Management and audit – two sides of the same coin or different currency?

As a CAE I am required to attend the audit committee. It is something I have done for the majority of my professional career, and it has always been a professional and personal challenge. It never seems to get any easier.

One thing the audit committee process does is force me to work with my management colleagues. I cannot produce audit committee papers on my own. I need the management engagement, support and response to make the audit committee process work. This presents a professional challenge, for it is the time when I act most like my management colleagues, i.e. using persuasion, collaboration, cross working, shared effort, as opposed to the arguably more detached and institutionally created, demanding approach to audit. I can demand to audit (of course one doesn’t, one works collaboratively, but I could demand to be able to audit). I cannot demand a suitable management response.

In discussing reports and audit results I do have perhaps a more liberal and relaxed approach than that of many of my CAE colleagues. I don’t see the draft audit as fixed and to be ‘responded to’. I see it as a starting point for a conversation, debate and discussion about risk and challenges. I see audit findings as a shared challenge and set of questions that internal audit and the management team should debate and discuss potential solutions to. So in some ways we face the same problem but from different sides of the coin.

Yet, for every audit committee in every client I have ever worked at and with, getting management responses and producing audit committee papers on a timely basis has been a chore and hard work. At some point the conversation needs to stop and a response be provided. I sometimes think this is because we (as auditors) and managers do sometimes linger in the old world of audit as an accountability and checking mechanism. The audit report is seen as a gaming process, to be batted backwards and forwards until a negotiated settlement, one that is not too ‘critical’ of the management team and will be seen positively by the audit committee as such, is published.

Yet I see it differently. I see audit as a collaborative, shared, cathartic approach, where the value lies less in whether the audit report is intellectually or scientifically ‘right’ and more in whether the process of debating it has really moved our collective (audit and management) thoughts forward. In other words, does it prompt change, or a conscious and comfortable adoption of the status quo (both are appropriate outcomes)?

Also, I don’t see a particular need for an audit report to be agreed at the point of publication. Yes, broadly you don’t want diametrically opposed positions, but does the challenge and debate of an audit report need to be settled at the point of audit committee publication? I would say not. The reason I say this is because the very best auditors look forward into the future or ask the really big questions. This is the real value of a good internal audit function. They say things the management discourse has not yet got to, or that are not yet current currency. So for example, in the Tesco context, the internal audit function should have said, ‘look, our business model is becoming unsustainable in a fundamental way here, and I see the pressures (albeit small at this point) beginning to show’. That may have saved Tesco a lot of its current stress. Most of my best audit reports have said, years before the risks became issues, what the real problems were. The management team have looked back at the original audit report and valued it retrospectively. My previous boss accused me of having a crystal ball; I explained that I simply knew that unmanaged risk will, eventually, somehow, become a set of issues.

I don’t really see management as being fundamentally different from audit. We both face the same complex, messy world, and this world does not get easier or less challenging. So a good audit report should really push the debate on, push the organisation to adopt a position, and be seen as an organisational and process matter, a risk management debate. It should not be seen as a criticism and judgement of individuals, for control environments are almost never ascribable to a single business unit or process, and never at the level of an individual.

So why then do audit committee papers push two parties with a collaborative and joint interest to adopt such different positions? I suspect it has less to do with how the auditor or individual manager thinks about audit (many now have much more modern views than the traditional inspection model). I suspect it is a fear about whether others still see the audit model in those terms. So do the audit committee members see it as a process of compliance inspection? What about our publics and stakeholders? Again, in reality, a lot of modern audit committees don’t see internal audit in those terms; they are on board with a more collaborative approach.

Yet, whilst modernity is beginning to come to audit practice, it is still difficult to see this in public audit discourse. Our institute is still obsessed with independence and objectivity. It still sees this divide in absolute terms, and in prima facie, two dimensional, terms. For independence is a state of mind, not a set of rules and processes. In pushing this divide it pushes audit and management teams apart. Instead of being two sides of the same coin, it forces us to be different currencies.

So next time you are preparing your audit papers and thinking about why the process is difficult, perhaps take comfort in the fact that a good audit approach pushes an organisation, and that no one likes to be pushed. So are you the other side of the coin or a different currency altogether?

