Heavy lifting

I am on the board of a number of organisations: an international non-governmental organisation, a UK national charity and a world-class higher education institution. I also work in my day job with a huge range of organisations and their corporate structures. These organisations have a range of internal audit provision, through to none. Where there is internal audit it adds value, in whatever form.

Organisations go through life cycles, and the bigger, more established and complex they are, the more they benefit from a good internal audit. They benefit because organisations under-resource corporate functions. I understand why. Corporate functions are overhead. They don’t make stuff, they don’t sell stuff, they don’t speak to customers, they don’t deliver the cash-earning product or service.

Yet, when an organisation gets to a certain size, it ceases to be controllable by people, either one or a few. The span and depth of control is too much. Culture helps, but is difficult to deliver and control. This is where good strategic internal audit comes in. Not the compliance or two-dimensional internal audit, but one that asks the really difficult questions and one that has coverage from the strategy down the organisation into delivery.

Good internal audit says the unsayable. It challenges group think. It systematically looks at the organisation (and yes, in depth and breadth, not just six top-level reviews a year). It goes from the strategy and follows that through to the floor, to the way the organisation is seen by customers, beneficiaries and stakeholders. For only when you have enough time and independence to look objectively at the organisation can you really form a view over how it is really working.

So why heavy lifting? Well, for me internal audit is the organisational equivalent of going to the gym. It is the organisation trying out its parts, putting them under pressure and isolating them (as you do with weights at the gym) to see if they work. This process of putting them under pressure sometimes identifies big problems and weaknesses, but most of the time there are lots of little things that could be better and fixed. That’s how you grow muscles at the gym, through the precipitation of lots of ‘micro’ tears. These repair, the muscle grows and that part of your body has greater capacity to lift more. So it is with organisations and internal audit.

Just like going to the gym, it can be aversive for organisations to face the challenge of internal audit. Most organisations have developed the optics of public and reputational protection. Too often that becomes internalised and the top management team loses its openness to challenge. The press lines replace reality. Sure, being told something is not good, or having an alternative perspective, is challenging. I know that as a leader myself. Being open to challenge is not easy or pain free sometimes. It is something I, and I think organisations, must continually work at.

Internal audit’s role is to ensure the organisation has plenty of capacity to run to keep up with competitors. It should be the gym instructor counting out the ten press ups and putting the extra weight on the bar. Don’t get me wrong, most great management teams I’ve worked with do the same with their strategies. What they don’t have is the capacity and time, however, to test this down the organisation, to follow down the delivery and control chain. Internal audit is set up to do that.

Of course internal audit needs to know what organisationally ‘fit’ looks like. So you need a breadth of generalists, specialists and a range of professional backgrounds. You most of all need a mindset that is willing to put up with the gripes and moans of the organisation as it is at the ‘gym’. This requires auditors to be fairly strong and resilient in the face of challenge, without being closed to it.

Just like a good gym instructor, you get what you pay for. A cheap service benefits you less. Similarly, doing it without a good gym does not work; home exercise is possible, but rarely takes you forward. So it is with internal audit; organisations need to invest time, resources, energy and engagement to really benefit. As an internal auditor I’ve met fit and unhealthy organisations. Unhealthy ones are flabby, inefficient and lazy, and so the role of audit is harder (most notably on the engagement side).

So next time you engage your internal audit team, think of it as being like exercise. It’ll be challenging, difficult and hard work, but you will gain the pleasure and endorphins that result and be more efficient and effective – a real win!

So when will you next train and get those IA gains?!

Auditing The Matrix

I was asked by a management colleague this week – how do you train your team to see things my team don’t? The premise behind the question was why internal audit continues to see issues and risks and propose solutions that the management team doesn’t.

Honestly I am not sure I have the answer. For me common sense is just that, common sense. I think what I train my auditors to do is think and apply common sense. So no matter what the business challenge or question, I ask auditors just to think through what the reasonable person on the apocryphal ‘Clapham omnibus’ would do. Now I know that common sense is not common and that one person’s common sense is not another’s. I do genuinely think that auditors’ best professional tool is just to think and ask obvious questions.

So how do I train my auditors?

Well I think surrounding them with the other experienced and great auditors in my team helps. It is important to ensure that any audit function retains a core of knowledgeable, professionally trained and experienced auditors, who know the business they are auditing.

Second, I think it is important to provide constant leadership and support of professional discovery and continuing professional development. I provide a diet of masters courses, IIA qualifications, ACFE and other counter fraud qualifications. I supplement these with a diet of experiences, conferences and workshops. In addition I ensure that an underlying base of ethical training, professional behavioural expectations and high standards of propriety are expected and enforced through oversight and quality assurance of work and the processes through which that work is produced. Can I micromanage and be a perfectionist? Yes, a little, but this ensures that my auditors work to produce the very best they can, all of the time.

Third, I train auditors to challenge the status quo. I ask and encourage them to free their mind and be inquisitive and challenging. This means I ask them to audit not only what is there, but much more importantly to audit what should be. I tell all of my auditors that their views (even when training) are valid, sensible and value adding. I say to them to feel free to challenge and to put their views across, to ask the stupid question (for the only stupid thing is not to ask the question), to feel supported to go and ask, do and investigate any reasonable thing they think important. When I trained at a big four firm I always felt there was a risk that these firms spent lots of money recruiting bright people, and then spent three years training them not to think. I do my very best not to do this. I want my auditors to feel as if there are no cages or walls oppressing them.

So why do I think my audit team picks up some issues the management team does not always manage? Well I think this is primarily because internal audit is objective and independent and is set up to take a risk-based approach. Most management teams get too wrapped up in issues and the here and now to take real time to analyse why they do things.


Update – I’ve taken some time to finish this blog post, as I’ve normally got an opinion or a view on the question at hand. I usually use my blog to expound and refine this view. In this case, as you read above, I was genuinely not sure of the answer.

I’ve had a Damascene moment today though that made this clear to me.

