Do organisations only ‘get’ internal audit when they mature?




So I had the pleasure of attending the UK Government’s Finance and Internal Audit Conference 2016 this week. I was not convinced linking the two separate professions was massively helpful, as it seems to perpetuate a myth that all accountants are auditors and that financial audit is the same as internal audit. I would argue my audit team has more in common with general management and policy colleagues than our financial ones. Heigh ho! It was good to have a gathering of my internal audit colleagues across HM Government, so in that sense a gathering will always have some value.

So why was I there? I had been invited to argue in formal debate about the motion ‘Internal Audit can deliver more value in a risk mature organisation’. I was asked to argue against this motion. I was happy to argue against as the motion presses on a number of weak points in the increasingly global, and in my view false, current paradigm of internal audit.

So the main argument for the motion (provided by a partner from PWC who I hold in respect) was that in a risk mature organisation internal audit is more valued, more engaged with, and can deliver more value to the management team as a result. In other words risk immature organisations are too immature for internal audit. Or that internal audit does not, or cannot, deliver as much or any value to risk immature organisations.

I think this proposition is clearly false. Internal audit, with its unique attributes of independence, objectivity, and purview across, into and at the top of organisations, should add value to any organisation. Sure, risk immature organisations are very hard work. Some are very challenging indeed. This does not mean internal audit does not add value, it just means internal audit has to work harder, better and clearer with those organisations. It’s true I faced a challenge back, that risk immature organisations would not resource internal audit. That’s true, but you only really need one talented and capable internal auditor. So if you run a small audit team (and there are lots of you that do), don’t feel marginalised. When I did it I forced value on the organisation, I was truly independent and said what I thought. That was not popular or necessarily engaged with, but it made a difference. For one of my previous clients I take credit that that organisation is safer, more customer focused, has a better built environment and generally has stronger processes and systems as a result of my work, even if it was not liked, or valued at the time.

The other obvious statement is that risk immature organisations present lots to go at. Lots of systems, processes, risks, strategies, governance and control issues to get your teeth stuck into. Doctors don’t spend a majority of their time with the healthy. Similarly having some low hanging fruit (or fallen off the tree rotting in the ground fruit) is a great organisation to be involved in. Lots of chances for IA to be relevant, valued, bring to bear IA’s unique attributes etc. As a CAE I love risk immature organisations. They present both a challenge and an opportunity – save the risk mature organisation for the few years before I retire!

So back to risk mature organisations. My biggest beef against this is that it is not real. It’s the Disney position. It’s not real. Let’s be honest, how many really mature organisations have you seen? Where the first line of defence is well organised and thinks in controls terms; where the second line is clearly structured and professionally organised and has a genuinely semi-independent role from management; and a proportionately and sensibly resourced third line, which is 100% respected and listened to. No, me neither.

That’s because this whole three lines of defence paradigm is nonsense. It describes a world the professional services firms would like to see, as it justifies their systems only, light-touch approach to audit (they don’t really distinguish between internal or financial statements audit – for surely risks only impact financial controls?!).

Yet real internal audit (and yes it has to be internal) needs to understand the culture and totems of the organisation. It needs to have a deep and rich understanding of how the organisation really works. For all organisations are not controlled by systems and processes. They might be in part, but the really significant risks are controlled by senior people, mostly using intuition (labelled as experience) and there is no real law or right and wrong objective knowledge in management. For why would we globally pay senior management so many times more than the average employee if organisations were just bags of systems? It’s because organisations are not bags of systems. They are complex, messy, human, full of people. So internal audit needs to audit systems and processes and controls, but it also needs to understand incentives, culture, politics (both capital and lower case ‘p’) to provide real and meaningful assurance.

So, let’s take it back to the dominant paradigm of the three lines of defence. Clearly the three lines of defence is nonsense. It’s a model. Models are used to help us humans to simplify and understand more complex reality. They occasionally provide a basis for us to predict outcomes or causality. The very best provide an ideal that, if applied, will lead to success. Yet the three lines model does none of this. It is not predictive. It is not even clearly understood, outside of the banking sector where it is mandated. It is, therefore, neither law, nor observable fact. So I see it more like the Pirates’ Code in the Pirates of the Caribbean – ‘guidance’ not rules. I see it has a religious quality. You have to make a leap of faith to believe in it. Indeed I’ve even been told it’s some people’s Bible. It does have a cultist element to it. At best, it’s a typology of organisational activity. It tells us nothing about the detail of what goes on in each typological segment and gives no sense of the relative strengths, size, resourcing or value provided by each.

So let’s all move on and treat it as the basic typology it is please. For this three lines model, taken out of context, is what causes a motion such as this to even be talked about in relation to internal audit. It is this idealised model of a fake Disney reality of a pyramidal organisation with a big first line, smaller independent second line and tiny third line IA that limits IA. It limits IA to doing nothing. So when IA does any real analysis or consultancy or asks difficult questions it prompts the clarion call – ‘oh that’s a second line activity’. Nonsense – internal audit is very well placed to do proper consultancy. Not the kind consultants usually do, which is limited by management in scope and buried if it is not the preferred answer, but real consultancy that asks the right questions and provides the right answers that have to be dealt with.

