Why does internal audit allow itself to be defined by others? Or put in audit terms, why does it define itself by exception? You know the score, well good internal audit is not external audit because… or good internal audit is not consultancy because… or good internal audit is not compliance because… or good internal audit is not risk management because… You get the idea.
Now these statements are true. Good internal audit is none of these things; that’s because good internal audit is good internal audit. Internal auditing is sufficient in its own right. Good internal audit is neither consultancy, nor financial statements auditing, nor risk management nor compliance.
Good internal audit has none of the flaws of these practices, nor is it specifically designed to be a pale imitation of them. Take consulting. Let’s define that negatively. Consulting is non-risk-based, dependent on management, lacking independence and objectivity (no consultant I know ever went against their paymasters), lacking a systematic process of application, with a poor record of gaining a disciplined evidence base, absent of critical quality assurance both internally and to objective international standards, and without the right of reporting to the governing body of organisations or their audit committees to ensure their work is acted upon, considered and the organisation they serve improved. There, how about that for a negative definition! So why do internal auditors define anything thoughtful, well argued, complex and nuanced, and getting to the heart of a business that the auditor will know well, as being ‘consultancy’?
Similarly at the other end. Compliance. Let’s define this as mindless and uncritical policing and ticking of low-level operational controls with a lack of regard to the context, strategy and risk appetite of the business and without the disciplined, risk-based, systematic analysis of the whole of the organisation and the people that deliver it, without a route of guaranteed reporting to the board and audit committee to make change and recommendations happen.
Or my particular favourite. Let’s define external audit: an elaborate verification of the veracity of a single document per annum irrespective of the value of that document to the business or its stakeholders, against a set of ever more complex and unhelpful rules, with some non-business-related, non-risk-based compliance controls advice over the production of that financial statement, without any regard to the underlying business model or risk except for a bland statement that the business will exist in 12 months’ time.
Now of course none of these characterisations is entirely accurate. Consultancy can be helpful, many external auditors try to bring value well outside of their remit and report on the regularity of funds’ use as well, and compliance can be key to some businesses’ survival. It illustrates though how far internal audit as a profession has to go before it feels comfortable in its own skin.
Internal audit has some great things to commend it, and being an internal auditor is increasingly important as business practice, and its ethical, moral and effective delivery, seem ever more challenging. Only this week we learn that G4S has allegedly made up the qualifications of the staff it has managed to find. A good internal auditor could and would have picked this up and dealt with it (I have no knowledge of G4S’s IA arrangements; perhaps they did and were ignored). Good internal audit is good internal audit: it is thoughtful, independent (in attitude not appearance) and critically supportive of the management and governing teams it works for. We are a chartered profession (in the UK) now. So let’s build on that and make a real difference to the organisations we work with and, in turn, the societies and markets in which they work, and be proud to make that contribution.