The real reason why I think internal audit sees things is that I had always assumed organisational discourse, that is the organisational ‘press lines’ that we articulate on our organisational intranets, was generally recognised to be nonsense, i.e. that we all had a real understanding of how things really are: complex; messy; driven by personalities, culture, currencies of power, resources and political position. Yet I appear to be wrong. Apparently this world is not clear to others. This reality is not one that people really see. When we have what I thought were organisational ‘press lines’, lots of people in organisations actually believe them.

How can I best describe this? Well, if you’ve ever seen The Matrix franchise of films, the main character, Neo, has the ability to see past the computer-generated code that constructs the false reality he was being fed in order for the evil machines (that had taken over the world) to use his body and brain (along with the rest of the enslaved human race) as a battery. I think good auditors see enough of organisations, both in depth and breadth, to really understand how organisations actually work. They think in terms of analysing, objectively, and as an intellectual research exercise, how the organisation works (I of course mean this of fully risk-based and in-house internal audit services – not externally provided – for they never really know their clients – or compliance-based auditors – for they never really challenge to any depth).

Perhaps I am lucky, or perhaps my team are, that we have these real conversations and do not buy into the computer-generated false reality of organisations. Perhaps I am lucky in that I deal mainly with the top of the organisation, those senior managers that know all too well, and have to deal with, the real reality the organisation faces. They know when their constructs and organisational press lines stretch truth or test credulity, for they construct them. Perhaps I am lucky that I can be open, honest and helpful in supporting and challenging them in both the real world and the use and deployment of those constructs.

I think great internal audit functions train their auditors to see the ‘stream of numbers’ behind organisational constructs (another Matrix reference). This means that even fairly junior members of my team are inducted into seeing the world in this way, the ‘code’.

So perhaps this is something I had not ever appreciated or understood because I had always thought it obvious, at least to me, and it did not need saying. Or perhaps I am just odd in my perspective (one of my team likened me to Sherlock from the Elementary TV series – I think it was meant as a compliment but it was hard to tell!).

As an auditor, do you see people and 20th century America or the code that the machines use to construct them?

New Year – existential crisis?

Happy New Year to all of my blog readers!

This is usually the point of the year at which I debate whether to continue my blog; whether it is making a difference to the world of internal audit theory, and more importantly, practice; and whether it is really working as a platform for me to debate my professional issues and challenges.

I won’t be having an existential crisis this year. I see from the statistics that my blog posts are read, and I have a (very) small loyal following. My team, I know, reads the blog, or at least some do and pass the thoughts on, for which I am grateful. I can see that the profession, once again in 2017, still feels fragile. It feels fragile in the developing world contexts with which I professionally deal and is still fragile in the developed Western economies. So I think there is a need for my blog.

The profession is stronger in many ways. The IPPF and the International Standards are, broadly, sensible (see New 2017 IIA Standards – Good or bad?). Internal audit is something that the professional services firms are still engaging with, albeit their own non-internal version of it.

Yet there are dark storm clouds on the horizon. The professional qualifications from the Institute are still not where they should be (see Continuing or continuous professional development?), and the QIAL qualification has not yet fully established itself (for example here or here). Certainly from a UK perspective it is challenging to see what I thought was our relatively strong CMIIA qualification subsumed into the Global Qualifications, and then the dual certification process we have left. This leaves the path open to other institutes, for example the UK’s Chartered Institute of Public Finance and Accountancy (CIPFA) and their ever-increasing set of qualification offerings (see CIPFA), to fill the gap. In the UK we have the Internal Audit Standards Board, which is part-hosted by CIPFA. See here for more information. It’s unclear to me why a finance and accounting institute should have an interest in this, other than the fees and training revenue potentially arising from it. I thought internal audit had moved on from pure internal financial control some time ago. The Board I think is useful and the people on it are good, but the Standards themselves don’t seem to me to add much to the International Standards and are forced de facto to change as the Standards change (as their current consultation suggests).

The Institute ensures internal audit is principles-based. This makes a lot of sense. Yet I find that this allows a range of practice, some of which is quite dated and unhelpful, to continue. Tim Leech makes some helpful criticisms of this, though I don’t really agree with his conclusion or solutions (see Internal Audit – the next Blackberry?). In my current role I work across the international community and see a range of internal audit functions. Many I need to take a view on, whether they are suitable to meet my current client’s standards (for my client in part funds those third parties). I see a range of internal audit services, from the good to the very poor. This variation in performance is not often to do with competence or quality, but its positioning in the organisation. Does the organisation ‘get’ its need for good governance and internal audit’s role in that? If it does then the internal audit function should step up and deliver it. If not, then even the best placed and talented internal audit team will not make an impact. I believe that where an organisation has great internal audit it makes a seismic difference.

Then there is the Institute itself. I think the Global Institute and its federal members need to make a step change in how they organise themselves to really take the profession forward. This is not just limited to internal audit as a profession; the accounting profession has a similar set of challenges with a preponderance of institutes. What joins the accounting profession together are its global accounting standards, IFRS and IPSAS. What should join the IA institutes together is a single global set of standards. These are, however, not as specific and legally structured as IFRS or IPSAS, so this makes using the Standards as a binding force less tenable. Is there a need to make the federal structure tighter around the US / Global Institute (which has reached critical mass)? A single global platform? Lower overhead costs? Greater consistency? This would still seek to retain the best of local institutes but use the organisational efficiency of a single global organisation. Just a thought.

If I turn a little introspectively to my own team and internal audit service this year, I think it’s been great (I would say that, but the statistics, evidence and client feedback seem to suggest the same). We’ve got vacancies because my people are in demand across the business. That’s a huge compliment (also an interesting challenge). We have a fully risk-based approach and this is making a difference to my client’s risk management as a result. We are effectively an internal consultancy service (long-time readers of my blog will know I see little difference between consultancy and internal audit, see Consultancy or imposition?). We’re fully compliant with the Standards. We are full of bright and talented people and have successfully integrated internal audit and counter fraud teams and work. One of my team has even been recognised in the New Year’s honours list for her work, a personal and team accolade.

