Answer the question


It’s advanced level examination results day in the UK (pre-University examinations for my international readers). Thousands of students will find out whether they have the grades to go to their university of choice. I remember my advanced level history teacher constantly setting out the same mantra – answer the question, the whole question and nothing but the question.

I’ve been thinking about internal audit work and how it has evolved since I started in the profession. I remember when I first undertook internal audit. Back then it was about looking at a few objectives, thinking about a few risks that could affect those objectives, then writing a report with enough observations to justify the fee. We did not even ask what the question was, let alone answer it.

Of course I tried to get the right risks, ask the right questions, evaluate the right risk mitigation action and controls. At that time, however, a lot of internal audit work was about compliance and verification of systems. So yes there was an element of looking at the design of controls, but a lot was about the implementation of controls as designed. In other words, someone else had supposedly done the thinking and as an auditor I was meant to just verify the thoughts’ implementation and perhaps, sprinkle a little added value by suggesting some improvements. Also it was almost all finance and financial control. Who remembers the CIPFA control matrices? (Do they still exist?)

I knew when I took on my own internal audit service as a CAE that this was not enough. I knew I wanted to add real value, to be really risk based. I have since Socratically followed the logic of internal audit’s value proposition and it led me to design a proper risk based audit system. One where the balance of effort was not on looking at what was there, because invariably from experience it was poor or could be much better, but on looking at what should be there.

Internal audit under this model significantly changes. It considers risk and risk appetite. It has to make the same complex and difficult business decisions that managers make. It has to accept that perfect is not possible and make value for money judgements about what is reasonable and cost-effective. This places a huge burden of responsibility on each auditor and on me as a CAE particularly. Every decision we take, every report judgement we publish, every piece of advice we give, has a burden of being ‘right’. Reports need to form appropriate judgements based on real and complex analysis. Reports can no longer be exception reports, picking up some stuff. They need to pick up everything, as appropriate. They need to be complete as well as balanced, as well as right, as well as risk based. They also risk putting internal audit into an executive position, for where a management team is weak, they will rely on internal audit either overtly or tacitly.

When internal audit plays in the space of uncertainty and grey, it loses the protection of just being a form of organisational additionality. In other words it is not something nice to have, but it becomes core to an organisation. It is an integral part of a good organisation’s eco-system and governance framework. Internal audit can rightly be held to account when things go wrong. It can make mistakes with consequences.

To do this type of internal audit also requires a step change, not just of the CAE but also of the whole internal audit department. You no longer need two dimensional thinkers without an ability to go ‘off piste’. You need both bright and experienced people. You need better learning across the department and increased knowledge sharing. You need a department to become better than the sum of its parts to keep up with, or preferably stay ahead of, management team colleagues. Reports are no longer cut and paste, cut and shut; they are consultancy reports with a narrative, storyline, argument, analysis and conclusion. They no longer answer some questions, but they answer all relevant questions. In effect each assignment becomes evaluative or research based in nature, not systematised or programmatic.

For in our modern, complex, world, real risk does not lie basking in the sun. It is hidden in the complexity of pre- and co-requisites, interrelation, culture, people and process. To make sense of a complex world you need higher skills supported by experience.

I am writing up my PhD at the moment and I hope I will do enough to get it. It’s hard, but rewarding, work. Yes the type and standard of writing and line of argument needs to be excellent and every paragraph carefully crafted, so it is different to the writing in my day job as an auditor. I don’t expect every audit report I read and write to be the same but, actually, nearly. For internal audit reports are mini-research and evaluation reports. They do need to ask the right questions and, more importantly, answer them too. They need a carefully crafted and credible argument and they need to form sensible conclusions.

Does your internal audit ask, and then answer, the right questions?


Audit committee dialectic


I’m a member of three audit committees; a national charity; world-class university; and a global multilateral organisation. In my career I have been to thousands (literally) of audit committee meetings.

Whilst audit committees vary in terms of effectiveness, form, nature, personalities, remits, scopes and charters, there is, I think, an ideal (in a Platonic sense) of what an audit committee should do, i.e. any good audit committee should do certain things.

I don’t want to list all of the things an audit committee should do. Instead I wish to focus on one core thing – its dialectic. So let’s define this (per wikipedia):

Dialectic or dialectics (Greek: διαλεκτική, dialektikḗ), also known as the dialectical method, is a discourse between two or more people holding different points of view about a subject but wishing to establish the truth through reasoned arguments.

This is a core process for audit committees. It is not aggressive or conflictual. It is a joint process to discover the ‘truth’. Who holds those opinions? Well the management team; independent auditors (both internal and external) and the independent audit committee members. What is truth? Long time readers of my blog will understand that I have epistemological and ontological issues with the concept of ‘truth’. Simply, I don’t believe in truth. Evidence and ‘facts’ can be interpreted in different ways to create different ‘truths’.

So what is the dialectic process in audit committee settings? Well I think it is the core process and point of audit committees. An audit committee is delegated a role of independence and organisational oversight by the board. Most audit committees oversee as their core task the suitable application of risk appetite (as set by the board), through ensuring there is a reasonable system of risk management and that risks taken are within the board-approved risk appetite. They also oversee governance. So they will ensure the management and the board are working to ‘direct and control’ the organisation effectively (which is the definition of governance). They also oversee the implementation of control.

Now there are various definitions of control – one that sees control as compliance with rules and procedures and another that sees control as mitigation of risk through control actions to be within the organisation’s risk appetite. It may appear that control can be detached from risk and risk appetite, but what is a system of control if not a designed set of actions to ensure risk is mitigated to within risk appetite? Personally I would cut out the middle man and just define control as mitigation of risk within appetite, rather than set it up as being something independent of risk, which ultimately is a documented version of risk appetite control in any case.

So how does the audit committee dialectic fit? Well a good audit committee will receive data (normally reports from the management team or auditors) and it will debate these. Through this debate it will attempt to discover the ‘truth’ of the data presented. At a fundamental level do these data tell the committee that the board-approved risk appetite is being breached or not? Are the systems and processes of governance, risk management and control working adequately?

