Bad internal audit?




I spend a lot of time on this blog talking about what good internal audit is, but very little time about what bad internal audit is. I guess bad is the converse of good, so take my views of ‘good’ and reverse them to see what ‘bad’ is.

So I guess a very narrow definition is an audit service that is non compliant, or partially compliant, with the international auditing standards from the IIA. I’ve commented lots on standards in Generally conforms?, so I think they are rather binary, rather limited, and not a particularly good measure of performance, more of conformance.

So let’s think more about what bad is. Something is bad when it does not meet its core purpose. So what is internal audit’s core purpose? Not the production of audit, not the production of assurance. If we take the lines of defence model, as the third line we are to prevent problems, at least at an organisational level. So the non prevention of organisational failure from a risk’s or risks’ crystallisation could be seen as a failure. Whilst we are non executive, we surely are accountable for the prevention of failure of our client organisation? So when an organisation fails, so, in my view, has the CAE.

Again this measure is a little digital. Also, bad internal audit is only discernible in this model when something falls to pieces. Not very helpful as a preemptive and forward-looking measure of badness.

So let’s keep reviewing the situation and we better think it out again. So another thing I think internal audit should be is relevant. It should do stuff and be an element of its client organisation that matters. So if the internal audit function is irrelevant, if it performs a perfunctory role at the audit committee, if the opinion of external audit matters more on business risk (and why should it? They check the veracity of one document per year – why would they have any valid view on business risk?), then internal audit is doing badly.

But what does irrelevance look like? I would say it means internal audit looks at small things; it looks at things solely at the direction of the management team (i.e. it is not independent); it conversely is never asked by the management team to do anything (so is unloved by the management team); it does not do any work outside of a too small audit plan; large chunks of the business do not see or feel the impact of internal audit for long periods of time; internal audit reports (even strongly expressed positive or negative ones) have little impact; and the head of audit is a junior member of the team, with no access to the C suite and little in demand from the organisation’s CEO and board.

The real test for me of bad internal audit is when something goes wrong and internal audit is not involved. It is not looked to for support, for additional assurance, and its prior work is not reviewed to see if lessons could have been learned earlier. Internal audit is of course not the only part of an organisation that could possibly solve these issues, but it is well placed to. It is independent, skilled in risk management, governance and control, and has a good and in-depth knowledge of the organisation. So why would it not be a natural partner for the CEO, C suite and the board?

Another measure of bad internal audit for me is poor quality opinions. Perhaps they are wrong (and for those of you who know me I don’t believe in wrong, but things can be a long way from the range of ‘right’ answers). They are absent, meaning that no opinion is given or the opinion is limited to the work done on an exception basis. The opinion is really difficult to determine or divine from the audit reports and work. For me an internal audit function stands or falls on its opinion quality. Does it say the things that matter? Even if it’s difficult to say it. Does it say things in a way that is balanced and supported by evidence? Does it say things in a manner that is clear, but supportive of creating positive change? This can mean being really tough – it can mean being really gentle – but never means being unclear.

Another indicator is people. Is the internal audit department populated with people of the same or better standard than the business they audit? Coming from a big four firm we always believed we were better than our clients. In many cases we were. Certainly we would never regard ourselves as being below our clients. This is with good reason. For an effective audit function should attract the very best. It has a great qualification; teaches generically valuable skills of governance, risk management, control, value for money, and report writing; encourages operational, detailed, tactical and strategic thinking; provides a fantastic oversight of the business; and gives both breadth and depth in experience. Why then would internal audit not attract the very best talent from the business and also export it? If your function has only career internal auditors, who are not of the standard of the management team you audit, you need to look again.

The biggest indicator for me of a poor internal audit is that it does not amount to a whole hill of beans. In other words, the sum total of its efforts does not enhance or improve the host client. After a five-year audit or assurance plan, is the client better? Better at achieving its objectives (which is the entire purpose of risk management)? If not, then why not? It may not be entirely or even partially internal audit’s fault – we are non executive after all – but does internal audit deliver meaningful improvements to a client’s capacity to deliver and manage risk?

I know various audit services that measure the implementation of recommendations by the management team, but for me this misses the point. Surely the point is that the risks to the achievement of the organisation’s objectives are the things that matter? So I would follow up the exposure to net risk above the board-approved risk appetite; that is the ultimate measure of internal audit.

So are you bad or good?

Agreed management actions?




In my role I get to see other audit services and teams, and see how they deal with their clients. One of the great things about the internal audit profession is that there is no single ‘best’ or ‘right’ practice. This allows the profession to really meet our clients’ needs without being straitjacketed by rules.

So one model I’ve seen recently in a number of internal audit functions is for the internal audit function to agree management actions in response to observations recorded in audit reports. These may or may not be accompanied by recommendations from internal audit.

So let’s think this through. It has some appeal. It forces engagement of the management team with auditors and their audit reports. It means that there is a set of actions that will occur. It means that audit committees only see agreed reports. It makes internal audit really think about the quality of their reports and their suggestions (if they are included in the report). It makes the management team think through their response, as they have to debate and discuss them with internal audit. It also potentially improves the implementation record of management in response to internal audit.