It is the three lines model that limits IA in most organisations to overseeing the sausage machine, occasionally tasting the odd sausage, but assuming that risks are all ‘aggregatable’ to the top level of an organisation and testing those ‘strategic’ risks (they are not – risks are complex webs of detail, not one-liners at a board level). It is this model and ideal paradigmatic approach we are all increasingly buying into that makes IA functions tiny. Would Volkswagen have doubled its IA resource to avoid its current woes? – I would argue yes and that it should.

IA is part of an ecosystem. It can and should be larger and better resourced in all organisations. It should do second line functions – or at least review in more detail, further down the organisational detail, from an independent perspective. Most second line functions are weak and unclearly structured anyway – so some overlap is needed. Internal audit can and should add value to all organisations and I would argue good IA will add more value to risk immature organisations, as we have access to the governance of the organisation to unblock the constipation that most risk immature organisations face.

For remember, at the end of the day when something goes wrong – this model we all buy into falls apart – no CEO ever asks ‘where were my first and second lines of defence’; they ask ‘when was it last audited and why did you not tell me’.

2016 – a time to come out?

I am at that time of year when I think about the year that’s been and the year coming. I ask myself in relation to this blog – is it still doing what I wanted it to do when I started it in 2011? Am I still able to find the time and energy to do it? Should I continue to keep it semi-anonymous?

I started this blog as a place to debate, think, and discuss my changing and developing professional views of internal audit. Since 2011 I have been lucky to have two roles that have made it possible to grow and develop and, most importantly, to put my ideas into practice.

I also decided that I should make the blog anonymous. Not because I didn’t want to be held accountable for my views, but rather I did not want my background or personality to interfere in how my writing was perceived and my thoughts were considered by the blog’s readers. I am aware it is only semi-anonymous as it broadcasts via my Twitter and Linkedin accounts. Even so, I have been clear to make the blog generic, anonymous and accessible.

I think on this second point my views have changed. I am now working in an international role, for a respected client organisation, and I have now had my service undergo a recent EQA which, in the early draft report, has been very positive. I believe I have now had a chance to implement my ideas of internal audit at scale and proven, in practice, that my approach to internal audit does work. This has been with the fantastic support, engagement and hard work of my team.

I think now, 2016, is the time to engage with my international colleagues and audience. I am also now turning my creative attention and energy to the other side of my responsibilities, counter fraud. I have successfully combined the two, but want to engage my international counter fraud colleagues in the debate and discussion about this work as well.

So – I am Anthony Garnett. I work as the Head of Internal Audit and Counter Fraud for the UK Government’s Department for International Development. I deliver audit and counter fraud services for the over £10bn the UK Government spends each year across the globe bilaterally and multilaterally (through the UN, World Bank and other development partners) to tackle poverty, instability and support fragile and conflict-affected states. My views on audit in this blog are, of course, mine, not my employer’s.

On balance the blog does still provide me with a place to write about the challenges and thoughts I have. I still benefit from the opportunity to write about the challenges and thoughts I have about them. Writing is both cathartic and useful for me, and I hope it is for you, the reader, as you follow my journey.

The blog is still useful to chart my changing views. I still find working as a chief audit executive continues to provide me with new and varied challenges. This provokes me to think and grow, professionally and personally. So the blog is a good space to do this and I will keep going with it.

I think my need to engage with the international community and my international colleagues makes this blog a useful tool. I shall begin to express what I am learning from working globally and what it is telling me about internal audit across the globe.

The other thing I wanted to do was to deliver a platform to challenge internal audit orthodoxy. I wanted with this blog to put right the things I saw as nonsensical, bizarre or unchallenging, woolly and poor thinking in internal audit. I think the internal audit profession still lacks this challenge, and thought leadership in internal audit is thin on the ground. So I want, in my own small way, to address this deficiency. I hope my blog has done this so far, but I will focus on this more in 2016.

Finally, on the energy point. I do find my current role immensely challenging and draining of my time and energy. I also moved from Scotland to London and am now London based; this was a tiring move and transition. I have an incredible team, a great deputy and senior management team. So I hope to be able to blog more in 2016 than I have done in 2015.

Thank you, as a reader of my blog, for following and continuing to follow my professional journey. I wish you all a happy new year and look forward to debating and discussing the finer points of this during 2016.

EQA happiness?


So it’s that time in every CAE’s life where their audit service gets its external quality assurance (EQA) review. Although I’ve been a CAE for over 10 years now, it’s the first formal contracted-out EQA I’ve undergone (as a consequence of other processes being in place or timing with client organisations). In previous roles I had annual EQA reviews by peers. This time it is a full, arm’s length assessment.

