Mind the gap?




Mindfulness and internal audit are not natural bedfellows. Let’s define it:

Mindful (comparative more mindful, superlative most mindful). Being aware (of something); attentive, heedful.

I think internal audit and auditors have a natural predisposition against being mindful. We are trained to be dispassionate and objective. We value not getting emotionally connected or engaged with the subjects we audit. We are naturally competitive. We as auditors are always looking for how something can be improved and looking for non-compliance, fraud, error and sub-optimality of any type. We are trained to be professionally sceptical. We don’t take things at face value and we challenge the status quo. All of these things incline us to be less mindful of our clients and colleagues.

When you become a CAE the tables are turned. Suddenly mindfulness is helpful and useful. As a CAE, I have written before on this blog about working out how reports and messages will ‘land’. A good CAE should be able to work out how their work will impact the organisations and individuals in the client organisation. I have in the past become frustrated by what I call fake mindfulness. That is, where people become bland, do not have opinions, are not open and honest with each other and see all feedback as criticism. Often management teams fall into this trap. This is not a good place for an organisation to be in, where honest and open debate is not allowed, promoted or engaged with. Sure, not every decision can be endlessly debated and challenged, but equally no challenge at all leads to organisational atrophy and groupthink. It can be frustrating as a CAE to see problems that are not tackled, all to avoid conflict or uncomfortable situations. Ultimately they can impact organisational culture and performance. There has been much written about the risk-taking culture in Barclays and other banks, for example.

So in my view a good CAE must be able to deliver difficult and challenging messages. Some in our profession actually have to be personally brave, to tell organisations about serious problems, and are threatened, harassed and sacked for doing so.

Yet a CAE must be at once brave, honest and mindful. As I have progressed in my career I have come to understand the world is a lot greyer than I previously imagined it. The world is not black and white, right and wrong. Differences of opinion are to be celebrated, endorsed and validated, and can be mutually acceptable. I have also come to understand organisations in greater depth and see people, not processes or systems, as the core of how organisational control works. This means understanding people.

As a CAE I also manage an audit team. This means managing people. People who are generally excellent and committed to excellence, but who all have lives, families, partners, health and social issues, pressures and stresses and different opinions. So the immediate, prima facie reaction to staff issues, I have learned, is not always massively helpful.

As an example, I travel on planes a lot. At the end of the flight, once the plane has taxied onto the stand, those in the aisle stand up and get their bags ready. They queue in the aisle to depart. I have a simple rule that rushing will not help, pushing past others is not useful, and for those by the window, being given a few moments to get up, put your coat on and get your bag out of the overhead locker is really helpful. So I am mindful, on the basis of fairness, always to stop the aisle queue when I am at the head of it and allow those in the row in front to get out. As I got up this evening a lady was by the window seat in the row in front. When the others in her row had all gone, she looked at me and paused. I simply gesticulated for her to feel free to get out and get her bag, stopping the aisle queue behind me. As she got up, I noticed she was disabled and walking took great effort. She was so grateful for my courteousness. I did not know she was disabled; she was seated and had boarded the plane before I had. Yet I felt so much compassion and admiration for her as she descended the steps, with great difficulty, off the plane and then walked to the terminal. Had I not been mindful and courteous, had I pushed past or been grumpy to get off the plane, I would have felt awful.

So it is with audit clients and with team members. We should always try to anticipate, or seek to provide space to understand, that people are complex and have all sorts of things going on in their lives. This is not a charter for a less demanding or lower-standards audit, but more a recognition that the world is complex and not simple, and that other, perhaps more plausible or difficult, explanations may emerge for issues, risks or performance difficulties.

As another example, my audit teams travel internationally. They are away for up to two weeks, working and socialising with their colleagues. Now this is difficult territory. For in that space, in the evenings, my teams are neither fully at work nor fully at home. They can be tired, stressed, sometimes ill and missing home. So we, as an audit team, need to cut our colleagues a little slack. Sometimes people are grumpy or relaxed and don’t stick to the same style they would in the office. This is fine as long as colleagues are mindful and understanding.

Whilst being mindful of others does not come naturally to us as auditors, and I think modern management mindfulness, practised to the point of organisational blandness, is unhelpful, I do think we should mind the gap between our training and our practice. Do you?

Second class?




So I have been thinking about three lines of defence. It is clear to me that this model, and how it actually works in practice, needs some very serious reconsideration. As I said in my original criticism of the model, Attacking the Three Lines of Defence, I found the differences between the third and second lines less ‘rigid’ than many would have it from the model.

My contention is that the real divide between the third line and any other line is internal audit’s position as being independent and objective of the organisation. Some would have you believe that the difference between the second and the first line is that certain activities are management activities, and that it is the activity, not the conditions under which it is done, that defines the line it is in. These same proponents would also have internal audit painted into a small box of activity labelled as ‘assurance’; all items not recognisably audit, that appear to add value to the business, would be ‘consultancy’. This is done, we are told, with the noble intention of avoiding a conflict of interest and loss of independence.

