Appraising internal audit – impossible or merely difficult?




I have been thinking about what makes a successful internal auditor. This is because my year end appraisal is due. I think it is difficult to appraise a CAE. We are perhaps the strangest job in any organisation.

First of all, there is the question of who is best placed to do it. Normally your line manager does it. This makes sense because they direct and control your work. They decide what good looks like. They define your objectives, resources and activities. A CAE, however, is meant to be independent of the management. The whole point is that the management chain does not define your objectives as a CAE, limit your activities or direct and control your work.

So then we turn to the non-executives, most particularly the audit committee. Most non-executives only see a portion of internal audit’s work, in a formal and presented setting. I’ve been lucky to work with some good chairs, in particular one, who spent time with me and the team to evaluate and understand what we did in some detail. In the main, however, feedback and input into your work as a CAE is by exception, as non-executives do not see your work day to day.

Then there is the fact that most CAEs have a formal reporting line to the CEO, but in practical terms there is a ‘pay and rations’ line reporting relationship, most often to the COO or CFO. Either way, neither the CEO nor the COO is likely to see the full panoply of an internal auditor’s or CAE’s work, particularly as internal audit moves away from just financial control ticking. We work across the organisation, top to bottom, side to side. So it is difficult, in a way not true for other managers in the business, to present your achievements and delivery.

Then there is the fact that internal audit works in both formal and informal ways across the business. If an internal audit function is any good, then it will provide a good source of informal support to the business. It should have a good database of knowledge and experience, and understand the overall strategic and corporate messages and contexts for local decisions. I would say I spend at least 30% of my time assisting the business in this way.

Perhaps the oddest thing about appraising a CAE is that being challenging, difficult and disruptive is part of the role. A good CAE should avoid the management ‘group think’, the politics of the sayable and unsayable, the limitations placed on the rest of the business about asking challenging questions. To some extent a good CAE should receive a proportion of grumpy feedback. If they don’t, then I would argue they are not assisting the organisation to genuinely grow.

In the same vein, an audit function that does not receive at least some aggressive ‘shooting of the messenger’ is not delivering the right messages. I would say at least 20% of my reports are regarded as ‘completely wrong’ or not ‘how we recognise the business’ when first published. For me, sometimes this is a problem with the analysis, or the engagement of the team with the client, for which I am accountable. Most of the time it is because the report is, painfully, spot on. I have lost count of the times a ‘completely wrong’ report has either been adopted in full by the relevant report recipients six months later, or ignored and the risks stated have, unfortunately, crystallised as predicted. I guess a good CAE knows when something is just too right, or genuinely wrong, and amends and edits accordingly.

The role is contradictory and demanding: so you have a role (CAE) and function (internal audit) that is meant to be all-knowing yet cover the whole business; be both unpopular and popular; is appraised primarily by those it is institutionally set up to work independently of and sometimes hold to account; support change against all the challenges that any change brings; and work across the whole business whilst competing for attention with those managers in the thick of the strategic priority areas of the organisation. Hmmm, a relatively tall order for any individual or function.

I think, however, the biggest issue is that internal audit is set up with a completely different lens and mindset to the management team. The internal audit function’s lens is, and should be, according to the International Standards for the Professional Practice of Internal Auditing, risk based. So we trade not in the current, not in the accomplishment of the here and now, not in the delivery of lots of currency. We trade in the possible prevention of something that may never have occurred in the first place. In other words, we focus on risks, not issues, a totally different currency to the management team. This was the subject of my first substantive blog on this site and I still haven’t changed my mind on this since.

So we are a function and individuals that are the antithesis of management in practically every sense, yet we are all appraised within a management appraisal paradigm. Should we feel hard done by? Well, not completely. A CAE still has to manage people and deliver business processes, run a department etc. A CAE still has to influence colleagues and organisations in the same way as our management colleagues do. We still have to balance our role with maintaining a permission to operate (we are not without accountability or any boundaries).

Yet we are unique and special (I think in a positive way). We are organisationally renaissance people, and we need to be extra special to be appreciated. I am of the view that a good CAE should be noted for both the irritation and the plaudits for support they deliver. For both are good for any well governed organisation.

So when you are next appraised – are you being appraised as a manager or an auditor?

Inspiring individuals



So I learned today of the death of someone who inspired not just me but countless generations of young people. His name was Joe Cassidy, principal of St Chad’s College Durham, UK, of which I am an alumnus twice over.

You don’t really reflect on how people impact on your social and professional lives until, sadly, they are gone. Joe was one of those few and special people that combined managerial skills and leadership with academic and teaching ability. He led a college community as a priest and academic and was able to provide a highly moral and inclusive view of the world. This was a view that he inculcated into the generations of Chadsmen he has seen pass through the College’s doors.

It is this moral sense and a sense of right that was not dogmatic or particularly pious in its expression. This is the reason why, in an increasingly atheist society, he was able to be relevant and impactful on those young students he worked with and supported in the College community.

It got me thinking about how he has impacted me. He was a tough manager, able to put his perspective across in a forceful, but polite and engaging way. Yet you never felt as if he’d won or you’d lost. More a sense of shared engagement with tough choices and issues.

He also created a sense of moral location. By that I mean he was able to communicate, in his words, but mainly through his actions, a sense of right and wrong. This was not a narrow dogmatic sense of right and wrong, as he was open to diversity of views and people.

This was very important to me professionally as I see internal audit and my role as an internal auditor as having, in some small way, a moral and ethical component. Whilst it is not for internal audit to judge right from wrong in a pejorative or dogmatic way (for Joe and I recognised that the world is complex and there are very rarely moral absolutes), it is a recognition that business, as any other field of work, has to have some sense of societal and moral obligation. It has to work for us all as citizens of one global community.

For Joe, like the very best people I have known, was able to be influential without you knowing it; supportive without you feeling a sense of obligation; and most importantly able to bring a sense of perspective that puts the noise of life in its immediacy to one side. This is especially important as when you are a student (undergraduate or postgraduate) the world seems like a competitive race and short termism in choices can soon take over.

For that and all the many things he did, seen and unseen, I, and the many generations of Chad’s graduates, will miss him.

From my mentor – internal audit as organisational ethnography?




So I have a mentor. For any CAE out there I would suggest you get one too. I would suggest, like mine, they are excellent, experienced, and understand the area of audit and business you are working in.

In my recent chat to my mentor they provoked, using their objective viewpoint, my thinking about what I thought internal audit should do theoretically compared to practice. In other words they were able to see that the intellectual purity of audit has to be tempered by organisational reality.

Interfering with the intellectual purity of audit is something I am always uncomfortable about. It always feels to me that organisations should do the right thing on a principled basis, irrespective of organisational politics etc. This is something I have had professionally drilled into me in my Big Four professional services firm audit training. For the task there was always to get the ‘right’ answer. Right was always defined in terms of accounting and auditing standards (all of which provide a basis in law for what must and should happen).

Internal audit is, however, a much more complex activity and proposition. As I, and my career, have evolved and I became an internal auditor (which for the record is completely different role from external (financial statements) audit), I realised that there is no right and wrong. Well at least I took a realist ontological and epistemological position that there is a macro right and wrong, but that the right can have a number of legitimate interpretations.

But the leap my mentor helped me to take was to recognise that internal audit needs to take account of the organisation, its culture, its capacity and its ability to deliver what needs to happen. Internal audit’s role is to be ethnographic (a social science and anthropological research term that means studying a group of humans and their behaviours as part of the group, whilst remaining objective and independent of it as a researcher).

So internal audit is about: divining what needs to happen (the right / wrong answer); divining what the organisation can possibly do; divining what the organisation is willing to do; and then forming a set of suggestions that work with this. In other words, internal audit becomes a problem solver using its ethnographic position.

So the CAE and senior management team whose roles do seem a little esoteric and disconnected from day to day audits, actually have a complex social and intellectual task. This is of working with the organisation and assessing not just what the audit work is telling them, but also of how to manage its delivery in the organisation to effect positive change.

So if an auditor is an ethnographer, where should internal audit pitch its findings? Is it something that professionally should be ‘pitched’? i.e. is it the role of internal audit to decide how far to challenge an organisation? Our institute has little formal advice on this matter. In fact this is, I think, the biggest challenge I have found as a CAE. If a CAE challenges too much the organisation pushes back; too little and the audit team feels their findings are not being pushed enough by the CAE, and the CAE loses credibility with his / her team. Also, too little challenge risks not pushing an organisation beyond its comfort zone to make it grow and get better.

So there it is, the biggest real challenge a CAE faces. Balancing challenge. Yes a CAE has to develop a good audit methodology. Yes they have to develop an audit team that picks out the findings. The core challenge is always to balance challenge and deliver the messages from internal audit work in a way that an organisation can digest. For the first line of criticism when something goes wrong always seems to be ‘where was audit’ (rather strange since audit is the third line of defence). I think too few management colleagues appreciate that a CAE has to be ‘right’, so they are not open to criticism if things go wrong, yet deliver a message in a way that promotes organisational change and development.

For ultimately a CAE is not meant, in role terms, to be popular. Too many people confuse this with professional respect, i.e. ‘I don’t like or agree with the CAE, therefore they can’t be performing well’. For me, a good CAE, is not necessarily popular. They say the unsayable, point out the difficult, address the ignored, champion the marginalised, push the counterfactual.

I am lucky that I have generally worked with senior management teams that get the real value of audit. They value and engage with its challenge and support the different perspective brought by internal audit. It takes a good dose of internal audit objectivity for management teams to support and endorse this approach.

So how far does ethnography feed into your audit approach? How do you pitch your findings?

Risk control and assurance – single or multiple paradigms?




I’ve been thinking about technical audit methodology this week. So a little bit of a dry post, but one I hope will be of interest.

So I’ve got to thinking about risk, control and assurance. How do these concepts overlap and how should they play out in an audit methodology? For those that know me, I am a CAE obsessed with audit methodology. Why? Because it is the foundation upon which the audit discourse, the audit work and the audit team are bound together. For if you start out with something that makes no sense, how can you use that to persuade others, in particular management, or governors of the organisation?

So risk. A simple concept. The UK HM Treasury’s Orange Book is still the best exposition of it I’ve seen. Gross risk, risk mitigation, leading to net risk. Simple. I have always thought of risk mitigation action to be control. Yet my thinking is evolving in this matter. More of this in a moment.

Let’s consider assurance. In a risk-based assurance model, the one I use, I take assurance to be the converse of risk. I appreciate this is not ideal, but the wider industry concept within which my audit service operates requires equation of risk in a converse way with assurance. So, for example, high risk equals high uncertainty; this leads to less assurance. i.e. I, as an auditor, can provide you with less assurance over something I consider to be uncertain (risky). Conversely, I can provide high assurance over something certain.

Yet we know that this definition emphasises the level of certainty (and to some extent, proximity) of risk above the impact. So if risk is a factor of both, the level of uncertainty (including proximity) and level of impact of not achieving objectives, then assurance can well be described as the converse but not necessarily so. i.e. high risk could be high impact but low uncertainty, yet under this model it would be equated with low assurance. We know also that assurance is about the ability of the auditor to form a view as well. So I could, for example, fully assure you that the risks are high. Here assurance is detached from the risk measurement itself and linked to the level of work being done.

So my risk based audit methodology, as I currently use it, links risk and assurance and treats them as converse factors, even though this is not perfect (in an ideal world I would simply ascribe risk).

So where does control feature? In my risk-based model as I currently have it, control is equated with risk mitigation. So good control is adequate risk mitigation. In my model I recognise risk appetite. So I form a view of net risk and apply no pejorative judgement to it at all. Risk is risk, be it high or low. Whether it is ‘good’ or ‘acceptable’ or not, is entirely a matter of risk appetite. So in a high risk appetite area of the business (with risk appetite defined by my client’s governance body and then applied by the management team) controls as designed and applied are deemed adequate when net risk is below the defined risk appetite.

This works fine until you come to something that is poorly controlled (perhaps with few or weak controls) but is low net risk (and most probably low gross risk). You are then presented with a choice of nomenclature. Do you go with the intellectually pure, risk based, interpretation? If it is low risk and risk appetite is, say, medium, then even though something is badly controlled it presents little risk. So something coded ‘yellow’ or ‘green’ is deemed acceptable even where the control system is a mess? Hmm, difficult. You want to message the lack of control in your report, but your risk based reporting is oriented around risk. So something low risk must be coded as such.

This is made much worse by most audit services’ methodological maps of risk. For those that colour reports in a risk based way (i.e. referenced to risk, rather than a pejorative judgement about control – the red is bad, green is good, methodology as I call it) if you use a single scale for the whole organisation you quickly get into a mess. So most things in most organisations do not matter. Organisations are too big and complex and rarely is any risk an organisationally significant one. The natural portfolio hedge sees to that. So your non compliant process x will not kill off the organisation. We get around that in my service by having four risk layers. This allows smaller, tactical and operational processes to have ‘reds’ of their own.

Even a multilayered risk map process does not save you from the quandary of some poorly controlled things simply not being significant in risk terms. Indeed in a purely risk based organisational world, you would not seek to mitigate low gross or net risk items further, so you could argue a weak control system is appropriate. Yet the audit committee and the management team do want to know what items are simply non compliance and poor management control, rather than a complex and ultimately debatable net risk exposure point.

So cue a controls judgement. Where something is not high net risk, it could be poorly controlled. So is a control view, independent from a risk view? I have held in my audit methodology that this is not the case, as I have equated risk mitigation with control. So control is a relative concept and is grounded in risk. So control adequacy is mitigation of risk within a defined risk appetite.

Yet I do feel I need to have a way of dealing with poor controls in a risk based audit methodology. I currently cope with this through ascribing a low risk appetite to enable me to say something low net risk is inadequately controlled. The classic example is financial control. Most organisations have a low risk appetite here, so a weak, say payroll system, even if low net risk, would get a ‘yellow’ with a negative view of controls as designed and operated.

The other way of dealing with this is control awareness. This would flag how well control was delivered in an area of an organisation, irrespective of whether the resulting risk sits within the defined risk appetite. So poor control, even if it led to low risk, would receive a negative view. This detaches control from risk though.
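To make the quandary above concrete, here is a small model of the rating logic, written by me as an added illustration for this post rather than taken from any audit service’s actual methodology. Everything in it is assumed: the 1 to 5 likelihood and impact scales, the four layer names and their colour bands, the idea that controls reduce likelihood only, and the 0.5 ‘adequate control’ threshold. It codes the two ways out of the problem side by side: a low appetite that escalates the colour (the payroll case), and a control view that is reported independently of the risk colour.

```python
"""Toy risk / control / assurance rating model (illustrative, not a real methodology).

Assumed scales: likelihood (uncertainty, including proximity) and impact are
each 1..5; a risk score is their product (1..25).  Each of four assumed layers
has its own red/amber/yellow bands so an operational process can earn a 'red'
of its own without being organisationally significant.
"""
from dataclasses import dataclass

COLOURS = ["green", "yellow", "amber", "red"]

# layer -> (red at or above, amber at or above, yellow at or above); assumed values
LAYER_BANDS = {
    "strategic":   (20, 15, 10),
    "corporate":   (16, 12, 8),
    "tactical":    (12, 9, 6),
    "operational": (9, 6, 4),
}


@dataclass
class Area:
    name: str
    layer: str
    gross_likelihood: int   # 1..5 before controls
    gross_impact: int       # 1..5, assumed unchanged by controls
    mitigation: float       # 0.0 (no effective controls) .. 1.0 (fully mitigated)
    appetite_score: int     # maximum acceptable net score, set by the governance body


def gross_score(a: Area) -> int:
    return a.gross_likelihood * a.gross_impact


def net_score(a: Area) -> int:
    # Controls are modelled as reducing likelihood; a floor of 1 keeps net >= impact.
    net_likelihood = max(1, round(a.gross_likelihood * (1 - a.mitigation)))
    return net_likelihood * a.gross_impact


def risk_colour(score: int, layer: str) -> str:
    """Pure risk-based colour: referenced to the layer's bands, no judgement about control."""
    red, amber, yellow = LAYER_BANDS[layer]
    if score >= red:
        return "red"
    if score >= amber:
        return "amber"
    if score >= yellow:
        return "yellow"
    return "green"


def rate(a: Area, control_threshold: float = 0.5) -> dict:
    """Rate one area three ways: risk colour, appetite-adjusted colour, control view."""
    net = net_score(a)
    colour = risk_colour(net, a.layer)
    within_appetite = net <= a.appetite_score

    # Option 1 from the post: a low risk appetite lets a low-net-risk item be
    # escalated one band (never below 'yellow') so the weak control is messaged.
    reported = colour
    if not within_appetite:
        reported = COLOURS[min(COLOURS.index(colour) + 1, len(COLOURS) - 1)]

    # Option 2 from the post ('control awareness'): a control judgement that is
    # detached from the risk score altogether.
    control_adequate = a.mitigation >= control_threshold

    return {
        "name": a.name,
        "gross": gross_score(a),
        "net": net,
        "risk_colour": colour,
        "within_appetite": within_appetite,
        "reported_colour": reported,
        "control_adequate": control_adequate,
    }


if __name__ == "__main__":
    # Constructed sample register: a weak payroll process under a low financial
    # appetite, the same process under a medium appetite, and a strategic risk.
    register = [
        Area("payroll (low appetite)", "operational", 1, 2, 0.0, 1),
        Area("payroll (medium appetite)", "operational", 1, 2, 0.0, 4),
        Area("cyber resilience", "strategic", 4, 5, 0.5, 10),
    ]
    for area in register:
        r = rate(area)
        print(f"{r['name']:28} net={r['net']:2} risk={r['risk_colour']:6} "
              f"reported={r['reported_colour']:6} controls={'ok' if r['control_adequate'] else 'weak'}")
```

Run as a script it shows the point of the post in one table: payroll is ‘green’ on risk alone, becomes ‘yellow’ only because the financial appetite was set low, and is flagged ‘weak’ on control under either appetite. Which of the two columns the audit committee should act on is exactly the judgement the post is asking about.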

I am still working through my thinking on this and would appreciate any thoughts and suggestions – what do you think?

Management and audit – two sides of the same coin or different currency?




As a CAE I am required to attend the audit committee. It is something I have done for the majority of my professional career and it is something that has always been a professional and personal challenge. It never seems to get any easier.

One thing the audit committee process does is force me to work with my management colleagues. I cannot produce audit committee papers on my own. I need the management engagement, support and response to make the audit committee process work. This presents a professional challenge, for it is the time when I act most like my management colleagues, i.e. using persuasion, collaboration, cross working, shared effort, as opposed to the arguably more detached and institutionally created, demanding approach to audit. I can demand to audit (of course one doesn’t, one works collaboratively, but I could demand to be able to audit). I cannot demand a suitable management response.

In discussing reports and audit results I do have perhaps a more liberal and relaxed approach than that of many of my CAE colleagues. I don’t see the draft audit as fixed and to be ‘responded to’. I see it as a starting point for a conversation, debate and discussion about risk and challenges. I see audit findings as a shared challenge and set of questions that internal audit and the management team should debate and discuss potential solutions to. So in some ways we face the same problem but from different sides of the coin.

Yet, for every audit committee in every client I have ever worked at and with, getting management responses and producing audit committee papers on a timely basis, has been a chore and hard work. At some point the conversation needs to stop and response be provided. I sometimes think this is because we (as auditors) and managers do sometimes linger in the old world of audit being an accountability and checking mechanism. The audit report is seen as a gaming process, to be batted backwards and forwards until a negotiated settlement that is not too ‘critical’ of the management team and will be seen positively by the audit committee as such, is published.

Yet I see it differently. I see audit as a collaborative, shared, cathartic approach, where the value is less in whether the audit report is intellectually or scientifically ‘right’, but whether the process of debating it has really moved our collective (audit and management) thoughts forward. In other words does it prompt change, or a conscious and comfortable adoption of the status quo (both are appropriate outcomes)?

Also, I don’t see a particular need for an audit report to be agreed at the point of publication. Yes, broadly you don’t want diametrically opposed positions, but does the challenge and debate of an audit report need to be settled at the point of audit committee publication? I would say not. The reason I say this is because the very best auditors look forward into the future or ask the really big questions. This is the real value of a good internal audit function. They say things the management discourse has not yet got to, or that are not yet current currency. So for example, in the Tesco context, the internal audit function should have said, ‘look, our business model is becoming unsustainable in a fundamental way here, and I see the pressures (albeit small at this point) beginning to show’. That may have saved Tesco a lot of its current stress. Most of my best audit reports have said, years before the risks became issues, what the real problems were. The management team have looked back at the original audit report and valued it retrospectively. My previous boss accused me of having a crystal ball; I explained that I simply knew that unmanaged risk will, eventually, somehow, become a set of issues.

I don’t really see management as being fundamentally different from audit. We both face the same complex, messy world, and this world does not get easier and less challenging. So a good audit report should really push the debate on, push the organisation to adopt a position, and be seen as an organisational process, a risk management debate. It should not be seen as a criticism and judgement of individuals, for control environments are almost never ascribable to a single business unit or process, and never at the level of an individual.

So why then do audit committee papers push two parties with a collaborative and joint interest to adopt such different positions? I suspect it has less to do with how the auditor or individual manager thinks about audit (many now have much more modern views than the traditional inspection model). I suspect it is a fear about whether others still see the audit model in those terms. So do the audit committee members see it as a process of compliance inspection? What about our publics and stakeholders? Again, in reality, a lot of modern audit committees don’t see internal audit in those terms; they are on board with a more collaborative approach.

Yet, whilst modernity is beginning to come to audit practice, it is still difficult to see this in public audit discourse. Our institute is still obsessed with independence and objectivity. It still sees this divide in absolute terms, and in prima facie, two dimensional, terms. For independence is a state of mind, not a set of rules and processes. In pushing this divide it pushes audit and management teams apart. Instead of being two sides of the same coin, it forces us to be different currencies.

So next time you are preparing your audit papers and thinking about why the process is difficult, perhaps take comfort in that a good audit approach pushes an organisation, and that no one likes to be pushed. So are you the other side of the coin or a different currency altogether?

Adaptive audit




Last week I attended a conference of international development professionals discussing adaptive programming (or projects, for those outside the international development world). For a short readout see:

Adaptive programming is a sort of ‘agile’ project methodology for aid programmes, in other words, a contingent, try-as-you-go methodology for seeing ‘what works’ in international development.

Unlike IT, international aid is solving genuinely complex problems, or ‘wicked problems’ for which the causes of the failure of development or continued poverty are multifaceted and difficult to pin down. For example, is poor nutrition in a country due to barriers to economic development, lack of basic resources, cultural issues, poor political and state governance, or a complex messy combination of all of these? I would suspect the latter. If so, how can any programme of international aid make a difference to this?

Standard programmes require a clear definition of the problem, clear designed solution, and then systematic, orderly, well controlled, project implementation of the solution.

Just as this is being recognised as not possible in IT programmes (i.e. you cannot predict 100% of the problems in advance), so it is even more so in development programmes. IT’s solution is agile: a reflexive, adaptive, contingent approach to solving the problem, with many learning loops within a non-linear process. Adaptive programming (as I have interpreted it) is the same thing in an international aid context.

So where’s the relevance for internal audit? Well, internal audit in its traditional form is great at assuring standard, linear, projects. You review the process and design of the process – will it deliver a good project? So most organisations would have some familiarity with PRINCE2 (I’ve not seen anyone really apply PRINCE2 by the way). Fabulous – you can send junior staff to look at a book of rules, if the programme is complex, send a more senior auditor (who can take some judgement or view of the rules). Then tick it and report non-compliance.

What about adaptive programming though? A vague project plan, lots of changes, lots of judgements, a lack of evidence (save implementation results). This requires auditors who are happy to work ‘off piste’ and work without a rulebook. So what do they rely on? Common sense? – we know this is in short supply. Also, whose ‘common’ sense is it? When an auditor is unclear what way is ‘up’, how can they audit in this environment? For surely all adaptations can be appropriate?

Well as ever, and consistent with my audit mantra, internal audit needs to move away from being scientific. There is no definitively right and wrong in the real world. Yet I am not ready to sacrifice the idea of things being wrong or unreasonable, totally. For then internal audit becomes nothing more than an impressionistic, artistic, other voice in the organisation. For if all decisions are right, no matter the results, outcomes, resources expended, or risks taken, then your basic rules of governance collapse.

What I mean by this is that governance is about direction and control. The board, or equivalent, and senior management need some framework to do this through. They need a framework to approve and control activity within. Normally this is the risk framework, i.e. the organisational and management risk appetite. This is expressed in many forms, finance delegations, formal risk delegations, key controls and authorisations, policies, legal restrictions etc.

So I, as an internal auditor want a framework, however lacking in granularity and however much adaptive flexibility it has, to be consciously applied in an organisation. The auditing of this framework is adaptive auditing. Yet when a business is introduced to adaptive auditing, that is an audit function that is happy to see adaptability applied in context and does not want to see a rules-based culture imposed, the business struggles to adapt to adaptive audit.

It must be odd for many in management teams for an internal auditor to not only accept a lack of rules-based compliance, but to want to see this model applied in practice. But let’s be clear, adaptive programming and the demands of an adaptive audit can be challenging. In particular I think agile audit, adaptive programming or any non-rules based method of management require more control, not less. It requires a clear articulation of the current position at any point in time, that is, a justification for the current control environment. It also requires a clearer view of why things are where they are at present, a clearer view of how success will be monitored, and a clearer view of what would need to change to provoke further control changes.

So this is what I mean by adaptive programming requiring more control, not less. It requires a more conscious articulation of the programme. It requires a better audit trail of previous decisions. It requires a more thoughtful justification of the programme.

Similarly adaptive audit is much harder to manage and deal with. Auditors are taking judgements. This therefore requires a higher quality of auditor. More work to co-produce reports (although ultimately they are independent). More work and higher levels of management engagement during an audit to discuss complexity and difficulty. More openness and honesty about risk and ultimately, failure.

So are you and your client organisations ready for adaptive management and adaptive audit? I would say a lot of organisations have a way to go. It fundamentally requires the audit and management relationship to be reset. No longer an adversarial game, but a collaborative effort to face complexity and challenge together. This will require some sanguine understanding of risk and audit by regulators, governing bodies and senior management.

Are most clients I have worked with ready for this grown-up relationship? Some, but not many. It is the line between artistic chaos and socially-scientific control frameworks that is difficult to pitch. This will vary and cannot be always clearly articulated. If we can open ourselves to trying this model though, it would benefit both audit and management teams alike.

Objectively speaking…



I am cracking my way slowly through a PhD – bizarrely in marketing (don’t ask – it’s a subject that fascinates me and is I think a much neglected concept to be studied critically). As part of this I am working with three case study organisations. They are very diverse, large, complex and high performing (in their fields of expertise). It is nice to be able to spend some quality time with some diverse organisations.

What has struck me in various conversations is how all organisations need a critical eye. They need a party that is knowledgeable, confident and capable of understanding how the organisation really works to challenge them. This challenge needs to be done in the manner of a friend – robust and direct, but with understanding and compassion.

So many organisations reach out for this robust and critical challenge that really says what needs to be said, but struggle to obtain it. They employ consultants who tell them what they want to hear (they are the people paying, of course), or who tell them nonsense (because they have not really understood the question or the organisational context). Or they submit to inspectorates with reporting and agendas that will play out in the public domain, meaning the results are either made bland or are driven by other organisations’ views of the world. Both of these methods of feedback can, of course, work. Yet in practice they do struggle to consistently and helpfully challenge organisations in a way that enhances, builds and moves their client organisations on.

I believe good internal audit can do this: good internal audit that is accepted by the client organisation as a friend. For only once an organisation loses its inhibitions can it truly have an honest and open discussion with its internal audit service and with itself.

Yet accepting this level of feedback is tough. Tough for the organisation as a whole, tough for the individuals within it (many of whom believe criticism will be career limiting). Most of all, tough for those who govern the organisation. For it is difficult to accept that something you direct and control is suboptimal, let alone poor performing, and those charged with governance are accountable for the organisation’s failings after all.

Yet this is also tough for internal audit. As a CAE my preference is to deliver thin reports, spreading good and positive assurance news. Shorter to draft, easy to quality assure, easier to deliver, positive response from all parties, etc. Being a challenging, difficult, bad-news-delivering, argumentative, stroppy CAE is neither easy nor enjoyable! Choosing which items to deliver, and in which order, is much more challenging and difficult.

Yet, if an internal audit function can get its client organisations into a good space where both parties take the pejorative element out of internal audit and the process of review, then there is a better outcome to be achieved. This requires both parties to see issues and risks in objective terms, and to accept that risks, and occasionally issues, arise in a resource-constrained, complex and challenging world. If internal auditing can be seen as a collaborative process to lay bare reality, with a view that the process itself, even before an outcome, is cathartic and useful, then internal audit can really leverage its USPs (unique selling points).

For internal audit is uniquely independent and objective, yet engaged, interested, supportive, and understands its client organisations. So, objectively speaking, where else, either inside or outside the organisation, do you get this confluence of unique features?

So when I am in conversation with an organisation and they ask for a source of objective but supportive review and challenge – I shall say – look no further than an excellent internal audit service.

Supply chain auditing – a step(s) too far?


A few weeks ago the BBC documentary programme Panorama broadcast an episode containing allegations about Apple’s supply chain. Not really news, I hear you say? Apple has long been accused of having poor supply chain practices, ranging from poor workers’ rights through to poor environmental or social records.

The Panorama programme, in case you missed it, alleged that despite Apple’s public commitment to clean up its act, it had not actually done so. In particular it alleged that one of its supplier factories in China worked its workers so hard that they slept on the production line, and that tin entered its supply chain from child labour and illegal mining practices in Asia.

Now it is not for me to form a view on these allegations. I am sure there are others who are closer to this than me and who know the industry better. Apple of course can afford to do better, but it also attracts disproportionate criticism in a way that other companies do not. So I suspect the truth of the allegations lies somewhere between the two extreme views.

What interested me as an auditor, however, was why the auditing practices put in place by Apple had not seemed to address the problem. The supplier’s factory in particular talked about having forms for ‘Apple’s auditors to review’, with staff being forced to sign forms as a proxy for accepting a briefing or as their assent to signing away their employment rights. Why did Apple’s auditors accept this and not challenge it?

This reminded me of when I was a junior auditor working in a professional services firm. We used to audit further education colleges in the UK. There was a scandal in which a college had made up what was called ‘franchise’ or ‘community provision’ – courses delivered by commercial partners, charities or businesses in the community to bring education to hard-to-reach students.

My firm led in the provision of spot checks. These were short, unannounced visits of up to one hour. The idea was that you would verify a sample of activity and prove, or disprove, its existence.

As a junior auditor, it was my task to do these. It was a chore: driving to out-of-the-way places. We had a big checklist, and we had to check the register and the registration data held by the college. There was a mathematical sampling formula that set out the number of spot checks to be done and the partners that should be visited.

I learned a lot from these. First, it built up my social skills. As a rather sheltered graduate from a middle-class background, it was a shock to wander into crisp or sandwich factories and speak to adult learners (by the way, I would not buy a cheap shop-made sandwich even now! – nor eat a cheap sausage roll from a bakery – but that’s a different audit story).

It also taught me to open my eyes. It taught me to think beyond the checklist, beyond the story being told to me. Even now I look for the cars in the car park, the language used by interviewees, what they are wearing (my current colleagues notice my observation skills). In one place the small ‘learning shop’ located in a small rural shopping centre seemed okay. It had a small room, two computers, a member of staff, college brochures, etc. Yet, when I got back to the office and asked about the total enrolments for the year, I was told a number that could not have been serviced by the small shop I saw.

I learned that tidy records meant higher, not lower, fraud risk. I learned to be critical and testing of clients. I learned to, politely, bring people back to the points I was asking (otherwise the 45 minutes allowed for the spot check could drag on for hours). I learned to interview diverse types of people, those outside of my professional auditor experience.

The real point of all of this is that it is perfectly possible to audit and tick boxes. Don’t get me wrong, sometimes spot check visits felt like they were ticking boxes, not adding value. But audit around the checklist. Join up the dots. Aim for the higher skills marks, and spot checks can become powerful vehicles.

In my current role it is difficult, as it is in most organisations, to oversee supplier risk. How far down your supply chain reputational risk extends is tough to decide. The big lesson for me, though, and perhaps for Apple post Panorama, is to throw away the forms and the checklist auditing, and to send good-quality, critical, intelligent and experienced auditors to do spot checks – preferably unannounced.

This is the type of auditing I love. Noticing the detail. Really challenging the consistency across different data sets. And yes – it is a uniquely audit skill. For management are often too naive or trusting, in a way that we auditors (including me, from my spot checks many years previously) are not.

How challenging are you of your supply chain?

Internal audit (in)dependence?

Internal audit and client relationship model (diagram)

So as we go into the new year, and we CAEs think about how our IA departments are positioned with and within our client organisations, I thought it would be helpful to revisit the debate about internal audit independence.

Internal audit’s great strength is both its independence, actual and perceived, and its dependence: if provided in-house, the IA function is committed full time to the client. In that sense it has a dependence on the client organisation. It has to ‘live’ with its judgements and decisions.

Yet, despite the standards requiring constant and full independence, a CAE has to consider how to work in practical terms with the client organisation. In other words, a CAE has to have some level of client management and organisational orientation. So for a major report, should a CAE pitch it as a grumpy challenge, encouraging questioning of the status quo, or as a gentle shot across the bow? All are legitimate positions in different circumstances. A CAE has to decide.

Get this wrong and IA can be poorly placed. If the independent challenge is too high, then internal audit becomes an inspector, well into the third line of defence in a regulatory and challenge function. This loses the benefits of a positive, open and cathartic relationship for the promotion of change and improvement. If the independent challenge is too low, then you risk audit becoming either irrelevant or controlled by your client’s management team.

In an ideal world one would seek to pitch an independent challenge, but in a client- and management-oriented manner. This takes you to being a friend. I’ve characterised how this friend relationship would work in a separate blog post here:

As a CAE I have found that the relationship with the client organisation and management team often varies over time. It is the cumulative result of decisions and ongoing discussions. For despite a CAE’s wish to be pitched in a particular space, the assurance assignments as they are published could, at a point in time, push the CAE into a difficult position. For example, consider where a CAE wishes to be more challenging, but the programme of work at that point comes out (correctly) with benign or positive results. The CAE has no timeous reports and outcomes with which to pitch that challenge. Consider the converse also: where a CAE is trying to build a positive, safe space for discussion, yet assurance results are challenging, it is difficult to dial back the perception of, or actual, challenge.

As a CAE I firmly believe that assurance results are just that, and should not be distorted or misreported for the short-term political benefit of either the CAE or the IA function. As a CAE I should, however, look at the overall diet of assurance and messaging. For individual assignments form part of an overall opinion and storyline, and the CAE must keep an eye on what that is and how it will play out organisationally and in terms of control.

So for all of you auditors out there who see what seem to be odd or strange decisions from your CAE, do please appreciate the ‘higher currents’ the CAE must consider in the IA function’s work. Seek to understand those, for they will help you in your work and your assignment level opinions.

So is the New Year a good time for CAEs to reconsider the overall positioning and message? Yes – I think so. Should this be a purely CAE decision? No – I think it should be something debated with the IA function and team as a whole (or at least a senior subset of the team). For this will ensure that the orientation of all the interactions the client organisation and management team have with the internal audit function is more consistent.

So where are you placed on the scale above and will you seek to change it?

Should I stay or should I go?


Well, it’s that time of the year. A time when we all think about the year past and the future. Some people will be thinking about setting up a blog. I am one of those who take the turn of the year to think about my ongoing blog.

Why do I do it? What do I get out of it? How can I improve and develop it? Like all bloggers – how can I get more people to look at it? My blog is written on an anonymous basis – not because I am embarrassed or say things that I don’t want to be held accountable for; quite the opposite. I write it without my name because I want people to focus on the issues and the content, not the writer or their organisational brand. My personal currency would no doubt increase and decrease with certain audience members if they thought I worked in their sector, was sufficiently senior in the profession, etc. I wanted to avoid that. Yes, the blog is connected to my LinkedIn and Twitter profiles, so some of you may already see it on that basis in any case. I think the decision to keep it at least semi-anonymous is right, though.

I also consider whether my ideas are relevant, helpful, thoughtful and encouraging. I hope that they are. Is my blog well read? It is difficult to tell. The blog stats from WordPress are for direct hits, so those who browse from elsewhere may not be reflected. It is fair to say, though, that I won’t be selling the blog’s advertising space for millions of pounds in the near future! Also, the number of comments and responses is fewer than I would have hoped. For I don’t have all of the answers to the challenges a CAE faces – not even a small proportion of them! I hope, however, that I do at least have something of relevance to say that prompts at least a few of our profession to pause and think.

Should the content of my blog change? I am not sure I could change it even if I wanted to. I post thoughts and ideas as they come to me through my work experience. Luckily, I am in an amazing audit job and am constantly stimulated by the high-quality organisation and people I work with. So I will try to experiment with things that resonate and make a difference.

If I had a hope for my blog in 2015 it would be that it reaches more people and that it becomes a space for internal auditors to debate and discuss the many and varied challenges our profession faces in 2015.

So for those who do read my blog – have a great 2015, and I look forward to your continued engagement and interest in our shared profession.

Happy new year!
