Internal Audit – the next Blackberry?

So in this post I want to consider the work of Tim Leech from Risk Oversight Solutions. He is critical of internal audit’s paradigm paralysis (see the Risk Oversight Solutions critique). I have to say I do think there is at least some truth in his view, but disagree that it is paradigmatic.

In this blog I have been critical of internal audit’s adherence to ways of working that, in many organisations, see internal audit marginalised and ignored. It’s something to do with the paranoia that internal audit has that there is one right answer to how internal audit is done. Most CAEs I know have a strong, almost religious, quality to how they see the work being done. These religions have their own practices and cultural totems and mean that CAEs find it difficult to accept differences of style and structure.

So what’s Tim’s critique?

First, that enterprise risk management (ERM) is a flawed concept as practised by most organisations. I think I would agree, not because the process of being clear on objectives, writing down risks, and then considering their mitigation is inherently wrong or unhelpful, but because it becomes an exercise to be done, rather than lived. Most organisations define control outside of risk management, i.e. good control is not the adequate mitigation of risks to within a desired or target appetite, but is something detached. In other words, risk does not relate to the real management. So I think Tim’s criticism of this is valid. He makes a leap, in my view, that if internal audit is then hitching itself to this faulty wagon, then it, by implication, is problematic. Tim’s suggestion is objective-centric registers. I agree, but this is a risk management in practice point, not a theoretical point, as risks derive from objectives.

He then suggests internal audit provides an annual opinion on the data prepared by the management team on these residual risks. Well, I agree, and those internal audit functions that opine on ‘control’ as distinct from the quality of the mitigation of risks are missing a trick. This is not, though, a problem within internal audit per se or its standards. A risk based (properly risk based) audit approach is compliant with the standards. Perhaps the issue he is flagging is that a non risk based approach is also perfectly possible within the IIA Standards, and I agree that is problematic.

He then talks about the paradigm of internal audit being about starting with an audit universe (dividing the organisation into pieces) and then auditing them. He is critical not of the direct report or attestation on a management assertion point, but of the link of those plans to risk. Here I think Tim is critical of internal audit practice, not the paradigm. I’ve said on this blog before (Roots or routes of strategic audit) that it’s difficult for anyone to audit strategic risks and they need to be broken down. As risk management changes constantly and is a web of control, not a conscious simple framework, is it any wonder that any break down of this into meaningful chunks is difficult? I don’t hold that this is a paradigmatic issue per se, but one of effective practice. I am not a great fan of audit universes (see Audit planning: helpful or not? and Universal success?), but the idea of breaking something down and trying to focus with limited resources in each period seems sensible to me.

So the critique by Tim seems to be that internal audit does not seem to focus on the net risks flowing from key strategic and value creating objectives. Well, this critique may be true, but this equally applies to management teams, who do not always focus on the things that matter either. Again this is complex. Who would have thought that the biggest threat to value creation in Volkswagen would be the emissions testing department? So I do think the issue is not paradigmatic, but one of the quality of application.

The core criticism seems to be that internal audits are limited when they form subjective opinions on whether controls are adequate and effective or not. The whole point of internal audit in my view is the formation of an independent opinion. It is its independence and objectivity that is its unique contribution to the organisational eco-system. If that opinion is a risk based one, i.e. forms a view on whether risks are as the management team has assessed them, are mitigated to within the organisation’s risk appetite set by the board and mediated through the management team, and that the consciousness within which they have been developed is mature, then I think that is valid.

These are implementation challenges, not paradigmatic ones. I think internal audit is more needed and more valid now than ever. The globalised world is full of complexity and mature, large-scale organisations that need meaningful challenge and independent support. Surely we, internal audit, are well placed to do that? I don’t deny the challenge of relevance, quality, the non-risk based nature of some audit services etc. but these are not paradigmatic issues, nor ones the current standards mandate.

What do you think – internal audit – Blackberry or pillar of good governance?

Healthy audit

It was World Mental Health Day 2016 last week. DFID, my current client, has a strong record of support and engagement with the challenges being raised by mental health. In the contexts in which DFID works, with trauma and humanitarian disasters, the effects on mental health can be as significant as the physical ones. In the corporate world mental health is a strange thing, in that we tend to treat it in a binary way; you are either well or ill. This is so different to how we treat physical health, which has a range of states (from severely ill to ‘feeling under the weather’). Also, because mental health does not always have physical manifestations, it has a sense of stigma (which is quite unjustified). We simply find it difficult to talk about.

As I’ve got older and my home and work life have become more pressured, I’ve come to realise that mental health is not simply a binary issue; it’s more up and down and analogue. I am generally very stable and have strong mental health, but I need to look after myself more. I need to have breaks, I need to consider more actively how events make me feel, and how I might react to periods of pressure. In effect my mental health does vary during the year, during the month, during the day.

So how does this important issue relate to internal audit? I think internal audit is a unique profession within most organisations as it has a role to be objective and independent. IA has a role to challenge the organisation. This makes being an internal auditor or CAE prone to having difficult conversations. This can be stressful.

The biggest professional challenge I think young internal auditors face is to learn the ability to challenge without upsetting, to be direct without being offensive, to challenge without being conflictual. This is not a simple skill to learn, as one person’s direct comment is another’s overly strong challenge. So the ability to challenge within the capability of those being challenged to cope requires not just the ability to deliver the challenge, but also to ‘read’ how this is being received.