So this means it is incumbent on all parties at the audit committee to bring their opinions and be willing to debate them. This for most audit committees takes the form of debating reports, considering the author’s view and comparing it to the response or to the committee’s own views. So for management reports the audit committee should decide whether it is happy with the data and views presented and approve (or not) the modifying actions. This is the basis of its consideration of reports, fundamentally to approve the actions taken / to be taken as proposed in the report. For audit reports the audit committee should consider the audit and management view and then decide to approve the management response to risks or not.

Yet I’ve been in so many committees that do not do this. They either don’t consider reports (there are too many of them); or they are conflict avoidant (and yes some tension and conflict is helpful and necessary in an audit committee); or they are not presented with anything to consider. Far too many of my audit colleagues are guilty as charged on this one. For what value is an audit report without a conclusion or an opinion? How much less valuable is a report that does not include a risk based opinion?

So all of my audit colleagues will claim to be risk based. Yet they do not form risk based opinions, or in many cases, any conclusion. For the presentation of a list of risks and issues is not an opinion or a conclusion. There is no ‘truth’ to test.

I work hard with my team to make them form an opinion. It is difficult. Often there is no right or obvious answer. So, as an example, is a complex aid programme in a conflict state good or bad? Is net risk too high? Hmmm. Difficult to tell. But if an opinion is not formed the audit committee cannot do its role. It cannot approve the management response (to do less, nothing, or more) to the report. It cannot apply, on behalf of the board, the organisation’s risk appetite. A series of decisions to improve the organisation either in terms of control or value cannot be made and implemented.

Back to my team. Finding a set of issues or risks is fine. If one reads them, however, and is none the wiser whether those tell me something is good, bad, or indifferent, then what is the point? My team has the very brightest and best and they are getting great at forming a view, though it takes constant work in my experience. If, later, we discover that opinion turns out to be wrong then fine – if we could predict the future we would be in the business of buying lottery tickets, not audit. At the time we issue the report however, through the audit committee dialectic process we will have created organisational change through stating an opinion and a ‘truth’ to be tested. That is the point.

So why do we as auditors fail in this? Well, as auditors we confuse audit with science. We confuse complexity with impossibility. We apply our conservative nature to avoid taking risk ourselves. We are conflict avoidant (though a dialectic process is not meant to be conflictual). Yet having an opinion and sharing that in a proportionate, justified, way is our core job. We are best placed, being independent of management, to do this. We can say what we like and we should (must) do that. As auditors we should work hard (with Socratic questioning if necessary) to enhance our audit committee’s dialectic processes.

So how is your audit committee’s dialectic?

Change of guard


So this week I’ve said goodbye to my CEO boss, in this case a Permanent Secretary. This is not the first time in my career I’ve done this. Sometimes it has been planned and organised but most times, at this level, people suddenly leave, either to take on their next role or in some cases it has been a sudden departure for less clear reasons. I have been lucky in my CAE career to work with people that I respect and that have all been ethical, moral, talented and capable (I can think of one exception).

Sir Mark, my latest, has been exemplary and I’m sad to no longer be working with him.

The CEO to CAE relationship is key to a successful audit function in my view. For without the trust, engagement and support of the CEO, internal audit is exponentially more difficult to make deliver; not impossible, but much more difficult. For the tone at the top, as with so many organisational things, makes a difference not just to making things happen, but to making change as a result of those things. Outputs can be achieved by an audit function on its own; outcomes require collaborative co-working with the client management team with the support of their leader.

I am grateful to Mark, as with some of the CEO equivalents I have worked with before, for taking me and internal audit seriously. Mark ensured that I reported to him, not just because he felt it was the right thing to do, not because he saw me as his elite police force or praetorian guard, but because he felt internal audit had a role in the organisation, was part of good governance, and was worthy of some of his highly valuable and limited time.

If we go to the International Standards from the IIA, standard 1110 states:

‘The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities.’

This is framed primarily as being about the CAE being senior enough to be independent, i.e. having a reporting line both outside of the management chain to the board and to the top of the management chain. It is also about status. For internal audit to be successful in getting senior managers, those who control resources, power, knowledge and access, to take it seriously, those senior managers must know that the work of internal audit is to be taken seriously by the board and CEO and that the response to it will have an impact on their futures. That might be in terms of performance targets, performance assessments, or future resource allocations (both positively, to tackle risks identified, and negatively, to divert resource from poor performing activities).

Sir Mark insisted I reported directly to him, which in the UK Government system (due to odd governance arrangements concerning dual accountability to parliament for resources) is both the CEO and one of the two ultimate governance functions of the department to the UK Parliament (the other being political accountability to Parliament). This was an important statement and one that I recognised when I first met Sir Mark in his office, then adjacent to Buckingham Palace in London.

If I reflect on other CEOs I have worked with, this was a strong statement of support. Not all CEOs recognise the importance of having dialogue with CAEs. This is crucial in my view, for a good CAE should have a breadth, and more importantly depth, of view of the organisation that few others in the management team will have. Also a good CAE should be independent and objective, so should have the courage, ability and perspective to talk truth unto power. This should provide any CEO with a different perspective to those they normally hear. I’ve written about the dangers of management ‘groupthink’ before: Group think the Kryptonite of Leadership – Internal Audit the antidote?

This relationship between CEO and CAE also has to be one of respect, and some level of parity, in that the CAE should not just be able to report to the CEO, but talk to them. Dialogue is important. What takes time is for any CEO and CAE to get to a position where the CAE is a trusted business advisor. This is difficult for anyone to achieve with a CEO. They are typically well experienced, very capable and confident individuals. If the selection process for them has gone well then I would expect them to be the most capable and confident. So everyone else will, to some extent, still be learning and developing compared to the CEO. If a CEO is truly capable, however, they will recognise that their ability to listen is important and this should provide a CAE with a basis on which to provide some insights from their perspective and work.

The relationship also works the other way. It is easy for a CAE to do what they want. To take independence to be a non-listening position and see all different views as ‘wrong’. I know as a younger CAE I did not listen to my client organisations and CEOs as much as I should have done. For the CEO, if they’re good, should know and be able to guide their CAE about what the organisation can cope with and how it will better deal with, and hear, messages from audit work.