I think I have been relaxed about it. Not because I am insanely overconfident or arrogant, but because I have a constant hope that I can genuinely learn and improve what I do and how I do it. I am actually looking forward to someone wanting to engage with my thoughts, my world, my challenges, my views, and the future.

I am certain that not everything is perfect and that there are things that could be improved. I am however very comfortable with the building blocks of my service, the people that work with me. They are a motivated and hard working team. A team committed collectively and individually to being better and the best. Part of that is because we work for an organisation that tries to help and change the world. Part of it, I would like to think, is because I demand, and hopefully inspire, the best in all of my team.

I had the extreme pleasure to see another two members of my team qualify as professional internal auditors. They have worked hard in tough work and home contexts to achieve their qualifications. They did this not for the status and label of the postnominal letters, but for their genuine edification. Seeing their genuine happiness at qualifying got me thinking about what makes me happy.

So as I reflected on my team’s ability to tackle issues and challenges collectively and to help and motivate each other, I also reflected on what makes me happy. Don’t get me wrong, being in a leadership role can be draining, tough, challenging and, at times, dispiriting. Yet it can also be awe inspiring too; to see people really grow and develop.

So another pleasure I have is seeing the effect of an audit report really transform thinking and development of others or client organisations. A good audit report should sometimes take a client’s breath away. At first because of the sheer cheek and audacity of it, or because it says the unsayable, or because it tackles the most difficult challenges, the most painful truths, or because it is balanced and helpful, or because it has listened and brought contextual analysis to the issues and risks at hand. Then later, because it prompts growth in clients organisationally and individually in their staff.

It also makes me happy to be working in a co-productive manner on assurance reports with my team. I love shaping, challenging, being challenged and then co-producing fantastic audit products. I love working with bright and stimulating colleagues. They make my day when they are excellent. I am happy to showcase the team I work with; they’re fabulous.

What else makes me happy as a CAE? I think adding value to my client. I evaluate success as what I bring to the client and how I improve the clients I work with. For in the final analysis, if we judge quality as performance rather than conformance, it should be what difference we make to our clients.

Auditing a Galactic Empire *spoiler alert*




So the Evil Empire of The Return of the Jedi has been supplanted and replaced with the First Order. The Death Star has been replaced with a planet-sized version of the weapon, Starkiller Base.

So I wonder, does the First Order have an internal audit department, and if I was CAE of it, would I have prevented their fate in the film? (let’s put aside the rather unpleasant references to fascist states of old and assume Galactic internal audit standards allowed me such ethical licence to work for the First Order).

I guess I would have had a look at governance first. Was the planning of the strategy suitably overseen and reviewed? Was it done through a reasonable process? Was there enough external challenge from non executive directors? Leader Snoke seemed to be a one man band and, whilst he listened to advice from a slightly younger Peter Cushing general replacement, General Hux, there were some dysfunctional governance processes. No three lines of defence here! He was also an absent leader, seemingly appearing from a distance in holographic form. So all in all I would like to think I would raise a number of challenges to the strategic planning and governance processes.

Let’s think about the Starkiller Base for a moment. This is a little like the IT systems we use in our galaxy. So I think it is well recognised that the ‘castle and moat’ approach to IT control is now well and truly dead. In particular the idea that one can fully prevent intruders and prevent access seems a little fanciful. So the approach must be one of detect and respond.

We learn that the rebel alliance does not have any detailed plans for the base. They have a vague idea that the base has a weak point in its power system. They arrive at the base and sail through the shields at light speed as ‘they were not designed to stop light speed approaches’. That seems like a big hole to have in a firewall or shields. So who assured the shield’s design? Who looked over it and did a risk assessment? I suspect this wouldn’t have been a direct task of internal audit, but it would have been the role of internal audit to look at where other sources of assurance were: how the technical design was assured; was the assurance of high technical quality and independent; was the project completed within a reasonable project methodology; and did the project get signed off and approved for go-live through a reasonable process?

We also identify an HR issue with the defection of one stormtrooper, FN2187, to become Finn. We see good controls being deployed with analysis over the defection, what controls were missing, and why the defection was not detected earlier; although Kylo Ren did seem to notice on Jakku, no other controls kicked in. So I would not, on a risk basis, think the first line management or the HR department of the First Order would have been at fault here. Nor do I think, as the CAE for the First Order, I would have picked it up.

It goes without saying that ethics processes and culture of the First Order would have been picked up by me as the CAE. The illegal and amoral acts of the organisation were pretty clear, as was the culture. So I think I would have thought carefully about being the CAE of such an organisation, and if I was, think carefully about whether I could stay. I suspect this is the real reason the CAE of the First Order does not make an appearance in the film; they did not have one appointed (!).