As an example, at my current client my auditors are required to work together on overseas audits in fragile and conflict prone places of the world. This requires real talent and resilience from the team lead and team members. In my view it requires the teams to really look after each other, both in terms of work and living circumstances (as being away from home can be difficult and challenging just on its own). Also, colleagues are, in the evenings, neither in work nor at home, so a little bit of slack for colleagues to be suboptimal is required (we all get grumpy sometimes!).

The CAE needs not only to be able to do this on a one to one level, as for an internal auditor, they need to be able to do this on an organisational level. So this ability to deliver challenge needs to be within the bounds of what the organisation’s management, governance and audit committee can cope with. A great way to test this is within the audit committee. In my view a good CAE engages the independent members and top executive attendees of the audit committee in a joint change agenda. This allows the committee to then be a place where a shared vision of organisational enhancement and reform is tested, evidenced (through management papers) and validated (through audit papers). It becomes a safe organisational reform forum.

One of the professional IA maturity points I look for in my team as they progress their careers in audit and counter fraud is the ability to deliver challenge, have difficult conversations, adapt to individuals’ responses and read the room. Some of the best places to practise these skills are at audit closeout meetings, report review meetings, and most especially the audit committee. Presenting to the audit committee is a key challenge in my view. The questions are normally incisive, to the point and challenging, and the ability to give answers that are truthful and point out real challenge, but keep an engaged management team, is one delivery challenge that is key.

It’s been gratifying to see my auditors at all levels engage in this delivery of the challenge process. The ability to be highly socially skilled is a core audit skill. This is practised first with each other in the department, then wider with clients, then in bigger, broader and more senior contexts. For the top talented auditors, the ability to recognise each other’s mental state, their level of exhaustion, pressure and general energy levels, is really important. A simple ‘are you alright? Take a few days off. Let me handle that meeting.’ These are so valued by me when I see my team do it. It shows an audit team that really works together. I hope that I read my audit team in the same way and provide that level of support to them too!

I also think a CAE has a role to provide the cover and support for their team to be able to deliver difficult challenge. It is also their role and responsibility to ensure their team recognises this is a powerful and privileged role of audit, and to make sure it is delivered in full support and cognisance of the effects on those upon whom it is used; in other words, used responsibly. For delivery of a message directly and straightforwardly is not, sadly, usual in modern corporates. We are now more used to avoiding conflict and challenge, or being passive in our critiques or concerns. I believe in being straightforward as a general principle, as I think it is respectful of those to whom you are communicating and respects their ability to receive a message in a professional manner. Of course one needs to temper the message and the method of delivery for its audience, the sensitive, the weaker minded and the more junior in the organisation; but I was always taught to think through issues professionally and to respect client feedback, so perhaps I am used to both receiving and giving these messages over my professional career. Perhaps it is an auditor trait?

I have a number of roles, both in my day job and in my roles as a member of audit committees and boards, where I need to apply this skill. Do I get it right all of the time? No. Do I try to? Of course, yes. The whole point of IA’s objectivity is to identify issues and problems that need to be tackled in a way that the current actors are either unable or unwilling to recognise and do. Then the point of independence is to be able to say these things and put them on the record such that they are then dealt with. It is this responsibility, as I see it, that makes being a CAE stressful.

In my view internal audit cannot avoid this challenge role, as it’s the one unique feature of IA. So internal audit needs to break some eggs to make an omelette. This means being cognisant of others is a key, and core, audit skill. It also makes managing our own mental health, and that of those with whom we work, a core and key part of our roles.

So how do you maintain your health, a healthy audit team and a healthy client?

New 2017 IIA Standards – Good or bad?

The global IIA announced new standards on 1 October, to be applied from 1 January 2017. So I, as a CAE and member of the UK and Global IIA, will have to comply (even though my local standards, the Public Sector Internal Audit Standards, applicable to the practice of internal auditing in UK Government, will not be updated quite yet).

So let’s have a look at the changes, shall we? See the 2017 Standards (marked up changes).

The first interesting change is that internal audit is for organisations, not within them as previously. This recognises that for many organisations IA is provided externally. Now I have a view that IA is less successful when delivered this way, but even I must recognise that some organisations are small and struggle to maintain a high quality in house service. So this is a sensible change as long as it is not the thin end of the wedge, making IA no longer part of a standard organisation’s control and assurance infrastructure.

The next changes promote the primacy of the Standards over any other standards. This will be interesting in terms of seeing how other local standard setters and bodies react to this. I think the Standards are well established now, so I’m happy with this.

The idea of establishing principles based standards is sensible, losing the mix of compliance and principles as previously. I am a great fan and believe that the best internal audit services mould to their organisations, subject to some unchanging principles, so I am keen on this change.

Updated references to the professional practices frameworks are sensible too. I think the whole package makes sense now, so having the pieces independent of each other no longer does. So this is a sensible change too.

Of particular interest is the IIA’s response to the consultation, saying some respondents misunderstood objectivity and independence. Interesting. It’s worth looking at the glossary for the definitions of each. So for objectivity:

‘An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.’

Let’s compare this to independence:

‘The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.’


