Agile, adaptive, serendipitous or out of control?

One of the greatest pleasures I get as an auditor is working in a cross-disciplinary way across my client organisations. This means I can be a marketer, IT person, HR person, finance person, etc. The way I do this is not to be an expert in each area, but to bring my professional expertise as an auditor to each of these disciplines and areas of my client organisation. I do this primarily through being a qualified internal auditor (not a chartered accountant – it’s not the same), but also through being multidisciplinary myself: a chartered accountant, holding a generalist MBA, and also qualified in risk management and IT audit.

I mention cross-disciplinarity because, as an auditor, you can see this playing out in different professional areas of the business. As a recent example, IT professionals have now discovered ‘agile’ systems development, and my international development programme management colleagues have discovered adaptive programming. The two are quite similar.

It’s difficult to find a good working definition of agile, so I will attempt to define how I see it. For a good paper see US Govt: Both agile and adaptive development, to my mind, have similar traits. They adopt short windows of work incrementally, are close to customers and beneficiaries, locate success in meeting customer and beneficiary needs, have less burdensome documentation, and frequently change direction. In other words, it is an incremental and iterative, rather than a linear and process-oriented, way of delivering projects.

Agile is a process through which it is recognised that software systems need space to react, move, develop, iterate and incrementally develop. It works on the idea that most systems are still valuable with 80% of the specified functionality and do not need to be perfect. So instead of a linear process of specifying needs, then building them, testing them and releasing them, it provides for iterative loops until a good enough system is developed (i.e. the ‘technical debt’ – the gap between the system and users’ requirements – is paid off).

Adaptive programming is quite similar. In international development the variables creating the ‘wicked problems’ preventing development are too numerous to calculate in advance with any reliability. So why not try something, then adapt it as you go along, and, once working, scale it up? Most projects are not linear, so why not be upfront about it and recognise it?

So the common challenge in these two approaches is control. Control, because the way organisations control things is through management approval, normally on a hierarchical and linear basis, of a set plan. This plan is then prioritised and resourced, and the party that is approved to deliver it has a set of inputs (resources), from which processes deliver outputs and then ultimately outcomes, related to the original objectives. Variances to budgets, processes, outputs and outcomes are then measured, and value for money and success are then demonstrated.

This command and control process does not work well in the context of adaptive or agile programming. Programmes are not well understood at commencement; the starting point varies considerably from the potential range of end points. Variances provide poor, if any, indicators of performance; value for money is extremely hard to judge until the final completion of the programme.

So is adaptive or agile work simply poorly controlled or does it recognise our human nature and allow for complex problems to be solved? As an auditor, but also a socially scientific auditor, I am torn. My professional training tells me that control should be established, that order and documentation make sense. Anarchy cannot be allowed to reign. Yet the social scientist in me, a realist one at that, tells me that this makes better sense of the real world. People, organisations and problems are messy. Why not be realistic and remove the linear planning processes we put in place to manage it? The same arguments are deployed in international and IT development as are deployed for research. Namely – you cannot plan research, you cannot know where you will end up at the beginning of a project.

Yet more scientific disciplines seem to manage. House builders, architects, physicists, manufacturers and many other disciplines seem to be able to design, build and deliver things from the outset and use budgets, input process and output measures to control the activities. These are also complex things. Boeing builds complex aeroplanes. Mercedes complex cars. So why should IT, international development and academic research be any different?

I guess as a socially scientific auditor I see a position in between. I see adaptive, agile, serendipitous activities as valuable. Valuable as part of a portfolio. A minority part of a portfolio. All universities, companies, international development NGOs and IT functions need some space to be creative. Space to allow freedom to adapt and change. This is where the truly imaginative and creative breakthroughs will occur. But most organisations will need to balance this. They will need to justify the use of the resources applied. They will need to be able to have overall value for money. High risk (in the uncertainty sense) high return (in the innovation sense) processes are fine, but you need some lower risk but still substantial return projects to balance this out. Any organisational portfolio that only comprises these elements will fail at some point; it is just a matter of time.

So is serendipitous, adaptive or agile work auditable? Sure. First question – is it suited to the task? i.e. does the project need something that mostly works, or something that works 100%? I would not like to see agile work on aeroplane construction, for example. Second question – are these types of project too significant at a portfolio level? If they are, the organisation is put at significant risk of failure. Third question – if it fails, can the organisation cope with all of the impacts? For this, think not just financial, but also legal, political and, most importantly, reputational. Reputation risk is difficult to predict and even more difficult to control. Fourth question – is the project controlled? For being adaptive, agile, or serendipitous is not being out of control. I would expect to see excellent risk management. Constant updates to paperwork in an efficient manner. A really strong audit trail of decisions taken, and escalation of decision making where it was required.

So I would argue that these flexible methods, applied well, in context, in proportion, by the very best people the organisation has to offer, can be perfectly well controlled. They can be equally well audited by an auditor with the right mindset.

My experience tells me that too often, though, these methodologies are taken to mean a lack of structure, a relaxing of control, a lack of suitable accountability, and too often they are done with others’ resources without recourse to the funder. For the methodology is never a justification for poor control, only for different control. As auditors we will need to lighten up, be less scientific and more flexible, for these are spaces in which independent, intelligently applied internal audit has a legitimate and helpful remit.

So when is your next agile, adaptive or serendipitous audit?