The CEO and CAE relationship is not about agreeing all of the time. A good CAE’s most crucial role is to disagree bravely at times. For it is these moments that are the crucible for transformative step change to occur. A good CAE should know how to do that, however. When has a ‘red line’ been reached? When will an organisation benefit from a tough message, when will it retract and recoil from it?

The line between support and challenge is forged in a collaborative, guiding and supportive CEO to CAE relationship. The key is to stretch an organisation, but not to break it. This stretch can be quick with a ‘snap back’ management response to catch up, or it can be a thematic message that builds over time and stretches the gap between internal audit and management views, until the management response begins to catch up. In my experience, compliance and legal issues fit the former; risk management, value for money and governance challenges, fit the latter.

So will I miss my recent boss? Yes, hugely. Both personally and professionally. Do I hope my new boss ‘gets’ internal audit? Yes of course. I have high hopes, though; see: Do organisations only ‘get’ internal audit when they mature?

So when your guard next changes are you ready?

Guidance, or do we mean rules?


I’ve come across an interesting phenomenon recently, the idea that internal audit must be bound by rules; or at least guidance. So I was asked the question, when I posited that internal audit should give a periodic (normally annual) opinion over the adequacy of its client organisation’s governance, risk management and control, well wouldn’t that just be your opinion? With the follow up, why is your opinion any more valid than anyone else’s?

It’s a good challenge. Why should the CAE’s view be taken any more seriously than the CFO’s, CEO’s or COO’s? The answer I think is because it is grounded in internal audit work. Let’s go back to the definition of internal audit:

‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.’

So the opinion is independent and objective. This is why it should carry greater weight from a board perspective than the management team’s views. It is grounded in a planned, and hopefully risk based, programme of assurance and consulting activity. This is designed, or should be, to cover the risks that matter and the core elements of the assurance opinion being given, i.e. the work provides evidence and support for the opinion.

This line of questioning extends further, how can you provide an opinion if you are not attesting to something? So standard audit methodology requires that attestation must be against something, a framework, a set of rules, a management assertion, a set of measurable things. So for some, internal audit can only provide an opinion where there is a set of rules to compare practice against. i.e. I compared B to A and found these deficiencies between B and A. This leads to the school of audit thinking that says – I can’t audit that – there are no rules. The management team has not yet put in ‘controls’ (by which they mean business rules), so I cannot audit it yet.

In my career to date I see that many auditors struggle when a clear set of rules is not in place. Let’s be clear, there is a place for compliance work and minor control design improvement work in internal audit. A truly risk based auditor should be able to work ‘off piste’ however. They should be able to look at what needs to be there based upon the objectives and risk appetite in place and take a view. Consultants seem to struggle little with giving their view, why should auditors?

Most organisational activity is not defined via rules and most management teams are poor at defining rules and even worse at enforcing them. The breaking of rules per se does not relate to risk. Most organisations do not follow rules most days, yet they succeed or have a level of risk that is bearable. So the idea of ‘control’ as compliance or conformance with rules, has little relation to risk in my experience.

Thinking is incredibly difficult. We all try to avoid it. I know that it’s the hardest bit of my role, yet the one, as CAE, I do almost exclusively. When I review my team’s work and reporting I am not primarily looking at what is there (well yes obviously for grammar and presentation etc as my team will attest), but primarily I am looking for what is not there. What are the obvious or less obvious things that are missing? What should be there? What is the management team not doing? What will come to bite me later if I don’t pick it out now? What are the logical end points for the area under review if the organisation continues as it does? That is what a CAE and all auditors should do. We can all get wrapped up in compliance and get the wrong answer ultimately.

I love doing audit work. I still do audit work as a CAE and I love the thrill and chase of audit. I adore looking at something new, researching it, thinking about it, bringing 20+ years of experience and formal training to bear on a scope of work. I do struggle to do this whilst having my day job of being a CAE, but given some time, I love auditing. I love the ‘private words’ people want to have with you, the cultural and organisational intrigue and interest, the satisfaction of my naturally curious and nosey nature. I ultimately love producing something that, if engaged with positively, will make a lasting difference to clients. In my current role I have the added satisfaction that this will ultimately improve and save lives of some of the poorest people in the world. Now that’s something worth getting up out of bed in the morning for!

I don’t love internal audit when it becomes the policemen for rules. When the creative and value adding thinking element is cut out of it. When the risk related bit (i.e. seeing that risk is good, not bad per se) is taken out of it. When you can only express an opinion as an attestation of conformance.

So thinking about the line of questioning I experienced, I was asked what framework or model of control I would use to provide my opinion. I was at a loss. Why would I use a framework? Most frameworks are merely other people’s documentation of what they think should exist, i.e. their thinking, not mine. These frameworks, to have any generalisability, are required to be high level or vague. Sure, COSO has some nice structure and thoughts, but it tells you little about what control should look like in context A or context B. It tells you little about sub elements of control – what should cash controls look like? IT controls? Marketing controls? Surely anyway these frameworks are merely other people’s thinking? Why can I not think myself? Why should I not take account of how the management team thinks about control? Why should I not use a range of other specialist frameworks of good financial, risk, IT, governance etc. control?

For the truth of the matter is that the world is complex and good quality audit opinions come from good quality CAEs. If a CAE needs to have a control framework as a crutch to support woolly or low quality thinking then you should change CAE. Sure a framework is a helpful starting point or logic check – particularly for completeness, but it is no more than that. It is no more than the non context dependent thinking of others. The CAE should be providing the context-dependent insight and thinking.

I know all of this sounds dreadfully British (I also appreciate that the UK’s international currency – quite literally – is low now). It is important, however, that we as a profession must avoid a rules based, dare I say it, US-centric view of the world. We are not a world bound by rules, where ‘guidance’ is sought and very quickly becomes proxy rules. Pragmatism, agile, adaptive approaches driven by intellectual curiosity are a fantastic quality of the UK and its internal audit profession. Sure there is a risk that you get a bad CAE and they don’t do this well, but the opportunity of getting a great one that makes a real exponential difference to an organisation is worth taking a risk on. For if an organisation sticks with rules and the slow evolutionary approach it precipitates then it will not change with the times and will atrophy.