So I think I face 2017 from a professional perspective in an overall positive mood. One of my ambitions is to influence the profession more and help out with its improvement. I will explore ways to do that. Another is to focus on the promulgation of my own internal audit methodology, which I think is both fully risk based and transformative. It’s not rocket science, but it works and at scale. My team talks about the ‘Garnett’ methodology of internal audit so expect some copyrighted promulgation of it in my blog this year.

I hope all of my professional colleagues and partners have a great new year too and I look forward to working with you.

Continuing or continuous professional development?

I received a helpful reminder letter from the Chartered Institute of Internal Auditors (UK) in the last few weeks. It states that I should be aware that I need to do 40 hours of CPE (continuing professional education) for the CIA qualification and 20 hours of CPE for the QIAL. Some activities can contribute to both. I was concerned – why did the Institute feel the need to write to me to remind me? Had something changed? Was the guidance more strict? 60 hours seems a lot of formal CPE – two whole weeks? Surely learning comes from lots of different sources?

The UK IIA provides a helpful link to some guidance here. This guide states that the following activities contribute to CPE and the hours required:

  1. Attending courses, conferences, seminars and master classes
  2. Undertaking structured reading and research, including technical updates and guidance
  3. Working towards relevant qualifications
  4. Participating in external quality assessments (EQAs)
  5. Participating in, or leading, professional discussions or learning conversations
  6. Networking and sharing good practice with colleagues in the profession
  7. Leading meetings or projects
  8. Engaging in in-house training and development, by external trainers as well as by colleagues and peers
  9. Engaging in work-shadowing, job exchanges, professional placements and secondments
  10. Soliciting peer reviews and analysing feedback on own performance
  11. Receiving or giving mentoring and coaching
  12. Reflective practice, such as maintaining a journal
  13. Supported induction into new areas of activity, eg if you’ve been promoted or you’re on rotation
  14. Contributing to the activity of relevant professional bodies and their committees
  15. Developing and producing technical papers, reports and other resources

Wow. Almost every day at work for me counts. So this guidance does not really specify which activities contribute to each qualification and which do not. What’s the balance between formal and informal CPE (the old chestnut of reading the professional press etc)? The template provided makes this no clearer either, just a simple table – surely a spreadsheet would make better sense?

So let’s head over to the Global (US) IIA’s website to see if this makes anything clearer. The relevant link is here. Once you’ve got there it’s all a bit vague and fluffy, so you need to click into the detail on an ominously titled Administrative Direction Number 4. This is here. So the overall objectives seem reasonable to me:

  • To maintain their knowledge and skills.
  • To update their knowledge and skills related to improvements and current developments in internal auditing standards, procedures, and techniques or in their specialization area (government auditing, financial services, control self-assessment, or risk management assurance).

Then there’s a set of requirements for the Global Standards (presumably as part of the wider IPPF):

  1. To encourage understanding of The IIA’s International Standards, the Professional Certification Board (PCB) requires that certification holders incorporate review of The IIA’s International Standards as part of their annual CPE program.
  2. Certificants must review or receive training on The IIA’s International Standards during the CPE reporting period.
  3. In addition to reviewing the Standards, The IIA encourages individuals to review the Practice Advisories (accessible with an IIA member password) and other sections of The IIA’s Professional Practices Framework.
  4. Certified individuals will be asked to certify their conformance to the Code of Ethics and the International Standards as part of the annual CPE report submission to The IIA.

These are less good in my view. The annual training on the Standards? Well, they seem to change annually, so I guess any self-respecting auditor should know about them – but formal training? Or is this something more informal? Also, the Practice Advisories referred to are in fact not accessible to UK members from the US website or on the Global IIA website. There is also some lag between their publication on the US site and on the UK site. So does this mean I cannot certify to the Global IIA that I am compliant?

The CPE certification then states the evidence required:

  1. Title of program and/or description of content.
  2. Dates attended.
  3. Location of course or program.
  4. Sponsoring organization.
  5. Contact hours of credit as recommended by the course sponsor.
  6. A letter, certificate, or other written independent attestation of course completion.
  7. Documentation supporting publications, oral presentations, and committee or other participation.

So this must be for courses – but this describes a very limited view of professional training and seems to focus narrowly on formal training courses. As I get older and more experienced as a CAE I learn more from doing and from informal training than I do from formal training. Most training nowadays is not a formal classroom-based thing in any case.

Then we have a useful table setting out the CPE hours required. Its columns are: Use Certification / Designation?; Internal Auditing?; Annual CIA Required Hours; Annual Specialty Certification (CCSA, CFSA, CGAP, CRMA, Internal Audit Practitioner); Annual QIAL Required Hours. Its rows are: Actively performing internal audit or related activities; Not actively performing internal audit or related activities; No longer in the workforce.
This means I require 40 for my CIA, 20 for my QIAL and 20 for my CRMA (Certificate in Risk Management Assurance). I also hold the ITAC (IT Auditing Certificate from the UK IIA). This is not mentioned anywhere on the UK website. I’ve never been asked to pay anything for it, or return CPE. It does not attract post nominal letters, so perhaps that is why.

Fee prices take some time to find and are difficult to obtain; I found them here. However, just to report my CPE (just the admin cost of me filling in a web form in the CCMS (Certification Candidate Management System)) is $25 for the CIA and $10 for each specialty certification (my CRMA and QIAL in this case). So this is $45 just to fill in a form annually. These don’t seem to be on an annual cycle – reminders come in at various times – I assume all are due 31 December. On top of this I pay the UK Institute an annual fee – in my case paid through a corporate membership of the UK IIA held by my audit service. This, from memory, was c.£250.

So what CPE hours contribute to what? The directive begins to answer this question:

  • CPE/CPD hours earned can be applied across all IIA Global designations, with some exceptions.
    • CFSA, CCSA, CGAP, CRMA – 25% of the hours earned must be related to the specialty.
    • QIAL – Some CPD categories for QIAL do not apply to other IIA global certification programs.

So I need at least 40 hours. Of that, 25% must be risk management oriented. Also I need some extra hours that pertain only to the QIAL.

So what are these? Formal training courses (either internal or external) can contribute 20 hours to both CIA and CRMA. Again this is very narrowly drawn to be formal training courses with the requirements I set out above. Other categories include: a maximum of 10 hours of contributions to publications; translations of technical materials (max 10 hours); oral presentations (max 10 hours); and performing an EQA (max 10 hours).

