Ooh calibration, ooh calibration, calibration that’s what you need! (Just a memory from my childhood: Roy Castle and Record Breakers – although he sang ‘dedication’. Sorry to my international audience – it’s a UK television programme!) So why am I singing about calibration? Well, I have been lucky over my career to work with clients over an extended period of time, in some cases over a period of three strategic, multi-year assurance plans.
So what do I mean by calibration, and calibration of what? Well, calibration of findings, audit judgements and risk appetite. As I’ve stated in a recent blog post, the risk appetite of internal audit should be aligned in broad terms to the board-set and management-led one (subject to de minimis standards – see https://chiefauditexecutive.wordpress.com/2013/09/21/do-we-need-to-understand-the-business/).
I’ve worked with many clients over the years and never really consciously considered risk appetite and the calibration of my work. In the early years of my career the work was not risk-based, so risk calibration did not matter. Then, later, when I worked for a professional services firm, it did not seem to matter, as the client and billing relationship was more important. This ensured that any significant divergence of opinion over risk appetite and audit findings, even if it existed, was not shared. Also, being external, I was always one stage removed from the client, and (having now moved to a number of in-house roles) I realise my knowledge of the client was relatively thin then, not accounting for the people, culture and complexity of the client organisations I worked with. I have now also worked in-house with various clients. Here it does matter. Here, unencumbered by billing relationships, there is real knowledge of the client, and the CAE can express a risk appetite with a significantly different calibration to that of their client organisation.
So, having said that it matters, why? Well, it matters because, like budgeting, internal audit’s calibration should be a stretch target but should not aim for something perfect – unless the client’s risk appetite is set at that level (sadly, many organisations’ are set at this level). A boss of mine, some time ago in my career, when I had recently started working with them and published my first few audit reports, said that I should ‘keep it real’. By that they did not mean ‘make it more aligned to the corporate risk appetite’ or ‘your work is too intellectual or theoretical’. They meant: keep your work and its suggestions to things that can and should realistically be done by the management team. Later on, a different boss at the same client told me that ‘we [the management team] are telling you that we do not have the capacity to do the things you suggest.’ So what should the CAE’s response be? At the time my response as CAE was a little too timid, acknowledging that prioritisation should occur, and so on. What it should have been, I think, was: ‘well, there are three things you can change: risk appetite (take more), management resources (create more), or ambition (take less risk and do less). The one thing you should not do is leave a cognitively dissonant position in place, as it will surprise board and stakeholders alike.’ So the stretch is between the current and the required, not the ‘doable’. It is for the management team to set the ‘required’, which they do through their risk appetite.
So if internal audit can plough its own furrow, should it? I think yes, where the organisation requires it. If I had been head of audit at a bank in the run-up to 2008 (and had been able to see the unmanaged risk building up), that furrow would have become louder, deeper and ever more distant from the board’s and management’s views, eventually leading to the regulator. In general, however, I think not. Internal audit is lonely enough without ploughing a lonely furrow. In the end, the role of internal audit is to improve our clients’ risk management and outcomes, and that cannot often be achieved by shouting from a distance in a disaffected manner – though where my clients have set a risk appetite they have not lived up to, I have done this.
Within the audit team it is for the CAE to set the standard and to decide how and when to press the risk appetite differences with their clients, and when not to. This lead, and the general appetite behind it, should in my view permeate the whole internal audit function, from scoping through fieldwork to opinion forming and delivery. Your teams should have a ‘sense’ of the CAE’s risk appetite.
Perhaps the real challenge, then, for the CAE is to determine his or her clients’ appetites? This is really difficult. Different risk appetites permeate the views of individuals, departments, professional functions and leadership in most organisations. How often have I thought the client was, overall, at position X, only to find that the position was actually Y once the audit report was issued? I guess the CAE needs to constantly review and check their internal audit views and test them with management.
Will this promote harmony? No, I hope not. A harmonious internal audit relationship is not a good one, in my view. Perhaps we can, however, be more open and collaborative in how we set, maintain and express risk appetite?