Yet it does have its downsides. I have found a really hard hitting or transformative audit report takes time to digest. Also strategic issues and risks are not always able to be responded to in short order, they take time. So forcing agreement through an internal audit-agreed management action right at the end of the audit doesn’t work. This means it can either hold up the report’s publication whilst disagreements and debate occur between the management team and internal audit, or it can force a lower level of ambition in what is agreed. It could make internal audit reports avoid difficult or challenging points altogether as there is a challenging process of closure needed; it’s easy to make a suggestion to sign a form, but much more difficult to posit a challenge to a strategic project or programme of the management team.

The most concerning element of the approach is that it could impact on internal audit’s independence. Internal audit has to agree and take some, if only vicarious, responsibility for management actions and their response. The management team could use disagreement to denude, or water down the report’s findings.

So I do think getting a degree of agreement with the management in response to internal audit is important. It’s not a particularly sensible position for internal audit to be diametrically opposed to the management team constantly. I do, however, think the ability and willingness of internal audit to disagree with the management team is essential to the dialectic relationship needed for good internal audit. I also think that early and immediate agreement to points in internal audit reports is unhelpful. I think some space to provide an immediate response, then amend, discuss and change it later, is important. I find a management team’s consideration of internal audit reports prompts a sense of bereavement and cognitive dissonance with their established viewpoints. These take time to dissipate and adjust to. The best audit responses in my view come six months after the delivery of the audit report. Then the challenge, spotlight, and angst of being audited has faded. This means in six months’ time the management team has more space to respond and the nature of the response is more flexible.

I also think it presupposes that there is a response that makes sense at the point the audit report is delivered. At that point of the audit, if an audit report is focusing on stuff that matters and the big risks, then surely the issues and risks may be difficult to respond to. So does it make sense to agree a set of actions as soon as the opinion is delivered? I don’t think, in all cases, it does. Perhaps the ‘action’ is to consider the position. But then the follow up, under the agreed management actions model, is to check that the management team has ‘considered the position’. So this approach may actually prompt weaker management action than leaving some time for the management team to respond might otherwise have done.

I do have difficulty with risk based internal audit forcing actions in any case. I think the most important thing is that actions mitigate risk. So why ask for management actions, unless they mitigate risk? So internal audit should not follow up the implementation of the management team’s actions, but rather follow up the mitigation of risk. This fixes agreement on the risk as the point of focus, not the actions. So following up risks allows actions to adapt, move and respond, potentially improving the management of risk.

The overall aim of internal audit is to help to ensure risks to the achievement of the organisation’s objectives are mitigated to be within the governance-agreed risk appetite, or to report to the governance structure if they’re not. So the management team should be owning their own risk; forcing internal audit to be part of this process potentially intervenes in the adoption of risk by the management team.

My view is that the agreed management actions approach does have benefits, but I think it: forces fake or lower quality agreement; limits the time for the management team to digest audit reports; does put internal audit’s independence at risk if done badly; loses the focus on risks as opposed to actions; makes follow up easy, but potentially less effective; and limits the management team’s adoption of their own risks.

How do you finalise your audit reports? Is there an ideal?

Generally conforms?




I am belatedly setting my objectives for the coming year, both for and at work, and also personally. It’s a good thing to stop and think about what you wish to achieve and to set measures and metrics to assess those.

Whilst I know every chief audit executive considers their audit service to be more than just themselves, there is still a temptation for it to be seen as, and genuinely be, a reflection of the CAE leading it. This is especially so in internal audit for two reasons. First, many audit services are relatively small, so the span and depth of control of the CAE is relatively all encompassing. Second, because internal audit provides a principles based framework of standards and compliance, that allows quite a wide latitude to how the actual service manifests itself. Third, internal audit services are held together by their methodology. This methodology is not just the processes and documentation used by the service, but is also a view on the world, which is as much intellectual and ideological as it is practical and process based.

So that’s why, when I set the standards for the year for my service, review the templates and processes, and look at the skills and needs I have for my service, I am as much as anything else reflecting on my own development and view of the world. I take a granular interest in these things; they matter. I have said in this blog before (in Radio Four or Three auditing) that, much like a business, internal audit has a brand. This brand is set and controlled in large part by the CAE. They set the tone, basis of engagement, style, content and method of engagement with their clients.

My current team will, no doubt, say that I am too detail focused and obsessed with format and style. Like a top restaurant or an upper class retailer, the image and the way the service is delivered is as important as the content (though in my view one must be supported with the other). This is inculcated through the methodology, the training, and the leadership (in practice) from the CAE. It is enforced through quality assurance and review. Eventually, in my experience, the team will self edit and review with very little input from the CAE.

So what should be the bedrock for those standards? I think it should be the International Internal Audit Standards. These have, built in, the need for compliance. In particular the need for an external quality assurance assessment (EQA) by a competent third party every five years. There are many ways in which reviewers assess these standards, but the one that seems to have gained traction is the ‘fully / generally / partially / does not conform to the standards’ opinions.

When I’ve been benchmarking services, I’ve found that ‘generally conforms’ is the most given opinion. Generally conforms ‘indicates that an IA activity has a charter, policies, and processes that are judged to be in accordance with the Standards, with some opportunities for improvement’. So that sounds good. Or does it?