For the QIAL the list of qualifying activities is more limited:

  • Delivering training on topics of relevance to senior practitioners of internal auditing;
  • Authoring new case study materials for the QIAL;
  • Acting as an assessor or moderator for QIAL case studies;
  • Participation as an assessor on a panel assessing QIAL candidates’ presentations and final panel interviews;
  • Acting as an assessor for the QIAL Portfolios of Professional Experience;
  • Receiving relevant training at an advanced level;
  • Serving as an officer or committee member for an IIA affiliate or the global body, or a professional industry organization relevant to senior practitioners of internal auditing;
  • Presenting at a conference;
  • Writing for one of The IIA’s publications;
  • Authoring materials for The IIA Research Foundation;
  • Contribution to external quality assessments.

So tackling these eligible items: the delivery of training (max 10 hours); authoring of QIAL case studies (max 10 hours); serving as assessor or panelist for QIAL (10 hours max, split 5 hours each for panel member and assessor); being trained (max 20 hours); serving as a committee member for the IIA (max 10 hours); presenting (max 10 hours); authoring IIA publications (max 10 hours); translations (max 10 hours); and performing EQAs (max 10 hours).

So what is all of this telling me? Well, first I think it shows the transitional mess that the UK and Global qualifications are in. UK members are stuck somewhere mid-Atlantic with no real clear and single reporting route for CPD. Second, I think the salami adding approach of certifications across the IIA needs to be streamlined into a single return to a single point. This should include a single fee. Third, I think the Global IIA needs to consider the value for money of its qualifications reporting – the fees are clearly above the administrative cost and their cumulative nature is not particularly fair on those members most committed to the Institute. Fourth, I think the definitions of CPD need to be modernised, less restrictive and more focused on real world learning. To get an external certification of an internal training course is challenging. Also, as CAE for a large audit team, with auditors at many different levels of progression, a formal training course is not likely to occur or be helpful. Instead we have smaller learning groups and a professional practices group, which is more flexible. Fifth, the UK IIA says it makes sense to use the normal appraisal and development processes applied in your organisation. These formal and restrictive CPE requirements do not play well into this.

One additional complication for me is that I am also a Chartered Accountant (of the UK’s ICAEW – Institute of Chartered Accountants in England and Wales). This has an annual reporting and fee deadline too (with a single significant fee). The approach from the ICAEW is thus:

‘Unlike some professional bodies, we don’t dictate how much CPD members must do. There are no set hours or points to attain. You simply need to complete as much development activity as you feel is required to remain competent in your role(s).’ See here.

They have an approach which is less restrictive:

‘You don’t necessarily need to attend training courses to maintain CPD compliance. We recognise that people learn in different ways, through several different channels.

These are the popular ways members stay up to date:

Read the ICAEW email alert – it contains updates and news relevant to your role
Attend a workshop, conference, seminar or webinar
Read a book or journal, such as a faculty publication
Participate in the ICAEW community
Arrange an informal training session with a colleague’

They have a ‘reflect, act, impact, declare’ approach. This treats the professional as a mature adult and enables a more reflective learning approach to be adopted. It also recognises that ICAEW members act in a variety of different roles, for which the training and CPD will look different.

I am afraid all of this rather makes the IIA’s approach seem dated and unhelpful. It’s odd, given accounting has a much more restrictive remit and role than internal audit, so broader reflection would appear more appropriate for internal auditing than perhaps for accounting.

So what do I suggest? I suggest the UK and the Global IIAs take a step back from the labyrinthine CPD and qualifications structure they’ve created. I think a single point of fees and CPD declaration makes sense. Why not do this through the IIA UK and share data with the Global IIA? I think the administration fees need to be looked at, especially as UK members cannot access global resources, despite holding a global qualification. I also think the guidance on CPD could be made shorter, clearer, and in a single place.

I take my CPD very seriously and it is a key priority for me and my audit team. The recent perturbation of UK IIA qualifications has been unhelpful and now needs to be tidied up and modernised, with clearer UK and Global integration. The UK and Global Institutes, in my view, risk competition from other Institutes if they don’t make membership an easier and clearer proposition for busy internal audit professionals.



Auditing Rogue 1 *spoiler alert*

So I have seen Rogue 1, the latest instalment of the Star Wars franchise. It’s really Star Wars episode 3.5, as it covers the period immediately prior to the original 1977 Star Wars film. Of course, whilst enjoying the film, as any self-respecting CAE will report, the main concern is: if I was head of internal audit in this context, would I have done any better?

I have to say I think the Empire’s internal audit function did a lot better than the First Order’s (see Auditing a Galactic Empire *spoiler alert*). So the story is about how the rebel alliance got hold of the DeathStar’s plans, which they used to such good effect in Star Wars.

The DeathStar’s data was not leaked by the disaffected DeathStar scientist Galen Erso. The best he was able to do was to find a single Empire freighter pilot to send a message that there was a weakness in the DeathStar’s plans and construction that could be exploited if the plans could be obtained. This suggests to me that, although the Empire knew Erso was an unwilling and untrustworthy employee (they had no choice but to employ him as they needed his expertise), they did put good data controls in place. Remember this is in the future; there must be many ways to communicate data secretly. I am not sure why controls and QA of the designs were not put in place, though. Surely a fatal flaw would be something to check for from a disgruntled employee? Perhaps it was too technical? Although it did not seem to need collusion from the other scientists – which seems to be their view (although they got shot anyway).

It also seems that the Empire was onto the disloyal and lost freighter pilot who had the message for Erso’s daughter and the rebel alliance. So I would be fairly comfortable that HR establishment controls were up to snuff. After all, there must be millions of pilots and staff working in the Empire across the Galaxy.

So this is all good. Excellent internal control and a happy head of Empire internal audit. Then things seem to go wrong. First, it’s not that difficult to identify where the secret plans were held. Everyone seems to know the Empire has a single archive (which appears to be a single point of failure itself, as no backup is mentioned). This archive is held on Scarif, which has a reasonable set of protective and detective controls (a shield around the planet, controlled entry, lots of guns to protect it).