Yet, if we redefine internal audit as assurance and consulting activity with the core attributes of independence and objectivity, rather than by the activities themselves, what a much greater scope and world this gives internal audit. Is it possible that organisations require and need independent assurance, not just for governors, but also as a normal organisational activity? Is it possible that organisations would benefit from a lot better, but also a lot more, internal audit? Is it possible that organisations should consciously plan internal audit as part of a three lines of defence assurance model? In other words, is internal audit part of an organisation-wide ecosystem? I would contend on all of these – yes it is.

So to the second line of defence. This is always the most troubling one for me. Troubling to define. Troubling to resource. Troubling to deliver.

Why so? Well, those who define the second line are often management. Management as a whole (assuming a level of homogeneity for the purposes of this debate) is spectacularly bad at defining and building systems of control. They simply do not do it, except in piecemeal ways, in response to crises and problems. Very few management teams, in my experience, actually see themselves as building systems of control. They are too distracted by issue management really to engage in risk management, and too interested in the here and now to concern themselves with tomorrow. Part of this may be management overload, but part of this may be that they are simply never trained to think in this way. I would recommend all senior managers do both an MBA and an internal audit qualification – for both equip you with the breadth of knowledge and thinking to undertake management governance (where you govern an organisation, rather than manage it).

Troubling to define. I think what counts as second line is too narrowly defined by most organisations at present. There is some model of the second line as a risk management function. This is too limited a definition of this activity. Second line activities include, in my view, all corporate and professional functions owning the implementation of policy. Not necessarily implementing it themselves, but owning the responsibility to ensure it is successfully implemented in the organisation. I debate with myself where line management fits within the model. In particular I debate whether successive senior layers of regional or cross-departmental management should be seen as second line. This tactical layer of management could be regarded as successive layers of first or second line. I think it does not matter particularly, though I would define it as second line.

Troubling to resource. Where do second line people come from? Well, if you have the narrower definition cited above, you end up with pseudo-auditors and risk managers. The training routes and career routes for these talents in the second line are few and limited. So these functions tend to end up as pale imitations of internal audit functions, or as semi-independent management teams, disjointed from management. It is difficult to maintain their professional development – for what is their profession? Difficult to discipline – for what is the discipline they profess? Difficult to hire and replace – for from where would you get them?

Troubling to deliver. I’ve said that in an ideal world all three lines of defence would be not ‘light touch’ but ‘right touch’. In other words, they would be consciously designed and delivered, together, holistically. Yet most organisations are not mature enough in management or risk management terms to do this. So where there is no such clarity I’ve seen second line functions squashed between the first line of management and the third line of internal audit.

So do I think the difficulty in delivering the second line is a problem? Yes and no. Yes where a sensible, coherent and consciously designed three lines is put in place and a second line does not deliver within it. Yes for those organisations that have not designed their three lines of defence and where no second line management function exists (probably no risk management and no second line controls generally). Yes where there is a small and weak third line internal audit function. Yet I think no, if the second line is conceptualised as a small risk function only and the second line concept is not given sensible space in which to operate. For a good first line should largely cover risk management. A good third line could cover independent challenge and assurance, and the independent assurance and support needs of the first line. In this limited circumstance I think the second line is of lesser importance.

I would emphasise my preference is for a proportionate, consciously designed and broadly conceptualised second line – one that is a genuine second line of the single management team – not a small pseudo audit function tacked onto management.

So I would ask – are you part of a sensibly designed three lines of defence?

The Peoples’ Audit?




I wrote some time ago – and it is my most popular blog post – about Why internal audit is important. In this post I stated that organisations are simply not able to control and govern themselves with what Erica Schoenberger calls ‘strong objectivity’. This is the ability to be ultimately independent of one’s self in the corporate interest. In it I said ‘the executive turkeys are not willing, ultimately, to vote for Christmas, no matter how objective, strong or compelling are the reasons to do so.’

This was prescient. Today we hear about two scandals. First, the people’s car, Volkswagen, appears not to be so people-oriented after all (BBC News – Volkswagen). Second, we hear about the regulation of charities (BBC News – Charities Regulation), where even nice ‘fluffy’ charities cannot be trusted to behave responsibly as corporate entities.

Now I am going to ask the usual question we auditors do – where was internal audit in Volkswagen? I ask this not to say that such a small bit of coding, in a chip in one car engine, could not be missed by internal audit – of course it could. I ask this because did internal audit not pick up the cultural controls that allowed such actions to be deemed acceptable? For let’s be clear, such actions would not be the actions of one rogue individual, they would not be signed off by one local manager in one small business unit; they are intentional fraud. So how far up the organisation, or from the top of the organisation, was the approval to commit fraud knowingly given? This says something much more about organisational governance, culture and control. Surely internal audit would pick this up across the business?

For charities, for the ones that are implicated in the UK review published today, fundraising is not a minor, marginal activity. It is a major, business-related activity. It is core. So should internal audit have some understanding of the right or wrong ways to do fundraising, and should it have reviewed the ethics of doing so? In my view, yes.

What does this tell us about internal audit as a profession more widely? First, I think it reaffirms the importance of internal audit. Organisations cannot self-govern. They need strong independent governance, audit and regulatory structures to ensure that they do not act in their own personal or even organisational interest. Of course we do not know the details or extent of Volkswagen’s wrongdoing – simply that there was wrongdoing and that it could be very, very big – £4.6bn big according to today’s news. This could, of course, not just be Volkswagen; it could be other car manufacturers as well.