If we look up the word ‘conform’ it means comply. That means meeting the standard. So it is a binary judgement. That must therefore mean that ‘generally conforms’ conversely also means ‘does not comply in parts’. It seems odd to me that a profession obsessed with being ‘risk based’ would then have such a two dimensional, binary, and non risk based compliance opinion applied to itself. So is a ‘generally conforms’ service at significant or minor risk of not meeting its objectives? How impactful are the areas of non compliance? Not complying with ethics is presumably much worse than not issuing a form of opinion on an assignment level piece of work, or not immediately drawing the board’s attention to an error in an audit report? Who knows?

When I had my service’s EQA at the beginning of this year I was clear with the reviewing party that I did need the requisite badge, and yes expressed in terms of compliance, but that I was much more interested in how good that compliance was. Did my internal audit service make a difference to my client? In other words did the work of my service amount to a whole hill of beans or not?

That’s not something that is so easy to express. Particularly in terms of the Standards, as the Standards require basic compliance only. They do not require any particular measure of quality. Compliance with them neither guarantees nor prevents quality audit work being done. As an example let’s take attribute standard 1100:

Threats to independence must be managed at the individual auditor, engagement, functional and organisational levels.

Well you either do or do not manage independence at these levels. The standard does not require it to be done well, or to a low risk appetite, or high quality, merely to be done. Let’s take a performance standard:

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

Again – there is no requirement for the risk assessment to be good or high quality. Merely for it to exist, and be done annually with input from senior management and the board. So I wonder, how do so few audit services fully comply? I consider the Standards, therefore, in terms of a risk based quality delivery, to be merely the basis and required baseline framework. I ask again: how then do so few audit services achieve full compliance?

I expect and inculcate in my audit team a methodology and set of professional standards and ethics that mean they naturally comply with the Standards, both collectively and individually. This does take time, but high quality auditors will comply with the standards without even thinking about it. I know and trust my team will comply with the standards, because they know that they should and because I, and my senior team, have inculcated good internal audit as an instinctual response. That does not mean I don’t check and review, and never have to correct the tiller individually or collectively to make sure it remains so. Nor does it mean I do not undergo an EQA as required (indeed it’s a useful process).

For those of you wondering about my EQA, my service was deemed fully compliant, as well as identifying things that I and my service could do better and more of. That’s a long way from non compliance in my view, and as internal audit has so much expectation upon it now, can any of us afford not to comply?

School’s out, Summer and audit are in




So my team and I have just despatched our latest set of audit committee papers for our last audit committee meeting before the Summer. Producing audit committee papers, I was reflecting, is part of the rhythmic heartbeat of any auditor’s life. It’s been part of mine for nearly 20 years. The Summer break, however, got me thinking about what it would be like not to have that.

I like the Summer. Yes the longer days, the sunshine, the general positivity of being in nicer weather. I like it as an auditor, especially as it gives me a chance to do audit work without the ‘distraction’ of reporting to a committee or the senior management team, and in my current role, ministers. Sure people in the audit team are on holiday, but there are always some around at any point in time. My current team is split between London and Glasgow, so even these holiday periods are naturally staggered. Yet there just seems to be a little more quiet time to do project work. To sit, pause, think, and gather our collective thoughts.

I was asked to do a lessons learned paper about my and my team’s work this week. I think we as a team are a learning team and I am a learning individual. As a consequence, sitting and doing a lessons learned thing seems alien to me, as we and I learn and adapt constantly. Every audit and counter fraud investigation is a project, from which we learn, tweak, adapt and improve. Yet the stepping back, in the space that Summer affords, does strike me as a useful thing. A chance to pull together an enhancement plan, a set of lessons from the audits and counter fraud work of the year.

Summer will also be a time to reflect on my team. Where do we need to be? What does next year demand? How best will we be shaped to meet that demand? I am not one to leap to restructure, as this is often an attempt to look busy and is a lazy way of creating change. There may be some restructure, but actually I think our team collectively thinking about what the future looks like will be important.

So whilst Summer, our Q2, can appear relatively quiet, actually in audit terms it is when the fieldwork really gets done and change and enhancements to the processes and systems are able to be done. Our CEO likes to suggest, or at least share post-Summer, his Summer reading. I think, for those of my team not studying (and most will have sat examinations this month), it’s a good chance to take some reading on. At present there is precious little new thinking I’ve seen in internal audit. No one is really pushing the profession on, or doing the blue sky stuff. Perhaps Summer might be a chance for us collectively to write, rather than read?

I am now also a member of three audit committees. This is a great thing for any auditor, to be the other side of the table. It’s a chance to engage with other auditors, which I think is a good thing, a chance to have a sense of what it is like to be a non executive (it’s a hard role actually). There are lots of charities, housing associations etc. that need good audit input, I would recommend all auditors do one as part of their public service as well as professional development. I will have had my first taste of these committees before Summer comes along, so Summer will be a chance to reflect on these initial experiences and then engage with the organisations fully in the next year.