So how rules-based are you?

Heavy lifting


I am on the board of a number of organisations: an international non governmental organisation, a UK national charity and a world-class higher education institution. I also work in my day job with a huge range of organisations and their corporate structures. These organisations have a range of internal audit provision, through to none. Where there is internal audit it adds value, in whatever form.

Organisations go through life cycles, and the bigger, more established and complex they are, the more they benefit from a good internal audit. They benefit because organisations under-resource corporate functions. I understand why. Corporate functions are overhead. They don’t make stuff, they don’t sell stuff, they don’t speak to customers, they don’t deliver the cash earning product or service.

Yet, when an organisation gets to a certain size, it ceases to be controllable by people, either one, or a few. The span and depth of control is too much. Culture helps, but is difficult to deliver and control. This is where good strategic internal audit comes in. Not the compliance or two dimensional internal audit, but one that asks the really difficult questions and one that has coverage from the strategy down the organisation into delivery.

Good internal audit says the unsayable. It challenges group think. It systematically looks at the organisation (and yes in depth and breadth, not just six top level reviews a year). It goes from the strategy and follows that through to the floor, to the way the organisation is seen by customers, beneficiaries and stakeholders. For only when you have enough time and independence to look objectively at the organisation can you really form a view over how it is really working.

So why heavy lifting? Well for me internal audit is the organisational equivalent of going to the gym. It is the organisation trying out its parts, putting them under pressure and isolating them (as you do with weights at the gym) to see if they work. This process of putting them under pressure identifies sometimes big problems and weaknesses, but most of the time there are lots of little things that could be better and fixed. That’s how you grow muscles at the gym, through the precipitation of lots of ‘micro’ tears. These repair and the muscle grows and that part of your body has greater capacity to lift more. So it is with organisations and internal audit.

Just like going to the gym, it can be aversive for organisations to face the challenge of internal audit. Most organisations have developed the optics of public and reputational protection. Too often that becomes internalised and the top management team loses its openness to challenge. The press lines replace reality. Sure being told something is not good, or having an alternative perspective is challenging. I know that as a leader myself. Being open to challenge is not easy or pain free sometimes. It is something I and I think organisations must continually work at.

Internal audit’s role is to ensure the organisation has plenty of capacity to run to keep up with competitors. It should be the gym instructor counting out the ten press ups and putting the extra weight on the bar. Don’t get me wrong, most great management teams I’ve worked with do the same with their strategies. What they don’t have is the capacity and time, however, to test this down the organisation, to follow down the delivery and control chain. Internal audit is set up to do that.

Of course internal audit needs to know what organisationally ‘fit’ looks like. So you need a breadth of generalists, specialists and a range of professional backgrounds. You most of all need a mindset that is willing to put up with the gripes and moans of the organisation as it is at the ‘gym’. This requires auditors to be fairly strong and resilient in the face of challenge, without being closed to it.

Just like a good gym instructor, you get what you pay for. A cheap service benefits you less. Similarly doing it without a good gym does not work, so home exercise is possible, but rarely takes you forward. So it is with internal audit; organisations need to invest time, resources, energy and engagement to really benefit. As an internal auditor I’ve met fit and unhealthy organisations. Unhealthy ones are flabby, inefficient and lazy, and so the role of audit is harder (most notably on the engagement side).

So next time you engage your internal audit team, think of it as being like exercise. It’ll be challenging, difficult and hard work, but you will gain the pleasure and endorphins that result, and be more efficient and effective as a result – a real win!

So when will you next train and get those IA gains?!

Auditing The Matrix


I was asked by a management colleague this week – how do you train your team to see things my team don’t? The premise behind the question was why internal audit continues to see issues and risks and propose solutions that the management team doesn’t.

Honestly I am not sure I have the answer. For me common sense is just that, common sense. I think what I train my auditors to do is think and apply common sense. So no matter what the business challenge or question – I ask auditors just to think through what would the reasonable person on the apocryphal ‘Clapham omnibus’ do. Now I know that common sense is not common and that one person’s common sense is not another. I do genuinely think that auditors’ best professional tool is just to think and ask obvious questions.

So how do I train my auditors?

Well I think surrounding them with the other experienced and great auditors in my team helps. It is important to ensure that any audit function retains a core of knowledgeable, professionally trained and experienced auditors, who know the business they are auditing.

Second I think it is important to provide constant leadership and support of professional discovery and continuing professional development. I provide a diet of masters courses, IIA qualifications, ACFE and other counter fraud qualifications. I supplement these with a diet of experiences, conferences and workshops. In addition I ensure that an underlying base of ethical training, professional behavioural expectations and high standards of propriety are expected and enforced through oversight and quality assurance of work and the processes through which that work is produced. Can I micromanage and be a perfectionist? Yes, a little, but this ensures that my auditors work to produce the very best they can, all of the time.

Third, I train auditors to challenge the status quo. I ask and encourage them to free their mind and be inquisitive and challenging.  This means I ask them to audit not only what is there, but much more importantly to audit what should be. I tell all of my auditors that their views (even when training) are valid, sensible and value adding. I say to them to feel free to challenge and to put their views across, to ask the stupid question (for the only stupid thing is not to ask the question), to feel supported to go ask, do and investigate anything reasonable thing they think important. When I trained at a big four firm I always felt there was a risk that these firms spent lots of money recruiting bright people, and then spent three years training them not to think. I do my very best not to do this. I want my auditors to feel as if there are no cages or walls oppressing them.

So why do I think my audit team picks up some issues the management team does not always manage? Well I think this is primarily because internal audit is objective and independent and is set up to take a risk based approach. Most management teams get too wrapped up in issues and the here and now to take real time to analyse why they do things.

********

Update – I’ve taken some time to finish this blog post, as I’ve normally got an opinion or a view on the question at hand. I usually use my blog to expound and refine this view. In this case, as you read above, I was genuinely not sure of the answer.