If we consider security processes, often neglected by internal audit as being ‘specialist’ I think I would have had a look at these. The film suggests that various individuals were allowed to wander about the base with little in the way of detection, including a former prisoner. This all seems a bit lax to me. I do often suspect that security is 80% deterrence and 20% actual control. So perhaps this is a timely reminder for me in this galaxy to refresh my view of this critical area.

Health and safety seems somewhat lax. So as the Starkiller planet begins to collapse, and it seems to do this over some time, there is no great exit of staff, though some senior staff seem to take off quickly. I wonder what fire alarms, damage alarms, escape pods or equivalent were installed? This should have been assured by the project assurance over the project that built it, so I would be disappointed that so few staff appeared to escape from final destruction of the base.

So all in all my conclusion is that the First Order is probably unaudited. The third line of defence would not be effectively put in place in any case, as the governance and senior management processes appear to be missing for it to graft effectively into the organisation. I think the First Order got what they deserved for such an absence!

It does make me think what uniform I would have for the audit and counter fraud teams in the First Order. I think it has to be something to mark out the independence of the audit team – so plain white stormtrooper uniforms would not cut it – thoughts on a postcard (or in comments below) please!

Vanilla crunch




So there is always a balance in audit. A balance between summary and detail. Evidence and efficiency. Cost and value. As a CAE I feel this balancing act most acutely when deciding where to pitch a report. A report should try to tell the broadly ‘right’ story (I don’t believe in absolute right and wrong, only relative versions). Yet within this broadly right story, there are a set of messages, the tone of messages, and how tough the message is and how it might prompt or prevent change in your client (the ultimate point of audit).

There is a balance then between being ‘tough’ and making a report ‘crunchy’ enough to deliver the message forcefully enough to get noticed and create change; and the need to be ‘vanilla’ enough to deliver the message in a way that will be heard, will be respected, will be engaged with, and will not appear critical. The vanilla crunch balance is one that I wrestle with.

I have to be honest, it’s not always one that I get right. Sometimes when I think something is fairly obvious and no one could possibly disagree or challenge the narrative, the report lands with a hard crunch. Other times when I think the message is quite complex, or a difficult context for change and improvement of controls is needed, I find that I pitch the report too softly and it does not prompt the debate and discussion it needs to.

So what factors do I consider when deciding on the vanilla crunch? Well, being an ‘internal’ internal auditor helps. I am cognisant of the current management and organisational narratives, pre-occupations, cultural norms and totems. These are essential elements of ‘soft knowledge’ needed to decide whether a message is one that will be understood, individually, collectively and organisationally. I will also try out messages with the top of the organisation, and socialise some findings very early on to find out whether there is a strong need to course correct or change my strategy. My audit team has a reports ‘rating panel’ consisting of the senior management team. This provides a logic check against my individual perception, brings to bear our full internal audit department knowledge of the organisation, and ensures that reports are consistent irrespective of the drafting and reviewing team.

I do find that the ability to understand and connect to top organisational politics is one that is often limited to the CAE. I am not sure why. Perhaps it is because top level peer to peer conversations only occur with the CAE. If a CAE is any good, they should be treated as a helpful sounding board for senior officers of an organisation in any case. So I encourage my senior auditors and audit team to engage in organisation-wide conversations and client conversations. These are essential so that, when you are writing your assurance report or presentation or message in whatever form, that you are considering how the audience will react.

I would caution about being too client-oriented. Some of the best reports in terms of final outcomes and change have come from the most challenging ‘crunchy’ reporting. Sometimes an audit team and CAE must tough it out to get a sensible position. Don’t forget, the CAE and the internal audit function are the only points of real organisational accountability and change, and are uniquely placed, being both independent and internal, to deliver vanilla crunch. For regulation is a blunt and tough tool. Yes, it can stop the worst excesses of organisations and risk, but as the dialogue is normally played out ultimately in public, there is an adversarial and closed nature to the process. It is not a conversation; more crunch and no vanilla.

So if we reflect on our personal experiences, the most significant change has come from someone we trust telling us difficult messages. Our best friend, a family member, a trusted partner. Why? I think because there is an openness to really listening that is not open to those less trusted.

So how do you deliver optimal vanilla crunch? I think it is not, as so many auditors and audit reports try, to wrap up bad news in sugary coatings or cotton wool. Nor is it necessarily about balancing the report with ‘well on one side this, and the other that’. These approaches merely obfuscate and confuse the storyline.

It is about deciding, before putting pen to paper, fingers to keyboard, or slides to projector, what the actual storyline is and then telling it in an authentic and straightforward way in language and cultural totems the client organisation will understand. You really do need to be internal to an organisation to do this effectively.

I find the more straightforward, logical and most importantly authentic, a narrative is, the more crunch can be delivered whilst maintaining enough perception of vanilla to make it be adopted and engaged with by your clients.

So how do you deliver your vanilla crunch?

Mind the gap?




