Checking out

I am a member of LinkedIn. As with most social media, people's motivations for joining a given channel vary. For me LinkedIn is a good place to check in with colleagues past, present and future; to give those with whom I interact professionally a basis for understanding my career, background and capabilities; to get information about professional developments and career and organisational changes; to serve as my public CV; and to share job opportunities.

Also, like many social media platforms, its use and activities have changed over time. LinkedIn in particular has become more ‘social’. Whilst still primarily a professional space, it is now often punctuated with personal stories and events from people’s lives. Most often these are linked to professional activities or make work / life balance points.

One particularly new phenomenon is what I call the ‘checking out’ message. This is when individuals indicate their end of membership of LinkedIn due to suffering from a terminal disease. These messages are often challenging to read, from a human perspective, but also from a professional perspective. It is a challenge to see often senior and successful people who will not make retirement, thank their colleagues and professional contacts at the enforced end to their careers.

It got me thinking quite broadly from a systems and data perspective – who manages our digital footprint, and how? What happens when we go? How long do our digital ghosts remain? I have long thought archiving, digital storage, management, removal etc. are neglected in our working lives and from an audit perspective. The internet is still young. It is a relatively unregulated space. Are social media the modern equivalent of the boxes of letters left by past generations, clues to our identities, actions, careers, motivations etc.?

Also from a human perspective? What do we want to achieve from our careers? When do we decide to stop? For those like me that live to work, not work to live, how do we retire? Will I change my views in the next 20 years? Does the risk of not retiring change my view of work now?

As an auditor, it has always been my choice and my privilege to work for organisations whose mission makes a difference to the world and in which I believe. I have also been blessed with great colleagues and teams to work with. Often these check out messages are from people who have been similarly blessed. It does not make them any easier to read or less prone to sadness.

What thoughts does the check out phenomenon prompt for you?

I’m back!


I have taken an entire year off my blog, not intentionally you understand, but pressure of work, a change of role and an international move crowded it out. To be honest, I was not sure whether I had anything more to say on internal audit.

I am glad to say, the year off has been good. I think I do have something to say about internal audit and I think internal audit (done well) has an ever-more important role globally. So I’m back (and will try to stick to this during 2019)!

I think internal audit is more relevant in 2019 than at any other time; but only if it’s done well. I worry that organisations and individuals are increasingly being revealed as not being straightforward and trustworthy. If I take my own sector, the humanitarian sector, the safeguarding and abuse scandals suffered by Oxfam and others have overshadowed the amazing work my sector does globally. Good internal audit and investigations work is now a pre-requisite for success in my sector, and rightly so.

Most striking, as we start 2019, is the polarisation of populations in societal and political discourse. We see some evidence of centrist and moderate views being crowded out in the media and elections by more polarised positions. We can point to a number of democracies across the world where division has become ever more apparent. We also see, in my view, a trend away from evidence-based and critical thinking towards less complex and temptingly simple analyses and diagnoses of the world’s problems. I think internal audit should be the evidence-based voice of calm, supportive advice, enhancing critical thinking about how we solve the world’s challenges and encouraging all views and people to be valued equally in appreciation of our common humanity.

We as chief audit executives have a responsibility to our organisations and the stakeholders and customers they serve, to bring a disciplined approach to risk assessment to help our organisations deliver on their goals ethically and with full consideration of the environmental impact they have. Often internal audit has the positional strength within organisations to drive change, in particular to practice and culture. We need to work with our organisations’ governing boards, no matter how they are organised and structured, to get a forward, problem-solving mindset. Larger organisations in particular can help drive globalisation towards a more inclusive, helpful place where the world collaborates to solve the big challenges of our time.

So this new year, I hope to keep you in contact with my thoughts and challenges in internal audit and hope that we, Team Audit, can really push for improvements to our world. I would welcome your thoughts and challenge too, so please contact me with them.

The last Jedi (an internal auditor’s story)


So I’ve just been appointed as the new head of internal audit and counter fraud for the First Order.

It’s been an interesting time. We have a new leader, Kylo Ren who is charismatic and a little challenging to work for. Audit independence is going to be challenging with this CEO! We’ve just lost our chance to crush the rebellion, despite expending lots of resources on crushing activities. Value for money will be a challenge. The Jedi and the force still seem strong with the rebels.

My first job is to conduct an independent review into the lost opportunity to crush the rebels and the killing of our previous leader, Snoke.