Second, I think it reconfirms my view that internal audit is not some small rarefied bubble in the organisation, testing the controls theory of organisations. It is a needed and core part of most organisations. It needs to see more, do more, interfere and intervene more. I have been having a debate on this blog with James Paterson and others who think my view of internal audit risks taking internal audit beyond its third line of defence position and, by being more expansive and pervasive in an organisation, inherently weakens the second line of management control. I disagree, and consider that internal audit’s third line position does not mean it has to be small, weak, and review only the theory of organisations. I see the third line position as one of objectivity and independence, not a prescription for reviewing just systems in theory, or for necessarily being small, marginalised and organisationally weak.

If Volkswagen had had a well-resourced internal audit, and a stronger third line with an interventionist position, then I think it could have spotted the £4.7bn disaster. That would pay for many years of very good internal audit, even in an expanded third line form, in my view.

I know that those who hold to the established internal audit wisdom – that organisations are run by first and second line management controls, by rational and organised organisational machines, and that internal audit’s role is to validate the correct and appropriate working of that machine from an organisationally moral Mount Olympus – will disagree with me. For me, however, organisations are not run like machines. People are not all rational. They are selfish, complex, self-oriented and prone to moral relativism (I should say they can be amazing, honourable, giving and special too).

I believe internal audit’s unique proposition is objectivity, independence and its organisational position (between the management and governance elements of the organisation). These can, and should, be applied at greater scale in most organisations. Why? Because organisations cannot self-govern. Layers of management are not independent of each other; they are one command chain. We learn time and time again that the lines of defence model, whilst a helpful typology, is not real – management cannot control or help themselves, even where it is organisationally rational to do so – otherwise someone in Volkswagen would have calculated the fines per vehicle, weighed whether to risk it, and decided no.

So I come back to my core point. Internal audit matters. Internal audit must be bigger, better, braver, and be seen as a normal functioning part of any organisation that is serious about wanting to be run properly. It must look deeper and further into its clients; this takes money and resource, but the payback (if only in fines avoided) must surely justify this leap of faith? Are you ready to leap?

Royal internal audit?




So HM the Queen this week celebrates becoming the longest-reigning UK (English, Welsh, Irish and Scottish – does it still include France?) monarch in history. This is no mean feat. Such a period of service and stability for a nation is a real achievement. All the more so because polling suggests she is still loved and is popular amongst her people.

The role of the monarch, according to the official website, is that the Queen has the right ‘to be consulted, to encourage and to warn’ her ministers via regular audiences with the Prime Minister. She is an executive head of state, but her powers are limited and are used sparingly. I suspect only the slower hand of history will provide a real insight into how much power she has exercised during her reign. There has been much commentary on the monarchy, including some that has said that she is the last in her line of monarchs, with the real challenge being at the end of her reign. These commentators suggest that the UK public will, at the end of her reign, spontaneously demand the end of the monarchy. Now no-one is pretending that a monarchy is not a historical anachronism, but if one wants to contemplate ending something then there must be an alternative promulgated, and this is where the republican argument goes silent. What do they want? President Blair? President Brown? President Cameron? Hmmm.

For me the real benefit of the monarchy is its ability to be above politics. A lesson Queen Elizabeth’s successors should note. In this I think of HM the Queen as a third line of defence in the UK political system. She is both part of the system, recognised as a valuable and valid part of it, yet somehow detached from it. This gives her views power, insight, import and value. There is nothing to be gained or lost by HM the Queen when she comments on an issue or gives advice. In this I imagine she acts as a mentor to the many prime ministers she has worked with.

Internal audit has some of these elements. Being above the executive management fray and having quiet and informal access to the board and chief executive should provide a platform for internal audit to provide advice, support and guidance well beyond the formal and public audit reports it produces. For surely a quiet, independent word, judiciously selected, should have an impact disproportionate to its cost and effort.

A good CAE should also use this power wisely. Picking up on the latest organisational spat or trend is not helpful, but having some more strategic and helpful insights is. For engaging in local organisational politics, as it would be for HM the Queen, is unseemly and detracts from the organisational position internal audit occupies.

Much like HM the Queen, internal audit should be about the ‘organisational commonwealth’, not concerned with one sectoral interest or another. So whilst it is tempting for internal audit to be supporting the latest fads or trends, perhaps it is internal audit’s role to put these into longer, longitudinal trends. It has been said that HM the Queen’s old-fashioned outlook, dress and values are beneficial. I think this is probably true. Her look, immaculate and well crafted, is a brand and a positioning of strength for the monarchy. So should CAEs dress similarly? No – but I do think considering a brand and its values is important. Values of ethical probity, a 100 percent commitment to independence, and a commitment to being balanced, fair and fully objective in its views. These are the old-fashioned values that internal audit could use in its branding.

So, in my view internal audit has lots of the characteristics of a good monarchy. I also think, much like monarchy, really good internal audit is a British thing. It requires a sense of pragmatism, principles-based thinking and a good deal of contingent thinking. Just like monarchy, internal audit should flex and move with the times, but also balance this against timeless values of ethics, standards, probity and a commitment to the very best it can be.