But once again it is lax implementation of operational control that allows the rebels in – a simple failure to recode the entry codes on the Empire freighter the rebels stole. They seem to get landing rights and a very small welcoming party. How often as a CAE do we see that the weakness in a business critical control is down in the weeds? Why were the freighter’s codes not invalidated automatically when they knew it was stolen? If they did not know it was stolen, how can the refresh of the codes be so infrequent, rather than being updated more often and automatically?

Access controls also fall apart once in the building holding the archive. A single droid with access (again a stolen Empire asset whose access had not been removed) is able to identify the location of top secret data. How? Why? Where was the monitoring? Why did this not trigger a lockdown?

It seems that the Rebels’ plans were only picked up by very senior people (the Peter Cushing look-alike) and Darth Vader. I have seen it said that the Force is the control, but as auditors we should not be Jedi auditors and rely on the Force. If I can’t see it, taste it, smell it, hear it, or touch it, ‘it’ doesn’t exist.

The data could simply be removed on a card from the tower of server data. I would have thought the data would be virtualised and not held in one physical part of the server. Also, the ability to open the relevant data storage card seems odd too.

Finally, the data was able to be transmitted using their main transmitter, despite the base being on lockdown! How? Why were external comms, or removal of data at that scale, possible at all? This was an archive, surely?

So I can see a lessons learned exercise being conducted by me as the Evil Empire’s CAE. I am not sure I would conclude that controls were inadequate, though a full review of the debacle of the now destroyed Empire archive would, I think, be needed. So would I have done any better as the CAE? I think the data archive bit would have been better, to be honest. So overall, a ‘generally conforms’ from me for the CAE of the Evil Empire, but not fully compliant!


Internal Audit – the next Blackberry?

So in this post I want to consider the work of Tim Leech from Risk Oversight Solutions. He is critical of internal audit’s paradigm paralysis, see Risk Oversight Solutions critique. I have to say I do think there is at least some truth in his view, but disagree that it’s paradigmatic.

In this blog I have been critical of internal audit’s adherence to a way of working that, in many organisations, sees internal audit marginalised and ignored. It’s something to do with the paranoia that internal audit has of there being one right answer to how internal audit is done. Most CAEs I know have a strong, almost religious, quality to how they see the work being done. These religions have their own practices and cultural totems and mean that CAEs find it difficult to accept differences of style and structure.

So what’s Tim’s critique?

First, that enterprise risk management (ERM) is a flawed concept as practised by most organisations. I think I would agree, not because the process of being clear on objectives, writing down risks, and then considering their mitigation is inherently wrong or unhelpful, but because it becomes an exercise to be done, rather than lived. Most organisations define control outside of risk management, i.e. good control is not the adequate mitigation of risks to within a desired or target appetite, but is something detached. In other words, risk does not relate to the real management. So I think Tim’s criticism of this is valid. He makes a leap, in my view, that if internal audit is then hitching itself to this faulty waggon, then it, by implication, is problematic. Tim’s suggestion is objective-centric registers. I agree, but this is a risk management in practice point, not a theoretical point, as risks derive from objectives.

He then suggests internal audit provides an annual opinion on the data prepared by the management team on these residual risks. Well, I agree, and those internal audit functions that opine on ‘control’ as distinct from the quality of the mitigation of risks are missing a trick. This is not, though, a problem within internal audit per se or its standards. A risk based (properly risk based) audit approach is compliant with the standards. Perhaps the issue he is flagging is that a non risk based approach is also perfectly possible within the IIA Standards, and I agree that is problematic.

He then talks about the paradigm of internal audit being about starting with an audit universe (dividing the organisation into pieces) and then auditing them. He is critical not of the direct report or attestation on a management assertion point, but of the link of those plans to risk. Here I think Tim is critical of internal audit practice, not the paradigm. I’ve said on this blog before (Roots or routes of strategic audit) that it’s difficult for anyone to audit strategic risks and they need to be broken down. As risk management changes constantly and is a web of control, not a conscious simple framework, is it any wonder that any breakdown of this into meaningful chunks is difficult? I don’t hold that this is a paradigmatic issue per se, but one of effective practice. I am not a great fan of audit universes (Audit planning: helpful or not? and Universal success?), but the idea of breaking something down and trying to focus with limited resources in each period seems sensible to me.

So the critique by Tim seems to be that internal audit does not seem to focus on the net risks flowing from key strategic and value creating objectives. Well, this critique may be true, but it equally applies to management teams, who do not always focus on the things that matter either. Again, this is complex. Who would have thought that the biggest threat to value creation in Volkswagen would be the emissions testing department? So I do think the issue is not paradigmatic, but one of the quality of application.

The core criticism seems to be that internal audits are limited when they form subjective opinions on whether controls are adequate and effective or not. The whole point of internal audit in my view is the formation of an independent opinion. It is its independence and objectivity that is its unique contribution to the organisational eco-system. If that opinion is a risk based one, i.e. it forms a view on whether risks are as the management team has assessed them, are mitigated to within the organisation’s risk appetite set by the board and mediated through the management team, and that the consciousness within which they have been developed is mature, then I think that is valid.

These are implementation challenges, not paradigmatic ones. I think internal audit is more needed and more valid now than ever. The globalised world is full of complexity and mature, large-scale organisations that need meaningful challenge and independent support. Surely we, internal audit, are well placed to do that? I don’t deny the challenge of relevance, quality, the non-risk based nature of some audit services etc. but these are not paradigmatic issues, nor ones the current standards mandate.

What do you think – internal audit – Blackberry or pillar of good governance?

Healthy audit

It was World Mental Health Day 2016 last week. DFID, my current client, has a strong record of support and engagement with the challenges being raised by mental health. In the contexts in which DFID works, with trauma and humanitarian disasters, the effects on mental health can be as significant as the physical ones. In the corporate world mental health is a strange thing, in that we tend to treat it in a binary way; you are either well or ill. This is so different to how we treat physical health, which has a range of states (from severely ill to ‘feeling under the weather’). Also, because mental health does not always have physical manifestations, it has a sense of stigma (which is quite unjustified). We simply find it difficult to talk about.