So objectivity is the requirement to form our own view, and independence is the set of conditions that allow us to form our own view. This ties into the edit on page two, which removes ‘independent’ from opinions and leaves it for the auditor. So the auditor is independent but does not form independent opinions, but rather forms objective opinions. That’s quite an interesting nomenclature change and one that is more than just semantics in my view. I welcome it, for objectivity is a mental attitude, not some organisational or structural comment. Indeed, being paid by and working for an organisation as an in-house internal audit function promotes far greater objectivity than being paid as an external contractor.

There’s an interesting nod at the bottom of page two for us CAEs. We don’t only have to comply for our own audit work, but also for the work of the IA services we lead. This is not new, but this ‘additional’ responsibility, now spelled out, is notable.

So – to the attribute standards. 1000 spells out that the mission and all elements of the international professional practices framework must be complied with and included in the IA charter. This will need me to review mine (which is due a refresh anyway), so I would suggest you familiarise yourselves with the mission in particular. Standard 1010 requires that you have this chat with your board, so I would suggest a paper to your next audit committee.

1110.A1 requires us CAEs to report any scope interference to the board. Presumably not every last little intervention, but any significant limitation or change to scopes. I’ve written lots of times about scoping, and I don’t see it as contracting, so reporting adverse interference is fine with me, though I would consider it unlikely to ever come to that.

Standard 1112 – Here’s the great change in my view. This standard recognises that IA can and does do a number of governance activities (because we are best placed and skilled to) outside of just internal auditing. I’ve written about the nonsense paper from the UK IIA prohibiting whistleblowing (see Whistleblowing – another thing internal audit cannot do?). This puts this nonsense to bed in the standards. For this is all fair game, as long as independence and objectivity are safeguarded and suitable assurance over the performance of this activity is put in place (as the board requires a five year assurance over assurance). Well done Global IIA!

1130.A3 – Another sensible step. If we review something or consult on it, we can audit it subsequently, as long as IA did not get intimately involved in risk treatment decisions in doing the original consultancy and as long as you use another part of the audit team to do it. Another triumph for common sense – well done!

1210 – Another sensible change requiring competency to include currency. This means we need to be current in our knowledge and research for our assignments. This underpins a long-held belief of mine that CPD is continuous. Of course this is obvious, but making it clear in the standards is a great thing in my view.

1300 – A requirement to engage the board and audit committee in continuous improvement of internal audit. I think a good CAE does this anyway, encouraging support, input and transparency of performance monitoring to the audit committee. Indeed I’ve been really lucky to have extremely high quality audit committee chairs to support and cajole me to perform. As an audit committee member myself I take this element of my role seriously too; IA risks being unloved, and this can lead to under-resourcing and a lack of seriousness from the management team.

1312 – Requiring an audit opinion on the audit of the internal auditors seems sensible to me. We as a profession put such store by opinions, so we should be subject to them too. I welcomed mine (see Generally conforms?). Board oversight of this is really important, both to give the exercise credibility and to allow the Board to engage with the outcome.

2000 – Well done on the Standards picking up that IA is only successful when it is up to date and relevant. This means really understanding the challenges an organisation faces now and in the future.

2050 – Now this is interesting. So we can formally rely on others’ work, and I think that is sensible, but there are two interesting caveats. First, the reliance is not blind faith; it’s done with a full knowledge of the scope and quality of the assurance. Second, the CAE remains fully accountable for their opinion and cannot pass blame to others. A sensible set of changes, as IA is too small to do all assurance (see The one percent).

2060 – Reporting to the Board – a small but important change here – we should report when the Board needs it, not when they request it. This is a sensible change, as IA should push the Board when it needs it; we are and should be more than bystanders when something major goes wrong. I am not a fan of the list of things it must include. This seems odd. Most Boards don’t need all of this information, and most of these data are reported to the audit committee of the board in any case. I would have this as a list of suggestions.

2100 – Another slightly strange addition saying we’re most effective as internal auditors when we are proactive, offer new insights and are forward-looking. Well yes, but does this need to be in the Standards? No. Not really.

2010.A3 – Another not needed list of the obvious. It’s interpretive, but not really needed in the Standards – another edit to remove in my view.

2410.A1 – This is another opportunity missed, leaving assignment work as having to provide conclusions, but not an opinion. The interesting thing here is that assignments must include ‘applicable recommendations and/or action plans’. This is a blow to those auditors who no longer provide any suggestions or recommendations. One to check for some services, otherwise they will no longer comply with the Standards.

2450 – We should support our overall opinions with a summary of the information supporting them. No short opinion with little backup. A number of the professional services firms will need to review their annual report formats in my view. Is this the end of exception reporting? Perhaps, or the promotion of a more extreme version of it?

Glossary – The definition of the Board is interesting, particularly with the list of data we are required to present to them – the Audit Committee is also the Board, so perhaps the detailed list of reporting I am critical of would make sense where the Board apparently includes just its sub committees too. This is a bit odd and I think needs to be tidied up in the next version of the Standards. If you mean Board, mean it; don’t then widen its definition in the glossary.

So overall, a sensible set of changes to the Standards, which the profession should welcome and not have too much difficulty in applying if they are doing a good job. There are a few too many lists in here for me that seem odd and out of context for the Standards, but I’ll take those for the other changes, which on balance are positive. So when are you writing your briefing paper for your audit committee?