So how is your royal wave?

Three lines of defence and risk appetite




I have begun to think through how these two concepts interrelate. It is obvious that they must, as the three lines are a defence against risks crystallising into issues within an organisation. Risk appetite is an organisation’s expression of how much risk it is prepared to tolerate, bear and take.

So, where do they interact? Most models of the three lines omit any conversation about risk appetite. The goal is to mitigate risk and prevent issues arising. Yet this is not the reality of organisations. Organisations clearly tolerate and deal with both risks and issues.

I have commented before on models of three lines; that is, taking the three lines of defence model away from some theoretical statement of absolutes and the law, and recognising it is a model to simplify and help us understand the world of organisational risk and control. It is important to reiterate that it is not the law or an absolute requirement; it is just a theoretical model within which a set of real-life choices need to be taken and applied.

I see a number of choices that I have enumerated before on this blog; see Audit Methodology and Heterogeneous Auditing. You can characterise these by shapes across the three lines – ‘n’, ‘u’ and ‘v’. So the lines of defence can all be pitched at different points. The lesson for internal audit, in my view, is that this organisational choice of model (or how it operates even if not consciously chosen) matters. In other words, internal audit as the third line, whilst formally independent of the rest of the organisation, is in fact not. It is a third line. It is one of (at least) three. It makes no sense, therefore, for internal audit to be weak and have a light-touch audit programme where the second line is proportionately weaker. Weaker audit functions rely on strong, systematised management controls. If these are not culturally or functionally in place then internal audit is not serving its clients properly.

There is another layer to this lesson for internal audit. One that says that internal audit should be sited within a model of three lines that is organisationally appropriate. So I would expect a systematised and organised business, such as an airline, to have an ‘n’ shaped model. As a passenger I would want an organisation with strong systems and rules, strongly and completely policed by a second line, with the whole model assured by a proportionate, independent third line. Yet for a complex and heterogeneous operation, say a university or an international development organisation, I would want a system that allows flex and variation, to take account of local circumstances and to allow innovation.

So we’ve identified that the type of the organisation’s business affects the three lines, and that this, in turn, changes the role of internal audit. So what about risk appetite? Broadly, the lower the appetite for risk, the more controlled you would want the business. This would incline you towards an ‘n’ shaped model. A strong set of designed, extensive and centrally policed rules. Lots of ‘quality assurance’ of the conformance type. So internal audit in this model would spend time reviewing the system, the sausage machine. It would assume, if the machine was well designed and operating, that the resulting ‘sausages’ are good.

The usual scientific model of internal audit, of conformance and compliance, would be fine here. This would have an interesting consequential effect on the model of internal audit. Auditors would perhaps have less need of complex subtlety, and require less experience and fewer academic qualities. You could have fewer of them, using data analytics and machines to test the machine. Risk-based judgements would be fewer, as the risk judgements would be embedded into the machine. In reality you are less likely to attract the very best people, as the work would be less stimulating or interesting than policy work. The reporting would be more straightforward and less difficult to produce.

Compare this to a ‘u’ shaped model. You need bright, challenging, academic and thoughtful audit. You can have an almost completely risk-based plan – there’s little need for compliance work. This requires more flexible reporting, engagement, support and co-working with clients. The internal audit team would attract bright and enthusiastic people, the very best. Reporting would be complex, nuanced and take time. You would probably need an overall larger function to get suitable coverage of the overall heterogeneous portfolio.

So these models matter. They really matter to internal audit at its very soul and core.

Yet the world is more complex (as ever). Risk appetite varies by type of activity. So control over general activity is less likely to be as strong as, say, control over activity using complex financial instruments. HR controls may be weaker in some areas (say recruitment) and stronger over, say, people’s health and safety. So you have a complex picture of ‘n’s, ‘u’s, ‘v’s and any other shape you could imagine. As a consequence internal audit is not simply big, small, scientific, social-scientific, compliance-based or risk-based.

Internal audit needs to interpret a complex, multilayered picture of models of three lines of defence. Any service that does not have a clear understanding of this, and then a clearly articulated response to it, is at risk of being misaligned to its task in my view. Do you?

Audit methodology




Anyone who reads my blog over time (there must be some!) will know that I consider the heart of good internal audit to be its methodology. CAEs spend all of their time being, and are professionally trained to be, dispassionate and objective, yet, in my experience, audit methodology is the subject that creates the most passion in most CAEs.

Why is this? Well, I think it is because internal audit as a profession is principles-based. There is no definitive right and wrong. No law or legally enshrined rules. This, for my generation of CAEs, brought up and trained as external auditors, is challenging. It is challenging because financial statements are controlled by rules. Sure, there are financial statement judgements, but in the main there is right and wrong. So many CAEs will create a view of internal audit and see that as definitively the only or ‘right’ way to do internal audit. They will bring this to their internal audit work and define a framework of rules for internal audit. Hence audit methodology creates so much passion.

As I’ve grown as an individual and as a professional I have come to see internal audit as a paradigm, within which a significant range of choices and options can be taken. So risk-based internal audit can be a number of different things. I have also learned that a client’s risk maturity can have an impact on the audit service, but not as much as the IIA or other internal audit commentators would have you believe. I think the real thing that drives internal audit methodology is the nature of your client’s business and how it creates its control environment.