Heterogenous auditing

As an auditor I’ve spent nearly the whole of my career at the edge of my ignorance, and I’ve loved it. Almost every review I’ve done is new. For when you see people and organisations in their full, wonderful and frustrating complexity, not the simplified representation of reality a systems audit approach would have you believe, everything is new.

Sure, in my junior audit days I did financial statements and data audits. Yes, they were repetitive and dull in places. Long checklists of things to ensure were ‘right’. Yet, when I was put as a junior on internal audits outside of these areas, I noticed that people, not paper or processes, controlled organisations. I noticed that personalities came into play. I noticed that people have differing perspectives. I noticed that the difference between low and high performing organisations and departments was people.

Two things I look for in a new auditor for my team are common sense and an ability to engage with, and understand, people. Now common sense is a misnomer. Common sense is anything but. Common sense is an ability to take a step back from something and ask the blindingly obvious questions that are not blindingly obvious to others. It is an ability to say – I don’t understand this, it doesn’t stack up, explain it to me – without feeling embarrassed, ashamed or ignorant.

I also look for raw intelligence and analysis. I look for the capacity to think. This is not just locked into the brightest and best from the top universities; it is a way of thinking, an approach to life. It is something that someone either has the ability to do or not. Sure, I’ve managed to get those with latent and hidden talent to develop and engage it, but I’ve never been able to teach someone to think. Perhaps other CAEs have; I’m afraid I’ve failed at that. I would welcome stories about how others have managed to do this.

So I consider the ability to engage with organisations in their heterogeneous complexity as crucially important to a good audit. This is uncomfortable for audit. Auditors are used to ignoring people and the soft stuff of organisations. We audit rules, systems; definite things. I know many good auditors and functions that will nuance an audit message, or provide the true position ‘between the lines’. You read their reports, however, and they point out ‘suboptimal’ areas, things that could be ‘enhanced’, areas of ‘potential uncertainty’ and whatever other euphemistic phrases we get taught at audit school. Yet, when you get the authors of those reports in a pub, with a pint, they will tell you how it really is. They will tell you the people they think are excellent and those that are, conversely, dreadful. They will provide a detailed and rich organisational narrative that is genuinely able to explain how things really are. I can assure you that, in my experience, most organisations are suboptimal.

So how do we, as leaders in our profession, move internal audit discourse into a more reflexive space? How do we enable organisations to benefit from our structured yet rich and contextual analysis? How can we move to getting our professional discourse to be more disco and less royal court-style gavotte?

I would suggest that the Institute is recognising this as well. Richard Chambers, in his blog, is messaging that internal audit needs to change. He is moving (not before time, from a British perspective) to the new principles-based approach, enshrined in the new 2015 IPPF (International Professional Practices Framework). This requires internal audit to be less straitjacketed, more nimble, more flexible, and less obsessed with structural independence (instead focusing on real independence, which in my view is a state of mind). He even thinks it may be time to open up the conversation about internal audit helping in second line functions.

This is all helpful from my perspective. This change agenda makes sense. It chimes with the reality we CAEs face and seems to recognise that most second line functions struggle, as they are somewhere between management and the professional discipline of internal audit.

Yet internal audit discourse has a long way to go to become engaged with this level of debate. In the meantime, the demand from the first and management lines of our client businesses for professional assurance grows ever greater. Yet the profession, or we as leaders of it, remain too nervous to make the leap into becoming a corporate audit function. Our precious independence remains a barrier that prevents us being more than just a niche provider of machine-based auditing, somewhere above the organisation but below the board. It is this that is now preventing the profession from self-actualising.

So what is my solution? To allow the profession more space to be independent but also to be the corporate assurance function. This would enable a scaling up of internal audit to provide decent coverage of the organisation, not a high-level audit of a mythical process machine. It will enable us to engage with the real first line of the business, its projects, risks, and programmes. If you conceptualise the three lines of defence as ‘N’ or ‘U’ shaped, the former being how most organisations are – weak first line, strong central controls and processes, and a weak and small internal audit function – then we need to evolve to be ‘U’ shaped. We need to have strong, risk-aware, intelligent first line business activities, with a light principles-based second line, and a strong, risk-based, intelligent internal audit function. This will provide real support and challenge to a business, yet ensure the framework of control (a light principles-based second line) is engaged and effective within the business. It is this approach that will ensure real engagement of internal audit, allow it to be resourced enough to be sustainable, provide interesting and rewarding career options, and take internal audit into the fascinating and real heterogeneity of our client organisations.

How heterogeneous are you?

Audit reports – a measure or shackle of output?

In some senses the pace of change in internal audit during my career has been fast. In the UK the profession has matured, taking Royal Chartership, and is no longer the internal financial controls work overseen by the CFO. Yet in other ways the pace of change in the profession has been slow.

Take the idea that we produce audit reports. Audit reports are the measure of output, the measure of the department, the core product of any audit department. Yet we still blindly worry about how many of these things we’ve produced by the end of the year and compare that with our annual plan. Any variance from the annual plan is seen as bad, and we will stand or fall on the plan.

Now, all CAEs know that setting the annual plan is challenging. I don’t for one minute want to say that the annual plan is unimportant; it is not, for one should always have a work ‘budget’ that gives some sense of planned work, some sense and working through of how it is going to be delivered, and some sense of what ‘success’ at the end of the year looks like. The annual plan and the number of reviews is only one element, though.