Adaptive audit

Last week I attended a conference of international development professionals discussing adaptive programming (or projects, for those outside the international development world). For a short readout see:

Adaptive programming is a sort of ‘agile’ project methodology for aid programmes, in other words, a contingent, try-as-you-go methodology for seeing ‘what works’ in international development.

Unlike IT, international aid is solving genuinely complex problems, or ‘wicked problems’ for which the causes of the failure of development or continued poverty are multifaceted and difficult to pin down. For example, is poor nutrition in a country due to barriers to economic development, lack of basic resources, cultural issues, poor political and state governance, or a complex messy combination of all of these? I would suspect the latter. If so, how can any programme of international aid make a difference to this?

Standard programmes require a clear definition of the problem, clear designed solution, and then systematic, orderly, well controlled, project implementation of the solution.

Just as this is being recognised as not possible in IT programmes (i.e. you cannot predict 100% of the problems in advance), it is even more so in development programmes. IT’s solution is agile: a reflexive, adaptive, contingent approach to solving the problem, with many learning loops within a non-linear process. Adaptive programming (as I have interpreted it) is the same thing in an international aid context.

So where’s the relevance for internal audit? Well, internal audit in its traditional form is great at assuring standard, linear projects. You review the process and the design of the process: will it deliver a good project? Most organisations would have some familiarity with PRINCE2 (I’ve not seen anyone really apply PRINCE2, by the way). Fabulous: you can send junior staff to look at a book of rules; if the programme is complex, send a more senior auditor (who can take some judgement or view of the rules). Then tick it and report non-compliance.

What about adaptive programming though? A vague project plan, lots of changes, lots of judgements, a lack of evidence (save implementation results). This requires auditors who are happy to work ‘off piste’ and without a rulebook. So what do they rely on? Common sense? We know this is in short supply. Also, whose ‘common’ sense is it? When an auditor is unclear which way is ‘up’, how can they audit in this environment? For surely all adaptations can be appropriate?

Well, as ever, and consistent with my audit mantra, internal audit needs to move away from being scientific. There is no definitively right and wrong in the real world. Yet I am not ready to sacrifice the idea of things being wrong or unreasonable totally. For then internal audit becomes nothing more than an impressionistic, artistic, other voice in the organisation. If all decisions are right, no matter the results, outcomes, resources expended, or risks taken, then your basic rules of governance collapse.

What I mean by this is that governance is about direction and control. The board, or equivalent, and senior management need some framework to do this through. They need a framework to approve and control activity within. Normally this is the risk framework, i.e. the organisational and management risk appetite. This is expressed in many forms, finance delegations, formal risk delegations, key controls and authorisations, policies, legal restrictions etc.

So I, as an internal auditor want a framework, however lacking in granularity and however much adaptive flexibility it has, to be consciously applied in an organisation. The auditing of this framework is adaptive auditing. Yet when a business is introduced to adaptive auditing, that is an audit function that is happy to see adaptability applied in context and does not want to see a rules-based culture imposed, the business struggles to adapt to adaptive audit.

It must be odd for many in management teams for an internal auditor not only to accept a lack of rules-based compliance, but to want to see this model applied in practice. But let’s be clear: adaptive programming, and the demands of an adaptive audit, can be challenging. In particular I think agile audit, adaptive programming or any non-rules-based method of management require more control, not less. It requires a clear articulation of the current position at any point in time, that is, a justification for the current control environment. It also requires a clearer view of why things are where they are at present, a clearer view of how success will be monitored, and a clearer view of what would need to change to provoke further control changes.

So this is what I mean by adaptive programming requiring more control, not less. It requires a more conscious articulation of the programme. It requires a better audit trail of previous decisions. It requires a more thoughtful justification of the programme.

Similarly adaptive audit is much harder to manage and deal with. Auditors are taking judgements. This therefore requires a higher quality of auditor. More work to co-produce reports (although ultimately they are independent). More work and higher levels of management engagement during an audit to discuss complexity and difficulty. More openness and honesty about risk and ultimately, failure.

So are you and your client organisations ready for adaptive management and adaptive audit? I would say a lot of organisations have a way to go. It fundamentally requires the audit and management relationship to be reset. No longer an adversarial game, but a collaborative effort to face complexity and challenge together. This will require some sanguine understanding of risk and audit by regulators, governing bodies and senior management.

Are most clients I have worked with ready for this grown-up relationship? Some, but not many. It is the line between artistic chaos and socially-scientific control frameworks that is difficult to pitch. This will vary and cannot be always clearly articulated. If we can open ourselves to trying this model though, it would benefit both audit and management teams alike.