As I’ve posited before, one could think about this in terms of the three lines of defence. In particular I’ve seen two broad models, the ‘n’ and the ‘u’ shaped model. For further commentary see my post Heterogeneous Audit. But these models of risk management and control are themselves founded on a fundamental view of the world. Is the world one susceptible to rules and right and wrong, or is it more a set of principles-based judgements? So what model your client adopts should affect your model of assurance.

I believe the world is too complex and difficult to be effectively run through rules. The building blocks of business – customers, employees and delivery – are all too complex to be controlled through rules. Any auditor who truly believes in a rules- and controls-based world is either thinking wishfully, or has not enough experience of how things really work and happen. For even in the most rational, ordered and rules-based organisations, human intuition, judgement and complexity manage significant risks.

So in my view audit functions, and the very best auditors, see the world as being principles-based. Sure, have some rules. Have some rational order. Do not expect these to really control the significant risks to the business. I am working my way through a PhD looking at the marketing concept’s use in organisations. Now marketing is an economically rational, scientific process. So you would expect an organisation to consider the concept of marketing consciously and apply it in a rational and ordered way. During my study I’ve found that very few organisations have rationalised and ordered their marketing activities in any meaningful and conscious manner. So it is for risk and control frameworks. Very few organisations consciously consider, carefully design and meticulously deliver their control framework.

So internal audit can continue to believe in the fantasy of perfect risk and control maturity, or it can instead work with organisations as they really are and build a sensible level of ambition and follow-through that makes sense in the client’s market and cultural setting.

So, coming back to my original point. It makes little sense for a CAE and their audit function not to consider their client’s control context. It also makes little sense for internal audit not to have consciously considered and designed their methodology to match.

This has two significant consequences for internal audit in my view. First, that internal audit must have consciously considered what its methodological standpoint is. This needs to be done intellectually, conceptually and in delivery terms. If an audit function cannot articulate this at a fundamental level, then I think the audit function must be prone to a high risk of failure. The second consequence is that internal audit as a profession must accept differences in methodology. These differences can be quite significant, as clients can be significantly different. So an audit function auditing a charity delivering international aid may look very different to one auditing a private sector airline business.

These methodological differences are important. Whilst all CAEs like to believe their methodology is the ‘right’ one, they must accept that the fact that other CAEs have different methodologies disproves this belief. Similarly, all CAEs should have a clear articulation of why they do what they do, not just describe it. Being compliant with standards (principles-based as they are) is just the start; it is a necessary, but not sufficient, explanation of an audit methodology.

So do I believe I have the ‘right’ methodological internal audit answer? No. I do have the start though, a clear rationale for the viewpoint, model and consequential internal audit practice I have adopted. Do you?

Agile, adaptive, serendipitous or out of control?

One of the greatest pleasures I get as an auditor is working in a cross-disciplinary way across my client organisations. This means I can be a marketer, IT person, HR person, finance person etc. The way I do this is not to be an expert in each area, but to bring my professional expertise of being an auditor to each of these disciplines and areas of my client organisation. I do this primarily through being a qualified internal auditor (not a chartered accountant – it’s not the same), but also through being multidisciplinary myself: being a chartered accountant, holding a generalist MBA, and also being qualified in risk management and IT audit.

I mention cross disciplinarity because as an auditor you can see this playing out in different professional areas of the business. So as a recent example, IT professionals have now discovered ‘agile’ systems development and also my international development programme management colleagues have discovered adaptive programming. The two are quite similar.

It’s difficult to find a good working definition of agile so I will attempt to define how I see it. For a good paper see the US Government’s GAO report: http://www.gao.gov/assets/600/593091.pdf. Both agile and adaptive development to my mind have similar traits. They adopt short windows of work incrementally, are close to customers and beneficiaries, locate success in meeting customer and beneficiary needs, have less burdensome documentation, and frequently change direction. In other words it is an incremental and iterative, rather than a linear and process-oriented, way of delivering projects.

Agile is a process through which it is recognised that software systems need space to react, move, develop, iterate and incrementally develop. It works on the idea that most systems are still valuable with 80% of the specified functionality and do not need to be perfect. So instead of a linear process of specifying needs, then building them, testing them and releasing them, it provides for iterative loops until a good enough system is developed (i.e. the ‘technical debt’ is paid off – the gap between the system and users’ requirements).

Adaptive programming is quite similar. In international development the variables creating the ‘wicked problems’ preventing development are too numerous to calculate in advance with any reliability. So why not try something, then adapt it as you go along, and, once working, scale it up? Most projects are not linear, so why not be upfront and recognise it?

So the common challenge in these two approaches is control. Control because the way organisations control things is through management approval, normally on a hierarchical and linear basis, of a set plan. This plan is then prioritised and resourced, and the party that is approved to deliver it has a set of inputs (resources), which are put through processes to deliver outputs and then ultimately outcomes, related to the original objectives. Variances to budgets, processes, outputs and outcomes are then measured, and value for money and success are then assessed.

This command and control process does not work well in the context of adaptive or agile programming. Programmes are not well understood at commencement; the starting point varies considerably from the potential range of end points. Variances provide poor, if any, indicators of performance; value for money is extremely hard to judge until the final completion of the programme.

