandwich even now, nor eat a cheap sausage roll from a bakery, but that’s a different audit story).

It also taught me to open my eyes. It taught me to think beyond the checklist, beyond the story being told to me. Even now I look for cars in the car park, the language used by interviewees, what they are wearing (my current colleagues notice my observation skills). In one place the small ‘learning shop’ located in a small rural shopping centre seemed okay. It had a small room, two computers, a member of staff, college brochures etc. Yet, when I got back to the office and asked about the total enrolments for the year, I was told a number that could not have been serviced by the small shop I saw.

I learned that tidy records meant higher, not lower, fraud risk. I learned to be critical and testing of clients. I learned to, politely, bring people back to the points I was asking (otherwise the 45 minutes allowed for the spot check could drag on for hours). I learned to interview diverse types of people, those outside of my professional auditor experience.

The real point of all of this is that it is perfectly possible to audit and tick boxes. Don’t get me wrong, sometimes spot check visits felt like they were ticking boxes, not adding value. But audit around the checklist. Join up the dots. Aim for the higher skills marks, and spot checks can become powerful vehicles.

In my current role it is difficult, as it is in most organisations, to oversee supplier risk. How far down your supply chain reputational risk extends is tough to decide. The big lesson for me though, and perhaps for Apple post Panorama, is to throw away the forms and the checklist auditing, and to send good quality, critical, intelligent and experienced auditors to do spot checks, preferably unannounced.

This is the type of auditing I love. Noticing the detail. Really challenging the consistency across different data sets. And yes, it is a uniquely audit skill. For management are often too naive or trusting, in a way that we auditors (and me, from my spot checks many years previously) are not.

How challenging are you of your supply chain?