CAEs – take a break from audit

As a CAE with both counter fraud and assurance under my aegis, I have a chance to move between the two. I’ve written a few times about my current (pre)occupation with enhancing and building a world-class counter fraud function (see Fraud assurance). This means that I have been (relatively) good at letting go of my iron grip on assurance.

So as I approach our first audit committee of the new term this coming week, it’s nice to come back to my assurance team’s reports, some of which I have been relatively distant from, to see them with fresh eyes. What a refreshing and new perspective it’s given me. Yes I still think the reports are good (of course I would, I designed and built the methodology and trained and hired the team), but I can also see them as new.

The other reason for the fresh view is that I have spent a lot of time in the counter fraud role, which, although it is a governance function (and therefore independent of management), is more closely and immediately intertwined with the management agenda. So we all know fraud is not just: find a problem, investigate, conclude, prosecute, job done. It’s all about currencies of negotiation, dealing with people and culture, working out what the business wants and how it will get there etc. In other words, the management agenda is front and centre of the counter fraud work (including the timing of deliverables) in a manner that in assurance and audit it is not.

So what insight has this new objectivity and distance given me into my reports? Well, a few formatting and style issues that need a light touch on the tiller to readdress; a welcome recognition that the underlying quality of my people and the work they produce is really very good; assurance that audit would not atrophy as quickly as I imagine should I ever become indisposed; but the more insightful thing is that we need to work even more on being straightforward. We should say things as we think they are. We should focus on being clearer in our communications.

As my current and ex colleagues know, I think the usual nonsense of report writing training that says you should write for a five year old is not helpful. If something is apposite, it’s apposite, not ‘the right time’ or ‘timely’; they have similar, but slightly different, meanings. Yet I recognise that perhaps the biggest change we need to make to our reports is just to have a little more white space, a little less text. Also our report writing style is very formal. Very technical. That’s good, and one of my biggest criticisms of most auditors is that their work is not very meaningful as it is not intellectually sound. Either reports are pseudo science, but actual nonsense; or they are bland and lacking in any technical view or judgement, such that meaning is difficult to discern. I think our less successful reports err on the side of overly jargonistic and technical to hide a lack of real analysis or assessment of the underlying risk position.

I should caveat these observations with the fact that I am coming back at my own and my team’s work with a laser-like critical eye, so these are all at the very extreme margins and belie the top quality running throughout the whole body of work. Also what we look at is complex and difficult in my team, so the right answer often does not exist and they do a great job of dealing with that.

It’s also interesting to observe the cultural and quality standards that are expressed in an audit department’s audit reports. For a good audit department should express its reports consistently; you should not see individual auditors’ work or their agendas or style coming across. I think the CAE’s hand is really important to ensure this style is how they want it to be. So having had a period a little away from my assurance team, I am glad that my culture is still reflected in the reports.

So I think having had a break from audit is good; it gives a CAE a little time to reflect, reset the tiller and the overall direction, and to be assured and pleased about the progress made to date. When’s your next break from audit?

Internal audit architects?

I had a chat with my mentor this week. Having a mentor is fantastic: someone who can really challenge your perspective and give a completely objective view. As a CAE I think it’s necessary. Being a CAE can be a lonely role in any organisation and my mentor, being a world class CAE herself, is really able to understand how I, as a CAE, can feel sometimes.

The challenge this week was to consider career development, mine for a change, as I spend a lot of time thinking about the careers of my audit team, both to ensure that they are being challenged, but supported, and that there are suitable career steps for them (and for my department to ensure it has enough talent pipeline to manage the exigencies of modern organisational delivery).

I have tended to stay in my roles for a reasonable period of time, normally 6-8 years so far (I am always nervous of the two year mover – they never have to live with their work or decisions). This made more sense when I was first a CAE in my own right, as I was young for the role (29) and had lots to learn about management, audit methodology, auditing itself, corporate organisations and general technical stuff, and all that quite aside from the interest of learning a new organisation and its business. Yet now I am older I have the technical stuff (though every day is still a school day) and I have a strong and demonstrable record of management and audit management in a global context and at scale. But as I get older I find the ‘newness’ in roles becomes less.

One of the great career boosting things about internal audit is that you can cover a whole organisation and never really have an ‘adult career’ being stuck in one part of an organisation. This ‘Peter Pan’ ability to look at everything as and when the fancy takes me (being CAE has some freedoms as well as a lot of pressure and limitations) suits me. I have a short attention span and like solving problems. Once solved, I like to move onto the next thing. [Just for the record that does not mean I don’t see things through or have a forensic eye for detail when needed (for any potential recruiters reading this) but that my natural style is inquisitive.] I think that’s why I loved doing my MBA so much. This ability to reinvent roles and the ability to add things (non executive roles, charitable roles, study, representation in organisational groups etc) has meant that I have been able to change roles relatively infrequently, whilst actually varying my role quite significantly in post.

I have now added counter fraud at scale as a significant element to my current role and this has been a new area of interest and development for me. There is little technical and established practice out there, with counter fraud work being relatively (compared to internal audit) immature. So it has given me a chance to invent the wheel and work out what works best.