So, first I need to look at defence design. We lost a dreadnought to a single rebel bomber and a few fighters. How did this occur when so many cruisers and our fighters were there? Why are there so many single points of failure? Is it quality of design? Process of approval? Lack of independent quality assurance? Poor intelligence of rebel capability?

Then we had the leak of security codes that allowed an approach to our leader Snoke’s ship. They got on board and close to the supreme leader. Thanks to the individual who was bribed to turn them over. Then the stormtrooper called Finn. He is an anomaly according to Captain Phasma, but how can this occur? We have strong controls. I will need to use some data analytics to get under the skin of this. How many others go ‘wrong’?

Then we had the debacle of a single rebel ship being able to sit in full view but not be attacked. What is the point of all of this technology? Finally, why were we not able to detect it turn on us and jump to light speed through our ship, destroying it?

We have a strong control framework based on the 145th edition of the COSO framework – how did it go so wrong? We have a clear command and control framework and each part of the machine operated. Perhaps it was a compliance issue? Do we need an even larger stormtrooper second line? Perhaps a better training programme for Sith Lords? Our Sith compliance and risk training programme seems not to have delivered.

I have a good 10,000 stormtrooper auditors. But are they enough? Or perhaps I need to have them trained to think? Or perhaps I need them trained in the force? To resist Jedi mind tricks! Thinking auditors… hmm… interesting.

What is clear, however, is that this is another disappointing lesson that compliance and command and control cultures always seem to fail when it matters: when strategic choices are made, or when the system, designed for normal operations, is put under severe stress.

Are there more complex risk based lessons I need to consider here in my review of this debacle? Thoughts on a droid video please! Happy Christmas!

Star baker


So it’s just been The Great British Bake Off season again. A quaint British baking competition on television. Each week one baker comes last in the judging of their baked goods and one wins; the star baker.

So what makes a star auditor or a star audit function? Well I’ve written lots of times about audit quality and also the traits of good internal audit. My recent period of work has brought me in contact with many other audit teams and their outputs. The one thing that bothers me about those that are less good, is their inability to be truly risk based.

What do I mean by that? I mean that they do not provide a risk based opinion. For me this is the entire point of internal audit. For if we cannot be risk based how can we preach it to our clients? This means forming an opinion (which many audit shops don’t, either at an annual or assignment level). It means delivering an opinion that expresses a view based upon risk and stated in risk terms. It means linking control to risk; that is good control means managing risk to within a target risk or risk appetite. It means giving an opinion that accounts for risk appetite. I’ve written loads about this, but I find myself still surrounded by auditors and audit functions that still do not do this, and many that don’t even understand it.

I presented to the UK Institute of Internal Auditors’ annual conference last month. I made these points again. I am not sure whether the points echoed agreement or echoed into an unreceptive void. I hope the former. I know from my many roles that fully risk based internal audit works. It adds value. It makes a real difference to the quality of the organisations to which it is applied. It works for governance committees. Yes, it is complex. It requires the two dimensional scientific positivistic models we use in our profession to grow. It moves IA up the business value chain.

We are not the poor relation to finance. We are internal organisational consultants that are the guardians of ethics, good governance and organisational achievement of objectives. Done right, risk based IA is the senior management team’s best friend.

Returning to my cake theme. Too many auditors think rough, dry, unappetising cake is fine in terms of their product. We should aim for ‘showstoppers’, fully iced and beautiful creations that our management colleagues want more of. Sure it takes hard work, effort and expertise. That’s what anything of value requires. This means that the thing needs not only to look good, but also to taste good; that is to say, an audit report needs to be meaningful.

I genuinely think our profession is scared of risk. Many of us, as accountants, have been brought up in a world of laws and rules, right and wrong. When faced with complex and uncertain risk we struggle. For only once we let go of our fixation on rules and control defined independently of risk will we add real value.

It is said that management science does not exist. Management has no right and wrong, just a complex set of choices. We as auditors should recognise this and be more ‘management’ in our approach. This means engaging with risk and celebrating its complexity and in most cases the lack of a right or wrong answer.

So back to baking – we as auditors need to use our CAKE (cumulative audit knowledge and experience) to make better products, more appealing products, more complex products. We need reporting that compares the tough choices our management colleagues make and makes some contextual sense of them. Done well these ‘showstopper’ products move an organisation forward in a way that it cannot do through any other function or governance activity. We are an essential part of any organisation’s ecosystem.

So when is your next showstopper bake?