Mindfulness and internal audit are not natural bed fellows. Let’s define it:

Mindful (comparative more mindful, superlative most mindful). Being aware (of something); attentive, heedful.

I think internal audit and auditors have a natural predisposition against being mindful. We are trained to be dispassionate and objective. We value not getting emotionally connected or engaged with the subjects we audit. We are naturally competitive. We as auditors are always looking for how something can be improved and looking for non compliance, fraud, error, sub optimality of any type. We are trained to be professionally sceptical. We don’t take things at face value and we challenge the status quo. All of these things incline us to be less mindful of our clients and colleagues.

When you become a CAE the tables are turned. Suddenly mindfulness is helpful and useful. As a CAE, I have written before on this blog about working out how reports and messages will ‘land’. A good CAE should be able to work out how their work will impact the organisations and individuals in the client organisation. I have in the past become frustrated by what I call fake mindfulness. That is, where people become bland, do not have opinions, are not open and honest with each other and see all feedback as criticism. Often management teams fall into this trap. This is not a good place for an organisation to be in, where honest and open debate is not allowed, promoted or engaged with. Sure not every decision can be endlessly debated and challenged, but equally no challenge leads to organisational atrophy and group think. It can be frustrating as a CAE to see problems that are not tackled all to avoid conflict or uncomfortable situations. Ultimately they can impact organisational culture and performance. There has been much written about the risk taking culture in Barclays and other banks, for example.

So in my view a good CAE must be able to deliver difficult and challenging messages. Some in our profession actually go into the personally brave mode, to tell organisations about serious problems and are threatened, harassed and sacked for doing so.

Yet a CAE must be brave, honest and mindful. As I have progressed in my career I have come to understand the world is a lot greyer than I previously imagined it. The world is not black and white, right and wrong. Differences of opinion are to be celebrated, endorsed, validated and mutually accepted. I have also come to understand organisations in greater depth and see people, not processes or systems, as the core of how organisational control works. This means understanding people.

As a CAE I also manage an audit team. This means managing people. People who are generally excellent and committed to excellence, but who all have lives, families, partners, health and social issues, pressures and stresses and different opinions. So the immediate prima facie reaction and consideration of staff issues I have learned is not always massively helpful.

As an example, I travel on planes a lot. At the end of the flight, once the plane has taxied onto the stand, those in the aisle stand up and get their bags ready. They queue in the aisle to depart. I have a simple rule that rushing will not help, pushing past others is not useful, and for those by the window, being given a few moments to get up, put your coat on and get your bag out of the overhead locker is really helpful. So I am mindful, on the basis of fairness, to always stop the aisle queue when I am at the head of it and allow those in the row in front to get out. As I got up this evening a lady was by the window seat in the row in front. When the others in her row had all gone, she looked at me and paused. I simply gesticulated for her to feel free to get out and get her bag, stopping the aisle queue behind me. As she got up, I noticed she was disabled and walking took great effort. She was so grateful for my courtesy. I did not know she was disabled; she was sat down and had boarded the plane before I had. Yet I felt so much compassion and admiration for her as she descended the steps, with great difficulty, off the plane and then walked to the terminal. Had I not been mindful and courteous, I would have felt awful if I had pushed past or been grumpy to get off the plane.

So it is with audit clients and with team members. We should always try to anticipate, or seek to provide space to understand, that people are complex and have all sorts of things going on in their lives. This is not a charter for a less demanding or lower standards audit, but more a recognition that the world is complex and not simple, and that other, perhaps more plausible or difficult, explanations may emerge for issues, risks or performance difficulties.

As another example, my audit teams travel internationally. They are away for up to two weeks, working and socialising with their colleagues. Now this is difficult territory. For in that space in the evenings my teams are neither fully in work, nor fully at home. They can be tired, stressed, sometimes ill and missing home. So we, as an audit team, need to cut our colleagues a little slack. Sometimes people are grumpy or relaxed and don’t stick to the same style they would in the office. This is fine as long as colleagues are mindful and understanding.

Whilst being mindful of others does not come naturally to us as auditors and I think modern management mindfulness, practiced to becoming organisationally bland, is unhelpful, I do think we should mind the gap between our training and our practice. Do you?

Second class?




So I have been thinking about three lines of defence. It is clear to me that this model, and how it actually works in practice, needs some very serious reconsideration. As I said in my original criticism of the model, Attacking the Three Lines of Defence, I found the differences between the third and second line less ‘rigid’ than many would have it from the model.

My contention is that the real divide between the third line and any other line is internal audit’s position as being independent and objective of the organisation. Some would have you believe that the difference between the second and the first line is that certain activities are management activities and that it is the activity, not the conditions under which it is done that defines the line it is in. These same proponents would also have internal audit painted into a small box of activity labelled as ‘assurance’; all items not recognisably audit, that appear to add value to the business, would be ‘consultancy’. This is done, we are told, with the noble intention of avoiding a conflict of interest and loss of independence.