There are a number of obvious points that bear stating. First, not all reports are the same. Not the same in terms of scope, complexity, size, organisational importance, political sensitivity or value. Some of the most hard-hitting and transformational pieces of work have been ‘small’ when reported, but have taken significant work, effort, negotiation and, frankly, blood, sweat and tears to produce.

Second, one needs to look carefully at the audit report classifications to see what lies under the numbers. Not all reports are equal. A full risk-based assurance report on a significant process, area of the business, strategic risk or policy is likely to represent significant effort. A short review of a specific question, or of a subset of any of those units, is likely to be a lot less effort. A grant audit and opinion is much less again, as it has a short standard audit report format, a work schedule (so less thinking) and less effort all round. CAEs, like me, will spin the outputs to suit our year-end performance narrative. So beware of taking things at face value. Do we have clear classifications of full-scope risk-based assurance report; limited-scope review; grant opinion; advice note, etc.? No. I would encourage CAEs to adopt such classifications in their annual or periodic reports, to enable better quality comparative views to be taken.

Third, there is a question over whether we should use the audit report as a unit of measurement at all. The global CEO of the IIA, Richard Chambers, argues we should audit ‘at the pace of risk’, meaning the world is fast moving and so should we be. So is the slow, report-unit-based world most CAEs live in still fit for purpose? Should we be auditing continually (or is this second line management?).

Well, on one side I think it makes sense for audit reports to be considered in their wider form: assignments. One output from an assignment is the assignment report, sure. There are a range of other assignment outputs, however. I like to consider an audit assignment to be for life, not just for the audit. So my team don’t walk away having delivered the report; we stand shoulder to shoulder with our management colleagues to help them solve the issues and risks we’ve identified with them. This makes sense if audit is to deliver the value we truly can bring to organisations. It also means that audit is less of a scary process or wringer to be put through, and more of an ongoing piece of consultancy.

Yet as a CAE I need to be able to support the allocation of resources provided to me at the end of each year and the commencement of the next, so being clear about what outputs have been delivered is really important. So I would always want to capture any significant support (not just assignment reports) in some way. I believe the realpolitik of most organisational resourcing processes requires audit reports to be counted, bagged and tagged.

Would I like a world where the audit function was judged less by outputs and more by outcomes? Sure. Would I like the lack of accountability given to other functions (finance, HR, IT, marketing, PR, etc) to be applied to internal audit? Yes – for equity purposes (although I would rather see proper accountability applied to all of them).

So are we going to see a move away from audit reports: a move to continuous assurance; slide packs; multimedia presentations; or assurance through the medium of modern dance? Hmm, possibly, though my ability at the latter may not be up to par. I would, however, like to defend the audit report. It is hard work. It is a well-crafted, deliberate and purposeful intervention. It feels less ephemeral than management slide packs. It has to be well written, stand the test of time, and be both intellectually rigorous and stimulating. So I would always judge an auditor and an audit function by the core, risk-based audit reports, for that is the core mark of an internal audit function and its quality. Should we count how many of these are produced by an internal audit function? Yes. It matters.

So how many have you produced?

Models of effective internal audit?

The UK’s IIA has produced a policy report thinking about models of effective internal audit. It is entitled Models of Effective Internal Audit: How to organise a successful internal audit function.

I have to say I didn’t find this terribly helpful. In the preface, Dr Peters, CEO of the UK’s IIA, does state that this report is to ‘inform rather than judge’. When you review the report it seems to describe various audit functions across the public and private sectors and some in between. The report lacks some basic elements. First, a description of what ‘effective’ looks like. Second, any reasonable justification or rationale for the case studies chosen.

The lack of analysis or analytical description is very disappointing, and renders the report largely useless. What we have is a series of high-level descriptions of the audit services themselves, some in more advertisement form, with some pros and cons, all of which I would expect my audit trainees to be able to list out for the studies selected.

There is no sense of how the services map to their respective clients, nor of which benefits are particularly useful, or what makes sense in their businesses. Nor are there any generic issues or themes drawn from the case studies. The real benefit of case studies – the rich data, the soft data, the cultural data – is not included. Most disappointing of all is the fact that I know, or have experienced in my career, the quality of service from a number of the selected case study services, and I would not necessarily regard them as paragons of high quality delivery.

We are told that the Institute’s conclusion is ‘that there is no right or wrong way to deliver internal audit’. Well that is clearly nonsense. There must be a right and wrong way – otherwise why have an Institute? There may be no single right way to deliver internal audit, but that’s a different argument.

So what can we glean from the report? Well, they do list some attributes that could be used to measure the success of internal audit. These are: knowledge of the client; specialist expertise; flexibility of risk responsiveness; confidence of senior management; RBIA and an agreed audit methodology; advice and guidance through consultancy; consistency of service delivery; co-ordination with other assurance providers; effective teamwork; career development opportunities; and commitment to quality. Well, who would argue with any of these? It’s a bit motherhood and apple pie.

So if we think about the examination question – what does good internal audit look like? Let me try to set out what I think it looks like. First, I think it is internal. The real strength of internal audit is to link a contextual and deep understanding of the client organisation with context-independent knowledge (technical ability) brought with organisational independence. I’m sorry, but externally provided internal audit simply does not provide this context-specific knowledge. Being internal makes a real difference to the quality of the service provided, because it means you can be independent but part of the organisation. You can have difficult conversations with the client organisation as ‘one of them’. This is important. This provides permission to operate and a greater engagement with what you are saying as an audit function.