So yes Summer is, for many, a chance to refresh and recharge batteries, but in audit I think it’s a crucial period for the heavy lifting that makes a real difference to the rest of the year, to be done. Yet I would not be without the rhythm of audit committee cycles. All professions have them (management accountants, IT, marketing, HR etc), they also give a real framework within which to work and organise yourself. So yes Summer, for me, is a great period of structure free reflection, which I intend to use well this year but I will look forward to the start of the new ‘term’.

So what will you be doing for your Summer?

Risk is not bad! Celebrate it!




So I’ve been thinking about risk. I had the pleasure of attending a course on risk hosted by Norman Marks and Richard Anderson. Norman has a great blog NormanMarksBlog. Richard is a trainer and general risk guru AndersonRisk. I’ve also given my annual assurance opinion, which requires me to opine on risk management systems. We’ve also had a new head of risk start at my client organisation and all of these are making me think afresh about what good risk management looks like.

So I’ve been working hard over some period of time to advance my risk thinking with my audit team, my client organisations, and my professional audit colleagues. In particular my view that risk is simply not bad. Risk is just a description of fact. Theoretically perfect risk management is just a 100% accurate description of the world at a point in time. If we could imagine how the perfect information world would be, we would understand the full factors impacting the uncertainty of the achievement of our objectives. This is what scientific, quantitative risk management aims for.

Most organisations outside of banking, and most risks, are not amenable to cost effective mathematical modelling, so we make do with judgements. These judgements are those that the management team makes every day. So what then is the difference between risk management and just management? Well, I think the difference is the natural tendency of managers to focus on the here and now, to solve issues. Real risk management is designed to allow risks and uncertainty to be more easily foreseen and addressed, so that issues and proximate risks do not occur. So in a way, busy, issue-focused management is a failure of risk management.

So why is risk not bad if we try to avoid it so much? Well, risks flow from objectives. If you or your client organisations are not sufficiently ambitious then you are likely to yield poorer performance. This can be financial, but could be social. So a charity campaigning for diversity and against discrimination is unlikely to be successful unless it pushes itself to challenge the status quo, to stimulate and create change. Risk is not bad then – we need risk management to be successful overall so that our objectives are achieved.

Getting organisations to see risk and its crystallisation as a good thing takes time; for all ambitious organisations take on risk, and some of it will, inevitably, crystallise. We, as auditors, are partially to blame for risk aversion. We code our risk based reports with colours equating risk to bad, ‘red’. Yet my greatest audit achievement is to get an audit committee to celebrate and endorse a red risk report. Yes, risk was high, the likelihood of achieving objectives was highly uncertain, and no, I could not give positive assurance, for the outcome was so uncertain; how could I? Yet I said red was fine. Red was where the organisation wanted to be. Red came with high costs and a high likelihood of failure, yet it also came with high rewards. In this case, the saving of millions of people’s lives. So it was good risk. Good risk to take.

Sure, risk at that level across the whole organisation is bad, for the whole organisation could fail. Yet how many businesses do take massive risks? Apple has the majority of its profits arising from one single product line, the iPhone. So each update carries with it massive risk. Will we look at Apple in ten years as the Blackberry of the future? Possibly. This risk could, however, be the source of their further success.

So we as auditors are not there to stop organisations taking risk. We are there to enable them to take more risk. To help and assist build risk management intelligence and capacity. We are there to make organisations more conscious and capable of handling and handing off risk. For a good risk management system surely allows more and more complex risk to be taken?

The key point for audit is to ensure that objectives, and the risks that flow from those objectives, mediated through appetite, lead to a sensible allocation of risk management resource and capacity. For where any single one of those elements is out of kilter, organisational failure occurs. Our role is not to take pseudo executive responsibility for what risk is good or bad. We should point out where risks are not properly governed, well resourced to be managed, well understood or analysed. The only time, in my view, risk is bad is if it breaks the law (the law is not a risk based judgement) or if it threatens the very existence of the client organisation you are working with.

So how will you celebrate risk with your clients?

Clearing out the wardrobe




One of the tasks I get around to not nearly as frequently as I should is to empty out my wardrobe. I periodically review all of my clothes and ask myself ‘Does it still fit?’ ‘Does the reason I bought this still exist and make sense?’ ‘Is it worn out?’ ‘Is it still in fashion?’ Then the killer question – ‘have I worn this in the last six months or year?’.

I end up putting a whole section of my wardrobe in the bin or taking it to the charity shop. I also rediscover items I forgot about, and looks and items that I loved once and can still see myself wearing. This then clears space for new items, new fashion, new (sadly more age-appropriate) items. This is a win, win: lots of additional space; an excuse to shop; and better and newer looks for my work and social life. It’s a great process and makes you feel great.

So if this is so good for me, why don’t I do this more often? Well, it is generally because it takes time. It takes time to sit and go through a wardrobe. It’s easier to add rather than subtract. It’s easier to buy something new when I have ‘nothing to wear’. If I don’t think about it I buy the same sorts of items and styles, because I know they are fine and comfortable. It’s a change-avoidant process.

I think internal controls in organisations are the same. Organisations rarely step back and declutter their control frameworks and actions. People continue to do stuff because it is familiar and comfortable. I’ve asked management colleagues why something is done the way it is. What’s the risk it is intended to manage or mitigate? Why do you do this manual thing when something newer and simpler could be done? Organisations have a tendency to add more and more controls, and we as auditors can be at best collusive in, and at worst encouraging of, this. No management team has endless resource, yet when something goes wrong they and their organisations rush to fix it with more process, more controls, more stuff to do.