Yet, if we redefine internal audit as assurance and consulting activity with the core attributes of independence and objectivity, rather than by the activities themselves, what a much greater scope and world this gives internal audit. Is it possible that organisations require and need independent assurance, not just for governors, but also as a normal organisational activity? Is it possible that organisations would benefit from a lot better, but also a lot more, internal audit? Is it possible that organisations should consciously plan internal audit as part of a three lines of defence assurance model? In other words, is internal audit part of an organisation-wide eco system? I would contend on all of these – yes it is.

So to the second line of defence. This is always the most troubling one for me. Troubling to define. Troubling to resource. Troubling to deliver.

Why so? Well those who define the second line are often management. Management as a whole (assuming a level of homogeneity for the purposes of this debate) is spectacularly bad at defining and building systems of control. They simply do not do it, except in piecemeal ways, in response to crises and problems. Very few management teams, in my experience, actually see themselves as building systems of control. They are too distracted by issue management really to engage in risk management and too interested in the here and now to concern themselves about the tomorrow. Part of this may be management overload, but part of this may be that they simply are never trained to think in this way. I would recommend all senior managers do both an MBA and an internal audit qualification – for both equip you with the breadth of knowledge and thinking to undertake management governance (where you govern an organisation, rather than manage it).

Troubling to define. I think what counts as second line is defined too narrowly by most organisations now. There is some model of the second line as a risk management function. This is too limited a definition of this activity. Second line activities include, in my view, all corporate and professional functions owning the implementation of policy. Not necessarily implementing it themselves, but owning the responsibility to ensure it is successfully implemented in the organisation. I debate with myself where line management fits within the model. In particular I debate whether successive senior layers of regional or cross departmental management should be seen as second line. This tactical layer of management could be regarded as successive layers of first or second line. I think it does not matter particularly, though I would define it as second line.

Troubling to resource. Where do second line people come from? Well, if you have the narrower definition cited above, you end up with pseudo auditors and risk managers. The training routes and career routes for these talents in the second line are few and limited. So these functions tend to end up as pale imitations of internal audit functions, or as management teams that are semi-independent and disjointed from the rest of management. It is difficult to maintain their professional development – for what is their profession? Difficult to discipline – for what is the discipline they profess? Difficult to hire and replace – for from where would you get them?

Troubling to deliver. I’ve said that in an ideal world all three lines of defence would be not ‘light touch’ but ‘right touch’. In other words, they would be consciously designed and delivered, together, holistically. Yet most organisations are not mature enough in management or risk management terms to do this. So where there is no such clarity, I’ve seen second line functions squashed between the first line (management) and the third line (internal audit).

So do I think the difficulty in delivering the second line is a problem? Yes and no. Yes, where a sensible, coherent and consciously designed three lines is put in place and a second line does not deliver within it. Yes, for those organisations that have not designed their three lines of defence and no second line management function exists (probably no risk management and no second line controls generally). Yes, where there is a small and weak third line internal audit function. Yet I think no, if the second line is conceptualised as a small risk function only and the second line concept is not given sensible space in which to operate. For a good first line should largely cover risk management. A good third line could cover independent challenge and assurance, and the independent assurance and support needs of the first line. In this limited circumstance I think the second line is of lesser importance.

I would emphasise my preference is for a proportionate, consciously designed and broadly conceptualised second line – one that is a genuine second line of the single management team – not a small pseudo audit function tacked onto management.

So I would ask – are you part of a sensibly designed three lines of defence?

The Peoples’ Audit?


I wrote some time ago – and it is my most popular blog post – about Why internal audit is important. In this post I stated that organisations are simply not able to control and govern themselves with what Erica Schoenberger calls ‘strong objectivity’. This is the ability to be ultimately independent of one’s self in the corporate interest. In it I said ‘the executive turkeys are not willing, ultimately, to vote for Christmas, no matter how objective, strong or compelling are the reasons to do so.’

This was prescient, as we hear today about two scandals. First, the peoples’ car, Volkswagen, appears not to be so people-oriented after all (BBC News – Volkswagen). Second, we hear about charities regulation (BBC News – Charities Regulation), where even nice ‘fluffy’ charities cannot be trusted to behave responsibly as corporate entities.

Now I am going to ask the usual question we auditors do – where was internal audit in Volkswagen? I ask this not to say that such a small bit of coding, in a chip in one car engine, could not be missed by internal audit – of course it could. I ask this because did internal audit not pick up the cultural controls that allowed such actions to be deemed acceptable? For let’s be clear, such actions would not be the actions of one rogue individual, they would not be signed off by one local manager in one small business unit; they are intentional fraud. So how far up the organisation, or from the top of it, was the approval given to commit fraud knowingly? This says something much more about organisational governance, culture and control. Surely internal audit would pick this up across the business?