Second, I would suggest a good audit function moves away from financial controls auditing. Most organisations’ risks are not around financial controls and reporting. They are in the first line of the business. No organisation, with the possible exception of Enron, died from financial reporting risk. Most die because their underlying business model falls apart in some way. So SOX and Sarbanes-Oxley? Not so much.

Third, I would argue that internal audit must move away from a compliance mindset. I have freed my audit team to engage with the full panoply of risk, not just auditing a set of rules. Most organisations are not fully rules-based in any case. Most modern, flexible organisations are not finding command-and-control rules helpful. My own client organisation has ‘smart rules’ to promote judgement and risk taking. Google and the new organisations have less rules-based organisational structures. Internal auditors should challenge rules in any case. ‘We do it like this’ – why? Does that map to risk? Is it effective? To do this we need a new breed of internal auditors, ones that think, act and do like consultants. We are consultants; we should act like them. I would argue most organisations are 20% rules; 30% loosely defined processes; 50% culturally informed risk taking. It varies by business, sector and organisation, but an IA function that cannot play in that c.50% is missing the real risk. This is where board-level decisions, strategic choices and life-changing transactions are processed, not in the processes and organisational day-to-day grind.

My fourth suggestion is to be in the front of the business. Most audit functions play around in the corporate zone of their client organisations. If your business sells food, audit food. If it makes cars, look at car production. If it delivers public services, go and look at how it does it. That does not mean ignoring the back office, for it is a false divide between the front and back offices anyway; it does mean, however, being on the ground in the front line of the business.

So I think the Institute has the right idea in asking these questions, but if it is to take a leadership role, it needs to actually do it in a meaningful and helpful way. I appreciate the Institute has a representative role, but this does not mean it should not challenge the functions and members under its organisational aegis. So come on, UK IIA, have an opinion and help the profession to develop – be brave!

How to audit a dinosaur

Jurassic World – where would internal audit have been?

I have imagined where internal audit fitted into a number of historical situations, for example in the building of the Boeing 747 and in the White Star Line when the Titanic sank, but I thought it might be helpful to consider where internal audit might have been in films.

So I went to see the latest film in the dinosaur franchise, Jurassic World. I was not the only one, judging by the reports of the opening weekend’s box office figures. Can I just say, it was fantastic; it totally captured the quality of the original. The film, for those who have not seen it, does not have a storyline much different from the original. You know: dinosaur theme park set up or rebuilt, dinosaurs all amazing, dinosaurs escape and wreak havoc. Yet these parks are run by commercial companies (and eccentric billionaires) so have a real-world feel about them. In this film much is made of the park’s need for customer satisfaction, and its need for investors and star attractions to make it happen. In fact it is this commercial imperative that appears to seed the park’s self-destruction. So where would internal audit be in this melee of activity?

Let’s consider the facts as set out in the film. Well, we know the park is run by a company, and a US company at that: ‘we’ll be in Chapter 11 by tomorrow morning’ is a line from the film. So Jurassic World Inc. exists. Although funded by an eccentric billionaire, it seems unlikely that these resources would rescue the park following the expected carnage (I won’t say why, as it would be a spoiler, but needless to say accessing this wealth will be challenging at the end of the film). We know that the company board has some sense of control and ethics. When discussing the genetics work of the company, it appears the board want some ethical stance. We also know that the company has some form of risk management system. The character played by Chris Pratt appears to be some kind of ranger who has a risk management view over the containment risks for dinosaurs. Similarly, the park is well controlled, with cameras, sensors, trackers, tagged dinosaurs and containment arrangements that are well considered and tested. There is also a unit of forces, the ACU (Asset Containment Unit), whose role it is to contain the ‘assets’ (dinosaurs).

So how does it go wrong? Well, the park needs a star attraction. The genetics guys take this as a cue to go off-piste and create a super Tyrannosaurus rex. I won’t go into detail, but needless to say they create something the park cannot control.

So where is internal audit in all of this? Would a good internal audit function have prevented this disaster? Well, needless to say an internal auditor is not shown in the film (why not? I hear you cry!). First, there is the fact that, being a US company, the internal auditors will have spent quite a lot of time auditing financial risk and financial (SOX) controls. None of this work would have impacted this risk.

Second, the internal audit function should have audited the risk management system. The company clearly has a system. This appears to be relatively strong. They may well have audited the management information system. If I’d looked at the MI the company had over operations, including customer satisfaction etc., I would have thought it reasonable.

I would have sought to audit park operations. I know many auditors never get to the core business of their clients, but this would seem to make sense. Had we audited this, we would have found well thought-through manuals and well thought-out systems. We see the orderly evacuation of the park during the film, warnings to customers, and even the most junior staff seem to have access to operations manuals. So I would probably have given it a clear light.

So what about dangerous dinosaurs? Would internal audit have audited these systems? Well, possibly. Under my watch, yes. Most internal audit functions? I doubt it. Why? Well, most audit functions don’t have permission to wander into the front end of the business. The usual arguments – you’re not qualified, you don’t understand, it’s specialist, etc. Well, internal auditors are not ‘qualified’ in anything. They are qualified to internally audit; that is their qualification.

So had I audited the dinosaur risk systems, would I have given them a clear light? Possibly. The walls and fences looked reasonable, the gates strong, the control room impressive. I may have picked the real risk: the new super dinosaur, the new super-secret experimental dinosaur. I would have sought a risk assessment of all species and data about incidents. At this stage the Jurassic franchise has quite a lot of data to draw on.