Objectively speaking…


Value Proposition - Objectivity

I am cracking my way slowly through a PhD – bizarrely in marketing (don’t ask – it’s a subject that fascinates me and is I think a much neglected concept to be studied critically). As part of this I am working with three case study organisations. They are very diverse, large, complex and high performing (in their fields of expertise). It is nice to be able to spend some quality time with some diverse organisations.

What has struck me in various conversations is how all organisations need a critical eye. They need a party that is knowledgeable, confident and capable of understanding how the organisation really works to challenge them. This challenge needs to be done after the manner of a friend: robust and direct, but with understanding and compassion.

So many organisations reach out for this robust and critical challenge that really says what needs to be said, but struggle to obtain it. They employ consultants who tell them what they want to hear (they are the people paying, of course), or tell them nonsense (because they have not really understood the question or organisational context). Or they submit to inspectorates with reporting and agendas that will play out in the public domain, meaning the result is either made bland or driven by other organisations’ views of the world. Both of these methods of feedback can, of course, work. Yet in practice they do struggle to consistently and helpfully challenge organisations in a way that enhances, builds and moves their client organisations on.

I believe good internal audit can do this. Good internal audit, that is accepted by the client organisation as a friend. For only once an organisation loses its inhibitions can it truly have an honest and open discussion with its internal audit service and itself.

Yet accepting this level of feedback is tough. Tough for the organisation as a whole, tough for the individuals within it (many of whom believe criticism will be career limiting). Most of all tough for those who govern the organisation. For it is difficult to accept that something you direct and control is suboptimal, let alone, poor performing, and those charged with governance are accountable for the organisation’s failings after all.

Yet this is also tough for internal audit. As a CAE my preference is to deliver thin reports, spreading good and positive assurance news. Shorter to draft, easy to quality assure, easier to deliver, positive response from all parties, etc. Being a challenging, difficult, bad-news-delivering, argumentative, stroppy CAE is neither easy nor enjoyable! Choosing which items to deliver and in which order is much more challenging and difficult.

Yet, if an internal audit function can get its client organisations into a good space where both parties take the pejorative element out of internal audit and the process of review, then there is a better outcome to be achieved. This requires both parties to see issues and risks in objective terms, to accept that both risks and occasionally issues, arise in a resource constrained, complex and challenging world. If internal auditing can be seen as a collaborative process to lay bare reality, with a view that the process itself, even before an outcome, is cathartic and useful, then internal audit can really leverage its USPs (unique selling points).

For internal audit is uniquely, independent and objective, yet engaged, interested, supportive, and understands its client organisations. So, objectively speaking, where else, either inside or outside of the organisation, do you get this confluence of unique features?

So when I am in conversation with an organisation and they ask for a source of objective but supportive review and challenge – I shall say – look no further than an excellent internal audit service.

Supply chain auditing – a step(s) too far?


A few weeks ago the BBC documentary programme, Panorama, published a programme containing allegations about Apple’s supply chain. Not really news I hear you say? Apple has long been accused of having poor supply chain practices, ranging from poor workers’ rights through to poor environmental or social records.

The Panorama programme, in case you missed it, made allegations that despite the public commitment of Apple to clean up its act, it actually had not done so. In particular it alleged that one of its supplier factories in China worked its workers such that they slept on the production line. Also that tin got into its supply chain from child and illegal mine practices in Asia.

Now it is not for me to form a view on these allegations. I am sure there are others who are closer to this than me and who know the industry better. Apple of course can afford to do better, but also attracts disproportionate criticism in a way that other companies do not. So I suspect the allegation probably has a truth somewhere between the two extreme views.

What interested me, as an auditor, however, was why the auditing practices put in place by Apple had not seemed to address the problem. The supplier’s factory in particular talked about having forms for ‘Apple’s auditors to review’, with staff being forced to sign forms as a proxy for accepting a briefing or for their assent to signing away their employment rights. Why did Apple’s auditors accept this and not challenge it?

This reminded me of when I was a junior auditor working in a professional services firm. We used to audit further education colleges in the UK. There was a scandal that a college had made up what was called ‘franchise’ or ‘community provision’, that is, courses that were delivered by commercial partners, charities or businesses in the community to bring education to hard-to-reach students.