I’ve had a Damascene moment today though that made this clear to me.

The real reason why I think internal audit sees things is that I had always assumed organisational discourse, that is the organisational ‘press lines’ that we articulate on our organisational intranets, was generally recognised to be nonsense, i.e. that we all had a real understanding of how things really are: complex; messy; driven by personalities, culture, currencies of power, resources and political position. Yet I appear to be wrong. Apparently this world is not clear to others. This reality is not one that people really see. When we have what I thought were organisational ‘press lines’, lots of people in organisations actually believe them.

How can I best describe this? Well if you’ve ever seen The Matrix franchise of films, the main character, Neo, has the ability to see past the computer-generated code that constructs a false reality which he was being fed in order for the evil machines (that had taken over the world) to use his body and brain (along with the rest of the enslaved human race) as a battery. I think good auditors see enough of organisations, both in depth and width, to really understand how organisations actually work. They think in terms of analysing, objectively, and as an intellectual research exercise, how the organisation works (I of course mean this of fully risk based and in-house internal audit services – not externally provided – for they never really know their clients – or compliance based auditors – for they never really challenge to any depth).

Perhaps I am lucky, or perhaps my team are, that we have these real conversations and do not buy into the computer-generated false reality of organisations. Perhaps I am lucky in that I deal mainly with the top of the organisation, those senior managers that know all too well, and have to deal with, the real reality the organisation faces. They know when their constructs and organisational press lines stretch truth or test credulity, for they construct them. Perhaps I am lucky that I can be open, honest and helpful in supporting and challenging them in both the real world and the use and deployment of those constructs.

I think great internal audit functions train their auditors to see the ‘stream of numbers’ behind organisational constructs (another Matrix reference). This means that even fairly junior members of my team are inducted into seeing the world in this way, the ‘code’.

So perhaps this is something I had not ever appreciated or understood because I had always thought it obvious, at least to me, and it did not need saying. Or perhaps I am just odd in my perspective (as one of my team called me like Sherlock from the Elementary TV series – I think it was meant as a compliment but it was hard to tell!).

As an auditor, do you see people and 20th century America or the code that the machines use to construct them?

New Year – existential crisis?


Happy New Year to all of my blog readers!

This is usually the point of the year at which I debate whether to continue my blog; whether it is making a difference to the world of internal audit theory, and more importantly, practice; and whether it is really working as a platform for me to debate my professional issues, challenges and debates.

I won’t be having an existential crisis this year. I see from the statistics that my blog posts are read, and I have a (very) small loyal following. My team I know reads the blog, at least some do and pass the thoughts on, for which I am grateful. I can see that the profession, once again in 2017, still feels fragile. It feels fragile in the developing world contexts with which I professionally deal and still is fragile in the developed Western economies. So I think there is a need for my blog.

The profession is stronger in many ways. The IPPF and the International Standards are, broadly, sensible (see New 2017 IIA Standards – Good or bad?). Internal audit is something that the professional services firms are still engaging with, albeit their own non-internal version of it.

Yet there are dark storm clouds on the horizon. The professional qualifications from the Institute are still not where they should be (see Continuing or continuous professional development?), and the QIAL qualification has not yet fully established itself (for example here or here). Certainly from a UK perspective it is challenging to see what I thought was our relatively strong CMIIA qualification subsumed into the Global Qualifications, and then the dual certification process we have left. This leaves the path open to other institutes, for example the UK’s Chartered Institute of Public Finance and Accountancy (CIPFA) and their ever-increasing set of qualifications offerings (see CIPFA) to fill the gap. In the UK we have the Internal Audit Standards Board which is part-hosted by CIPFA. See here for more information. It’s unclear to me why a finance and accounting institute should have an interest in this, other than fees and training revenue potentially from it. I thought internal audit had moved on from pure internal financial control some time ago. The Board I think is useful and the people on it are good, but the Standards themselves don’t seem to me to add much to the International Standards and are forced de facto to change as the Standards change (as their current consultation suggests).

The Institute ensures internal audit is principles-based. This makes a lot of sense. Yet I find that this allows a range of practice, some of which is quite dated and unhelpful, to continue. Tim Leech makes some helpful criticisms of this, though I don’t really agree with his conclusion or solutions (see Internal Audit – the next Blackberry?). In my current role I work across the international community and see a range of internal audit functions. Many I need to take a view on, whether they are suitable to meet my current client’s standards (for my client in part funds those third parties). I see a range of internal audit services, from the good to the very poor. This variation in performance is not often to do with competence or quality, but its positioning in the organisation. Does the organisation ‘get’ its need for good governance and internal audit’s role in that? If it does then the internal audit function should step up and deliver it. If not, then even the best placed and talented internal audit team will not make an impact. I believe that where an organisation has great internal audit it makes a seismic difference.

Then there is the Institute itself. I think the Global Institute and its federal members need to make a step change in how they organise themselves to really take the profession forward. This is not just limited to internal audit as a profession, the accounting profession has a similar set of challenges with a preponderance of institutes. What joins the accounting profession together are its global accounting standards, IFRS and IPSAS. What should join the IA institutes together is a single global set of standards. These are, however, not as specific and legally structured as IFRS or IPSAS, so this makes using the Standards as a binding force less tenable. Is there a need to make the federal structure more tight around the US / Global Institute (that has reached critical mass)? A single global platform? Lower overhead costs? Greater consistency? This would still seek to retain the best of local institutes but use the organisational efficiency of a single global organisation. Just a thought.

If I turn a little introspectively to my own team and internal audit service this year, I think it’s been great (I would say that, but the statistics, evidence and client feedback seem to suggest the same). We’ve got vacancies because my people are in demand across the business. That’s a huge compliment (also an interesting challenge). We have a fully risk based approach and this is making a difference to my client’s risk management as a result. We are effectively an internal consultancy service (long-time readers of my blog will know I see little difference between consultancy and internal audit, see Consultancy or imposition?). We’re fully compliant with the Standards. We are full of bright and talented people and have successfully integrated internal audit and counter fraud teams and work. One of my team has even been recognised in the New Year’s honours list for her work, a personal and team accolade.