Answer the question


It’s advanced level examinations results day in the UK (pre-University examinations for my international readers). Thousands of students will find out whether they have the grades to go to the university of choice. I remember my advanced level history teacher constantly setting out the same mantra – answer the question, the whole question and nothing but the question.

I’ve been thinking about internal audit work and how it has evolved since I started in the profession. I remember when I first undertook internal audit. Back then it was about looking at a few objectives, thinking about a few risks that could affect those objectives, then writing a report with enough observations to justify the fee. We did not even ask what the question was, let alone answer it.

Of course I tried to get the right risks, ask the right questions, evaluate the right risk mitigation action and controls. At that time, however, a lot of internal audit work was about compliance and verification of systems. So yes there was an element of looking at the design of controls, but a lot was about the implementation of controls as designed. In other words, someone else had supposedly done the thinking and as an auditor I was meant to just verify the thoughts’ implementation and perhaps, sprinkle a little added value by suggesting some improvements. Also it was almost all finance and financial control. Who remembers the CIPFA control matrices? (Do they still exist?)

I knew when I took on my own internal audit service as a CAE that this was not enough. I knew I wanted to add real value, to be really risk based. I have since Socratically followed the logic of internal audit’s value proposition and it led me to design a proper risk based audit system. One where the balance of effort was not on looking at what was there, because invariably from experience it was poor or could be much better, but on looking at what should be there.

Internal audit under this model significantly changes. It considers risk and risk appetite. It has to make the same complex and difficult business decisions that managers make. It has to accept that perfect is not possible and make value for money judgements about what is reasonable and cost-effective. This places a huge burden of responsibility on each auditor, and on me as CAE particularly. Every decision we take, every report judgement we publish, every piece of advice we give, has a burden of being ‘right’. Reports need to form appropriate judgements based on real and complex analysis. Reports can no longer be exception reports, picking up some stuff. They need to pick up everything, as appropriate. They need to be complete as well as balanced, as well as right, as well as risk based. They also risk putting internal audit into an executive position, for where a management team is weak, it will rely on internal audit either overtly or tacitly.

When internal audit plays in the space of uncertainty and grey, it loses the protection of just being a form of organisational additionality. In other words it is not something nice to have; it becomes core to an organisation. It is an integral part of a good organisation’s ecosystem and governance framework. Internal audit can rightly be held to account when things go wrong. It can make mistakes with consequences.

To do this type of internal audit also requires a step change, not just of the CAE but also of the whole internal audit department. You no longer need two dimensional thinkers without an ability to go ‘off piste’. You need both bright and experienced people. You need better learning across the department and increased knowledge sharing. You need a department to become better than the sum of its parts to keep up with, or preferably stay ahead of, management team colleagues. Reports are no longer cut and paste, cut and shut; they are consultancy reports with a narrative, storyline, argument, analysis and conclusion. They no longer answer some questions; they answer all relevant questions. In effect each assignment becomes evaluative or research based in nature, not systematised or programmatic.

For in our modern, complex, world, real risk does not lie basking in the sun. It is hidden in the complexity of pre and co-requisites, interrelation, culture, people and process. To make sense of a complex world you need higher skills supported by experience.

I am writing up my PhD at the moment and I hope I will do enough to get it. It’s hard, but rewarding, work. Yes the type and standard of writing and line of argument needs to be excellent and every paragraph carefully crafted, so it is different to the writing in my day job as an auditor. I don’t expect every audit report I read and write to be the same but, actually, nearly. For internal audit reports are mini-research and evaluation reports. They do need to ask the right questions and, more importantly, answer them too. They need a carefully crafted and credible argument and they need to form sensible conclusions.

Does your internal audit ask, and then answer, the right questions?

Audit committee dialectic


I’m a member of three audit committees: a national charity; a world-class university; and a global multilateral organisation. In my career I have been to thousands (literally) of audit committee meetings.

Whilst audit committees vary in terms of effectiveness, form, nature, personalities, remits, scopes and charters, there is I think an ideal (in a Platonic sense) of what an audit committee should do. i.e. any good audit committee should do certain things.

I don’t want to list all of the things an audit committee should do. Instead I wish to focus on one core thing – its dialectic. So let’s define this (per wikipedia):

Dialectic or dialectics (Greek: διαλεκτική, dialektikḗ), also known as the dialectical method, is a discourse between two or more people holding different points of view about a subject but wishing to establish the truth through reasoned arguments.

