audit-checklist

It has struck me, reflecting on my training and development this year, that our profession, internal audit, is still very immature. It struck me for two reasons. First, that the profession still has a long way to go to establish itself within its host organisations and on the professional scene. Second, that it has a long way to go before it has established its intellectual core which is internally consistent.

Let’s take the second first, establishment of an intellectual core. This sounds a little pretentious, but what I mean by this is that the core of ideas that represent the core of ‘internal audit’ are still only rough formed. What I noticed about internal audit from my training courses was that the ideas expressed seemed so 1990s. I think the internal audit profession seems to obsess and spend all of its time defining itself negatively as the anti-thesis of management. We are not management, not executives, not responsible for detecting fraud, not responsible for identifying all control weaknesses etc. Internal must not do this, that, the other. Why can’t our profession talk about itself positively? What we can do. Why should we not try to detect all fraud and provide more than reasonable assurance? We expect that of our management colleagues? In fact the task and challenge faced by internal audit is exactly that faced by senior management; to analyse, understand and identify actions to address uncertainty and risk, in line with corporate objectives. We just do it from a non-executive position (third line of defence if you prefer).

This takes me to the first point, the lack of establishment amongst professional colleagues. A profession is only relevant and needed if it has a USP (unique selling point), if it makes  contribution that no other profession does. Finance and accounting established itself in the 19th century with the advent of the modern corporate world. The legal profession (arguably the world’s second oldest profession) many centuries before, as rational-legal authority is established. More examples, engineers in the 19th century, when construction and industrialisation established themselves. Marketers in the early 20th century, when the mass market established itself. Even personnel and HR, in the late 20th century as capital intensive businesses moved to being driven by human capital.

Yet internal audit seems, instead of defining its value and use to others, as the world becomes more complex, uncertain and risky, to get wrapped up in what it cannot and should not do. Yes internal audit’s value proposition is unique, its independence and risk-based strategic overview. Thus internal audit should in my view be focused on selling what it can do. This should be enough to establish itself as a profession. Internal audit can focus on the longer term risk horizon;  to do the heavy lifting on tackling long term uncertainty without the day to day pressure and group think that managers face; to identify and articulate the issues that those within the management fear that they cannot for fear of sanction; to be in a position to oversee and ensure good organisational governance.

I think internal audit has a lot going for it, but by defining itself as not being anything else, it loses its chance to define itself positively. Is it possible that we could look to internal auditing standards being about performance rather than conformance? Just a thought.

Advertisements