As I’ve got older and my home and work life have become more pressured, I’ve come to realise that mental health is not a simple binary issue; it’s more up and down and analogue. I am generally very stable and have strong mental health, but I need to look after myself more. I need to have breaks, I need to consider more actively how events make me feel, and how I might react to periods of pressure. In effect my mental health does vary during the year, during the month, during the day.

So how does this important issue relate to internal audit? I think internal audit is a unique profession within most organisations as it has a role to be objective and independent. IA has a role to challenge the organisation. This makes being an internal auditor or CAE prone to having difficult conversations. This can be stressful.

The biggest professional challenge I think young internal auditors face is to learn the ability to challenge without upsetting, to be direct without being offensive, to challenge without being conflictual. This is not a simple skill to learn, as one person’s direct comment is another’s overly strong challenge. So the ability to challenge within the capability of those being challenged to cope requires not just the ability to deliver the challenge, but also to ‘read’ how this is being received.

As an example, in my current client my auditors are required to work together on overseas audits in fragile and conflict prone places of the world. This requires real talent and resilience from the team lead and team members. In my view it requires the teams to really look after each other, both in terms of work and living circumstances (as being away from home can be difficult and challenging just on its own). Also colleagues are, in the evenings, neither in work, nor at home, so a little bit of slack for colleagues to be suboptimal is required (we all get grumpy sometimes!).

The CAE needs to be able to do this not only at a one to one level, as any internal auditor does, but also at an organisational level. So this ability to deliver challenge needs to be within the bounds of what the organisation’s management, governance and audit committee can cope with. A great way to test this is within the audit committee. In my view a good CAE engages the independent members and top executive attendees of the audit committee in a joint change agenda. This allows the committee to then be a place where a shared vision of organisational enhancement and reform is tested, evidenced (through management papers) and validated (through audit papers). It becomes a safe organisational reform forum.

One of the professional IA maturity points I look for in my team as they progress their careers in audit and counter fraud is the ability to deliver challenge, have difficult conversations, adapt to individuals’ responses and read the room. Some of the best places to practise these skills are audit closeout meetings, report review meetings, and most especially the audit committee. Presenting to the audit committee is a key challenge in my view. The questions are normally incisive, to the point and challenging, and the ability to give answers that are truthful and point out real challenge, but keep an engaged management team, is one delivery challenge that is key.

It’s been gratifying to see my auditors at all levels engage in this delivery of the challenge process. The ability to be highly socially skilled is a core audit skill. This is practised first with each other in the department, then wider with clients, then in bigger, broader and more senior contexts. For the top talented auditors, the ability to recognise each other’s mental state, their level of exhaustion, pressure and general energy levels, is really important. A simple ‘are you alright?’, ‘take a few days off’, or ‘let me handle that meeting’ is so valued by me when I see my team do it. It shows an audit team that really works together. I hope that I read my audit team in the same way and provide that level of support to them too!

I also think a CAE has a role to provide the cover and support for their team to be able to deliver difficult challenge. It is also their role and responsibility to ensure their team recognises this is a powerful and privileged role of audit, and to make sure it is delivered in full support and cognisance of the effects on those upon whom it is used; in other words, used responsibly. For delivery of a message directly and straightforwardly is not, sadly, usual in modern corporates. We are now more used to avoiding conflict and challenge, or being passive in our critiques or concerns. I believe in being straightforward as a general principle as I think it is respectful of those to whom you are communicating and respects their ability to receive a message in a professional manner, if you are. Of course one needs to temper the message and the method of delivery for its audience, the sensitive, the weaker minded and the more junior in the organisation; but I was always taught to think through issues professionally and to respect client feedback, so perhaps I am used to both receiving and giving these messages over my professional career. Perhaps it is an auditor trait?

I have a number of roles, both in my day job and in my roles on audit committees and boards as a member, where I need to apply this skill. Do I get it right all of the time? No. Do I try to? Of course, yes. The whole point of IA’s objectivity is to identify issues and problems that need to be tackled in a way that the current actors are either unable or unwilling to recognise and do. Then the point of independence is to be able to say these things and put them on the record such that they are then dealt with. It is this responsibility, as I see it, that makes being a CAE stressful.

In my view internal audit cannot avoid this challenge role, as it’s the one unique feature of IA. So internal audit needs to break some eggs to make an omelette. This means being cognisant of others is a key, and core, audit skill. It also makes managing our own mental health and those with whom we work a core and key part of our roles.

So how do you maintain your health, a healthy audit team and a healthy client?

New 2017 IIA Standards – Good or bad?

The global IIA announced new standards on 1 October to be applied from 1 January 2017. So, as a CAE and member of the UK and Global IIA, I will have to comply (even though my local standards, the Public Sector Internal Audit Standards, applicable to the practice of internal auditing in the UK Government, will not be updated quite yet).

So let’s have a look at the changes shall we? 2017 Standards (marked up changes)

The first interesting change is that internal audit is for organisations, not within them as previously. This recognises that for many organisations IA is provided externally. Now I have a view that IA is less successful when delivered this way, but even I must recognise that some organisations are small and struggle to maintain a high quality in house service. So this is a sensible change as long as it is not the thin end of the wedge, making IA no longer part of a standard organisation’s control and assurance infrastructure.

The next changes promote the primacy of the Standards over any other standards. This will be interesting in terms of seeing how other local standard setters and bodies react to this. I think the Standards are well established now, so I’m happy with this.

The idea of establishing principles based standards is sensible, losing the mix of compliance and principles as previously. I am a great fan and believe that the best internal audit services mould to their organisations, subject to some unchanging principles, so I am keen on this change.

Updated references to the professional practices frameworks are sensible too. I think the whole package makes sense now, so having the pieces independent of each other no longer does. So this is a sensible change too.

Of particular interest is the IIA’s response to the consultation, saying some respondents misunderstood objectivity and independence. Interesting. It’s worth looking at the glossary for the definitions of each. So for objectivity:

‘An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.’

Let’s compare this to independence:

‘The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.’