So is adaptive or agile work simply poorly controlled or does it recognise our human nature and allow for complex problems to be solved? As an auditor, but also a socially scientific auditor, I am torn. My professional training tells me that control should be established, that order and documentation make sense. Anarchy cannot be allowed to reign. Yet the social scientist in me, a realist one at that, tells me that this makes better sense of the real world. People, organisations and problems are messy. Why not be realistic and remove the linear planning processes we put in place to manage it? The same arguments are deployed in international and IT development as are deployed for research. Namely – you cannot plan research, you cannot know where you will end up at the beginning of a project.

Yet more scientific disciplines seem to manage. House builders, architects, physicists, manufacturers and many other disciplines seem to be able to design, build and deliver things from the outset and use budgets, input process and output measures to control the activities. These are also complex things. Boeing builds complex aeroplanes. Mercedes complex cars. So why should IT, international development and academic research be any different?

I guess as a socially scientific auditor I see a position in between. I see adaptive, agile, serendipitous activities as valuable. Valuable as part of a portfolio. A minority part of a portfolio. All universities, companies, international development NGOs and IT functions need some space to be creative. Space to allow freedom to adapt and change. This is where the truly imaginative and creative breakthroughs will occur. But most organisations will need to balance this. They will need to justify the use of the resources applied. They will need to be able to have overall value for money. High risk (in the uncertainty sense), high return (in the innovation sense) processes are fine, but you need some lower risk but still substantial return projects to balance this out. Any organisational portfolio that only comprises these elements will fail at some point; it is just a matter of time.

So is serendipitous, adaptive or agile work auditable? Sure. First question – is it suited to the task? i.e. does the project need something that mostly works or something that 100% works? I would not like to see agile work on aeroplane construction, for example. Second question – are these types of project too significant at a portfolio level? If they are, the organisation is put at significant risk of failure. Third question – if it fails, can the organisation cope with all of the impacts? For this think not just financial, but also legal, political and, most importantly, reputational. Reputation risk is difficult to predict and even more difficult to control. Fourth question – is the project controlled? For being adaptive, agile, or serendipitous is not being out of control. I would expect to see excellent risk management. Constant updates to paperwork in an efficient manner. A really strong audit trail of decisions taken and escalation of decision making where it was required.

So I would argue that these flexible methods, applied well, in context, in proportion, by the very best people the organisation has to offer, can be perfectly well controlled. They can be equally well audited by an auditor with the right mindset.

My experience tells me that too often, though, these structured methodologies are taken to be a lack of structure, a relaxing of control, a lack of suitable accountability, and too often they are done with others’ resources without recourse to the funder. For the methodology is never a justification for poor control, only different control. As auditors we will need to lighten up, be less scientific and more flexible, for these are spaces in which independent, intelligently applied internal audit has a legitimate and helpful remit.

So when is your next agile, adaptive or serendipitous audit?

Heterogeneous auditing

As an auditor I’ve spent nearly the whole of my career at the edge of my ignorance, and I’ve loved it. Almost every review I’ve done is new. For when you see people and organisations in their full, wonderful and frustrating complexity, not the simplified representation of reality a systems audit approach would have you believe, everything is new.

Sure, in my junior audit days I did financial statements and data audits. Yes they were repetitive and dull in places. Long checklists of things to ensure were ‘right’. Yet, when I was put as a junior on internal audits outside of these areas, I noticed that people, not paper or processes, controlled organisations. I noticed that personalities came into play. I noticed that people have differing perspectives. I noticed the difference between low and high performing organisations and departments was people.

Two things I look for in a new auditor for my team are common sense and an ability to engage with, and understand, people. Now common sense is a misnomer. Common sense is anything but. Common sense is an ability to take a step back from something and ask the blindingly obvious questions that are not blindingly obvious to others. It is an ability to say – I don’t understand this, it doesn’t stack up, explain it to me – without feeling embarrassed, ashamed or ignorant.

I also look for raw intelligence and analysis. I look for the capacity to think. This is not just locked into the brightest and best from the top universities; it is a way of thinking, an approach to life. It is something that someone either has the ability to do or not. Sure, I’ve managed to get those with latent and hidden talent to develop and engage it, but I’ve never been able to teach someone to think. Perhaps other CAEs have; I’m afraid I’ve failed at that. I would welcome stories about how others have managed to do this.

So I consider the ability to engage with organisations in their heterogeneous complexity as crucially important to a good audit. This is uncomfortable for audit. Auditors are used to ignoring people and the soft stuff of organisations. We audit rules, systems; definite things. I know many good auditors and functions that will nuance an audit message, or provide the true position ‘between the lines’. You read their reports, however, and they point out ‘suboptimal’ areas, things that could be ‘enhanced’, areas of ‘potential uncertainty’ and whatever other euphemistic phrases we get taught at audit school. Yet, when you get the authors of those reports in a pub, with a pint, then they will tell you how it really is. They will tell you the people they think are excellent and those that are, conversely, dreadful. They will provide a detailed and rich organisational narrative that is genuinely able to explain how things really are. I can assure you, in most organisations, they are suboptimal in my experience.

