So I had the pleasure of attending the UK Government’s Finance and Internal Audit Conference 2016 this week. I was not convinced linking the two separate professions was massively helpful, as it seems to perpetuate a myth that all accountants are auditors and that financial audit is the same as internal audit. I would argue my audit team has more in common with general management and policy colleagues than our financial ones. Heigh ho! It was good to have a gathering of my internal audit colleagues across HM Government, so in that sense a gathering will always have some value.
So why was I there? I had been invited to argue in formal debate about the motion ‘Internal Audit can deliver more value in a risk mature organisation’. I was asked to argue against this motion. I was happy to argue against as the motion presses on a number of weak points in the increasingly global, and in my view false, current paradigm of internal audit.
So the main argument for the motion (provided by a partner from PWC whom I hold in respect) was that in a risk mature organisation internal audit is more valued, more engaged with, and can deliver more value to the management team as a result. In other words, risk immature organisations are too immature for internal audit. Or that internal audit does not, or cannot, deliver as much or any value to risk immature organisations.
I think this proposition is clearly false. Internal audit, with its unique attributes of independence, objectivity, and purview across, into and at the top of organisations, should add value to any organisation. Sure, risk immature organisations are very hard work. Some are very challenging indeed. This does not mean internal audit does not add value; it just means internal audit has to work harder, better and more clearly with those organisations. It’s true I faced a challenge back, that risk immature organisations would not resource internal audit. That’s true, but you only really need one talented and capable internal auditor. So if you run a small audit team (and there are lots of you that do), don’t feel marginalised. When I did it I forced value on the organisation, I was truly independent and said what I thought. That was not popular or necessarily engaged with, but it made a difference. For one of my previous clients I take credit that that organisation is safer, more customer focused, has a better built environment and generally has stronger processes and systems as a result of my work, even if it was not liked, or valued at the time.
The other obvious statement is that risk immature organisations present lots to go at. Lots of systems, processes, risks, strategies, governance and control issues to get your teeth stuck into. Doctors don’t spend a majority of their time with the healthy. Similarly, an organisation with some low hanging fruit (or fruit that has fallen off the tree and is rotting on the ground) is a great one to be involved in. Lots of chances for IA to be relevant, valued, and to bring to bear IA’s unique attributes. As a CAE I love risk immature organisations. They present both a challenge and an opportunity – save the risk mature organisation for the few years before I retire!
So back to risk mature organisations. My biggest beef against this is that it is not real. It’s the Disney position. It’s not real. Let’s be honest, how many really mature organisations have you seen? Where the first line of defence is well organised and thinks in controls terms; where the second line is clearly structured and professionally organised and has a genuinely semi-independent role from management; and where there is a proportionately and sensibly resourced third line, which is 100% respected and listened to. No, me neither.
That’s because this whole three lines of defence paradigm is nonsense. It describes a world the professional services firms would like to see, as it justifies their systems only, light-touch approach to audit (they don’t really distinguish between internal or financial statements audit – for surely risks only impact financial controls?!).
Yet real internal audit (and yes it has to be internal) needs to understand the culture and totems of the organisation. It needs to have a deep and rich understanding of how the organisation really works. For organisations are not controlled by systems and processes alone. They might be in part, but the really significant risks are controlled by senior people, mostly using intuition (labelled as experience), and there is no real law or objective knowledge of right and wrong in management. For why would we globally pay senior management so many times more than the average employee if organisations were just bags of systems? It’s because organisations are not bags of systems. They are complex, messy, human, full of people. So internal audit needs to audit systems and processes and controls, but it also needs to understand incentives, culture, politics (both capital and lower case ‘p’) to provide real and meaningful assurance.
So, if we take it back to the dominant paradigm of the three lines of defence. Clearly the three lines of defence is nonsense. It’s a model. Models are used to help us humans to simplify and understand more complex reality. They occasionally provide a basis for us to predict outcomes or causality. The very best provide an ideal that, if applied, will lead to success. Yet the three lines model does none of this. It is not predictive. It is not even clearly understood outside of the banking sector, where it is mandated. It is, therefore, neither law, nor observable fact. So I see it more like the Pirates’ Code in the Pirates of the Caribbean – ‘guidance’ not rules. I see it has a religious quality. You have to make a leap of faith to believe in it. Indeed I’ve even been told it’s some people’s Bible. It does have a cultist element to it. At best, it’s a typology of organisational activity. It tells us nothing about the detail of what goes on in each typological segment and gives no sense of the relative strengths, size, resourcing or value provided by each.
So let’s all move on and treat it as the basic typology it is, please. For this three lines model, taken out of context, is what causes motions such as this to even be talked about in relation to internal audit. It is this idealised model of a fake Disney reality of a pyramidal organisation with a big first line, smaller independent second line and tiny third line IA that limits IA. It limits IA to doing nothing. So when IA does any real analysis or consultancy or asks difficult questions it prompts the clarion call – ‘oh that’s a second line activity’. Nonsense – internal audit is very well placed to do proper consultancy. Not the imposed kind that consultants usually do, limited by management in scope and buried if it is not the preferred answer, but real consultancy that asks the right questions and provides the right answers that have to be dealt with.
It is the three lines model that limits IA in most organisations to overseeing the sausage machine, occasionally tasting the odd sausage, but assuming that risks are all ‘aggregatable’ to the top level of an organisation and testing those ‘strategic’ risks (they are not – risks are complex webs of detail, not one liners at a board level). It is this model and ideal paradigmatic approach we all are increasingly buying into that makes IA functions tiny. Would Volkswagen have doubled its IA resource to avoid its current woes? – I would argue yes and that it should.
IA is part of an ecosystem. It can and should be larger and better resourced in all organisations. It should do second line functions – or at least review in more detail, further down the organisation, from an independent perspective. Most second line functions are weak and unclearly structured anyway – so some overlap is needed. Internal audit can and should add value to all organisations, and I would argue good IA will add more value to risk immature organisations, as we have access to the governance of the organisation to unblock the constipation that most risk immature organisations face.
For remember, at the end of the day when something goes wrong – this model we all buy into falls apart – no CEO ever asks ‘where was my first and second lines of defence’ they ask ‘when was it last audited and why did you not tell me’.