This is a core process for audit committees. It is not aggressive or conflictual. It is a joint process to discover the ‘truth’. Who holds those opinions? Well, the management team; the independent auditors (both internal and external); and the independent audit committee members. What is truth? Long time readers of my blog will understand that I have epistemological and ontological issues with the concept of ‘truth’. Simply, I don’t believe in truth. Evidence and ‘facts’ can be interpreted in different ways to create different ‘truths’.

So what is the dialectic process in audit committee settings? Well I think it is the core process and point of audit committees. An audit committee is delegated a role of independence and organisational oversight by the board. Most audit committees oversee, as their core task, the suitable application of risk appetite (as set by the board) by ensuring there is a reasonable system of risk management and that risks taken are within the board-approved risk appetite. They also oversee governance. So they will ensure the management and the board are working to ‘direct and control’ the organisation effectively (which is the definition of governance). They also oversee the implementation of control.

Now there are various definitions of control – one that sees control as compliance with rules and procedures and another that sees control as mitigation of risk through control actions to be within the organisation’s risk appetite. It may appear that control can be detached from risk and risk appetite, but what is a system of control if not a designed set of actions to ensure risk is mitigated to within risk appetite? Personally I would cut out the middle man and just define control as mitigation of risk within appetite, rather than set it up as being something independent of risk, which ultimately is a documented version of risk appetite control in any case.

So how does the audit committee dialectic fit? Well a good audit committee will receive data (normally reports from the management team or auditors) and it will debate these. Through this debate it will attempt to discover the ‘truth’ of the data presented. At a fundamental level do these data tell the committee that the board-approved risk appetite is being breached or not? Are the systems and processes of governance, risk management and control working adequately?

So this means it is incumbent on all parties at the audit committee to bring their opinions and be willing to debate them. For most audit committees this takes the form of debating reports, considering the author’s view and comparing it to the response or to the committee’s own views. So for management reports the audit committee should decide whether it is happy with the data and views presented and approve, or not, the modifying actions. This is the basis of its consideration of reports: fundamentally, to approve the actions taken or to be taken as proposed in the report. For audit reports the audit committee should consider the audit and management views and then decide whether or not to approve the management response to the risks.

Yet I’ve been in so many committees that do not do this. They either don’t consider reports (there are too many of them); or they are conflict avoidant (and yes, some tension and conflict is helpful and necessary in an audit committee); or they are not presented with anything to consider. Far too many of my audit colleagues are guilty as charged on this one. For what value is an audit report without a conclusion or an opinion? How much less valuable is a report that does not include a risk based opinion?

So all of my audit colleagues will claim to be risk based. Yet they do not form risk based opinions, or in many cases, any conclusion. For the presentation of a list of risks and issues is not an opinion or a conclusion. There is no ‘truth’ to test.

I work hard with my team to make them form an opinion. It is difficult. Often there is no right or obvious answer. So, as an example, is a complex aid programme in a conflict state good or bad? Is net risk too high? Hmmm. Difficult to tell. But if an opinion is not formed the audit committee cannot do its role. It cannot approve the management response (to do less, nothing, or more) to the report. It cannot apply, on behalf of the board, the organisation’s risk appetite. A series of decisions to improve the organisation either in terms of control or value cannot be made and implemented.

Back to my team. Finding a set of issues or risks is fine. If one reads them, however, and is none the wiser whether they tell me something is good, bad, or indifferent, then what is the point? My team has the very brightest and best and they are getting great at forming a view, though it takes constant work in my experience. If, later, we discover that the opinion turns out to be wrong then fine – if we could predict the future we would be in the business of buying lottery tickets, not audit. At the time we issue the report, however, through the audit committee dialectic process we will have created organisational change by stating an opinion and a ‘truth’ to be tested. That is the point.

So why do we as auditors fail in this? Well, as auditors we confuse audit with science. We confuse complexity with impossibility. We apply our conservative nature to avoid taking risk ourselves. We are conflict avoidant (though a dialectic process is not meant to be conflictual). Yet having an opinion and sharing that in a proportionate, justified, way is our core job. We are best placed, being independent of management, to do this. We can say what we like and we should (must) do that. As auditors we should work hard (with Socratic questioning if necessary) to enhance our audit committee’s dialectic processes.

So how is your audit committee’s dialectic?