So how do we, as leaders in our profession, move internal audit discourse into a more reflexive space? How do we enable organisations to benefit from our structured yet rich and contextual analysis? How can we move to getting our professional discourse to be more disco and less royal court-style gavotte?

I would suggest that the Institute is recognising this as well. Richard Chambers in his blog (www.iaonline.theiia.org/blogs/chambers) is messaging that internal audit needs to change. He is moving (not before time from a British perspective) to the new principles-based approach, enshrined in the new 2015 IPPF (International Professional Practices Framework). This requires internal audit to be less straitjacketed, more nimble, more flexible, and less obsessed with structural independence (instead focusing on real independence – which in my view is a state of mind). He even thinks it may be time to open up the conversation about internal audit helping in second line functions.

This is all helpful from my perspective. This change agenda makes sense. It chimes with the reality us CAEs face and seems to recognise that most second line functions struggle as they are somewhere between management and the professional discipline of internal audit.

Yet internal audit discourse has a long way to go to become engaged with this level of debate. In the meantime, the demand from the first and management lines of our client businesses for professional assurance becomes ever greater. Yet the profession, or us as leaders of it, remains too nervous to make the leap into becoming a corporate audit function. Our precious independence remains a barrier that prevents us being more than just a niche provider of machine-based auditing somewhere above the organisation but below the board. It is this that is now preventing the profession from self-actualising.

So what is my solution? To allow the profession more space to be independent but also to be the corporate assurance function. This would enable a scaling up of internal audit to provide decent coverage of the organisation, not a high level audit of a mythical process machine. It will enable us to engage with the real first line of the business, its projects, risks, and programmes. If you conceptualise the three lines of defence as ‘N’ or ‘U’ shaped, the former being how most organisations are – weak first line, strong central controls and processes, and a weak and small internal audit function – then we need to evolve to be ‘U’ shaped. We need to have strong, risk-aware, intelligent first line business activities, with a light principles-based second line, and a strong, risk-based, intelligent internal audit function. This will provide the real support and challenge to a business, yet ensure the framework of control (a light principles-based second line) is engaged and effective within the business. It is this approach that will ensure real engagement of internal audit, allow it to be resourced enough to be sustainable, provide interesting and rewarding career options, and take internal audit into the fascinating and real heterogeneity of our client organisations.

How heterogeneous are you?

Audit reports – a measure or shackle of output?

In some senses the pace of change in internal audit during my career has been fast. In the UK the profession has matured, taking Royal Chartership and is no longer the internal financial controls work overseen by the CFO. Yet in other ways the pace of change in the profession has been slow.

Take the idea that we produce audit reports. Audit reports are the measure of output, the measure of the department, the core product of any audit department. Yet we blindly still worry about how many of these things we’ve produced by the end of the year and compare to our annual plan. Any variance from the annual plan is seen as bad and we will stand or fall on the plan.

Now all CAEs know that setting the annual plan is challenging. I don’t for one minute want to say that the annual plan is unimportant, it is not; for one should always have a work ‘budget’ that gives some sense of planned work, some sense and working through of how it is going to be delivered, and some sense of defining what ‘success’ at the end of the year looks like. The annual plan and the number of reviews is only one element though.

There are a number of obvious points that bear stating. Not all reports are the same. Not the same in terms of scope, complexity, size, organisational importance, political sensitivity or value. Some of the most hard-hitting and transformational pieces of work have been ‘small’ when reported, but taken significant work, effort, negotiation and, frankly, blood, sweat and tears, to produce.

Second, one needs to look carefully at the audit report classifications to look under the numbers. Not all reports are equal. So a full risk-based assurance report of a significant process, area of the business, strategic risk or policy is likely to represent some significant effort. A short review of a specific question or subset of any of those units is likely to be a lot less effort. A grant audit and opinion is much less, as they have a short standard audit report format, a work schedule (so less thinking) and less effort all around. CAEs, like me, will spin the outputs to suit our year end performance narrative. So be wary of taking things at face value. So do we have clear classifications of full scope risk-based assurance report; limited scope review; grant opinion; advice note etc.? No. I would encourage CAEs in their annual or periodic reports to do so, to enable better quality comparative views to be taken.

Third, there is a question over whether we should use the audit report as a unit of measurement at all? The global CEO of the IIA, Richard Chambers, argues we should audit ‘at the pace of risk’, meaning the world is fast moving and so should we be. So is the slow, report unit-based, world most CAEs live in still fit for purpose? Should we be auditing continually (or is this second line management?).

Well on one side I think it makes sense for audit reports to be considered more in their wider form, assignments. One output from an assignment is the assignment report, sure. There are a range of other assignment outputs, however. I like to consider an audit assignment to be for life, not just for the audit. So my team don’t walk away having delivered the report, we stand shoulder to shoulder with our management colleagues to help them solve the issues and risks we’ve identified with them. This makes sense if audit is to deliver the value we truly can bring to organisations. It also means that audit is less of a scary process or wringer to be put through, and more of an ongoing piece of consultancy.

Yet as a CAE I need to be able to support the allocation of resources provided to me at the end of each year and commencement of the next, so being clear about what outputs have been delivered is really important. So I would always want to capture any significant support (not just assignment reports) in some way. So I believe the realpolitik of most organisational resourcing processes requires audit reports to be counted, bagged and tagged.