So, accepting that it is easier to add than to redesign or remove controls, why don’t more organisations empty their control ‘wardrobes’? I suspect because this requires thought. It requires time. It requires clear thinking. First it requires clear objectives. Then a clear and granular identification and assessment of risks arising from those objectives. Then a mapping of current activity, processes, controls and resources to those risks. Then, finally, the confidence to stop doing things, and to move and divert resources. More than that, this process needs to be repeated periodically, and relentlessly, to maintain the efficient operation of the organisation.

Of course, it’s a paradox that the better an organisation is at managing risk, the less likely it is to be efficient at control. For crisis is the mother of invention and hard work. Choices in activities, resources and controls are not going to be made, I’ve noticed, unless an organisation no longer has big profits and is in crisis. One reason why startups and small organisations are so inventive is because they have to be. They have to be more efficient and effective and make choices in what they do. Large, profitable organisations are much less likely to be forced to make difficult choices and prioritise activity.

As internal auditors we should be at the vanguard of organisational improvement and be the pressure on successful organisations to continue to be more efficient. I am unlike the normal expectation of the CAE. I am not particularly rules based, I much prefer principles focused on tangible outcomes required. So I try not to just add control, but instead ask for meaningful control. I am, however, guilty as charged in that I do generally require more control, not less, normally for good reasons but oftentimes because I simply like the order control brings.

So can I take my wardrobe emptying task to work and should I? I think the answer to both will be yes. Will you?

Fraud assurance




In my current CAE role I also have responsibility for counter fraud. This is not unusual. Lots of CAEs have this role and remit. Yet does my professional training prepare me for this work? Is it a sensible fit? Having done this now for three years I think that it is, but that my preparation and ongoing support for it has been lacking.

First, I think that the counter fraud world does not have the same professional rigour and maturity as internal audit. There are some helpful and useful qualifications, for example the ACFE (though the law component is heavily US based and less helpful in an international context). There aren’t the professional standards and maturity of quality assurance processes or body of established best practice that internal audit has.

I think the real world of practice is somewhat less defined than internal audit. So counter fraud functions can vary significantly in scope, remit and quality. A lot is driven by the nature of the counter fraud task and whether the host organisation is a prosecutorial authority. Where the organisation is, the legal requirements tend to drive the form and nature of the counter fraud function.

I also think there is a lack of an obvious talent, career and training structure for counter fraud professionals. This allows quite a lot of charlatanism, with the ‘secret squirrel’ people hiding their lack of clarity about their role behind faux confidentiality requirements (in my view counter fraud work needs to emerge from the organisational shadows and be seen as a more mainstream part of organisational ecosystems). So it is difficult to identify what good talent looks like and to measure, accredit and reward it.

There is the perennial issue of second and third line responsibility. The three lines model was conceptualised for audit and assurance, and maps awkwardly to counter fraud work. Counter fraud investigations work is clearly best done in the third line – whistleblowing at its heart is meant to be independent of management (for that’s who whistleblowers are either directly or indirectly complaining about). That’s why this strand of work is, in my view, not just a bedfellow of internal audit (as an independent part of the organisation) but an integral part of it. There is a need for a second line function to set policy and take risk decisions for countering fraud and to make the first and second lines collectively counter fraud. Yet the problem is that all of the professional structure, discipline, career training paths, and data sit inside the third line function. Lots of organisations have directors of risk and assurance who straddle both the semi independent second line functions and independent third line functions. Here the three lines model starts to intellectually break down and lose its clarity and coherence. For how independent is the third line in this model?

Then there are the practical elements of the counter fraud function. What skills do you need? Well, an understanding of risk, governance, audit, forensic work, finance, assurance etc. These are (or should be) found within a good internal audit function. Yet counter-fraud-only professionals, with their detailed, bottom up mindset, lack the necessary grip of systems, processes, controls, assurance and governance to deliver two of the three core elements of counter fraud work – proactive investigations on a risk basis and fraud assurance to prevent reoccurrence. Here internal audit skills score highly. For the record, internal audit staff also lack the scepticism, detail focus, analytics and bottom up skills that counter fraud professionals have.

So there is a real challenge here about counter fraud. Outside of those organisations that have law enforcement as their core task, the clarity of this role breaks down. I think therefore this space is, nationally and internationally, ripe for some work: some clearer and better thinking through what excellence in terms of delivery looks like. I do think the international space has set out some good markers. The World Bank has invested a significant sum of money in an independent counter fraud function. This has significant resources and headcount, but as a result does not map well across other compliance and assurance functions – for example internal audit or legal. Most UN agencies and multilateral agencies vest counter fraud alongside internal audit in one inspector general model. This feels right, and is mirrored in my organisation, under me.

So why does it feel right? Well it means that counter fraud work is fully independent of management, yet is within the organisation to be able to support and engage with it. It ensures that risk management decisions are made within the management chain (or if appropriate governance chain). It also brings to bear (or has the potential to bring to bear) the counter fraud and internal audit mindsets and creates a discipline and career structure to the counter fraud activities, not previously open to it.