The system that I can guarantee most internal auditors would not have picked was the genetics business. This would have been regarded as unauditable. Yet the park’s ethical, moral and business risk is intimately tied up in this part of the business. Yet it would not have featured at the top of most audit plans. It appears from the film as if this is the bit of the business that had gone wrong for the longest period of time. I wonder if this had been audited? If it had, then the real risks of inter-species change, the lack of understanding about what this meant and the lack of behavioural understanding of the resulting animals must have been rated high.

I would say I would have audited it because I have done it before. I have looked into the regulatory controls over the use of human material for research in a research client. It’s interesting and hugely challenging work. Would this audit have prevented the disaster? Possibly not, as the head of the genetics department was clearly working outside of authority, but it may have limited their scope for going out of control. A good auditor would not have just picked up the systems, though; they would have picked up the culture. I suspect in the period prior to the disaster a whistleblower may have raised concerns (in my view scientists are an ethical bunch of people), so the CAE would have had some data to support a challenge needed in this area.

So where was internal audit in Jurassic World? Nowhere. And I’m still waiting for a blockbuster film about internal audit. I do think a good internal audit function would have avoided a dinosaur disaster; but it may not have made for such a good film!

Catalysing internal audit
I have always thought of good internal audit as being much like how I imagine a catalyst works in chemical processes. I say imagine, as I left my science education after GCSE level (the end of high school, around the age of 16, for my international readership), so, as my science degree colleagues will say, I am no scientist.

For me a catalyst has a number of traits that are similar to those of internal audit within an organisation. First, they promote substantive and substantial change. Their presence creates a circumstance that makes change possible, likely and, in some cases, inevitable. I see internal audit in these terms. Far from the blocking, barring and disabling role that audit is sometimes credited with, it should take a role to promote, facilitate and sometimes demand change.

Second, a catalyst creates and promotes this change but does not get involved; it is not doing the change itself. This has lots of similarity, in my view, with internal audit’s role being non-executive. I am not an Institute of Internal Auditors purist; regular readers of my blog will realise that I take a ‘what makes sense’ approach to my work, in that I do not believe in the long list of purist bans and admonitions against action that the IIA believes in. Sure, I believe in being non-executive, but I would like to temper this with some practical pragmatism. If internal audit is the only or the right party in a situation to get the organisational good done, it should do so. Sure, it should not do it for ever, nor ever take a risk treatment decision itself. It should, however, provide plenty of consultancy support, advice and encouragement to make itself helpful and relevant to the management team. For it seems obvious to me that if the management team had the capacity to do something, then the opportunity for internal audit should not be there in the first place.

Third, internal audit should promote, as a force itself, change in an organisation. If the best internal audit can do is reportage of organisational atrophy and failure, that’s not much of a value proposition. One has to be careful that this promotion is not of internal audit’s own making, or in other words, that it does not pursue its own agenda. Ideally this should be something mandated and directed by the board. If not them, the senior management team. If the reason change is needed lies with both of these, then the organisation should be served by an objective audit function stepping in. I would suggest, however, that this should be a last resort. Only in extremis should internal audit step in in this way.

Fourth, I always imagine that catalysts fizz when they react. In my experience a little manageable creative tension is important when internal audit interacts with the organisation. Clearly something explosive is unhelpful. Although I guess where an organisation needs substantial change, perhaps a big bang is required. I would hope, however, that if an organisation had functioning governance and internal audit, then this level of crisis should, generally, be averted. So a good internal audit function should provide a little light, heat and fizz, to promote cathartic organisational change.

Fifth, catalysts work because they have the right connections, structure and composition to work with the other organisational components to deliver change. In particular a catalyst needs to adjust to the context to be effective. So a good internal audit function should be constantly adjusting, constantly sensing and adapting and having a learning approach to what it does. It should do this because internal audit should always be a force for positive and engaging change, development and enhancement.

I believe, and have stated on this blog many times, that internal audit has the potential to be transformative to organisations. In particular I think internal audit has the necessary position, floating above the organisation yet part of it, and with the right skills and connection to governance and senior management, to really promote good organisational change. So, consequentially, I think the role of organisational catalyst is well suited to internal audit.

So how can internal audit play this role? I think first internal audit needs to increase its capacity beyond compliance. Internal audit needs to be fully risk based. This means engaging in an organisation’s key challenges; being in the middle of the key debates; providing an in depth but also organisation-wide understanding of the organisation; high quality staff that can think off-piste; and most importantly an ability to sense and understand organisational priorities.

It is this last bit, the sensing of the organisation, that is both the most needed and the most challenging. Most needed, because it is easy for internal audit to retreat into an objective and independent white tower turret. I say most challenging, as organisational ebbs and flows and politics are notoriously difficult to interpret and understand, and even harder to work with and address. As I’ve written on this blog before, internal audit should at least understand, but remain aloof and disengaged from, organisational politics. For if internal audit is to promote change as a catalyst, it needs to understand the politics pro and anti the change, and also the underlying business or environmental need for it.

So for internal audit to be transformative, a proposition I firmly believe, it needs to be a catalyst. I’m sure the chemists out there amongst you will point out the deficiencies in my scientific knowledge, but as a simile or metaphor for good internal audit I think it stands. Do you?