Yet I do feel, as I become more senior, a pressure to take on new roles with more frequency. Each time I do this, I seem to have the same challenge: that of turnaround. I seem to find each audit department I take on needs to establish itself in the business, release the talent of the current staff, add talent from new staff and structure, improve its methodology, improve its client organisation’s risk management, and generally improve to be business relevant. Internal audit done well, I believe, is a must have for competitive and delivery advantage for any organisation. It just makes sense from a CEO and governance perspective.

So am I a turnaround specialist? Should I only be happy when reforming and enhancing a department, or can I take pleasure, challenge and satisfaction from running a good department as well? As the turnaround task becomes easier with practice, perhaps my lifecycle of role satisfaction is decreasing.

I think all of the greatest internal auditors are ‘architects’ (a term helpfully provided to me by my current deputy). What do we mean by this? Well it is the ability to set or identify strategic objectives, then diagnose the problem, identify the broad principles of a solution, and finally to put in place a set of coherent actions to deliver this. Architects need the ability to envisage (or envision if you’re American) something that is not there. This is not just an internal audit skill at a leadership level, it is one each internal auditor should have at each level. Auditing what is there is easy, auditing what is not and what should be, is much harder. I think it is that ability and emphasis that marks out internal audit as a profession from our management and other professional colleagues.

So in my CAE role I do act as an architect, in every paper, audit report, technical and risk challenge I face. Thinking about blank pages and filling them is tiring however, and I am lucky that I have a team with lots of this capability itself. Perhaps it is doing this stuff that keeps me challenged and interested?

So perhaps the challenge is to find enough building in my role to keep me interested, for once a building is built, it requires little architectural input. Internal audit as a profession is one that, uniquely, has significant capacity to challenge and develop, so I feel sure that this is possible.

So what have you built lately?

Bad internal audit?

I spend a lot of time on this blog talking about what good internal audit is, but very little time about what bad internal audit is. I guess bad is the converse of good, so take my views of ‘up’ and reverse them to see what ‘bad’ is.

So I guess a very narrow definition is an audit service that is non compliant, or partially compliant, with international auditing standards from the IIA. I’ve commented lots on standards (see Generally conforms?), and I think they are rather binary, rather limited, and not a particularly good measure of performance, more of conformance.

So let’s think more about what bad is. Something is bad when it does not meet its core purpose. So what is internal audit’s core purpose? Not the production of audit, not the production of assurance. If we take the lines of defence model, as the third line we are to prevent problems, at least at an organisational level. So the non prevention of organisational failure from a risk’s or risks’ crystallisation could be seen as a failure. Whilst we are non executive, we surely are accountable for the prevention of failure of our client organisation? So when an organisation fails, so has the CAE in my view.

Again this measure is a little digital. Also bad internal audit is only discernible in this model when something falls to pieces. Not very helpful as a preemptive and forward looking measure of badness.

So let’s keep reviewing the situation and we’d better think it out again. So another thing I think internal audit should be is relevant. It should do stuff and be an element of its client organisation that matters. So if the internal audit function is irrelevant, if it performs a perfunctory role at the audit committee, if the opinion of external audit matters more on business risk (and why should it, they check the veracity of one document per year – why would they have any valid view on business risk?), then internal audit is doing badly.

But what does irrelevance look like? I would say it means internal audit looks at small things; it looks at things solely at the direction of the management team (i.e. it is not independent); it conversely is never asked by the management team to do anything (so is unloved by the management team); it does not do any work outside of a too small audit plan; large chunks of the business do not see or feel the impact of internal audit for long periods of time; internal audit reports (even strongly expressed positive or negative ones) have little impact; and the head of audit is a junior member of the team, with no access to the C suite and little in demand from the organisation’s CEO and board.

The real test for me of bad internal audit is when something goes wrong and internal audit is not involved. It is not looked to for support, for additional assurance, and its prior work is not reviewed to see if lessons could have been learned earlier. Internal audit is of course not the only part of an organisation that could possibly solve these issues, but it is well placed to. It is independent, skilled in risk management, governance and control, and has a good and in-depth knowledge of the organisation. So why would it not be a natural partner for the CEO, C suite and the board?

Another measure of bad internal audit for me is poor quality opinions. Perhaps they are wrong (and for those of you who know me I don’t believe in wrong, but things can be a long way from the range of ‘right’ answers). They are absent, meaning that no opinion is given or the opinion is limited to the work done on an exception basis. The opinion is really difficult to determine or divine from the audit reports and work. For me an internal audit function stands or falls on its opinion quality. Does it say the things that matter? Even if it’s difficult to say it. Does it say things in a way that is balanced and supported by evidence? Does it say things in a manner that is clear, but supportive of creating positive change? This can mean being really tough – it can mean being really gentle – but never means being unclear.

Another indicator is people. Is the internal audit department populated with people of the same or better standard than the business they audit? Coming from a big four firm we always believed we were better than our clients. In many cases we were. Certainly we would never regard ourselves as being below our clients. This is with good reason. For an effective audit function should attract the very best. It has a great qualification; teaches generically valuable skills of governance, risk management, control, value for money, and report writing; encourages operational, detailed, tactical and strategic thinking; provides a fantastic oversight of the business; and gives both breadth and depth in experience. Why then would internal audit not attract the very best talent from the business and also export it? If your function has only career internal auditors, who are not of the standard of the management team you audit, you need to look again.