Change of guard


So this week I’ve said goodbye to my CEO boss, in this case a Permanent Secretary. This is not the first time in my career I’ve done this. Sometimes it has been planned and organised but most times, at this level, people suddenly leave, either to take on their next role or, in some cases, as a sudden departure for less clear reasons. I have been lucky in my CAE career to work with people that I respect and that have all been ethical, moral, talented and capable (I can think of one exception).

Sir Mark, my latest, has been exemplary and I’m sad to no longer be working with him.

The CEO to CAE relationship is key to a successful audit function in my view. For without the trust, engagement and support of the CEO, internal audit is exponentially more difficult to make deliver. Not impossible, but much more difficult. For the tone at the top, as with so many organisational things, makes a difference not just to making things happen, but to making change as a result of those things. Outputs can be achieved by an audit function on its own; outcomes require collaborative co-working with the client management team with the support of their leader.

I am grateful to Mark, as with some of the CEO equivalents I have worked with before, for taking me and internal audit seriously. Mark ensured that I reported to him, not just because he felt it was the right thing to do, not because he saw me as his elite police force or praetorian guard, but because he felt internal audit had a role in the organisation, was part of good governance, and was worthy of some of his highly valuable and limited time.

If we go to the International Standards from the IIA, standard 1110 states:

‘The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities.’

This is framed primarily as being about the CAE being senior enough to be independent, i.e. having a reporting line both outside of the management chain to the board and to the top of the management chain. It is also about status. For internal audit to be successful in getting senior managers to take it seriously, those senior managers that control resources, power, knowledge and access, then those senior managers must know that the work of internal audit is to be taken seriously by the board and CEO and the response to it will have an impact on their futures. That might be in terms of performance targets, performance assessments, future resource allocations (both positively to tackle risks identified and negatively, to divert resource from poor performing activities).

Sir Mark insisted I reported directly to him, which in the UK Government system (due to odd governance arrangements concerning dual accountability to parliament for resources) is both the CEO and one of the two ultimate governance functions of the department to the UK Parliament (the other being political accountability to Parliament). This was an important statement and one that I recognised when I first met Sir Mark in his office, then adjacent to Buckingham Palace in London.

If I reflect on other CEOs I have worked with, this was a strong statement of support. Not all CEOs recognise the importance of having dialogue with CAEs. This is crucial in my view, for a good CAE should have a breadth, and more importantly depth, of view of the organisation that few others in the management team will have. Also a good CAE should be independent and objective, so should have the courage, ability and perspective to talk truth unto power. This should provide any CEO with a different perspective to those they normally hear. I’ve written about the dangers of management ‘groupthink’ before: ‘Group think the Kryptonite of Leadership – Internal Audit the antidote?’

This relationship between CEO and CAE also has to be one of respect, and some level of parity, in that the CAE should not just be able to report to the CEO, but talk to them. Dialogue is important. What takes time is for any CEO and CAE to get to a position where the CAE is a trusted business advisor. This is difficult for anyone to achieve with a CEO. They are typically well experienced, very capable and confident individuals. If the selection process for them has gone well then I would expect them to be the most capable and confident. So everyone else will, to some extent, still be learning and developing compared to the CEO. If a CEO is truly capable, however, they will recognise that their ability to listen is important, and this should provide a CAE with a basis on which to offer some insights from their perspective and work.

The relationship also works the other way. It is easy for a CAE to do what they want. To take independence to be a non-listening position and see all different views as ‘wrong’. I know as a younger CAE I did not listen to my client organisations and CEOs as much as I should have done. For the CEO, if they’re good, should know and be able to guide their CAE about what the organisation can cope with and how it will better deal with, and hear, messages from audit work.

The CEO and CAE relationship is not about agreeing all of the time. A good CAE’s most crucial role is to disagree bravely at times. For it is these moments that are the crucible for transformative step change to occur. A good CAE should know how to do that, however. When has a ‘red line’ been reached? When will an organisation benefit from a tough message, and when will it retract and recoil from it?

The line between support and challenge is forged in a collaborative, guiding and supportive CEO to CAE relationship. The key is to stretch an organisation, but not to break it. This stretch can be quick with a ‘snap back’ management response to catch up, or it can be a thematic message that builds over time and stretches the gap between internal audit and management views, until the management response begins to catch up. In my experience, compliance and legal issues fit the former; risk management, value for money and governance challenges, fit the latter.

So will I miss my recent boss? Yes, hugely. Both personally and professionally. Do I hope my new boss ‘gets’ internal audit? Yes of course. I have high hopes, though see: ‘Do organisations only ‘get’ internal audit when they mature?’

So when your guard next changes are you ready?

