I’ve been thinking this week about the boundaries of internal audit; as a profession, practice, and as individuals. I’ve often preached that good internal auditors and good internal audit is about being renaissance man; that is being multi-skilled and able to tackle the whole business. Internal audit mired in purely financial controls, populated by just accountants, is no good if the role of internal audit is to tackle business risk. The read across here is with the management team, are they all accountants? No. Why not? Primarily because their businesses require a range of talents from across the professional spectrum to deliver their business plan. So in this sense I think internal audit has no real organisational boundaries. In fact any such imposed boundaries should be reported as limitations of scope to the audit committee and the board as a matter of professional standards good practice.
So then the idea that internal audit does not have the expertise to understand the business, so there should be a wall there. Well of course internal audit does not understand the business, if by ‘understand the business’ it is meant that internal audit is a specialist in each area of the business and buys into the structure, language and organisational and cultural totems of that business area.
A variation on this general expertise theme is that only professionals in the area can possibly judge the area properly. Well there is a some truth in that. I believe that someone can only really assess internal audit properly if they know something about it and are professionally trained. It would be churlish then for me not to buy into the same argument made by accountants, academics, lawyers, IT specialist et al in relation to my audit judgements. Is this what an internal auditor is really doing when assessing an area of the business though? I don’t think so. They are assessing the risk management capacity, and the corollary risk management and mitigation framework and pulling this together into an assurance framework. So, food retailer auditors should form a view over the food being sold, university auditors should form a view over what is well-managed-and-delivered research, development aid auditors should have a view over what a good aid programme looks like. This is not to form judgements over what good food, research or aid is, but is to use the stated objectives and concomitant risk and control framework as a basis to assess whether the food, research or aid is ‘good’ from a business risk perspective. Of course other, industry, specialists will have a view over the quality of the food, research or aid. That is appropriate and reasonable, but it is not for internal audit to tool up as industry specialists to justify its interest in these core business areas.
There is in here though the first real ‘wall’ I recognise for internal audit. The wall not of coverage of the business or ability to deliver an assurance opinion about it, but the difference between challenging the risk and control framework arising from the management agreed policy, as opposed to the policy itself, the latter being the preserve of management. It is the role of internal audit to challenge if the control framework flowing from a policy is good enough, and to ask if the policy meets the business or organisational objective, but not to agree the objective itself.
There is then the second real ‘wall’. In my view internal audit should not make a decision on risk, but leave that to the management team. We can challenge the team to deliver the risk management framework correctly but should not make risk decisions ourselves.
Then there are the walls we apply to ourselves as individuals. The first one, that all professions apply, in particular those with objective knowledge at their disposal, for example law and accounting, to decide that particular actions are right and wrong. I do not recognise these in an internal audit context. Just as for managers, there is only making the best of current information and knowledge in relation to business risk. So we limit ourselves by getting stressed over our judgements. Are they right or wrong? Well I think they can be better and more or less informed. A good internal auditor will gather enough evidence to support the scope and remit of the assurance opinion they are offering. It is conceivable in my view that two great auditors could look at the same data and form different views. So the quicker we all learn that we form judgements and that these judgements are of a greater or lower quality, but not right and wrong, then we can improve the quality of our lives. When I was a junior auditor I felt the pressure of getting things right or wrong. Now I’m older and slightly wiser I am less concerned. I feel the pressure of not delivering a quality service, but not of getting things wrong, for I know now there is no such thing. Just as managers fumble around in the darkness of knowledge about the future, so do we as auditors. We just need to apply our lessons learned and our analytical skills to anticipate the future and try to deliver an opinion that predicts, as closely as possible, the future. This is the sense of ‘reasonable’ but not ‘absolute’ assurance.
Internal audit is unique within the professions as having the fewest walls possible. This is both problematic, but hugely positive, for us auditors and the profession we work in. As I’ve said before, the absence of walls must be used judiciously and sensitively. For this is a privilege that we must use for good.