My firm led in the provision of spot checks. These were short visits of up to one hour and they would be unannounced. The idea being that you would verify a sample of activity and prove, or not, their existence.

As a junior auditor, it was my task to do these. It was a chore. Driving to out of the way places. We had a big checklist and we had to check the register and the registration data held by the college. There was a mathematical sampling formula that set out the number of spot checks to be done and the partners that should be visited.

I learned a lot from these. First, it built up my social skills. As a rather sheltered graduate from a middle class background, it was a shock to wander into crisp or sandwich factories and speak to adult learners (by the way, I would not buy a cheap shop-made sandwich even now, nor eat a cheap sausage roll from a bakery, but that’s a different audit story).

It also taught me to open my eyes. It taught me to think beyond the checklist, beyond the story being told to me. Even now I look for cars in the car park. The language used by interviewees. What they are wearing (my current colleagues notice my observation skills). In one place the small ‘learning shop’ located in a small rural shopping centre seemed okay. It had a small room, two computers, a member of staff, college brochures etc. Yet, when I got back to the office and asked about the total enrolments for the year, I was told a number that could not have been serviced by the small shop I saw.

I learned that tidy records meant higher, not lower, fraud risk. I learned to be critical and testing of clients. I learned to, politely, bring people back to the points I was asking (otherwise the 45 minutes allowed for the spot check could drag on for hours). I learned to interview diverse types of people, those outside of my professional auditor experience.

The real point of all of this is that it is perfectly possible to audit and tick boxes. Don’t get me wrong, sometimes spot check visits felt like they were ticking boxes, not adding value. But audit around the checklist. Join up the dots. Aim for the higher skills marks, and spot checks can become powerful vehicles.

In my current role it is difficult, as it is in most organisations, to oversee supplier risk. How far down your supply chain reputational risk extends is tough to decide. The big lesson for me though, and perhaps for Apple post Panorama, is to throw away the forms and the checklist auditing, and to send good quality, critical, intelligent and experienced auditors to do spot checks, preferably unannounced.

This is the type of auditing I love. Noticing the detail. Really challenging the consistency across different data sets. And yes, it is a uniquely audit skill. For management are often too naive or trusting, in a way that we auditors (and I, from my spot checks many years previously) are not.

How challenging are you of your supply chain?

Internal audit (in)dependence?

Internal audit and client relationship model

So as we go into the new year and we CAEs think about how our IA departments are positioned with and within our client organisations, I thought it would be helpful to revisit the debate about internal audit independence.

Internal audit’s great strength is both its independence, actual and perceived, and also its dependence, i.e. if provided in-house, the IA function is committed full time to the client. In that sense it has a dependence on the client organisation. It has to ‘live’ with its judgements and decisions.

Yet, for a CAE, despite the standards requiring constant and full independence, a CAE has to consider how the function works in practical terms with its client organisations. In other words, a CAE has to have some level of client management and organisational orientation. So for a major report, should a CAE pitch it as a grumpy challenge, encouraging questioning of the status quo, or as a gentle shot across the bow? All are legitimate positions in different circumstances. A CAE has to decide.

Get this wrong and IA can be poorly placed. If the independent challenge is too high, then internal audit becomes an inspector. Well into the third line of defence in a regulatory and challenge function. This will lose the benefits of a positive, open and cathartic relationship for the promotion of change and improvement. If the independent challenge is too low then you risk taking audit into being either irrelevant or being controlled by your client’s management team.

In an ideal world one would seek to pitch both an independent challenge, but within a client and management oriented manner. This takes you to being a friend. I’ve characterised how this friend relationship would work in a separate blog post here:

As a CAE I have found that the relationship with the client organisation and management team often varies over time. It is the result of cumulative outcomes from decisions and ongoing discussions. For despite a CAE’s wish to be pitched in a particular space, the assurance assignments as they are published could, at a point in time, push the CAE into a difficult position. For example, consider where a CAE wishes to be more challenging, but the programme of work at a point in time comes out (correctly) with benign or positive results. The CAE has no timeous reports and outcomes to pitch that challenge with. Consider the converse also. Where a CAE is trying to build a positive, safe space for discussion, yet assurance results are challenging, then it is difficult to dial back the perception of, or actual, challenge.