So I think I face 2017 from a professional perspective in an overall positive mood. One of my ambitions is to influence the profession more and help out with its improvement. I will explore ways to do that. Another is to focus on the promulgation of my own internal audit methodology, which I think is both fully risk based and transformative. It’s not rocket science, but it works and at scale. My team talks about the ‘Garnett’ methodology of internal audit so expect some copyrighted promulgation of it in my blog this year.

I hope all of my professional colleagues and partners have a great new year too and I look forward to working with you.

Continuing or continuous professional development?


I received a helpful reminder letter from the Chartered Institute of Internal Auditors (UK) in the last few weeks. It states that I should be aware that I need to do 40 hours of CPE (continuing professional education) for the CIA qualification and 20 hours of CPE for the QIAL. Some activities can contribute to both. I was concerned – why did the Institute feel the need to write to me to remind me? Had something changed? Was the guidance more strict? 60 hours seems a lot of formal CPE – two whole weeks? Surely learning comes from lots of different sources?

The UK IIA provides a helpful link to some guidance here. This guide states that the following activities contribute to CPE and the hours required:

  1. Attending courses, conferences, seminars and master classes
  2. Undertaking structured reading and research, including technical updates and guidance
  3. Working towards relevant qualifications
  4. Participating in external quality assessments (EQAs)
  5. Participating in, or leading, professional discussions or learning conversations
  6. Networking and sharing good practice with colleagues in the profession
  7. Leading meetings or projects
  8. Engaging in in-house training and development, by external trainers as well as by colleagues and peers
  9. Engaging in work-shadowing, job exchanges, professional placements and secondments
  10. Soliciting peer reviews and analysing feedback on own performance
  11. Receiving or giving mentoring and coaching
  12. Reflective practice, such as maintaining a journal
  13. Supported induction into new areas of activity, eg if you’ve been promoted or you’re on rotation
  14. Contributing to the activity of relevant professional bodies and their committees
  15. Developing and producing technical papers, reports and other resources

Wow. Almost every day at work for me counts. So this guidance does not really specify which activities contribute to each qualification and which do not. What’s the balance between formal and informal CPE (the old chestnut of reading the professional press etc.)? The template provided makes this no clearer either, just a simple table – surely a spreadsheet would make better sense?

So let’s head over to the Global (US) IIA’s website to see if this makes anything clearer. The relevant link is here. Once you’ve got there it’s all a bit vague and fluffy, so you need to click into the detail on an ominously titled Administrative Direction Number 4. This is here. So the overall objectives seem reasonable to me:

  • To maintain their knowledge and skills.
  • To update their knowledge and skills related to improvements and current developments in internal auditing standards, procedures, and techniques or in their specialization area (government auditing, financial services, control self-assessment, or risk management assurance).

Then there’s a set of requirements for the Global Standards (presumably as part of the wider IPPF):

  1. To encourage understanding of The IIA’s International Standards, the Professional Certification Board (PCB) requires that certification holders incorporate review of The IIA’s International Standards as part of their annual CPE program.
  2. Certificants must review or receive training on The IIA’s International Standards during the CPE reporting period.
  3. In addition to reviewing the Standards, The IIA encourages individuals to review the Practice Advisories (accessible with an IIA member password) and other sections of The IIA’s Professional Practices Framework.
  4. Certified individuals will be asked to certify their conformance to the Code of Ethics and the International Standards as part of the annual CPE report submission to The IIA.

These are less good in my view. The annual training on the Standards? Well they seem to change annually, so I guess any self respecting auditor should know about them – but formal training? Or is this something more informal? Also the Practice Advisories referred to are in fact not accessible to UK members from the US website or on the Global IIA website. There is also some lag between their publication from the US to the UK site. So does this mean I cannot certify to the Global IIA that I am compliant?

The CPE certification then states the evidence required:

  1. Title of program and/or description of content.
  2. Dates attended.
  3. Location of course or program.
  4. Sponsoring organization.
  5. Contact hours of credit as recommended by the course sponsor.
  6. A letter, certificate, or other written independent attestation of course completion.
  7. Documentation supporting publications, oral presentations, and committee or other participation.

So this must be for courses – but this describes a very limited view of professional training and seems to narrowly focus on formal training courses. As I get older and more experienced as a CAE I learn more from doing and informal training than I do from formal training. Most training nowadays is not a formal classroom based thing in any case.

Then we have a useful table setting out the CPE hours required:

Status | Definition | Use Certification / Designation? | Practice Internal Auditing? | Annual CIA Required Hours | Annual Specialty Certification (CCSA, CFSA, CGAP, CRMA, Internal Audit Practitioner) | Annual QIAL Required Hours
Practicing | Actively performing internal audit or related activities. | Yes | Yes | 40 | 20 | 20
Non-Practicing | Not actively performing internal audit or related activities | Yes | No | 20 | 10 | 10
Retired | No longer in the workforce | Yes | No | 0 | 0 | 0

This means I require 40 for my CIA, 20 for my QIAL and 20 for my CRMA (Certificate in Risk Management Assurance). I also hold the ITAC (IT Auditing Certificate from the UK IIA). This is not mentioned anywhere on the UK website. I’ve never been asked to pay anything for it, or return CPE. It does not attract post nominal letters, so perhaps that is why.

Fee prices take some time to find and are difficult to obtain; I found them here. However, just to report my CPE (just the admin cost of me filling in a web form in the CCMS (Certification candidate management system)) is $25 for the CIA and $10 for each specialty certification (my CRMA and QIAL in this case). So this is $45 just to fill in a form annually. These don’t seem to be on an annual cycle – reminders come in at various times – I assume all are due 31 December. On top of this I pay the UK Institute an annual fee – in my case paid through a corporate membership of the UK IIA of my audit service. This, from memory, was c.£250.

So what CPE hours contribute to what? The directive begins to answer this question:

  • CPE/CPD hours earned can be applied across all IIA Global designations, with some exceptions.
    • CFSA, CCSA, CGAP, CRMA – 25% of the hours earned must be related to the specialty.
    • QIAL – Some CPD categories for QIAL do not apply to other IIA global certification programs.