Guidance, or do we mean rules?


I’ve come across an interesting phenomenon recently: the idea that internal audit must be bound by rules, or at least guidance. So I was asked the question, when I posited that internal audit should give a periodic (normally annual) opinion over the adequacy of its client organisation’s governance, risk management and control: well, wouldn’t that just be your opinion? With the follow up: why is your opinion any more valid than anyone else’s?

It’s a good challenge. Why should the CAE’s view be taken any more seriously than the CFO’s, CEO’s or COO’s? The answer I think is because it is grounded in internal audit work. Let’s go back to the definition of internal audit:

‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.’

So the opinion is independent and objective. This is why it should carry greater weight from a board perspective than the management team’s views. It is grounded in a planned, and hopefully risk based, programme of assurance and consulting activity. This is designed, or should be, to cover the risks that matter and the core elements of the assurance opinion being given; i.e. the work provides evidence and support for the opinion.

This line of questioning extends further: how can you provide an opinion if you are not attesting to something? Standard audit methodology requires that attestation must be against something: a framework, a set of rules, a management assertion, a set of measurable things. So for some, internal audit can only provide an opinion where there is a set of rules to compare practice against; i.e. I compared B to A and found these deficiencies between B and A. This leads to the school of audit thinking that says: I can’t audit that, there are no rules. The management team has not yet put in ‘controls’ (by which they mean business rules), so I cannot audit it yet.

In my career to date I see that many auditors struggle when a clear set of rules is not in place. Let’s be clear, there is a place for compliance work and minor control design improvement work in internal audit. A truly risk based auditor should be able to work ‘off piste’ however. They should be able to look at what needs to be there based upon the objectives and risk appetite in place and take a view. Consultants seem to struggle little with giving their view, why should auditors?

Most organisational activity is not defined via rules and most management teams are poor at defining rules and even worse at enforcing them. The breaking of rules per se does not relate to risk. Most organisations do not follow rules most days, yet they succeed or have a level of risk that is bearable. So the idea of ‘control’ as compliance or conformance with rules, has little relation to risk in my experience.

Thinking is incredibly difficult. We all try to avoid it. I know that it’s the hardest bit of my role, yet the one, as CAE, I do almost exclusively. When I review my team’s work and reporting I am not primarily looking at what is there (well yes obviously for grammar and presentation etc as my team will attest), but primarily I am looking for what is not there. What are the obvious or less obvious things that are missing? What should be there? What is the management team not doing? What will come to bite me later if I don’t pick it out now? What are the logical end points for the area under review if the organisation continues as it does? That is what a CAE and all auditors should do. We can all get wrapped up in compliance and get the wrong answer ultimately.

I love doing audit work. I still do audit work as a CAE and I love the thrill and chase of audit. I adore looking at something new, researching it, thinking about it, bringing 20+ years of experience and formal training to bear on a scope of work. I do struggle to do this whilst having my day job of being a CAE, but given some time, I love auditing. I love the ‘private words’ people want to have with you, the cultural and organisational intrigue and interest, the satisfaction of my naturally curious and nosey nature. I ultimately love producing something that, if engaged with positively, will make a lasting difference to clients. In my current role I have the added satisfaction that this will ultimately improve and save lives of some of the poorest people in the world. Now that’s something worth getting up out of bed in the morning for!

I don’t love internal audit when it becomes the policemen for rules. When the creative and value adding thinking element is cut out of it. When the risk related bit (i.e. seeing that risk is good, not bad per se) is taken out of it. When you can only express an opinion as an attestation of conformance.

So thinking about the line of questioning I experienced, I was asked what framework or model of control I would use to provide my opinion. I was at a loss. Why would I use a framework? Most frameworks are merely other people’s documentation of what they think should exist, i.e. their thinking, not mine. These frameworks, to have any generalisability, are required to be high level or vague. Sure, COSO has some nice structure and thoughts, but it tells you little about what control should look like in context A or context B. It tells you little about sub elements of control – what should cash controls look like? IT controls? Marketing controls? Surely anyway these frameworks are merely other people’s thinking? Why can I not think myself? Why should I not take account of how the management team thinks about control? Why should I not use a range of other specialist frameworks of good financial, risk, IT, governance etc. control?

For the truth of the matter is that the world is complex and good quality audit opinions come from good quality CAEs. If a CAE needs to have a control framework as a crutch to support woolly or low quality thinking then you should change CAE. Sure a framework is a helpful starting point or logic check – particularly for completeness, but it is no more than that. It is no more than the non-context-dependent thinking of others. The CAE should be providing the context-dependent insight and thinking.