The biggest indicator for me of a poor internal audit is that it does not amount to a whole hill of beans. In other words, the sum total of its efforts does not enhance or improve the host client. After a five year audit or assurance plan, is the client better? Better at achieving its objectives (which is the entire purpose of risk management)? If not, then why not? It may not be entirely or even partially internal audit’s fault – we are non executive after all – but does internal audit deliver meaningful improvements to a client’s capacity to deliver and manage risk?

I know various audit services that measure the implementation of recommendations by the management team, but for me this misses the point. Surely the point is that the risks to the achievement of the organisation’s objectives are the things that matter? So I would follow up the exposure to net risk above the board approved risk appetite, that is the ultimate measure of internal audit.

So are you bad or good?

Agreed management actions?

In my role I get to see other audit services and teams, and see how they deal with their clients. One of the great things about the internal audit profession is that there is no single ‘best’ or ‘right’ practice. This allows the profession to really meet our clients’ needs without being straitjacketed by rules.

So one model I’ve seen recently in a number of internal audit functions is for the internal audit function to agree management actions in response to observations recorded in audit reports. These may or may not be accompanied by recommendations from internal audit.

So let’s think this through. It has some appeal. It forces engagement of the management team with auditors and their audit reports. It means that there is a set of actions that will occur. It means that audit committees only see agreed reports. It makes internal audit really think about the quality of their reports and their suggestions (if they are included in the report). It makes the management team think through their response, as they have to debate and discuss them with internal audit. It also potentially improves the implementation record of management in response to internal audit.

Yet it does have its downsides. I have found a really hard hitting or transformative audit report takes time to digest. Also strategic issues and risks are not always able to be responded to in short order, they take time. So forcing agreement through an internal audit-agreed management action right at the end of the audit doesn’t work. This means it can either hold up the report’s publication whilst disagreements and debate occur between the management team and internal audit, or it can force a lower level of ambition in what is agreed. It could make internal audit reports avoid difficult or challenging points altogether as there is a challenging process of closure needed; it’s easy to make a suggestion to sign a form, but much more difficult to posit a challenge to a strategic project or programme of the management team.

The most concerning element of the approach is that it could impact on internal audit’s independence. Internal audit has to agree and take some, if only vicarious, responsibility for management actions and their response. The management team could use disagreement to denude, or water down the report’s findings.

So I do think getting a degree of agreement with the management team in response to internal audit is important. It’s not a particularly sensible position for internal audit to be diametrically opposed to the management team constantly. I do, however, think the ability and willingness of internal audit to disagree with the management team is essential to the dialectic relationship needed for good internal audit. I also think that early and immediate agreement to points in internal audit reports is unhelpful. I think some space to provide an immediate response, then amend, discuss and change it later, is important. I find a management team’s consideration of internal audit reports prompts a sense of bereavement and cognitive dissonance with their established viewpoints. These take time to dissipate and adjust to. The best audit responses in my view come six months after the delivery of the audit report. Then the challenge, spotlight, and angst of being audited has faded. This means in six months’ time the management team has more space to respond and the nature of the response is more flexible.

I also think it presupposes that there is a response that makes sense at the point the audit report is delivered. If an audit report is focusing on stuff that matters and the big risks, then surely the issues and risks may be difficult to respond to. So does it make sense to agree a set of actions immediately after the opinion is delivered? I don’t think, in all cases, it does. Perhaps the ‘action’ is to consider the position. But then the follow up, under the agreed management actions model, is to check that the management team has ‘considered the position’. So this approach may actually prompt weaker management action than leaving some time for the management team to respond might otherwise have done.

I do have difficulty with risk based internal audit forcing actions in any case. I think the most important thing is that actions mitigate risk. So why ask for management actions, unless they mitigate risk? So internal audit should not follow up the implementation of the management team’s actions, far rather follow up the mitigation of risk. This fixes an agreement of the risk as the point of focus, not the actions. So following up risks allows actions to adapt, move and respond, potentially improving the management of risk.

The overall aim of internal audit is to help to ensure risks to the achievement of the organisation’s objectives are mitigated to be within the governance-agreed risk appetite, or report to the governance structure if they’re not. So the management team should be owning their own risk, forcing internal audit to be part of this process potentially intervenes in the adoption of risk by the management team.

My view is that the agreed management actions approach does have benefits, but I think it: forces fake or lower quality agreement; limits the time for the management team to digest audit reports; does put internal audit’s independence at risk if done badly; loses the focus on risks as opposed to actions; makes follow up easy, but potentially less effective; and limits the management team’s adoption of their own risks.

How do you finalise your audit reports? Is there an ideal?

Generally conforms?

I am belatedly setting my objectives for the coming year, both for and at work, and also personally. It’s a good thing to stop and think about what you wish to achieve and setting measures and metrics to assess those.

Whilst I know every chief audit executive considers their audit service to be more than just themselves, there is still a temptation for it to be seen as, and genuinely be, a reflection of the CAE leading it. This is especially so in internal audit for three reasons. First, many audit services are relatively small, so the span and depth of control of the CAE is relatively all encompassing. Second, because internal audit provides a principles based framework of standards and compliance, it allows quite a wide latitude in how the actual service manifests itself. Third, internal audit services are held together by their methodology. This methodology is not just the processes and documentation used by the service, but is also a view on the world, which is as much intellectual and ideological as it is practical and process based.

