What does excellent look like? If you were presented with the question – what does excellent internal audit look like and how would we get there? What would be your answer? More? Better? Wider? Deeper?
I’ve been wrestling with this question. If, in an ideal resource world, what would internal audit look like? Well it is tempting first as a CAE to say I want more. More staff, more budget, more training, more kudos etc. I’ve worked in internal audit for many years and the one consistent thing about all of them, in house, co-sourced, outsourced and hybrid, is that internal audit is under resourced. Why is that? Well I think first because internal audit is separate from the management team and the management team control resources for internal audit function. Only a few, really high class, managers in my opinion recognise that internal audit is useful and supportive to them. You have to be confident and secure to accept challenge, even if done supportively. Second, governing bodies are meant to govern, but even in my past career where the audit committee has clearly demanded more resources for internal audit, it has not happened. This is because governors don’t feel they can be demanding and ‘executive’ and thus do not really push and demand resources for ‘their’ audit function.
So yes to ‘more’, in general. Then to ‘better’. I think regular readers of my blog (there may be the odd one!) will be able predict my view of this. Yes – of course. Internal auditors (and I’ve had occasion to interview a few for roles in my career) are in the main, not good. Partly this is due to the maturity of the profession. Partly it is because it is a cinderella audit function in most organisations, partly because it is misunderstood by a the public, management and governing bodies alike. But come on guys, we as professional CAEs need to up our services’ collective games. We must set our expectations as being the assurance professionals and supremos we are trained and experienced to be. This means stopping our thunder being stolen by external auditors, regulators, risk managers, compliance units, quality units or whomever else claims to be a professional internal auditor. Yes they audit, in the same way that many people ‘account’, but are not auditors, nor accountants.
What does better mean? Well I think more consultancy like. More business savvy. More broad based in training. More intelligent, good graduates from good universities, with a thinking, contingent, brain. Reporting that is contextual, meaningful, focused, balanced, supportive and helpful to management teams. Why should an internal audit report be an unhelpful, terse, set of problems, without a reasonable and balanced assessment of risk? I am a great fan to the UK’s National Audit Office value for money reports. This appears to me to be the right style.
So yes to ‘better’. What about ‘wider’ and ‘deeper’? The world is ever more complex. The holistic and all-embracing opinion we need to offer is never changed, thus the work to get there must. Yet the external world gets more specialist, more complex, more international and more complex. Thus internal audit must have a broader skill set. This demands creative solutions to accessing these specialist resources. Probably co-sourcing. Probably a procurement framework to access resources. Deeper. Internal auditors pride themselves on being generalist and wide-ranging. An internal auditor should be able to audit anything. Yes I think this is true to some extent. Internal auditors do, in my view, have a unique skill set and professional approach to life, that is valuable in itself. I say this because why, if internal audit, does not bring anything unique, does it continue to have things to include in its reports? I think because the objective, independent, perspective does bring some insight and value. I would counter this, ‘internal audit is omni-competent’, view though. It is not. Yes generalist controls can be audited, but then once the general position is obtained, you should add deep specialist professionals. Thus for IT. Internal audit can review general IT controls, IT governance and management etc. It can go into some depth into IT systems and project. This can go to some deep layers of detail. But to audit a specialist, specific, IT system, will require a specialist at some point. No internal audit function can afford to have an SAP specialist on tap, ‘just in case’, for example. So buy it in. Can these consultants be made to think more systematically, like an internal auditor? Yes, I think so, combine them with the core team and you have a powerful proposition. The knowledge of a consultant with the discipline of an internal auditor.
So yes to more, yes to better, yes to deeper and wider. Does this mean internal audit needs to be a huge part of an organisation? No, not really. Internal audit should be a small, specialist, unit in my view. For a great internal audit can make a disproportionate impact on its client organisations. Precisely because of its unique position in the organisation. So, colleagues, we should make a case for the profession. But we should also deliver on its promise too.
But what makes the killer difference in my opinion between an okay and an excellent internal audit function? I think governor and senior management engagement. For with a supportive senior team, and a sensitive approach to internal auditing by the audit function, internal audit can make a difference. A difference that cannot be obtained by any other corporate or administrative function. So a requisite element of internal audit excellence is engagement. Start with this and work from there.