I know all of this sounds dreadfully British (I also appreciate that the UK’s international currency – quite literally – is low now). It is important, however, that we as a profession must avoid a rules based, dare I say it, US-centric view, of the world. We are not a world bound by rules, where ‘guidance’ is sought and very quickly becomes proxy rules. Pragmatism, agile, adaptive approaches driven by intellectual curiosity are a fantastic quality of the UK and its internal audit profession. Sure there is a risk that you get a bad CAE and they don’t do this well, but the opportunity of getting a great one that makes a real exponential difference to an organisation is worth taking a risk on. For if an organisation sticks with rules and the slow evolutionary approach it precipitates then it will not change with the times and will atrophy.

So how rules-based are you?

Heavy lifting

I am on the board of a number of organisations: an international non-governmental organisation, a UK national charity and a world-class higher education institution. I also work in my day job with a huge range of organisations and their corporate structures. These organisations have a range of internal audit provision through to none. Where there is internal audit it adds value, in whatever form.

Organisations go through life cycles, and the bigger, more established and complex they are, the more they benefit from a good internal audit. They benefit because organisations under-resource corporate functions. I understand why. Corporate functions are overhead. They don’t make stuff, they don’t sell stuff, they don’t speak to customers, they don’t deliver the cash earning product or service.

Yet, when an organisation gets to a certain size, it ceases to be controllable by people, either one, or a few. The span and depth of control is too much. Culture helps, but is difficult to deliver and control. This is where good strategic internal audit comes in. Not the compliance or two dimensional internal audit, but one that asks the really difficult questions and one that has coverage from the strategy down the organisation into delivery.

Good internal audit says the unsayable. It challenges group think. It systematically looks at the organisation (and yes in depth and breadth, not just six top level reviews a year). It goes from the strategy and follows that through to the floor, to the way the organisation is seen by customers, beneficiaries and stakeholders. For only when you have enough time and independence to look objectively at the organisation can you really form a view over how it is really working.

So why heavy lifting? Well for me internal audit is the organisational equivalent of going to the gym. It is the organisation trying out its parts, putting them under pressure and isolating them (as you do with weights at the gym) to see if they work. This process of putting them under pressure identifies sometimes big problems and weaknesses, but most of the time there are lots of little things that could be better and fixed. That’s how you grow muscles at the gym, through the precipitation of lots of ‘micro’ tears. These repair and the muscle grows and that part of your body has greater capacity to lift more. So it is with organisations and internal audit.

Just like going to the gym, it can be aversive for organisations to face the challenge of internal audit. Most organisations have developed the optics of public and reputational protection. Too often that becomes internalised and the top management team loses its openness to challenge. The press lines replace reality. Sure being told something is not good, or having an alternative perspective is challenging. I know that as a leader myself. Being open to challenge is not easy or pain free sometimes. It is something I and I think organisations must continually work at.

Internal audit’s role is to ensure the organisation has plenty of capacity to run to keep up with competitors. It should be the gym instructor counting out the ten press ups and putting the extra weight on the bar. Don’t get me wrong, most great management teams I’ve worked with do the same with their strategies. What they don’t have is the capacity and time, however, to test this down the organisation, to follow down the delivery and control chain. Internal audit is set up to do that.

Of course internal audit needs to know what organisationally ‘fit’ looks like. So you need a breadth of generalists, specialists and a range of professional backgrounds. You most of all need a mindset that is willing to put up with the gripes and moans of the organisation as it is at the ‘gym’. This requires auditors to be fairly strong and resilient in the face of challenge, without being closed to it.

Just like a good gym instructor, you get what you pay for. A cheap service benefits you less. Similarly doing it without a good gym does not work, so home exercise is possible, but rarely takes you forward. So it is with internal audit; organisations need to invest time, resources, energy and engagement to really benefit. As an internal auditor I’ve met fit and unhealthy organisations. Unhealthy ones are flabby, inefficient and lazy, and so the role of audit is harder (most notably on the engagement side).

So next time you engage your internal audit team, think of it as being like exercise. It’ll be challenging, difficult and hard work, but you will gain the pleasure and endorphins that result and be more efficient and effective as a result – a real win!

So when will you next train and get those IA gains?!