For charities, for the ones that are implicated in the UK review published today, fundraising is not a minor, marginal, activity. It is a major, business related, activity. It is core. So should internal audit have some understanding of the right or wrong ways to do fundraising and should it have reviewed the ethics of doing so? In my view, yes.

What does this tell us about internal audit as a profession more widely? First, I think it reaffirms the importance of internal audit. Organisations cannot self govern. They need strong independent governance, audit and regulatory structures to ensure that they do not act in their own personal or even organisational interest. Of course we do not know the details or extent of Volkswagen’s wrongdoing – simply that there was wrongdoing and that it could be very, very big – £4.6bn big according to today’s news. This could, of course, not just be Volkswagen; it could be other car manufacturers as well.

Second, I think it reconfirms my view that internal audit is not some small rarefied bubble in the organisation, testing the controls theory of organisations. It is a needed and core part of most organisations. It needs to see more, do more, interfere and intervene more. I have been having a debate on this blog with James Paterson and others who think my view of internal audit risks taking internal audit beyond its third line of defence position and, by being more expansive and pervasive in an organisation, inherently weakens the second line of management control. I disagree and consider that internal audit’s third line position does not mean it has to be small, weak, and review the theory of organisations. I see the third line position as one of objectivity and independence, not a prescription for reviewing just systems in theory or necessarily being small, marginalised and organisationally weak.

If Volkswagen had a well resourced internal audit, and had a stronger third line, with an interventionist position, then I think it could have spotted the £4.7bn disaster. That would pay for many years of very good internal audit even in an expanded third line form in my view.

I know that those who hold to the established internal audit wisdom – that organisations are run by first and second line management controls, by rational and organised organisational machines, and that internal audit’s role is to validate the correct and appropriate working of that machine from an organisationally moral Mount Olympus – will disagree with me. For me, however, organisations are not run like machines. People are not all rational. They are selfish, complex, self oriented and prone to moral relativism (I should say they can be amazing, honourable, giving and special too).

I believe internal audit’s unique proposition is objectivity, independence and its organisational position (between the management and governance elements of the organisation). These can, and should, be applied at greater scale in most organisations. Why? Because organisations cannot self govern. Layers of management are not independent of each other; they are one command chain. We learn time and time again that the lines of defence model, whilst a helpful typology, is not real – management cannot control or help themselves, even where it is organisationally rational to do so – otherwise someone in Volkswagen would have calculated the fines per vehicle, decided whether to risk it, and decided no.

So I come back to my core point. Internal audit matters. Internal audit must be bigger, better, braver, and be seen as a normal functioning part of any organisation that is serious about wanting to be run properly. It must look deeper and further into its clients. This takes money and resource, but the payback (if only in fines avoided) must surely justify this leap of faith? Are you ready to leap?

Royal internal audit?


So HM the Queen this week celebrates becoming the longest reigning UK (English, Welsh, Irish and Scottish – does it still include France?) monarch in history. This is no mean feat. Such a period of service and stability for a nation is a real achievement. All the more so because polling suggests she is still loved and is popular amongst her people.

The role of the monarch according to the official website is that the Queen has the right ‘to be consulted, to encourage and to warn’ her ministers via regular audiences with the Prime Minister. She is an executive head of state but her powers are limited and are used sparingly. I suspect only the slower hand of history will provide a real insight into how much power she has exercised during her reign. There has been much commentary on the monarchy, including some that has said that she is the last in her line of monarchs, with the real challenge being at the end of her reign. These commentators suggest that the UK public will, at the end of her reign, spontaneously demand the end of the monarchy. Now no-one is pretending that a monarchy is not a historical anachronism, but if one wants to contemplate ending something then there must be an alternative promulgated and this is where the republican argument goes silent. What do they want? President Blair? President Brown? President Cameron? Hmmm.

For me the real benefit of the monarchy is its ability to be above politics. A lesson Queen Elizabeth’s successors should note. In this I think of HM the Queen as a third line of defence in the UK political system. She is both part of the system, recognised as a valuable and valid part of it, yet somehow detached from it. This gives her views power, insight, import and value. There is nothing to be gained or lost by HM the Queen when she comments on an issue or gives advice. In this I imagine she acts as a mentor to the many prime ministers she has worked with.

Internal audit has some of these elements. Being above the executive management fray and having quiet and informal access to the board and chief executive should provide a platform for internal audit to provide advice, support and guidance way beyond the formal and public audit reports it produces. For surely a quiet, independent word, judiciously selected, should have an impact disproportionate to its cost and effort.

A good CAE should also use this power wisely. Picking up on the latest organisational spat or trend is not helpful, but having some more strategic and helpful insights is. For engaging in local organisational politics, as it would for HM the Queen, is unseemly and detracts from the organisational position internal audit occupies.