So objectivity is the requirement to form our own view, and independence is the set of conditions that allow us to form our own view. This ties into the edit on page two, which removes ‘independent’ from opinions and leaves it for the auditor. So the auditor is independent but does not form independent opinions, but rather forms objective opinions. That’s quite an interesting nomenclature change and one that is more than just semantics in my view. I welcome it, for objectivity is a mental attitude, not some organisational or structural comment. Indeed, being paid by and working for an organisation as an internal audit function promotes far greater objectivity than being paid as an external contractor.

There’s an interesting nod at the bottom of page two for us CAEs. We don’t only have to comply for our own audit work, but also for the work of the IA services we lead. This is not new, but this ‘additional’ responsibility, now spelled out, is notable.

So – to the attribute standards. 1000 spells out that the mission and all elements of the international professional practices framework must be complied with and included in the IA charter. This will need me to review mine (which is due a refresh anyway), so I would suggest you familiarise yourselves with the mission in particular. Standard 1010 requires that you have this chat with your board, so I would suggest a paper to your next audit committee.

1110.A1 requires us CAEs to report any scope interference to the board. Presumably not every last little intervention, but any significant limitation or change to scopes. I’ve written lots of times about scoping, and I don’t see it as contracting, so reporting adverse interference is fine with me, though I would consider it unlikely to ever come to that.

Standard 1112 – Here’s the great change in my view. This standard recognises that IA can and does do a number of governance activities (because we are best placed and skilled to) outside of just internal auditing. I’ve written about the nonsense paper from the UK IIA prohibiting whistleblowing (Whistleblowing – another thing internal audit cannot do?). This puts this nonsense to bed in the standards. For this is all fair game, as long as independence and objectivity are safeguarded and suitable assurance over the performance of this activity is put in place (as the board requires a five year assurance over assurance). Well done Global IIA!

1130.A3 – Another sensible step. If we review something or consult on it, we can audit it subsequently. As long as IA did not get intimately involved in risk treatment decisions in doing the original consultancy and as long as you use another part of the audit team to do it. Another triumph for common sense – well done!

1210 – Another sensible change requiring competency to include currency. This means we need to be current in our knowledge and research for our assignments. This underpins a long-held belief of mine that CPD is continuous. Of course this is obvious, but making it clear in the standards is a great thing in my view.

1300 – A requirement to engage the board and audit committee in continuous improvement of internal audit. I think a good CAE does this anyway, encouraging support, input and transparency of performance monitoring to the audit committee. Indeed I’ve been really lucky to have extremely high quality audit committee chairs to support and cajole me to perform. As an audit committee member myself I take this element of my role seriously too; IA risks being unloved, and this can lead to under-resourcing and a lack of seriousness from the management team.

1312 – Requiring an audit opinion on the audit of the internal auditors seems sensible to me. We as a profession put such store by opinions, so we should be subject to them too. I welcomed mine (Generally conforms?). Board oversight of this is really important, both to give the exercise credibility and to allow the Board to engage with the outcome.

2000 – Well done on the Standards picking up that IA is only successful when it is up to date and relevant. This means really understanding the challenges an organisation faces now and in the future.

2050 – Now this is interesting. So we can formally rely on others’ work, and I think that is sensible, but there are two interesting caveats. First, the reliance is not blind faith; it’s done with a full knowledge of the scope and quality of the assurance. Second, the CAE remains fully accountable for their opinion and cannot pass blame to others. A sensible set of changes, as IA is too small to do all assurance (The one percent).

2060 – Reporting to the Board – a small but important change here – we should report when the Board needs it, not when they request it. This is a sensible change, as IA should push the Board when it needs it; we are and should be more than bystanders when something major goes wrong. I am not a fan of the list of things it must include. This seems odd. Most Boards don’t need all of this information, and most of these data are reported to the audit committee of the board in any case. I would have this as a list of suggestions.

2100 – Another slightly strange addition saying we’re most effective as internal auditors when we are proactive, offer new insights and are forward-looking. Well yes, but does this need to be in the Standards? No. Not really.

2010.A3 – Another not needed list of the obvious. It’s interpretive, but not really needed in the Standards – another edit to remove in my view.

2410.A1 – This is another opportunity missed, leaving assignment work as having to provide conclusions, but not an opinion. The interesting thing here is that assignments must include ‘applicable recommendations and/or action plans’. This is a blow to those auditors who no longer provide any suggestions or recommendations. One to check for some services, otherwise they will no longer comply with the Standards.

2450 – We should support our overall opinions with a summary of the information supporting them. No short opinion with little backup. A number of the professional services firms will need to review their annual report formats in my view. Is this the end of exception reporting? Perhaps, or the promotion of a more extreme version of it?

Glossary – The definition of the Board is interesting, particularly with the list of data we are required to present to them – the Audit Committee is also the Board, so perhaps the detailed list of reporting I am critical of would make sense where the Board apparently includes just its sub committees too. This is a bit odd and I think needs to be tidied up in the next version of the Standards. If you mean Board, mean it; don’t then widen its definition in the glossary.

So overall, a sensible set of changes to the Standards, which the profession should welcome and not have too much difficulty in applying if they are doing a good job. There are a few too many lists in here for me that seem odd and out of context for the Standards, but I’ll take those for the other changes, which on balance are positive. So when are you writing your briefing paper for your audit committee?

CAEs – take a break from audit

As a CAE with both counter fraud and assurance under my aegis, I have a chance to move between the two. I’ve written a few times about my current (pre)occupation with enhancing and building a world-class counter fraud function, see Fraud assurance. This means that I have been (relatively) good at letting go of my iron grip on assurance.

So as I approach our first audit committee of the new term this coming week, it’s nice to come back to my assurance team’s reports, some of which I have been relatively distant from, to see them with fresh eyes. What a refreshing and new perspective it’s given me. Yes I still think the reports are good (of course I would, I designed and built the methodology and trained and hired the team), but I can also see them as new.

