So this post has been sitting in my draft outbox for some time. Why? Well, I'm not sure I have a definitive answer. Is there such a thing as business-specific internal auditing? I think the answer is perhaps both yes and no. Yes, in the sense that internal auditing needs to understand the context of the business: each business activity has its own technical specialisms, its own detail of day-to-day activity and its own specialist terms and conditions, all of which a good internal audit function needs to know.
No, in the sense that the internal auditor should bring challenge and a fresh perspective, breaking out of groupthink to push individuals, teams and organisations to do better. This context-independent knowledge is what allows internal audit to bring an objective, best-practice (I hate this term) approach to its client organisations.
If we do a risk-based audit, and if risks flow from objectives, how much better will that risk-based audit be if we understand what the objectives of our client organisations really are? By this I mean more than a boilerplate understanding of objectives; I mean a deep contextual understanding of the business.
If we accept that internal audit is intended to be both a specialist in auditing a business and a generalist in the skills it applies, does that invite internal audit's credibility to be judged by how closely its understanding of the business matches management's? In other words, does this approach open internal audit up to 'they don't understand the business properly' as a proxy for 'they don't share my perspective or agree with my viewpoint'? This is a significant danger. In my view, internal audit should not be judged by how much it resembles or agrees with management. Disagreement with management is a healthy and normal part of good internal audit provision, as long as it is not conflictual, personal or competitive. It is internal audit's role to promote genuine, constructive challenge. If that produces a debate over risk, great! The client organisation benefits from better risk management.
Then it comes back to risk appetite: whose risk appetite is valid, the internal auditor's or the client management's? Well, I guess both. Within the bounds of an acceptable (legal, moral, generally accepted) appetite, I would suppose it is management's. Outside those bounds it is internal audit's, and in that latter situation the auditor's response would potentially be blowing the whistle or reporting to a regulator. But within the bounds of normal, I guess it is for the auditor to state their independent risk appetite and assessment, expressed via their audit report. I suppose I would like to aim for a risk appetite slightly below my client management's (this promotes continuous control improvement and challenges a management team to justify their actual risk appetite), but not so far out of kilter that undertaking audit work becomes too conflictual, competitive and challenging for all involved. This is a difficult balance to strike.
The real reason we need to understand the business is to know what the organisation's risk responses, risk appetite, views, objectives and control environment are actually like. Internal auditors can then apply their context-independent knowledge more judiciously, promoting enhanced risk management and control through a subtle and manageable push delivered via their audit reports.