As a CAE I firmly believe that assurance results are just that, and should not be distorted or misreported for the short term political benefit of either the CAE or the IA function. As a CAE I should, however, look at the overall diet of assurance and messaging. For individual assignments form part of an overall opinion and storyline, and the CAE must keep an eye on what that is and how it will play out organisationally and in terms of control.

So for all of you auditors out there who see what seem to be odd or strange decisions from your CAE, do please appreciate the ‘higher currents’ the CAE must consider in the IA function’s work. Seek to understand those, for they will help you in your work and your assignment level opinions.

So is the New Year a good time for CAEs to reconsider the overall positioning and message? Yes, I think so. Should this be a purely CAE decision? No, I think it should be something debated with the IA function and team as a whole (or at least a senior subset of the team). For this will ensure that the orientation of all interactions the client organisation and management team have with the internal audit function is more consistent.

So where are you placed on the scale above and will you seek to change it?

Should I stay or should I go?


Well it’s that time of the year. A time when we all think about the year past and the future. Some people will be thinking about setting up a blog. I am one of those who takes the turn of the year to think about my ongoing blog.

Why do I do it? What do I get out of it? How can I improve and develop it? Like all bloggers, how can I get more people to look at it? My blog is written on an anonymous basis, not because I am embarrassed or say things that I don’t want to be held accountable for; quite the opposite. I write it without my name because I want people to focus on the issues and the content, not the writer or their organisational brand. My personal currency would no doubt increase and decrease with certain audience members if they thought I worked in their sector, was sufficiently senior in the profession, etc. I wanted to avoid that. Yes, the blog is connected to my LinkedIn and Twitter profiles, so some of you may already see it on this basis in any case. I think the decision to keep it at least semi-anonymous is right though.

I also consider whether my ideas are relevant, helpful, thoughtful and encouraging. I hope that they are. Is my blog well-read? It is difficult to tell. The blog stats from WordPress are for direct hits, so those that browse from elsewhere may not be reflected. It is fair to say that I won’t be selling the blog’s advertising space for millions of pounds in the near future though! Also, the number of comments and responses is fewer than I would have hoped. For I don’t have all of the answers for the challenges a CAE faces, not even a small proportion of them! I hope, however, that I do at least have something of relevance to say that prompts at least a few of our profession to pause and think.

Should the content of my blog change? I am not sure I could change it even if I wanted to. I post thoughts and ideas as they come to me through my work experience. Luckily I am in an amazing audit job and am constantly stimulated by the high-quality organisation and people I work with. So I will try to experiment with things that resonate and make a difference.

If I had a hope for my blog in 2015 it would be that it reaches more people and that it becomes a space for internal auditors to debate and discuss the many and varied challenges our profession faces in 2015.

So for those who do read my blog – have a great 2015, and I look forward to your continued engagement and interest in our shared professional interest.

Happy new year!

Freedom of speech?

In a week where the ‘hacktivists’, allegedly from North Korea, have taken Sony Pictures to a decision about rejecting the publication of their film about the North Korean leader, I wonder if it is worth considering the freedom of speech of internal audit?

Of course, on paper, internal audit has all of the right independence and status protections to ensure it has freedom of speech. Internal audit can say the unsayable. I would argue it must and should say this, for by doing so it unblocks the organisational and governance constipation that most large organisations and bureaucracies suffer from.

Yet, as a CAE, I am always faced with a quandary. My model of internal audit and modus operandi is to be a friend. I’ve written about this before on this blog. It is not any CAE’s, or my, intent to harm or damage our clients. So being robust and firm, as you would with any friend, can often be the right answer.

Sometimes, however, writing something down or highlighting genuine, close to the bone risk, is difficult. It is difficult because by doing so, internal audit may well crystallise the risk itself. So, pointing out total dependence on a key supplier, if leaked, would damage a commercial entity. Identifying a fundamental flaw in a manufacturing process could damage sales of the good manufactured. Pointing out health and safety risks could damage the reputation of our client.

Internal audit is just that, internal. So it should be a safe space to debate, discuss, disagree and argue (in an academic sense) with our clients’ management teams. I like to argue that under the three lines of defence model (about which I have written on this blog to make this point) internal audit is more like the 2.5 line, or the third amongst four lines of defence. External audit and regulators (the unfriendly auditors) make up the fourth line in my view.