Auditing The Matrix

I was asked by a management colleague this week – how do you train your team to see things my team don’t? The premise behind the question was why internal audit continues to see issues and risks and propose solutions that the management team doesn’t.

Honestly I am not sure I have the answer. For me common sense is just that, common sense. I think what I train my auditors to do is think and apply common sense. So no matter what the business challenge or question – I ask auditors just to think through what the reasonable person on the apocryphal ‘Clapham omnibus’ would do. Now I know that common sense is not common and that one person’s common sense is not another’s. I do genuinely think that auditors’ best professional tool is just to think and ask obvious questions.

So how do I train my auditors?

Well I think surrounding them with the other experienced and great auditors in my team helps. It is important to ensure that any audit function retains a core of knowledgeable, professionally trained and experienced auditors, who know the business they are auditing.

Second I think it is important to provide constant leadership and support of professional discovery and continuing professional development. I provide a diet of masters courses, IIA qualifications, ACFE and other counter fraud qualifications. I supplement these with a diet of experiences, conferences and workshops. In addition I ensure that an underlying base of ethical training, professional behavioural expectations and high standards of propriety are expected and enforced through oversight and quality assurance of work and the processes through which that work is produced. Can I micromanage and be a perfectionist? Yes, a little, but this ensures that my auditors work to produce the very best they can, all of the time.

Third, I train auditors to challenge the status quo. I ask and encourage them to free their mind and be inquisitive and challenging. This means I ask them to audit not only what is there, but much more importantly to audit what should be. I tell all of my auditors that their views (even when training) are valid, sensible and value adding. I say to them to feel free to challenge and to put their views across, to ask the stupid question (for the only stupid thing is not to ask the question), to feel supported to go ask, do and investigate any reasonable thing they think important. When I trained at a big four firm I always felt there was a risk that these firms spent lots of money recruiting bright people, and then spent three years training them not to think. I do my very best not to do this. I want my auditors to feel as if there are no cages or walls oppressing them.

So why do I think my audit team picks some issues the management team does not always manage? Well I think this is primarily because internal audit is objective and independent and is set up to take a risk based approach. Most management teams get too wrapped up in issues and the here and now to take real time to analyse why they do things.

Update – I’ve taken some time to finish this blog post, as I’ve normally got an opinion or a view on the question at hand. I usually use my blog to expound and refine this view. In this case, as you read above, I was genuinely not sure of the answer.

I’ve had a damascene moment today though that made this clear to me.

The real reason why I think internal audit sees things is that I had always assumed organisational discourse, that is the organisational ‘press lines’ that we articulate on our organisational intranets, was generally recognised to be nonsense, i.e. that we all had a real understanding of how things really are: complex; messy; driven by personalities, culture, currencies of power, resources and political position. Yet I appear to be wrong. Apparently this world is not clear to others. This reality is not one that people really see. When we have what I thought were organisational ‘press lines’, lots of people in organisations actually believe them.

How can I best describe this? Well if you’ve ever seen The Matrix franchise of films, the main character, Neo, has the ability to see past the computer-generated code that constructs a false reality which he was being fed in order for the evil machines (that had taken over the world) to use his body and brain (along with the rest of the enslaved human race) as a battery. I think good auditors see enough of organisations, both in depth and width, to really understand how organisations actually work. They think in terms of analysing, objectively, and as an intellectual research exercise, how the organisation works (I of course mean this of fully risk based and in-house internal audit services – not externally provided – for they never really know their clients – or compliance based auditors – for they never really challenge to any depth).

Perhaps I am lucky, or perhaps my team are, that we have these real conversations and do not buy into the computer-generated false reality of organisations. Perhaps I am lucky in that I deal mainly with the top of the organisation, those senior managers that know all too well, and have to deal with, the real reality the organisation faces. They know when their constructs and organisational press lines stretch truth or test credulity, for they construct them. Perhaps I am lucky that I can be open, honest and helpful in supporting and challenging them in both the real world and the use and deployment of those constructs.

I think great internal audit functions train their auditors to see the ‘stream of numbers’ behind organisational constructs (another Matrix reference). This means that even fairly junior members of my team are inducted into seeing the world in this way, the ‘code’.

So perhaps this is something I had not ever appreciated or understood because I had always thought it obvious, at least to me, and it did not need saying. Or perhaps I am just odd in my perspective (as one of my team compared me to Sherlock from the Elementary TV series – I think it was meant as a compliment but it was hard to tell!).

As an auditor, do you see people and 20th century America or the code that the machines use to construct them?