Bridging narrative
So when I moved my internal audit thinking into a risk based mode, I imagined the difficulties would be around how to do enough high quality work to see and understand the world in the complexity of its reality. I also thought it would be difficult to train compliance-educated internal auditors to think laterally, to act more like consultants, to consider the wider, deeper and more complex picture. Yet none of these has, surprisingly, been that difficult (though not without challenge).

The real challenge has been creating reporting narratives. That is, moving audit reports from a colour block or standard wording grade to something more meaningful. In other words, creating the narrative of the report. I call these bridging narratives because they bridge between the findings and data in a report and the formal opinion.

Consultants, professional services firms and others struggle with this too; they struggle because their narrative is external to the organisation, so it lacks the anthropological totems that the organisation holds dear. These can be language, jargon, narrative styles, accepted descriptors or an accepted way of understanding the world. External professional services reports are, therefore, always open to the criticism of ‘you don’t understand us’, even if the points are intellectually and technically sound. Actually, one of the reasons for the commissioning of consultants and professional services firms is exactly this external ‘cold’ and objective view. It can be extremely powerful and shake organisations away from their own myopia.

Yet I always considered internal audit to be in the best place to resolve these issues. To provide both: the independence and objectivity, but also the dependence and contextual understanding of the organisation, so as to provide a challenging but also recognisable narrative to the points being made. This has not proved simple in practice. This has been the hardest element to train auditors to write. Telling a story is challenging and difficult. Considering the diverse audiences for most audit reports, it is difficult to play to all of the audiences’ requirements. It has proved challenging to summarise complex risk items into a narrative short enough to have the brevity an executive needs, and yet detailed enough for those close to the area audited to feel fairly, and objectively, evaluated.

Yet the real challenge is that actually providing a storyline, a control and risk narrative, puts the auditor’s view into a published and public domain in a way that is really difficult for both the auditor and auditee to evade. It seems to be this, the few short paragraphs of the executive summary, that has proven most challenging to craft and get right.

So what have I learned about doing these? First, that uncomfortable news will remain uncomfortable and that no paragraph, no matter how carefully crafted, is likely to satisfy. In this case the best thing to do is to sit with the auditee and co-craft something and, at some point, agree to narrow down the disagreement to the genuinely disagreed elements. In reality these tend to be quite small in my experience, but the overall feeling and impression left with the auditee is often much larger.

Second, that there are genuine choices when you pull these narrative summaries together. Choices between whether to provide little detail and summarise headline themes only, or whether to summarise the more detailed content of the report more fully. I would say, as a general lesson, the more you summarise the more carefully you need to craft the narrative.

Third, a good summary narrative should be more than just a list of points; it should say something, make an argument, state something about the work done. Otherwise the risk based opinion is not really being supported.

Fourth, I would say that whatever you do will be deemed ‘wrong’, ‘uncontextual’ and ‘internal audit don’t understand’ on occasions. Sometimes this will be by design – in the manner of consultants who are purposefully there to challenge the status quo (as internal audit is on occasion). Sometimes this will be because a narrative is uncomfortable, and this will take open, joint and reflexive audit closeout procedures to ensure that these are fully explored. Sometimes the narrative will simply be difficult to get right because of the complexity or nature of the audit material or the scope of work that has been audited.

My overall view is that narratives in audit reports are hard to sustain because organisations are not used to them. They are used to boxes, colours and statements of fact, rather than risk-based opinions. This goes back to internal audit’s origins in financial statements audits, where a body of rules provided the ‘right’ and the ‘wrong’ and thus opinions were, simply, more factual.

Yet do I think internal audit should make an effort to sustain and persevere with risk based opinions? Yes. I believe in the transformative power of internal audit’s unique position of objective independence and yet contextual understanding of its clients (if it is an in-house service). I think this makes internal audit a very different proposition and its work potentially powerful. So if you can stay the course with your clients, and work through the issues of how to deliver audit reports with a risk based opinion, I think it is worth the effort. How should one do this? With an open mind; a real commitment to support and work with clients; an openness to sustaining a no win, no loss approach to the narrative; a genuine no fear or favour approach to audit; the complete removal of any agenda by internal audit (I personally believe this is the key to winning trust); and finally a strong sense of working across management layers (understanding all elements of the management team’s views – these vary markedly within organisations and ‘management’ should not be taken as homogeneous).

So the final point I wanted to make is that the task of writing a bridging narrative between the audit findings and a report opinion is tough enough in an assignment level report. It is much more so in the annual report. For there, as CAE, I need to take a step back, to oversee the whole picture and to counterbalance positive and negative data to aggregate this into an opinion.

This is an area I am still working on, so if you have any good thoughts and ideas, please feel free to share in the comments below.

What does the UK general election have to tell us about internal audit?


Well, at first glance, very little. Elections are, however, complex events and have a number of lessons to be drawn from them. Take, for example, the post-election arguments about the fairness of the system. In the UK we use the first past the post system. This means that the UK is divided into roughly equal geographic portions (constituencies) containing a similar number of voters, and that at each election, the candidate from the party with the most votes in each constituency wins. This means a margin can be as little as one vote. The fewest I understand was Glenda Jackson in London for Labour (54 votes). For the system’s detractors this is manifestly unfair. It means that many votes are wasted (i.e. voting for those not likely to win the election in a particular constituency); parties that don’t have geographically concentrated support are unlikely to win; and most challenging, that the system magnifies support for big parties creating the increased likelihood of stronger government.