So I need at least 40 hours. Of that 25% must be risk management oriented. Also I need some extra hours that pertain only to the QIAL.

So what are these? Formal training courses (either internal or external) can contribute 20 hours to both CIA and CRMA. Again this is very narrowly drawn to be formal training courses with the requirements I set out above. Other categories include: maximum of 10 hours of contributions to publications; translations of technical materials (max 10 hours); oral presentations (max 10 hours); and performing an EQA (max 10 hours).

For the QIAL the list of qualifying activities is more limited:

  • Delivering training on topics of relevance to senior practitioners of internal auditing;
  • Authoring new case study materials for the QIAL;
  • Acting as an assessor or moderator for QIAL case studies;
  • Participation as an assessor on a panel assessing QIAL candidates’ presentations and final panel interviews;
  • Acting as an assessor for the QIAL Portfolios of Professional Experience;
  • Receiving relevant training at an advanced level;
  • Serving as an officer or committee member for an IIA affiliate or the global body, or a professional industry organization relevant to senior practitioners of internal auditing;
  • Presenting at a conference;
  • Writing for one of The IIA’s publications;
  • Authoring materials for The IIA Research Foundation;
  • Contribution to external quality assessments.

So tackling these eligible items: the delivery of training (max 10 hours); authoring of QIAL case study (max 10 hours); serving as assessor or panelist for QIAL (10 hours max, split 5 hours for panel member and assessor respectively); being trained (max 20 hours); serving as a committee member for the IIA (max 10 hours); presenting (max 10 hours); authoring IIA publications (max 10 hours); translations (max 10 hours); and performing EQAs (max 10 hours).

So what is all of this telling me? Well first I think it shows the transitional mess that the UK and Global qualifications are in. UK members are stuck somewhere mid-Atlantic with no real clear and single reporting route for CPD. Second I think the salami-slicing approach of certifications across the IIA needs to be streamlined into a single return to a single point. This should include a single fee. Third, I think the Global IIA needs to consider the value for money of its qualifications reporting – the fees are clearly above the administrative cost and their cumulative nature is not particularly fair on those members most committed to the Institute. Fourth I think the definitions of CPD need to be modernised, less restrictive and more focused on real world learning. To get an external certification of an internal training course is challenging. Also as CAE for a large audit team, with auditors at many different levels of progression, a formal training course is not likely to occur or be helpful. Instead we have smaller learning groups and a professional practices group, which is more flexible. Fifth, the UK IIA says it makes sense to use your normal appraisal and development processes as applied in your organisation. These formal and restrictive CPE requirements do not play well into this.

One additional complication for me is that I am also a Chartered Accountant (of the UK’s ICAEW – Institute of Chartered Accountants in England and Wales). This has an annual reporting and fee deadline too (with a single significant fee). The approach from the ICAEW is thus:

‘Unlike some professional bodies, we don’t dictate how much CPD members must do. There are no set hours or points to attain. You simply need to complete as much development activity as you feel is required to remain competent in your role(s).’ See here.

They have an approach which is less restrictive:

‘You don’t necessarily need to attend training courses to maintain CPD compliance. We recognise that people learn in different ways, through several different channels.

These are the popular ways members stay up to date:

Read the ICAEW email alert – it contains updates and news relevant to your role
Attend a workshop, conference, seminar or webinar
Read a book or journal, such as a faculty publication
Participate in the ICAEW community
Arrange an informal training session with a colleague’

They have a ‘reflect, act, impact, declare’ approach. This treats the professional as a mature adult and enables a more reflective learning approach to be adopted. It also recognises that ICAEW members act in a variety of different roles, for which the training and CPD will look different.

I am afraid all of this rather makes the IIA’s approach seem rather dated and unhelpful. It’s odd, given accounting has a much more restrictive remit and role than internal audit, so broader reflection would appear more appropriate for internal auditing than perhaps accounting.

So what do I suggest? I suggest the UK and the Global IIAs take a step back from the labyrinthine CPD and qualifications structure they’ve created. I think a single point of fees and CPD declaration makes sense. Why not do this through the IIA UK and share data with the Global IIA? I think the administration fees need to be looked at, especially as UK members cannot access global resources, despite holding a global qualification. I also think the guidance on CPD could be made shorter, clearer, and in a single place.

I take my CPD very seriously and it is a key priority for me and my audit team. The recent perturbation of UK IIA qualifications has been unhelpful and now needs to be tidied up and modernised, with clearer UK and Global integration. The UK and Global Institutes in my view risk competition from other Institutes if they don’t make membership an easier and clearer proposition for busy internal audit professionals.

Auditing Rogue 1 *spoiler alert*


So I have seen Rogue 1, the latest instalment of the Star Wars franchise. It’s really Star Wars episode 3.5 as it is the period immediately prior to the original 1977 Star Wars film. Of course, whilst enjoying the film, as any self-respecting CAE will report, the main concern is, if I was head of internal audit in this context, would I have done any better?

I have to say I think the Empire’s internal audit function did a lot better than the First Order’s (see Auditing a Galactic Empire *spoiler alert*). So the story is about how the rebel alliance got hold of the DeathStar’s plans, which they used to such good effect in Star Wars.

The DeathStar’s data was not leaked by the disaffected DeathStar scientist Galen Erso. The best he was able to do was to find a single Empire freighter pilot to send a message that there was a weakness in the DeathStar’s plans and construction that could be exploited if the plans could be obtained. This suggests to me that, although the Empire knew Erso was an unwilling and untrustworthy employee (they had no choice but to employ him as they needed his expertise), they did put good data controls in place. Remember this is in the future; there must be many ways to communicate data secretly. I am not sure why controls and QA of the designs were not put in place though. Surely a fatal flaw would be something to check for from a disgruntled employee? Perhaps it was too technical? Although it did not seem to need collusion from the other scientists – which seems to be their view (although they got shot anyway).