So that’s why, when I: set the standards for the year for my service; review the templates and processes; and look at the skills and needs I have for my service, I am as much as anything else reflecting on my own development and view of the world. I take a granular interest in these things; they matter. I have said in this blog before (Radio Four or Three auditing) that, much like a business, internal audit has a brand. This brand is set and controlled in large part by the CAE. They set the tone, basis of engagement, style, content and method of engagement with their clients.

My current team will, no doubt, say that I am too detail focused and obsessed with format and style. Like a top restaurant or an upper class retailer, the image and the way the service is delivered is as important as the content (though in my view one must be supported by the other). This is inculcated from the methodology, the training, and the leadership (in practice) from the CAE. It is enforced through quality assurance and review. Eventually, in my experience, the team will self edit and review with very little input from the CAE.

So what should be the bedrock for those standards? I think it should be the International Internal Audit Standards. These have, built in, the need for compliance. In particular the need for an external quality assurance assessment (EQA) by a competent third party every five years. There are many ways in which reviewers assess these standards, but the one that seems to have gained traction is the ‘fully / generally / partially / does not conform to the standards’ opinions.

When I’ve been benchmarking services, I’ve found that ‘generally conforms’ is the most given opinion. Generally conforms ‘indicates that an IA activity has a charter, policies, and processes that are judged to be in accordance with the Standards, with some opportunities for improvement’. So that sounds good. Or does it?

If we look up the word ‘conform’ it means comply. That means meeting the standard. So it is a binary judgement. That must therefore mean that ‘generally conforms’ also means, conversely, does not comply in parts. It seems odd to me that a profession obsessed with being ‘risk based’ would then have such a two dimensional, binary, and non risk based compliance opinion applied to itself. So is a ‘generally conforms’ service at significant or minor risk of not meeting its objectives? How impactful are the areas of non compliance? Not complying with ethics is presumably much worse than not issuing a form of opinion on an assignment level piece of work, or not immediately drawing the board’s attention to an error in an audit report? Who knows?

When I had my service’s EQA at the beginning of this year I was clear with the reviewing party that I did need the requisite badge, and yes expressed in terms of compliance, but that I was much more interested in how good that compliance was. Did my internal audit service make a difference to my client? In other words did the work of my service amount to a whole hill of beans or not?

That’s not something that is so easy to express. Particularly in terms of the Standards, as the Standards require basic compliance only. They do not require any particular measure of quality. Compliance with them neither guarantees nor prevents quality audit work being done. As an example let’s take attribute standard 1100:

Threats to independence must be managed at the individual auditor, engagement, functional and organisational levels.

Well you either do or do not manage independence at these levels. The standard does not require it to be done well, or to a low risk appetite, or high quality, merely to be done. Let’s take a performance standard:

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

Again – there is no requirement for the risk assessment to be good or high quality. Merely for it to exist, be done annually, and have input from senior management and the board. So I wonder, how is it that so few audit services fully comply? I consider the Standards, therefore, in terms of a risk based quality delivery, to be merely the basis and required baseline framework. I ask again: how then do so few audit services obtain a fully compliant opinion?

I expect and inculcate in my audit team a methodology and set of professional standards and ethics that mean they naturally comply with the Standards, both collectively and individually. This does take time, but high quality auditors will comply with the standards without even thinking about it. I know and trust my team will comply with the standards, because they know that they should and because I, and my senior team, have inculcated good internal audit as an instinctual response. That does not mean I don’t check and review, and never have to correct the tiller individually or collectively to make sure it remains so. Nor does it mean I do not undergo an EQA as required (indeed it’s a useful process).

For those of you wondering about my EQA, my service was deemed fully compliant, as well as identifying things that I and my service could do better and more of. That’s a long way from non compliance in my view, and as internal audit has so much expectation upon it now, can any of us afford not to comply?

School’s out, Summer and audit are in

So my team and I have just despatched our latest set of audit committee papers for our last audit committee meeting before the Summer. Producing audit committee papers, I was reflecting, is part of the rhythmic heartbeat of any auditor’s life. It’s been part of mine for nearly 20 years. The Summer break, however, got me thinking about what it would be like not to have that.

I like the Summer. Yes the longer days, the sunshine, the general positivity of being in nicer weather. I like it as an auditor, especially as it gives me a chance to do audit work without the ‘distraction’ of reporting to a committee or the senior management team, and in my current role, ministers. Sure people in the audit team are on holiday, but there are always some around at any point in time. My current team is split between London and Glasgow, so even these holiday periods are naturally staggered. Yet there just seems to be a little more quiet time to do project work. To sit, pause, think, and gather our collective thoughts.

I was asked to do a lessons learned paper about my and my team’s work this week. I think we as a team are a learning team and I am a learning individual. As a consequence sitting and doing a lessons learned thing seems alien to me, as we and I learn and adapt constantly. Every audit and counter fraud investigation is a project, from which we learn, tweak, adapt and improve. Yet the stepping back, in the space that Summer affords, does strike me as a useful thing. A chance to pull together an enhancement plan, a set of lessons from the audits and counter fraud work of the year.