Yet there is pressure for internal audit reports to become public property. For a start, our partner, customer and supplying organisations all want to share our assurance and to map and understand the sources available. In the international arena in which I work, we seek, and have sought from us, the nature of assurances available about our client organisations. This all seems reasonable. Yet it is a countervailing influence on the ‘safe space’ we seek to have as internal auditors.

This in turn creates an odd set of behaviours in organisations that do publish reports. A sense that internal audit becomes a ‘boiler plate’ exercise, something to be managed. Messages to be massaged and manipulated, or an adversarial process to be batted away and mitigated. Or the other route: bland and vague audit reports alluding to risks and issues. Neither is particularly helpful in my view. Gone is the open, reflective, supportive, encouraging and change-oriented internal audit process. Gone is the meaningful and free engagement with management; in its place, a discussion ultimately oriented to how the report might play out in public.

Now of course any CAE is aware of the externalities and end point of a report, and indeed should be. So it is never a case of having a completely free internal space or a totally public external space. In reality it is a spectrum, and the CAE should be aware, report by report, where on the spectrum the report’s subject matter is.

If, however, something is on the public end of this spectrum, it is possible and, in my view, likely that it will be a space in which the management or governance body of your client may well seek to limit internal audit’s freedom of speech. The more important or challenging the issue, the less free to speak internal audit may be.

So what’s the remedy? Well, internal auditing standards simply require the same freedom of speech as for all internal audit activity. This is naive though. In reality most CAEs have heard the ‘it’s not a good time to audit’, ‘I’m not sure internal audit can add much value at this point’, ‘we know what the problems are in this area’ comments. All of these misunderstand internal audit (we can audit good as well as bad things, we may well have insight the management team doesn’t, and we will always add value, for to think about risk is a cathartic process in itself).

I think the remedy is of course for internal audit to say what it needs to say. It should feel free to say what it requires and, more importantly, what the organisation requires. Internal audit should also not have any no-go areas. It is not acceptable for internal audit to be restricted in this way. Yet there are times when a CAE needs to take a step back and not use lots of organisational capital to push through the smaller review or issue, when a larger point exists and requires a stronger stance. Sometimes though, when a CAE does this, they risk losing credibility. They flex in an unhelpful way and lose the respect of their team and the business.

Ultimately a CAE needs to think, at the annual or periodic planning stage, about what each review is likely to yield and the diet of messages and change challenges being delivered. Then at the assignment scoping stage, when setting the question, the CAE needs to decide how the report might play out. For a poor CAE has no idea how a report might ‘land’ or what messages it is likely to deliver.

So does internal audit have free speech? Yes – potentially, but not without consequence. For free speech is not consequence-free speech. I’ve always found as a CAE the issue is not whether I am confident or willing to have free speech, much more whether I am using it responsibly for the good of my client organisation (note: not the management or governance parts of it, but the organisation as a corporate body). This is a difficult judgement that, for most CAEs, is embedded in an underlying plan of messages across the year and across a multi-year strategic audit plan, and is made much earlier than the assignment delivery and report writing stage.

In my view internal audit’s access to and use of free speech is the essential gap that organisations have. When I see organisations that fail I always ask ‘where was internal audit?’, and what I mean by that is, why was internal audit not using its uniquely free speech to shout out about the problems. For as an American air steward once said to a difficult airline passenger, ‘I’m here to save your ass, not kiss it’.

Are you free?

A question of detail
I’ve had a few comments this week about detail. One stating that I provided too much detail in a presentation or perhaps too much content. Another in an audit committee that I attend that internal audit was praised for being able to provide a précis of the busy unit under audit review, in other words to balance detail provided.

This got me thinking about audit and detail. Is it a good thing to be able to provide detail? Is the devil in it, or does it show that well-worn criticism of not being ‘strategic’ enough?

As a CAE you are meant to be able to do both, to see the bigger and more important picture and also have a grip of the detail (at a forensic level for most audit committees, I find). Sometimes, and this is true of our management colleagues as well, the ‘dots’ of detail are difficult to join up into a ‘strategic’ narrative. This is the bit I, and my audit teams, find really difficult. We have been trying to find a good way to do this. My solution, and it works with some teams and not others, is to get the team to sit around a table or videoconference and talk about the story, the narrative of the report. For as we know facts (if indeed there are such things) do not give meaning. As an example, is a project that has had all sorts of management responses an indication of a good or bad risk and control environment? Well, I guess it depends; it depends on the detail.