The lesson for internal audit here is that I see the electoral system as being a bit like audit reports. Any electoral system is attempting to simplify the complex will of the electorate. Just as political parties do. They attempt to boil down a complex set of issues, challenges and choices, into a single vote for a single party. If I’m honest I could have made an argument to myself to vote for at least three of the main UK political parties.

Also electoral systems and resulting electoral campaigns promote two dimensional arguments, analysis and discourse. We as humans like to know the right from the wrong and innately struggle with the idea that there is a range of choices. We also like to personify difference and different opinions and give them meaning and social currency. So I don’t agree with politician X, or I would never agree or vote with politician Y. I have found this with internal audit. Internal audit is wrong. We are right. This project must continue because it is right. We as humans (internal auditors included) find those with alternative views difficult and challenging. This means it is difficult for us to really focus on what is going on. To consider the grey, to consider the nuanced and difficult choices we face in our professional and personal lives. Internal audit is at the organisational nexus of this.

Any electoral system simplifies reality. So the big criticism of the UK system is that it does this too much. How can 4.1m UKIP (a UK political party) votes result in 1 seat in the House of Commons, and yet 1.5m Scottish National Party votes result in 54 seats? Yet this is to miss the point about how the system was designed. It was designed for a two or three party system. It was designed to provide a strong government. The UK system is adversarial, not collaborative and coalition based like the European systems. It requires parties to establish a broad base of support across a significant geographic swathe of the country and locks out small and marginal parties. This to me seems no bad thing. It also misses the point that coalition politics in the UK is intra-party. That is to say that coalition politics is alive and well in the UK; it just exists within parties. The major political parties, Liberal (well, until last week), Conservative and Labour, are all coalitions themselves. They work to simplify choices, messages and proposals into their manifestos and campaigns, to make the electoral system itself do less work. Most European coalition systems take weeks or months to form stable government. The UK system does this ‘pre-storming’ so that, post election, a government can get on with it.

So what does this tell me about internal audit? Well, internal audit nomenclature is like the electoral system. It should provide the top management structures and the audit committee with a clear and unambiguous readout of the results of audit. Yet it should be understood as a simplification of reality, and those using the top-level messages should understand this.

Second, internal audit leadership is much like being a politician. You share your analysis and point of view with your publics and are just as likely to be personified as either ‘good’, ‘bad’ or something in-between. The message is personalised in the CAE. This is not necessarily right or fair, but it is true.

Third, leading an internal audit team is like being the leader of a political party. It is to be head of a coalition. It is to make a set of messaging and delivery choices following strong internal debate and discussion. It is to head up a group of ambitious, bright and challenging people, with the need to both listen and lead in equal measure.

The final lesson from politics I want to draw is that colours matter. We as a profession use colour in our reports to indicate concerns, messages, focus etc. Just as colour and image matter in politics, they matter in internal audit. So in the wake of the euphoria or depression following the UK general election result, note that the UK has accepted the result, win or lose. Whatever we think about politics in the UK, we have had a smooth transition of power. This requires some maturity. Are your client organisations mature enough to accept your next audit result?

Crisis mode?


Sorry for not blogging for a few weeks, pressure of work, study and preparing for audit committee meetings has affected my writing time.

I am lucky to work for an international organisation that deals with international emergencies and humanitarian disasters. As such, whilst my organisation has built some resilience and capacity to be ready for these, there is, inevitably, pressure on the organisation each time one occurs.

I have written many times before that internal audit should be a part of the organisation that has a different focus from the management team. In particular, as internal audit is risk, not issue, focused, it should be forward looking. Being part of an organisation so focused on delivery, and with a remit both to focus on and to allow issue management, how does a risk based internal audit function work in this context?

First there is the issue of resourcing. When an organisation is issue focused, it can be tempting to allocate resources purely to issue management. So why fund something that helps in the long term, where the direct benefit from the resources is never immediately and clearly felt? Is the delivery of a service to help the organisation prevent something that may never have happened in the first place a good basis for funding?

The second issue is more practical. Where is the role of internal audit during a crisis? Other corporate departments can get stuck in. A crisis will need resourcing, so finance, IT, HR and procurement will all be needed. The top management team will need to be engaged in overseeing it all. It can feel in audit as if we get left out, left at home whilst others get involved.

Then there is the question of auditing emergency responses. How does one apply normal audit practice? Rules and compliance can be, at best, weaker. Where these are broken, the organisation is likely to justify this on the basis of ‘need’. Also, of course, because internal audit is unlikely to have been there in the thick of it, it is difficult for us as auditors to challenge judgements made on the ground without that context.

What is the timing of this audit? During? At the end? Some time afterwards when the dust has settled? At the very least it needs to be soon enough after operations for the audit function to still have the relevant functions and management structures around to hold accountable. It also needs to be early enough to be before regulators get involved, so that the business can have a safe, sensible and genuine lessons learned conversation. It needs to be early enough that the audit trails of people and paperwork are in place to review. Fundamentally it needs to be timed to be meaningful.

Yet there is a role for internal audit prior to this, to be a corporate service that adds value. It requires careful embedding into emergency response, it requires internal audit to move into a continuous auditing mode and be flexible, and it requires internal audit to be comfortable with risk based audit judgements.

Internal audit has unique attributes that other functions do not have, and these have real value during an emergency response in particular: independence and objectivity. The ability to float above the crisis, to provide an independent perspective and to help decision makers on the ground is important. The ability to think ahead to the accountability questions to be asked in due course is key. The skills we have in risk management, governance, accountability, commercial awareness, counter fraud and experience across the businesses we audit could all be brought to bear.

