The UK’s IIA has produced a policy report thinking about models of effective internal audit. It is entitled Models of Effective Internal Audit: How to organise a successful internal audit function.
I have to say I didn’t find this terribly helpful. In the preface Dr Peters, CEO of the UK’s IIA, does state that this report is to ‘inform rather than judge’. When you review the report it seems to describe various audit functions across the public and private sectors and some in between. The report lacks some basic elements. First a description of what ‘effective’ looks like. Second any reasonable justification or rationale for the case studies chosen.
The lack of analysis or analytical description is very disappointing, and renders the report largely useless. What we have is a series of high-level descriptions of the audit services themselves, some in more advertisement form, with some pros and cons, all of which I would expect my audit trainees to be able to list out for the studies selected.
There is no sense of how the services map to their respective clients, nor what benefits are particularly useful, or what makes sense in their businesses. Nor are there any generic issues or themes drawn from the case studies. The real benefit of case studies, the rich data, the soft data, the cultural data, is not included. Most disappointing of all is the fact that I know, or have experienced in my career, the quality of service from a number of the selected case studies services, and I would not regard them necessarily as paragons of high quality delivery.
We are told that the Institute’s conclusion is ‘that there is no right or wrong way to deliver internal audit’. Well that is clearly nonsense. There must be a right and wrong way – otherwise why have an Institute? There may be no single right way to deliver internal audit, but that’s a different argument.
So what can we glean from the report? Well they do list some attributes that could be used to measure success of internal audit. These are: knowledge of the client; specialist expertise; flexibility of risk responsiveness; confidence of senior management; RBIA and an agreed audit methodology; advice and guidance through consultancy; consistency of service delivery; co-ordination with other assurance providers; effective teamwork; career development opportunities; and commitment to quality. Well who would argue with all of these? It’s a bit motherhood and apple pie.
So if we think about the examination question – what does good internal audit look like? Let me try to set out what I think it looks like. I think it is internal. The real strength of internal audit is to link a contextual and deep understanding of the client organisation with context independent knowledge (technical ability) brought with organisational independence. I’m sorry, but externally provided internal audit simply does not provide this context-specific knowledge. Being internal makes a real difference to the quality of the service provided because it means you can be independent, but part of the organisation. You can have difficult conversations with the client organisation as ‘one of them’. This is important. This provides permission to operate and a greater engagement with what you are saying as an audit function.
Second I would suggest a good audit function moves away from financial controls auditing. Most organisations’ risks are not around financial controls and reporting. They are in the first line of the business. No organisation, with the possible exception of Enron, died from financial reporting risk. Most die because their underlying business model falls apart in some way. So SOX and Sarbanes-Oxley? Not so much.
Third I would argue that internal audit must move away from a compliance mindset. I have freed my audit team to engage with the full panoply of risk, not just auditing a set of rules. Most organisations are not fully rules based in any case. Most modern, flexible, organisations are not finding command-and-control rules helpful. My own client organisation has ‘smart rules’ to promote judgements and risk taking. Google and the new organisations have less rules-based organisational structures. Internal auditors should challenge rules in any case. ‘We do it like this’ – why? Does that map to risk? Is it effective? To do this we need a new breed of internal auditors, ones that think, act, do, like consultants. We are consultants, we should act like them. I would argue most organisations are 20% rules; 30% loosely defined processes; 50% culturally informed risk taking. It varies by business, sector and organisation, but an IA function that cannot play in the c50% is missing the real risk. This is where board-level decisions, strategic choices, life-changing transactions, are processed, not in the processes and organisational day-to-day grind.
My third suggestion is to be in the front of the business. Most audit functions play around in the corporate zone of their client organisations. If your business sells food, audit food. If it makes cars, look at car production. If it delivers public services, go and look at how it does it. That does not mean ignoring the back office, for it is a false divide between the front and back offices anyway; it does mean, however, being on the ground in the front line of the business.
So I think the Institute has the right idea in asking these questions, but if it is to take a leadership role, it needs to actually do it in a meaningful and helpful way. I appreciate the Institute has a representative role but this does not mean not challenging the functions and members under its organisational aegis. So come on UK IIA, have an opinion and help the profession to develop – be brave!