So then if I as a CAE, and many others like me, take on this counter fraud role, is it about time the IIA globally begins to think about this more carefully and adopt this activity? I think so. Not just so that CAEs like me can have some structure and standards to apply to this work, but so that the work itself has a home to look to in terms of training, career and professional support.

The one percent

We are the one percent. We are the one percent of the organisation, in many cases less than one percent. Yet when we talk crises, problems, governance we are far more. For the lines of defence model we are 33 percent. For governance we are more; for external auditors check one document to a level of materiality. We check the rest, apparently to a ‘reasonable’ level.

Yet we as a profession are not yet having a sensible dialogue to link the one percent of resources to the excessive demands and expectations on us. These expectations are collectively, on each service, on each head of audit and on each individual auditor, excessive. 

As a CAE I feel it acutely. The pressure to deliver consultancy, to keep the diverse demands of the audit committee, CEO and line management satisfied. For those of you who also have counter fraud, I feel this more. For every fraud feels like a crisis and a problem. All fraud matters appear to need solving immediately. Yet we are the one percent.

I’ve been thinking about what needs to change. I think we, more specifically our mindsets, need to. We need to stop apologising for not being management, for we are different. We need to stop apologising for being generalists, for that is what senior management is. We need to stop apologising for saying difficult and unsayable things, for that is our core role. Most of all we need to stop feeling sorry for ourselves and have confidence. Internal audit is a good thing per se.

We deserve more than 1 percent. More than one percent of organisational resources. More than one percent of organisational respect. More than one percent of press and public coverage. 

For if all organisations had excellent internal audit to prevent problems rather than expensive consultancy to fix problems the world would be a better place. We should demand more. Demand more pay, more airtime, more people and resources. 

I have been debating with many in our profession who are wedded to the three lines paradigm where internal audit is a small, limited, so-called strategic function; a function smaller than the CEO’s press office or planning office. We need to be bigger and do more. 

The quid pro quo for this investment has to be for us to be better. No longer failed finance or business people, no more transitory guests on the way to promotion elsewhere in the business. We need the same talent that banking, consultancy or other much less worthy jobs attract. We need at least to have as much thinking and intellectual firepower as our business colleagues in the management team.

That means the professional firms’ model of sending in trainee kids, propped up with remote reviews, needs to change. It means our reporting needs to be consultancy standard or better. It means our thinking has to be at least three dimensional, if not multi-faceted. It means our childishly simple colour-coded reports need to be more honest and more complex. We need to leave the solely compliance world behind and integrate compliance work within analysis and thinking.

In short we need, as a profession, to remove the walls we falsely put around us and grow into the unlimited space within which our management colleagues take risk. 

Do you think the one percent is up to it in your organisation? 

Audit planning: helpful or not?

Audit planning. It’s that time of the year when I think about my own department’s audit plan. It’s the area that seems to garner the most questions from new auditors and it seems to be the area of our profession where least agreement exists. In particular, what is risk based audit planning?

We all know what we think it is. I would argue there’s very little agreement. Consider the ask from the standards and the Institute for a moment. It’s a performance standard – so it is about how we do things, not about us per se. So the top level standard 2010:

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals.

Well this sounds fine until you unpick it a little, in particular: what is risk-based? So this means prioritisation of work – so we as auditors should look at some things based upon risk. But does this mean gross or net? So the areas the organisation feels it’s most exposed to (high net risk)? Or perhaps the areas where the organisation is least exposed, but works hardest to control the risk (high gross risk)? What sort of risk – financial? Organisational? Reputational? etc. For the risk profile will be very different across these. What about proximity? So the risks that are most likely to crystallise into issues?

Let’s go back to the standards:

The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organisation’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organisation.

So as CAE, the interpretation says I have a responsibility to deliver a risk based plan. This should take into account the organisation’s risk management framework and risk appetite. So take into account? Ignore, register, use, follow, agree, interpret? What? Organisation’s risk appetite. Do we mean individually or in aggregate? So if an organisation has a very high risk appetite, say like Enron, do I have to agree or work within it or provide an override? Hmmm more confusing by the minute.

Let’s go back to the standards:

If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programmes, systems, and controls.

So I can only use my own judgement where the framework does not exist? Or do I impose my own judgement on it? I must adjust in relation to the client organisation. Well that much seems simple: my plans must in some way work with the client. The direction, type or manner of the adjustment feels quite vague though. If a client does not want me to work in an area, should I do it anyway or work with the client?

Back to the standards:

The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

Finally – so clear direction. I must have a documented risk assessment. I must take the input of senior management and the board. Great – that’s clear. Let’s go further:

The chief audit executive must identify and consider the expectations of senior management, the board and other stakeholders for internal audit opinions and other conclusions.

I need to take into account management, board and other stakeholders’ expectations. In the real world these often clash and are contradictory. Whose expectations matter more or less? What if my independent judgement is to ignore all of these expectations, say to do the right thing or open all of their minds to something new?

Finally the standards say:

The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value and improve the organisation’s operations. Accepted engagements must be included in the plan.

Consulting arrangements must be included in the plan. This seems strange since most consulting arrangements are ad hoc and arise as needed. All of this seems a little periodic and annual, not rolling or reflecting the speed at which risk and organisations seem to move.