So this brings me back to the issue I began with, detail. It matters. I often use the phrase that ‘real organisational risk is down in the weeds’. This is true in my experience. It would be nice to think that the IIA standard audit universe, and its focus on those high risk items above the risk appetite line, would work. It doesn’t. First, organisations are not really systematised. They are full of people who are not systematic. Maintaining and controlling a system takes a lot of work and effort, and people, if they do not like the control the system applies, will bypass the system. Second, most IIA-based universes try to create ‘auditable entities’. I contend that auditable entities change constantly. They are in effect the roots of strategic risk reaching ‘down’ into the organisation. These change as the agenda, mission, power and cultural relationships of senior management teams change. I would contend the effort of truly creating a meaningful or accurate enough audit universe is not worth it, versus the saving of having invested in an audit function of sufficient size to cover the organisation in depth. In other words, the cost of cutting corners to support a small audit function with targeted and limited assurance coverage, via the development of a good enough audit universe, is greater than paying for greater audit coverage to pick up issues across the organisation (some of which may not be the most strategic or value adding). The latter is a cheaper path to a sufficient and suitable annual or periodic assurance opinion in my view.

Should we CAEs or auditors do detail? Yes, I think we should, because control is vested in detail. Control is buried in detail. Complex, human, messy, detail. Do I believe there are strategic themes and messages to be taken from the detail? Yes, of course. To get at those messages needs coverage; it needs some sort of sifting through examples and building a case.

For most of the management teams I have worked with need ‘evidence’ of risks. By evidence they mean instances where the risk has crystallised into an issue. For otherwise, to them, there is no risk unless issues arise. As CAEs our purpose is to avoid issues arising in the first place. So, just as you would not stop servicing a car because it had not previously broken down, a CAE needs to ensure businesses do not stop risk managing just because business issues have not arisen.

So what is the right level of detail for audit? I would say very detailed, because it is through detail that the reality of control is divined and identified. A CAE always needs to take the detail and work out what it is saying in terms of the bigger and wider picture. The CAE should always still engage with detail though, as we as CAEs need to have the grip that is so often not afforded to senior management. Senior management I have worked with have always valued the real world perspective provided by audit, and the real world is that seen day in, day out, by internal audit on the ground. So I would caution any CAE who wishes to become grand and remote not to, for therein lies the path to a lack of grip over the audit plan, the organisation’s risk, and ultimately to a weaker assurance opinion.

I will still always therefore be a pedant for detail – will you?

Roots or routes of strategic audit
Strategic audit is one of the most troubling areas of audit. It is just difficult. The difficult thing about it is that most client organisations are not risk or strategy mature. As such it is really difficult to identify strategic risks.

But what is a strategic risk? Ostensibly it’s simple. A strategic risk is one that flows from strategic objectives, it is uncertainty over the achievement of a strategic objective. Most organisations, if they have any strategic objectives articulated, have very high-level esoteric objectives. These I have found are quite hard to audit. To audit something, you need to have a sense of the complex set of coherent actions that deliver on the strategic objective; the roots.

So I tend to think of strategic risks as roots on a tree, where the strategy is the tree trunk, supported by a complex web of interactions, activities and challenges reaching far and wide from the original objective. Very few strategies are clear about the coherent set of actions that support them, in my experience. For people confuse strategy with simplicity, and brevity. Senior executives, who get promoted on the basis of being normally clever, capable, complex, and really understanding the business, seem, when at the top, to require single-side traffic light diagrams. Sure, I appreciate they have less and limited time, but that does not make the organisation’s strategic challenge any simpler. So why should auditing them be any simpler?

The other interesting challenge for strategic audit, other than identifying the roots (or routes) of the strategy is the distinction between a strategy’s roots and the tactical frameworks of control. So in other words, the difference between top down (strategy) and sideways in (thematic frameworks of control).

Some are obvious. So financial approvals and delegated financial approvals are a framework of control. Some strategies are obvious; for example, if an organisation is trying to improve its IT systems, a programme of coherent IT change projects could be strategic. What about piecemeal IT change, such as a change of an HR system, or a ledger system? This does not really feel strategic, nor is it a tactical framework of control.