It also seems that the Empire was onto the disloyal and lost freighter pilot who had the message for his daughter and the rebel alliance. So I would be fairly comfortable that HR establishment controls were up to snuff. After all there must be millions of pilots and staff working in the Empire across the Galaxy.

So this is all good. Excellent internal control and a happy head of Empire internal audit. Then things seem to go wrong. First it’s not that difficult to identify where the secret plans were held. Everyone seems to know the Empire has a single archive (which appears to be a single point of failure itself, as no backup is mentioned). This archive is held on Scarif which has a reasonable set of protective and detective controls (a shield around the planet, controlled entry, lots of guns to protect it).

But once again it is lax implementation of operational control that allows the rebels in – simply no recoding of entry codes on the Empire freighter the rebels stole. They seem to get landing rights and a very small welcoming party. How often as a CAE do we see that the weakness of business critical control is down in the weeds? Why were the freighter’s codes not invalidated automatically when they knew it was stolen? If they did not know it was stolen, how can the refresh of the codes be so far apart and not more frequently and automatically updated?

Access controls also fall apart once in the building holding the archive. A single droid with access (again a stolen Empire asset without access removed) is able to identify the location of top secret data. How? Why? Where was the monitoring? Why did this not trigger a lockdown?

It seems that the Rebels’ plans were only picked up by very senior people (the Peter Cushing lookalike) and Darth Vader. I have seen it said that the force is the control, but as auditors we should not be Jedi auditors and rely on the force. If I can’t see it, taste it, smell it, hear it, or touch it, ‘it’ doesn’t exist.

The data was able to be simply removed on a card from the tower of server data. I would have thought the data would be virtualised and not be in one physical part of the server. Also to have an ability to open the relevant data storage card seems odd too.

Finally the data was able to be transmitted using their main transmitter, despite the base being on lockdown! How? Why are external comms or removal of the data at that scale able to be done? This was an archive, surely?

So I can see a lessons learned exercise being conducted by me as the Evil Empire’s CAE. I am not sure I would conclude that controls were inadequate, though a full review of the debacle of the now destroyed Empire archive I think would be needed. So would I have done any better as the CAE? I think the data archive bit would have been better, to be honest. So overall, a ‘generally conforms’ for me to the CAE of the Evil Empire, but not fully compliant!


Internal Audit – the next Blackberry?


So in this post I want to consider the work of Tim Leech from Risk Oversight Solutions. He is critical of internal audit’s paradigm paralysis, see Risk Oversight Solutions critique. I have to say I do think there is at least some truth in his view, but disagree that it is paradigmatic.

In this blog I have been critical of internal audit’s adherence to working in a way that, in many organisations, sees internal audit marginalised and ignored. It’s something to do with the paranoia that internal audit has of there being one right answer to how internal audit is done. Most CAEs I know have a strong, almost religious, quality to how they see the work being done. These religions have their own practices and cultural totems and mean that CAEs find it difficult to accept differences of style and structure.

So what’s Tim’s critique?

First that enterprise risk management (ERM) is a flawed concept as practiced by most organisations. I think I would agree, not because the process of being clear on objectives, writing down risks, and then considering their mitigation is inherently wrong or unhelpful, but that it becomes an exercise to be done, rather than lived. Most organisations define control outside of risk management, i.e. good control is not the adequate mitigation of risks to be within a desired or target appetite, but is something detached. In other words, risk does not relate to the real management. So I think Tim’s criticism of this is valid. He makes a leap, in my view, that, by implication, if internal audit is then hitching itself to this faulty waggon, then it, by implication, is problematic. Tim’s suggestion is objective-centric registers. I agree, but this is a risk management in practice point, not a theoretical point, as risks derive from objectives.

He then suggests internal audit provides an annual opinion on the data prepared by the management team on these residual risks. Well I agree, and those internal audit functions that opine on ‘control’ as distinct from the quality of the mitigation of risks are missing a trick. This is not, though, a problem within internal audit per se or its standards. A risk based (properly risk based) audit approach is compliant with the standards. Perhaps the issue he is flagging is that a non risk based approach is also perfectly possible within the IIA Standards, and I agree that is problematic.

He then talks about the paradigm of internal audit being about starting with an audit universe (dividing the organisation into pieces) and then auditing them. He is critical not of the direct report or attestation on a management assertion point, but of the link of those plans to risk. Here I think Tim is critical of internal audit practice, not the paradigm. I’ve said on this blog before (see Roots or routes of strategic audit) that it’s difficult for anyone to audit strategic risks and they need to be broken down. As risk management changes constantly and is a web of control, not a conscious simple framework, is it any wonder that any breakdown of this into meaningful chunks is difficult? I don’t hold that this is a paradigmatic issue per se, but one of effective practice. I am not a great fan of audit universes (see Audit planning: helpful or not? and Universal success?), but the idea of breaking something down and trying to focus with limited resources in each period seems sensible to me.

So the critique by Tim seems to be that internal audit does not seem to focus on the net risks flowing from key strategic and value creating objectives. Well this critique may be true, but this equally applies to management teams who do not always focus on the things that matter either. Again this is complex. Who would have thought that the biggest threat to value creation in Volkswagen would be the emissions testing department? So I do think the issue is not paradigmatic, but one of the quality of application.

The core criticism seems to be that internal audits are limited when they form subjective opinions on whether controls are adequate and effective or not. The whole point of internal audit in my view is the formation of an independent opinion. It is its independence and objectivity that is its unique contribution to the organisational eco-system. If that opinion is a risk based one, i.e. forms a view on whether risks are as the management team has assessed them, are mitigated to within the organisation’s risk appetite set by the board and mediated through the management team, and that the consciousness within which they have been developed is mature, then I think that is valid.

These are implementation challenges, not paradigmatic ones. I think internal audit is more needed and more valid now than ever. The globalised world is full of complexity and mature, large-scale organisations that need meaningful challenge and independent support. Surely we, internal audit, are well placed to do that? I don’t deny the challenge of relevance, quality, the non-risk based nature of some audit services etc. but these are not paradigmatic issues, nor ones the current standards mandate.

What do you think – internal audit – blackberry or pillar of good governance?