So the standards themselves set some very high level principles and provide very few rules and little guidance. I think that is good, as the CAE should have space to do the right thing in context. It does, however, provide a problem in the real world. What should a CAE do? What is ‘right’ or ‘best’? In particular I think the most confusing and omni-meaning phrase is ‘risk based’.

So what do I call risk based audit planning?

Well, on risk appetite I work with the organisation’s risk appetite both in aggregate and at business unit level. That is, I report my opinions based on net risk, but decide whether this risk is good or bad depending on the management’s clearly established risk appetite. So an organisation can, in business units, or in aggregate, take high risk. As long as this is legal and is sanctioned by senior management in full consultation with the board, then I work with it. It is not my job to decide whether organisational risk is good or bad, merely to test the reality of control (where control means the adequate management of risk within a risk appetite) and report where this control is inadequate to mitigate risks within established management appetite. I caveat this with two audit overrides: first, that something unethical or illegal is not deemed to be within appetite; and second, that excessive risk in aggregate to the organisation, such that the organisation could fail, is inappropriate. It is my job to report them, even if the board sanctioned them – so the reporting route would be to the police or regulatory authorities.

On risk based planning I don’t believe in full risk based planning. Partly because this is a path to justifying, to the most extreme level, a lack of audit resource. I’ve heard ‘oh we audit strategic risk only’ (despite the fact this statement includes strategic risk, which is a meaningless concept) to justify coverage of an organisation over 20, 40 and record-breakingly 150 year audit cycles. No, no, no. Internal audit needs better coverage if it is to be meaningful. Why? Because there is no such thing as strategic risk. For a start most organisations have no strategy. For those that do, the point at which the strategy becomes both meaningful and auditable is at the ‘set of coherent actions’ level. For most sizeable and complex organisations, any risk that is truly strategic, i.e. organisationally significant and impactful, is too esoteric to audit directly. In reality top level risks like a ‘fall in sales’ or ‘loss of competitive position’ are most likely a whole portfolio of actions and activities that need to occur for the risk to be managed or crystallise. So strategic risks have webs of risks and roots that extend into the organisation. So a strategic risk based plan must map out the detail of audit work on those roots to be truly strategic. The issue for me is one of coherence, not strategic audit interventions. I do acknowledge some organisations may have the odd strategic risk, but these are few and far between, and most likely not controllable by the organisation. This means audit plans need to ignore strategic risks and map out the roots of the organisation’s web of risks into a coherent whole.

Some of the plan must be non risk based. There are various things a good audit service should do that are required that have nothing to do with risk. Coverage of finance, coverage of IT, coverage of other specialist risks. Also meeting various regulators’ requirements. These need to be accommodated. We also need to provide a periodic assurance opinion, so annual sufficiency is important. Ultimately we need to do less ‘strategic’ stuff too, otherwise the diet of assurance is too rich, for both management and the governance structures.

Should we take account of the management risk assessment? Well yes – but with caveats. First of all most risk management systems implemented by management teams are poor, or at least suboptimal. Risk mature organisations are rare indeed. If they do exist, they will always be grounded in the paradigm of management thinking. Surely a good audit service should challenge and sit outside of that. So I would think it likely that a good audit service should be challenging in its thinking and perform an independent assessment.

I want to see fewer audit services using an audit universe (I don’t like these, see: Running Towards Risk or Risk Based Audit?). I want to see fewer thin justifications of a lack of coverage dressed up as being risk based. I want risk based auditing to actually mean understanding and looking at risks, not ordering the organisational parts by gross risk and then prioritising them. All of these two dimensional approaches to risk based planning are unhelpful.

I want to see more audit services really know and understand their clients, the real risk and the real risk exposure, and be resourced to provide a meaningful level of coverage to deliver a sensible audit response. Sure, I can justify any number of plans and there is probably no right plan, but there are wrong plans. These are ones with 20 year cycles of organisational coverage, with a gross risk proxy only, or those that stick to the management risk script only (even assuming it’s written well). Most of all I want to see the profession do better than it does currently – so how do you plan?

Do organisations only ‘get’ internal audit when they mature?

So I had the pleasure of attending the UK Government’s Finance and Internal Audit Conference 2016 this week. I was not convinced linking the two separate professions was massively helpful, as it seems to perpetuate a myth that all accountants are auditors and that financial audit is the same as internal audit. I would argue my audit team has more in common with general management and policy colleagues than our financial ones. Heigh ho! It was good to have a gathering of my internal audit colleagues across HM Government, so in that sense a gathering will always have some value.

So why was I there? I had been invited to argue in formal debate about the motion ‘Internal Audit can deliver more value in a risk mature organisation’. I was asked to argue against this motion. I was happy to argue against as the motion presses on a number of weak points in the increasingly global, and in my view false, current paradigm of internal audit.

So the main argument for the motion (provided by a partner from PWC who I hold in respect) was that in a risk mature organisation internal audit is more valued, more engaged with, and can deliver more value to the management team as a result. In other words risk immature organisations are too immature for internal audit. Or that internal audit does not, or cannot, deliver as much or any value to risk immature organisations.