Would I like a world where the audit function was judged less by outputs and more by outcomes? Sure. Would I like the lack of accountability given to other functions (finance, HR, IT, marketing, PR, etc) to be applied to internal audit? Yes – for equity purposes (although I would rather see proper accountability applied to all of them).

So are we going to see a move away from audit reports: a move to continuous assurance; slide packs; multimedia presentations; or assurance through the medium of modern dance? Hmm possibly, though my ability at the latter may not be up to par. I would however like to defend the audit report. It is hard work. It is a well crafted, deliberate and purposeful intervention. It feels less ephemeral than management slide packs. It has to be well-written, stand the test of time, and be both intellectually rigorous and stimulating. So I would always judge an auditor and an audit function by the core, risk based, audit reports; for that is the core mark of an internal audit function and its quality. Should we count how many of these are produced by an internal audit function? Yes. It matters.

So how many have you produced?

Models of effective internal audit?

The UK’s IIA has produced a policy report thinking about models of effective internal audit. It is entitled Models of Effective Internal Audit: How to organise a successful internal audit function.

I have to say I didn’t find this terribly helpful. In the preface Dr Peters, CEO of the UK’s IIA, does state that this report is to ‘inform rather than judge’. When you review the report it seems to describe various audit functions across the public and private sectors and some in between. The report lacks some basic elements. First, a description of what ‘effective’ looks like. Second, any reasonable justification or rationale for the case studies chosen.

The lack of analysis or analytical description is very disappointing, and renders the report largely useless. What we have is a series of high-level descriptions of the audit services themselves, some in more advertisement form, with some pros and cons, all of which I would expect my audit trainees to be able to list out for the studies selected.

There is no sense of how the services map to their respective clients, nor what benefits are particularly useful, or what makes sense in their businesses. Nor are there any generic issues or themes drawn from the case studies. The real benefit of case studies, the rich data, the soft data, the cultural data, is not included. Most disappointing of all is the fact that I know, or have experienced in my career, the quality of service from a number of the selected case studies services, and I would not regard them necessarily as paragons of high quality delivery.

We are told that the Institute’s conclusion is ‘that there is no right or wrong way to deliver internal audit’. Well that is clearly nonsense. There must be a right and wrong way – otherwise why have an Institute? There may be no single right way to deliver internal audit, but that’s a different argument.

So what can we glean from the report? Well they do list some attributes that could be used to measure success of internal audit. These are: knowledge of the client; specialist expertise; flexibility of risk responsiveness; confidence of senior management; RBIA and an agreed audit methodology; advice and guidance through consultancy; consistency of service delivery; co-ordination with other assurance providers; effective teamwork; career development opportunities; and commitment to quality. Well who would argue with all of these? It’s a bit motherhood and apple pie.

So if we think about the examination question – what does good internal audit look like? Let me try to set out what I think it looks like. I think it is internal. The real strength of internal audit is to link a contextual and deep understanding of the client organisation with context independent knowledge (technical ability) brought with organisational independence. I’m sorry, but externally provided internal audit simply does not provide this context-specific knowledge. Being internal makes a real difference to the quality of the service provided because it means you can be independent, but part of the organisation. You can have difficult conversations with the client organisation as ‘one of them’. This is important. This provides permission to operate and a greater engagement with what you are saying as an audit function.

Second, I would suggest a good audit function moves away from financial controls auditing. Most organisations’ risks are not around financial controls and reporting. They are in the first line of the business. No organisation, with the possible exception of Enron, died from financial reporting risk. Most die because their underlying business model falls apart in some way. So SOX and Sarbanes-Oxley? Not so much.

Third, I would argue that internal audit must move away from a compliance mindset. I have freed my audit team to engage with the full panoply of risk, not just auditing a set of rules. Most organisations are not fully rules based in any case. Most modern, flexible organisations are not finding command and control rules helpful. My own client organisation has ‘smart rules’ to promote judgements and risk taking. Google and the new organisations have less rules-based organisational structures. Internal auditors should challenge rules in any case. ‘We do it like this’ – why? Does that map to risk? Is it effective? To do this we need a new breed of internal auditors, ones that think, act and do like consultants. We are consultants; we should act like them. I would argue most organisations are 20% rules; 30% loosely defined processes; 50% culturally informed risk taking. It varies by business, sector and organisation, but an IA function that cannot play in the c.50% is missing the real risk. This is where board-level decisions, strategic choices and life-changing transactions are processed, not in the processes and organisational day-to-day grind.

My fourth suggestion is to be in the front of the business. Most audit functions play around in the corporate zone of their client organisations. If your business sells food, audit food. If it makes cars, look at car production. If it delivers public services, go and look at how it does it. That does not mean ignoring the back office, for it is a false divide between the front and back offices anyway; it does mean, however, being on the ground in the front line of the business.

So I think the Institute has the right idea in asking these questions, but if it is to take a leadership role, it needs to actually do it in a meaningful and helpful way. I appreciate the Institute has a representative role but this does not mean not challenging the functions and members under its organisational aegis. So come on UK IIA, have an opinion and help the profession to develop – be brave!
