I saw a vision of the future of internal audit this week. I saw it in an old couple, in a supermarket cafe. The lady (she was lovely) was chatting the head off her husband. They were on holiday and she was talking about what they’d seen, what they were going to do, how they were going to get home… etc. etc. It was a vision of the future because it showed how a loving couple could be together so long, yet still work together and grow together.
I sort of see internal audit and management’s future in this way. We are, and should be, part of the same family. With shared experiences, scars of failures, joy of successes and a collective shared memory. The relationship between internal audit and management I see in family terms. It is one of working together on shared problems and challenges. It is one of utmost trust, in that you would trust a family member to help no matter what had happened. Also you would trust a family member to tell you how things really are. To not feel the need to misrepresent the world and to be comfortable enough in the relationship to be able to tell you both good and bad news. It’s the ‘you’ve got food in your teeth’ relationship.
The most important thing, and the one that strikes the strongest note of alignment between family and a good internal audit relationship, is the one that draws on a shared lexicon of understanding, of working on the issues and risks of the day together, of really having shared cultural totems. For an internal audit function to really understand a client takes a strong level of proximity, both literally and in shared experiential language.
In other words good internal audit needs to be, well, internal. Here internal does not necessarily mean that the audit service needs to be in-house, but for me it is very few and far between that an external provider really has that internalisation of their clients. I have worked externally, and thought I really understood my clients, but I never did. I never really understood the ‘soft’ elements of their work and businesses. The stuff that, bizarrely, really mattered. For although many clients profess to have scientific frameworks of control, a la COSO or equivalent, very few clients actually do that. Why? Because to put in that proactive control framework requires compliant humans (they are not), it requires lots of thinking and work to identify the controls that really matter (organisations don’t, because managing the potential, rather than the actual, feels like a waste of resources), it requires a sense that the complexity of business can be boiled down into a set of rules that cover all cases (it can’t). This is simply not life. So most businesses rely on trust, on hope, on culture and on people, to deliver their control framework. This is massively unreliable.
So internal audit does need to understand these real control frameworks. It can only do this through being internal. Yes it feels then, for the management team, as if the police are sitting in the room with you. This leads to the linked point. Internal audit is independent, objective, yet part of the family. A bit like parents. You would not want your parents around all of the time, but you would turn to them to help, assist and really support you when you need it.
So to those management people who read my blog (if there are any), trust and value your internal auditors. They need support and encouragement and to be treated as part of the family. For those internal auditors who read my blog (there are some), please work hard to be seen as part of the team. Independence does not mean being detached or remote. Remember you are part of the family too. It is this family membership that makes your unique USP.
Let’s, as the year draws to a close and a new one appears on the horizon, think about shaping and creating the future of internal audit in a helpful and supportive way, for therein lies the strength of the profession and its value proposition.