The reason why all of this matters is because of the risk significance of the area under review. So when internal audit seeks to provide assurance over the key, strategic things, it matters whether something is connected to a ‘strategic root’ or a strategic sideways ‘runner’, or whether it is a small corporate audit.

This is all the more important where an audit function is limited for coverage and resource. For if you do only a few audits a year, you want to make sure that they make sense. You must hit the ‘roots’ or at least the ‘runners’. So next time you attempt strategic audit I think you need to have a really good grasp of the strategy, a good view of the roots of the risk, and the roots of the strategy. I contend this is difficult and challenging even for an experienced head of audit.

Earl Grey auditing
So I’ve been Christmas shopping. Yes, it’s all done. Just wrapping and sending to go. As part of my final day of Christmas shopping today I had afternoon tea at the Waldorf Astoria Hotel in Edinburgh. Now if you’ve never been – do; it’s the best in Edinburgh.

As I was sitting there enjoying the experience I noticed that nothing about the hotel ‘shouted’. The decoration was subtle, the service unobtrusive, even the signage was muted and subtle. Everything felt quiet and orderly, even the music in the background (played on a harp) was pleasant and civilised.

So it got me thinking about audit. When we ask our clients to document process, to be clear about decisions, to more explicitly analyse a position, are we asking them to be gauche and ‘loud’? So when I’m told ‘we do risk management, but never write it down’, should I accept that from an audit perspective? For I know there is never enough time to write things up, to record decisions, to document analysis. So am I being an unreasonable auditor by asking for this?

Well I know when things do go wrong, not having an audit trail becomes crucially important. When circumstances are replayed back in slower time and someone in a public or regulatory forum says ‘you decided to spend £Xm and had no analysis or documentation of the decision?’ it sounds bad, and is. So, if we can agree that this sounds bad and is, perhaps the decision is much more around knowing which ones to document? For we all take decisions and we don’t document in full detail every single one.

Perhaps this is a risk based decision (except with this it is really difficult to know which decisions will be second guessed later)? If so, is the role of audit to be more sanguine about decisions and to say some should be documented with a supporting rationale?

Coming back to my afternoon tea experience, I think the answer is there. It has the music, the waiters, the lighting, the safety fire escape signage – it’s all there. Yet it is subtle. You are free to enjoy afternoon tea without knowing the work involved in making it happen, without seeing the control framework. Yet when you go into less high quality establishments there are loud menus, loud music, loud signage, intrusive service and gauche decoration.

So in a business sense I am looking for a coherent control experience, driven less by process and documentation and more by culture and quality. There should be a sense that good control ‘just happens’, and when you look closely the control framework should appear.

I have tried to build this into my audits. My clients are not aware that I force them to engage and risk manage. You cannot respond to one of my reports without engaging in this debate. Engage with it from any other basis and it holds no water and makes no sense. So if a response to a report is ‘we’re doing okay’ (fine, but the report makes no judgement or comment on how well we think the management team is doing); or if it is ‘we’re doing our best’ (fine, but that does not affect the risk and net risk judgement); or it is ‘we have a high risk appetite given to us’ (fine, first prove it – in a meaningful way; second, let’s share that understanding, as the report is shared with senior management across the organisation – would head office agree?); and if the response is ‘we have good controls’ (really – how so, if they do not mitigate risk? They may be good per se, but if they do not influence net risk they are the wrong controls).

The only reasonable engagement has to be within the risk-based terms of the report’s argument, i.e. ‘we think the net risk is lower because of X, Y or Z’. I’m always happy to be wrong – as I am engaged with facets of the business in each assurance review for only part of the year, unlike the relevant management team for the whole year. Then I have got my way as an internal auditor – I’ve prompted risk based thinking. In other words, the output of the assurance review and audit is less relevant; much more relevant is the risk based cathartic process of debate, discussion and engagement with audit. On this basis there is no bad internal audit; even a ‘wrong answer’ audit has value to the client organisation.

So what am I looking for when I audit? A great afternoon tea experience. For I love engagement with good management teams, especially when they are struggling with high challenge and risk (for we are all struggling with risk and it is not my role to be critical of teams’ work, more to point out, objectively, where net risk actually is).

So my advice to my management colleagues – look to establish a clear control framework, but a subtle one, established through culture, through being lived, through clear values. For much like the best afternoon tea experiences, the best control frameworks are subtle and ‘just happen’.

So ask yourself – are you an Earl Grey auditor?