The other reason for the fresh view is that I have spent a lot of time in the counter fraud role, which, although it is a governance function (and therefore independent of management), is more closely and immediately intertwined with the management agenda. So we all know fraud is not just: find a problem, investigate, conclude, prosecute, job done. It’s all about currencies of negotiation, dealing with people and culture, working out what the business wants and how it will get there etc. In other words, the management agenda is front and centre of the counter fraud work (including the timing of deliverables) in a manner that in assurance and audit it is not.

So what insight has this new objectivity and distance given me into my reports? Well, a few formatting and style issues that need a light touch on the tiller to redress, a welcome recognition that the underlying quality of my people and the work they produce is really very good, assurance that audit would not atrophy as quickly as I imagine should I ever become indisposed; but the more insightful thing is that we need to work even more on being straightforward. We should say things as we think they are. We should focus on being clearer in our communications.

As my current and ex colleagues know, I think the usual nonsense of report writing training that says you should write for a five year old is not helpful. If something is apposite, it’s apposite, not ‘the right time’ or ‘timely’; they have similar, but slightly different, meanings. Yet I recognise that perhaps the biggest change we need to make to our reports is just to have a little more white space, a little less text. Also our report writing style is very formal. Very technical. That’s good, and one of my biggest criticisms of most auditors is that their work is not very meaningful as it is not intellectually sound. Either reports are pseudo science, but actual nonsense; or they are bland and lacking in any technical view or judgement, such that meaning is difficult to discern. I think our less successful reports err on the side of being overly jargonistic and technical to hide a lack of real analysis or assessment of the underlying risk position.

I should caveat these observations by saying that I am coming back at my own and my team’s work with a laser-like critical eye, so these are all at the very extreme margins and belie the top quality running throughout the whole body of work. Also, what we look at is complex and difficult in my team, so the right answer often does not exist, and they do a great job of dealing with that.

It’s also interesting to observe the cultural and quality standards that are expressed in an audit department’s audit reports. For a good audit department should express its reports consistently; you should not see individual auditors’ work or their agendas or style coming across. I think the CAE’s hand is really important to ensure this style is how they want it to be. So having had a period a little away from my assurance team, I am glad that my culture is still reflected in the reports.

So I think having had a break from audit is good; it gives a CAE a little time to reflect, reset the tiller and the overall direction, and to be assured and pleased about the progress made to date. When’s your next break from audit?

Internal audit architects?

I had a chat to my mentor this week. Having a mentor is fantastic, someone who can really challenge your perspective and give a completely objective view. As a CAE I think it’s necessary. Being a CAE can be a lonely role in any organisation and my mentor, being a world class CAE herself, is really able to understand how I, as a CAE, can feel sometimes.

The challenge this week was to consider career development, mine for a change, as I spend a lot of time thinking about the careers of my audit team, both to ensure that they are being challenged, but supported, and that there are suitable career steps for them (and for my department to ensure it has enough talent pipeline to manage the exigencies of modern organisational delivery).

I have tended to stay in my roles for a reasonable period of time, normally 6-8 years so far (I am always nervous of the two year mover – they never have to live with their work or decisions). This made more sense when I was first a CAE in my own right, as I was young for the role (29) and had lots to learn about management, audit methodology, auditing itself, corporate organisations and general technical stuff, all that quite aside from the interest of learning a new organisation and its business. Yet now I am older I have the technical stuff (though every day is still a school day) and I have a strong and demonstrable record of management and audit management in a global context and at scale. Yet as I get older I find the ‘newness’ in roles becomes less.

One of the great career boosting things about internal audit is that you can cover a whole organisation and never really have an ‘adult career’ stuck in one part of an organisation. This ‘Peter Pan’ ability to look at everything as and when the fancy takes me (being CAE has some freedoms as well as a lot of pressure and limitations) suits me. I have a short attention span and like solving problems. Once solved, I like to move onto the next thing. [Just for the record, that does not mean I don’t see things through or have a forensic eye for detail when needed (for any potential recruiters reading this), but that my natural style is inquisitive.] I think that’s why I loved doing my MBA so much. This ability to reinvent roles and the ability to add things (non executive roles, charitable roles, study, representation in organisational groups etc) has meant that I have been able to change roles relatively infrequently, whilst actually varying my role quite significantly in post.

I have now added counter fraud at scale as a significant element to my current role and this has been a new area of interest and development for me. There is little technical and established practice out there, with counter fraud work being relatively (compared to internal audit) immature. So it has given me a chance to invent the wheel and work out what works best.

Yet I do feel, as I become more senior, a pressure to take on new roles with more frequency. Each time I do this, I seem to have the same challenge; that of turnaround. I seem to find each audit department I take on needs to establish itself in the business, release the talent of the current staff, add talent from new staff and structure, improve its methodology, improve its client organisation’s risk management, and generally improve to be business relevant. Internal audit done well, I believe, is a must have for competitive and delivery advantage for any organisation. It just makes sense from a CEO and governance perspective.

So am I a turnaround specialist? Should I only be happy when reforming and enhancing a department, or can I take pleasure, challenge and satisfaction from running a good department as well? As the turnaround task becomes easier with practice, perhaps my lifecycle of role satisfaction is decreasing.

I think all of the greatest internal auditors are ‘architects’ (a term helpfully provided to me by my current deputy). What do we mean by this? Well, it is the ability to set or identify strategic objectives, then diagnose the problem, identify the broad principles of a solution, and finally put in place a set of coherent actions to deliver this. Architects need the ability to envisage (or envision if you’re American) something that is not there. This is not just an internal audit skill at a leadership level; it is one each internal auditor should have at each level. Auditing what is there is easy; auditing what is not, and what should be, is much harder. I think it is that ability and emphasis that marks out internal audit as a profession from our management and other professional colleagues.

So in my CAE role I do act as an architect, in every paper, audit report, technical and risk challenge I face. Thinking about blank pages and filling them is tiring however, and I am lucky that I have a team with lots of this capability itself. Perhaps it is doing this stuff that keeps me challenged and interested?

So perhaps the challenge is to find enough building in my role to keep me interested, for once a building is built, it requires little architectural input. Internal audit as a profession is one that, uniquely, has significant capacity to challenge and develop, so I feel sure that this is possible.

So what have you built lately?