Much like HM the Queen, internal audit should be about the ‘organisational commonwealth’, not concerned with one sectoral interest or another. So whilst it is tempting for internal audit to support the latest fads or trends, perhaps it is internal audit’s role to put these in the context of longer, longitudinal trends. It has been said that HM the Queen’s old fashioned outlook, dress and values are beneficial. I think this is probably true. Her look, immaculate and well crafted, is a brand and a positioning of strength for the monarchy. So should CAEs dress similarly? No – but I do think considering a brand and its values is important. Values of ethical probity, a 100 percent commitment to independence, and a commitment to being balanced, fair and fully objective in its views. These are the old fashioned values that internal audit could use in its branding.

So, in my view internal audit has lots of the characteristics of a good monarchy. I also think, much like monarchy, really good internal audit is a British thing. It requires a sense of pragmatism, principles based thinking and a good deal of contingent thinking. Just like monarchy, internal audit should flex and move with the times, but also balance this against timeless values of ethics, standards, probity and a commitment to the very best it can be.

So how is your royal wave?

Three lines of defence and risk appetite


I have begun to think through how these two concepts interrelate. It is obvious that they must, as the three lines are a defence against risks’ crystallisation into issues within an organisation. Risk appetite is an organisation’s expression of how much risk it is prepared to tolerate, bear and take.

So, where do they interact? Most models of the three lines omit any conversation about risk appetite. The goal is to mitigate risk and prevent issues arising. Yet this is not the reality of organisations. Organisations clearly tolerate and deal with both risks and issues.

I have commented before on models of three lines: that is, taking the three lines of defence model from some theoretical statement of absolutes and the law, and recognising it is a model to simplify and help us understand the world of organisational risk and control. It is important to re-iterate that it is not the law or an absolute requirement; it is just a theoretical model within which a set of real life choices need to be taken and applied.

I see a number of choices that I have enumerated before on this blog, see Audit Methodology and Heterogeneous Auditing. You can characterise these by shapes across the three lines – ‘n’, ‘u’ and ‘v’. So the lines of defence can all be pitched at different points. The lesson for internal audit in my view is that this organisational choice (or how it operates even if not consciously chosen) of model matters. In other words, internal audit as the third line, whilst formally independent of the rest of the organisation is, in fact, not. It is a third line. It is one of (at least) three. It makes no sense, therefore, for internal audit to be weak and have a light touch audit programme where the second line is proportionately weaker. Weaker audit functions rely on strong, systematised, management controls. If that is not culturally or functionally in place then internal audit is not serving its clients properly.

There is another layer to this lesson learning for internal audit. One that says that internal audit should be sited within a model of three lines that is organisationally appropriate. So I would expect a systematised and organised business, such as an airline, to have an ‘n’ shaped model. As a passenger I would want an organisation with strong systems and rules, strongly and completely policed by a second line, with the whole model assured by a proportionate independent third line. Yet for a complex and heterogeneous operation, say a university or an international development organisation, I would want a system that allows flex and variation, to take account of local circumstances and to allow innovation.

So we’ve identified that the type of the organisation’s business affects the three lines, and that this, in turn, changes the role of internal audit. So what about risk appetite? Broadly, the lower the appetite for risk, the more controlled you would want the business. This would incline you towards an ‘n’ shaped model. A strong set of designed, extensive and centrally policed rules. Lots of ‘quality assurance’ of the conformance type. So internal audit in this model would spend time reviewing the system, the sausage machine. It would assume, if the machine was well designed and operating, that the resulting ‘sausages’ are good.

The usual scientific model of internal audit, of conformance and compliance, would be fine here. This would have an interesting consequential effect on the model of internal audit. People would perhaps have less need of complex subtlety and require less experience and fewer academic qualities. You could have fewer of them, using data analytics and machines to test the machine. Risk based judgements would be fewer, as the risk judgements would be embedded into the machine. In reality you are less likely to attract the very best people, as the work would be less stimulating or interesting than policy work. The reporting would be more straightforward and less difficult to produce.

Compare this to a ‘u’ shaped model. You need bright, challenging, academic and thoughtful audit. You can have an almost completely risk based plan – there’s little need for compliance work. This requires more flexible reporting, engagement, support and co-working with clients. The internal audit team would attract bright and enthusiastic people, the very best. Reporting would be complex, nuanced and take time. You would probably need an overall larger function to get suitable coverage of the overall heterogeneous portfolio.

So these models matter. They really matter to internal audit at its very soul and core.

Yet the world is more complex (as ever). So risk appetite varies by type of activity. So control over general activity is less likely to be as strong as, say, control over activity using complex financial instruments. HR controls may be lesser in some areas (say recruitment) and stronger over, say, people health and safety. So you have a complex picture of ‘n’s, ‘u’s, ‘v’s and any other shape you could imagine. As a consequence internal audit is not simply big, small, scientific, socially scientific, compliance or risk based.

Internal audit needs to interpret a complex multilayer picture of models of three lines of defence. Any service that does not have a clear understanding of this picture, and then a clearly articulated response to it, is at risk of being misaligned to its task in my view. Do you?