I think this proposition is clearly false. Internal audit, with its unique attributes of independence, objectivity, and purview across, into and at the top of organisations, should add value to any organisation. Sure, risk immature organisations are very hard work. Some are very challenging indeed. This does not mean internal audit does not add value; it just means internal audit has to work harder, better and more clearly with those organisations. It’s true I faced a challenge back, that risk immature organisations would not resource internal audit. That’s true, but you only really need one talented and capable internal auditor. So if you run a small audit team (and there are lots of you that do), don’t feel marginalised. When I did it I forced value on the organisation; I was truly independent and said what I thought. That was not popular or necessarily engaged with, but it made a difference. For one of my previous clients I take credit that that organisation is safer, more customer focused, has a better built environment and generally has stronger processes and systems as a result of my work, even if it was not liked, or valued at the time.

The other obvious statement is that risk immature organisations present lots to go at. Lots of systems, processes, risks, strategies, governance and control issues to get your teeth stuck into. Doctors don’t spend a majority of their time with the healthy. Similarly an organisation with some low hanging fruit (or fruit that has fallen off the tree and is rotting on the ground) is a great organisation to be involved in. Lots of chances for IA to be relevant, valued, bring to bear IA’s unique attributes etc. As a CAE I love risk immature organisations. They present both a challenge and an opportunity – save the risk mature organisation for the few years before I retire!

So back to risk mature organisations. My biggest beef with this is that it is not real. It’s the Disney position. It’s not real. Let’s be honest, how many really mature organisations have you seen? Where the first line of defence is well organised and thinks in controls terms; where the second line is clearly structured and professionally organised and has a genuinely semi independent role from management; and a proportionately and sensibly resourced third line, which is 100% respected and listened to. No, me neither.

That’s because this whole three lines of defence paradigm is nonsense. It describes a world the professional services firms would like to see, as it justifies their systems only, light-touch approach to audit (they don’t really distinguish between internal or financial statements audit – for surely risks only impact financial controls?!).

Yet real internal audit (and yes it has to be internal) needs to understand the culture and totems of the organisation. It needs to have a deep and rich understanding of how the organisation really works. For all organisations are not controlled by systems and processes. They might be in part, but the really significant risks are controlled by senior people, mostly using intuition (labelled as experience) and there is no real law or right and wrong objective knowledge in management. For why would we globally pay senior management so many times more than the average employee if organisations were just bags of systems? It’s because organisations are not bags of systems. They are complex, messy, human, full of people. So internal audit needs to audit systems and processes and controls, but it also needs to understand incentives, culture, politics (both capital and lower case ‘p’) to provide real and meaningful assurance.

So, if we take it back to the dominant paradigm of the three lines of defence. Clearly the three lines of defence is nonsense. It’s a model. Models are used to help us humans to simplify and understand more complex reality. They occasionally provide a basis for us to predict outcomes or causality. The very best provide an ideal that, if applied, will lead to success. Yet the three lines model does none of this. It is not predictive. It is not even clearly understood, outside of the banking sector where it is mandated. It is, therefore, neither law, nor observable fact. So I see it more like the Pirates’ Code in the Pirates of the Caribbean – ‘guidance’ not rules. I see it has a religious quality. You have to make a leap of faith to believe in it. Indeed I’ve even been told it’s some people’s Bible. It does have a cultist element to it. At best, it’s a typology of organisational activity. It tells us nothing about the detail of what goes on in each typological segment and gives no sense of the relative strengths, size, resourcing or value provided by each.

So let’s all move on and treat it as the basic typology it is, please. For this three lines model, taken out of context, is what causes a motion such as this to even be talked about in relation to internal audit. It is this idealised model of a fake Disney reality of a pyramidal organisation with a big first line, smaller independent second line and tiny third line IA that limits IA. It limits IA to doing nothing. So when IA does any real analysis or consultancy or asks difficult questions it prompts the clarion call – ‘oh that’s a second line activity’. Nonsense – internal audit is very well placed to do proper consultancy. Not the imposing kind consultants usually do, which is limited by management in scope and buried if it is not the preferred answer, but real consultancy that asks the right questions and provides the right answers that have to be dealt with.

It is the three lines model that limits IA in most organisations to overseeing the sausage machine, occasionally tasting the odd sausage, but assuming that risks are all ‘aggregatable’ to the top level of an organisation and testing those ‘strategic’ risks (they are not – risks are complex webs of detail, not one liners at a board level). It is this model and ideal paradigmatic approach we all are increasingly buying into that makes IA functions tiny. Would Volkswagen have doubled its IA resource to avoid its current woes? – I would argue yes and that it should.

IA is part of an ecosystem. It can and should be larger and better resourced in all organisations. It should do second line functions – or at least review further down the organisation, in more detail, from an independent perspective. Most second line functions are weak and unclearly structured anyway – so some overlap is needed. Internal audit can and should add value to all organisations, and I would argue good IA will add more value to risk immature organisations, as we have access to the governance of the organisation to unblock the constipation that most risk immature organisations face.

For remember, at the end of the day when something goes wrong – this model we all buy into falls apart – no CEO ever asks ‘where was my first and second lines of defence’ they ask ‘when was it last audited and why did you not tell me’. 