If there has been something that has captured my thoughts this Christmas, it has been volatility. I mean this in terms of reflecting on 2012 and its key themes. Volatile economies, volatile markets, volatile competitive advantage. Even volatile prices for key commodities, goods and services, including Christmas presents. Even the public sector, once the bastion of stability, seems now to be changing and subject to market(ing) forces.
Yet volatility is not something one naturally loves. It’s disturbing, upsetting; change is not welcome. For as soon as one begins to form an analysis, a diagnosis of the position, so it changes and the treatment and prediction of the prognosis is very challenging indeed. This presents a challenge for internal auditors in particular. Internal audit is not necessarily a fast-moving thing. Its predilection for evidence-based opinions and its risk averse nature (due to the contractual nature of many provided internal audit services) can make fast auditing in a complex, fast-moving and as yet unclear, position very difficult.
As a chief audit executive I know I naturally avoid these types of audits. If I can, I stick to the longer-term, more strategic, audits. Yes these are complex and uncertain. They are, however, on longer planning horizons and make auditing them, and the following process of allowing the management team to address audit suggestions arising, more possible.
There is a need in 2013 for internal auditors to engage with the ‘wicked’ audit problems. I do still believe internal audit’s and management’s best chance lay with risk, rather than issue, management (you know, fewer issues arise following better risk management). For 2013 then, I do think we as a profession should tackle some issues as well.
So how can the longer range, risk based, tool of internal audit be brought to bear on short range issue management? Well I think it is about being more nuanced about the opinions provided and the way they are provided. Current practice involves producing a view on the adequacy of control and risk management. Well I can assure you, from experience, when it comes to it, most organisations are barely or poorly controlled. So in my audits I provide an opinion on net risk (grounded in the organisation’s own risk management framework and nomenclature). Yes this means the scope of the work is not what I’ve had time to do (unlike many providers of internal audit) rather it is the scope of the work needed to provide an opinion assessing the net risk arising from the area audited.
The next stage is to consider at what level of risk granularity is that opinion provided. Strategic? Tactical? Programme? Project? Operational? Clearly, levels of decreasing granularity require increased levels of audit work (it is so strange that most resource-limited internal audit providers claim the operational then?). Perhaps you could almost phrase this as risk reporting materiality. To avoid missing something strategically significant takes less work than something operationally.
Then consider the longevity of the opinion. How quickly will the assessment date? For payroll and cash risks, the external environment is relatively stable, so the opinion would hold for a period of time. For marketing effectiveness or IT controls much less so. Why not state an expiry date on the opinion? Then consider the direction of travel. Are controls likely to get stronger or weaker, relative to the external environment and gross risk? A direction of movement and travel for the opinion if you prefer. Then consider other important sub elements of the opinion. What about fraud and value for money risk?
Eventually you are forming less of scientific statement of fact and more of an analysis based on diagnosis, treatment and prognosis. Add in other facets of the opinion, fraud and VFM, link it to a clearly stated scope of work done related to the granularity of the opinion provided (i.e. your audit materiality) and you begin to form a more rounded opinion, report and risk assessment.
So perhaps for 2013, we as a profession should lose our inhibitions and make our audit statements provide a better, more intellectually defensible and credible contribution to our clients. For some this will mean the need to shed a scientific notion of knowledge being absolute and permanent, and recognise that organisations, people and risks, are messy things. Knowledge is always relative and mediated through human society, activity and perception. As long as our opinions are more nuanced, a risk assessment scorecard if you will, then I think we as a profession can truly step up to the increasingly volatile 2013 plate.