Summer will also be a time to reflect on my team. Where do we need to be? What does next year demand? How best will we be shaped to meet that demand? I am not one to leap to restructure, as this is often an attempt to look busy and is a lazy way of creating change. There may be some restructure, but actually I think our team collectively thinking about what the future looks like will be important.

So whilst Summer, our Q2, can appear relatively quiet, actually in audit terms it is when the fieldwork really gets done and change and enhancements to the processes and systems are able to be done. Our CEO likes to suggest or at least, post Summer share, his Summer reading. I think, for those of my team not studying (and most will have sat examinations this month) it’s a good chance to take some reading on. At present there is precious little new thinking I’ve seen in internal audit. No one is really pushing the profession on, or doing the blue sky stuff. Perhaps Summer might be a chance for us collectively to write, rather than read?

I am now also a member of three audit committees. This is a great thing for any auditor, to be the other side of the table. It’s a chance to engage with other auditors, which I think is a good thing, a chance to have a sense of what it is like to be a non executive (it’s a hard role actually). There are lots of charities, housing associations etc. that need good audit input, I would recommend all auditors do one as part of their public service as well as professional development. I will have had my first taste of these committees before Summer comes along, so Summer will be a chance to reflect on these initial experiences and then engage with the organisations fully in the next year.

So yes Summer is, for many, a chance to refresh and recharge batteries, but in audit I think it’s a crucial period for the heavy lifting that makes a real difference to the rest of the year, to be done. Yet I would not be without the rhythm of audit committee cycles. All professions have them (management accountants, IT, marketing, HR etc), they also give a real framework within which to work and organise yourself. So yes Summer, for me, is a great period of structure free reflection, which I intend to use well this year but I will look forward to the start of the new ‘term’.

So what will you be doing for your Summer?

Risk is not bad! Celebrate it!

So I’ve been thinking about risk. I had the pleasure of attending a course on risk hosted by Norman Marks and Richard Anderson. Norman has a great blog NormanMarksBlog. Richard is a trainer and general risk guru AndersonRisk. I’ve also given my annual assurance opinion, which requires me to opine on risk management systems. We’ve also had a new head of risk start at my client organisation and all of these are making me think afresh about what good risk management looks like.

So I’ve been working hard over some period of time to advance my risk thinking with my audit team, my client organisations, and my professional audit colleagues. In particular my view that risk is simply not bad. Risk is just a description of fact. Theoretically perfect risk management is just a 100% accurate description of the world at a point in time. If we could imagine how the perfect information world would be, we would understand the full factors impacting the uncertainty of the achievement of our objectives. This is what scientific, quantitative risk management aims for.

Most organisations outside of banking, and most risks, are not amenable to cost effective mathematical modelling, so we make do with judgements. These judgements are those that the management team makes every day. So what then is the difference between risk management and just management? Well I think the difference is between the natural tendency of managers to focus on the here and now, to solve issues, and real risk management, which is designed to allow risks and uncertainty to be more easily foreseen and addressed, so that issues and proximate risks do not occur. So in a way, busy, issue-focused management is a failure of risk management.

So why is risk not bad if we try to avoid it so much? Well risks flow from objectives. If you or your client organisations are not sufficiently ambitious then you are likely to yield poorer performance. This can be financial, but could be social. So a charity campaigning for diversity and against discrimination is unlikely to be successful unless it pushes itself to challenge the status quo, to stimulate and create change. Risk is not bad then – we need risk management to be successful overall so that our objectives are achieved.

Getting organisations to see risk and its crystallisation as a good thing takes time; for all ambitious organisations take on risk, and some of it will, inevitably, crystallise. We, as auditors, are partially to blame for risk aversion. We code our risk based reports with colours equating risk with bad, ‘red’. Yet my greatest audit achievement is to have got an audit committee to celebrate and endorse a red risk report. Yes risk was high, the likelihood of achieving objectives was highly uncertain, and no, I could not give positive assurance, for the outcome was so uncertain, how could I? Yet I said red was fine. Red was where the organisation wanted to be. Red came with high costs and a high likelihood of failure, yet it also came with high rewards. In this case, the saving of millions of people’s lives. So it was good risk. Good risk to take.

Sure, risk at that level across the whole organisation is bad, for the whole organisation could fail. Yet how many businesses do take massive risks? Apple has the majority of its profits arising from one single product line, the iPhone. So each update carries with it massive risk. Will we look at Apple in ten years as the Blackberry of the future? Possibly. This risk could, however, be the source of their further success.

So we as auditors are not there to stop organisations taking risk. We are there to enable them to take more risk. To help and assist build risk management intelligence and capacity. We are there to make organisations more conscious and capable of handling and handing off risk. For a good risk management system surely allows more and more complex risk to be taken?

The key point for audit is to ensure that objectives, and the risks that flow from those objectives, mediated through appetite, lead to a sensible allocation of risk management resource and capacity. For where any one of those elements is out of kilter, organisational failure occurs. Our role is not to take pseudo executive responsibility for what risk is good or bad. We should point out where risks are not properly governed, well resourced to be managed, well understood or analysed. The only time, in my view, risk is bad is if it breaks the law (the law is not a risk based judgement) or if it threatens the very existence of the client organisation you are working with.

So how will you celebrate risk with your clients?