So why is internal audit always left at home in a Cinderella-esque manner when crisis or emergency hits? Well, partly because stopping and thinking is not always welcome in a crisis. There is a pressure to do, and be seen to be doing. Pausing and planning is not a welcome voice and viewpoint in such moments. Also I think people are aware that accountability standards do fall during a crisis. Call it an increase in risk appetite, or a recognition that difficult accountability questions can always be batted back with an ‘it was a crisis’ response.

Then there is the practical element of internal audit discourse. Internal audit communicates in slower time, purposely, carefully, using a written medium. Who wants this in the middle of a fast-paced, fast-moving crisis? I wouldn’t.

So can we find a paradigm of internal audit that makes a difference in this environment? Can we present via slides? Can we contribute to daily action meetings and wash-ups? I think we can. I think we will need to reconceptualise what emergency and crisis-auditing looks like. I think we will need to move beyond the concept of continuous assurance into something more like normal audit, just on speed.

I think as a profession we can no longer idly stand aside in these events. I think we should be part of the core team. That will require a change in auditor and client mindsets however. Have you been part of, or seen crisis auditing? I’d welcome your comments below.

Appraising internal audit – impossible or merely difficult?
I have been thinking about what makes a successful internal auditor. This is because my year end appraisal is due. I think it is difficult to appraise a CAE. We are perhaps the strangest job in any organisation.

First of all, there is the question of who is best placed to do it. Normally your line manager does it. This makes sense because they direct and control your work. They decide what good looks like. They define your objectives, resources and activities. A CAE, however, is meant to be independent of the management. The whole point is that the management chain does not define your objectives as a CAE, limit your activities or direct and control your work.

So then we turn to the non-executives, most particularly the audit committee. Most non-executives only see a portion of internal audit’s work, in a formal and presented setting. I’ve been lucky to work with some good chairs, in particular one who spent time with me and the team to evaluate and understand what we did in some detail. In the main, however, feedback and input into your work as a CAE is by exception, as non-executives do not see your work day to day.

Then there is the fact that most CAEs have a formal reporting line to the CEO, but in practical terms there is a ‘pay and rations’ line reporting relationship, most often to the COO or CFO. Either way, both the CEO and COO are unlikely to see the full panoply of an internal auditor’s or CAE’s work, particularly as internal audit moves away from just financial control ticking. We work across the organisation, top to bottom, side to side. So it is difficult, in a way not true for other managers in the business, to present your achievements and delivery.

Then there is the fact that internal audit works in both formal and informal ways across the business. If an internal audit function is any good, then it will provide a good source of informal support to the business. It should have a good database of knowledge and experience, and understand the overall strategic and corporate messages and contexts for local decisions. I would say I spend at least 30% of my time assisting the business in this way.

Perhaps the most odd thing about appraising a CAE is that being challenging, difficult and disruptive, is part of the role. A good CAE should avoid the management ‘group think’, the politics of the sayable and unsayable, the limitations placed on the rest of the business about asking challenging questions. To some extent a good CAE should receive a proportion of grumpy feedback. If they don’t, then I would argue they are not assisting the organisation to genuinely grow.

In the same vein, an audit function that does not receive at least some aggressive ‘shooting of the messenger’ is not delivering the right messages. I would say at least 20% of my reports are regarded as ‘completely wrong’ or not ‘how we recognise the business’ when first published. For me, sometimes this is a problem with the analysis, or the engagement of the team with the client, for which I am accountable. Most of the time it is because the report is, painfully, spot on. I have lost count of the times a ‘completely wrong’ report has either been adopted in full by the relevant report recipients six months later, or ignored and the risks stated have, unfortunately, crystallised as predicted. I guess a good CAE knows when something is just too right, or genuinely wrong, and amends and edits accordingly.

The role is contradictory and demanding: so you have a role (CAE) and function (internal audit) that is meant to be all-knowing yet cover the whole business; be both unpopular and popular; is appraised primarily by those it is institutionally set up to work independently of and sometimes hold to account; support change against all the challenges that any change brings; and work across the whole business whilst competing for attention with those managers in the thick of the strategic priority areas of the organisation. Hmmm, a relatively tall order for any individual or function.

I think, however, the biggest issue is that internal audit is set up with a completely different lens and mindset to the management team. The internal audit function’s lens is, and should be, according to the International Standards for the Professional Practice of Internal Auditing, risk based. So we trade not in the current, not in the accomplishment of the here and now, not in the delivery of lots of currency. We trade in the possible prevention of something that may not have occurred in the first place. In other words, we focus on risks, not issues, a totally different currency to the management team. This was the subject of my first substantive blog on this site and I haven’t changed my mind on this since.

So we are a function and individuals that are the antithesis of management in practically every sense, yet we are all appraised within a management appraisal paradigm. Should we feel hard done by? Well, not completely. A CAE still has to manage people and deliver business processes, run a department etc. A CAE still has to influence colleagues and organisations in the same way as our management colleagues do. We still have to balance our role with maintaining a permission to operate (we are not without accountability or any boundaries).

Yet we are unique and special (I think in a positive way). We are organisationally renaissance people; we need to be extra special to be appreciated. I am of the view that a good CAE should be noted for both the irritation and the plaudits for support they deliver. For both are good for any well governed organisation.

So when you are next appraised – are you being appraised as a manager or an auditor?
