Here’s a thought. When we as auditors refer to ‘management’ (and I hate the use of this in audit reports, by the way) do we really think for a moment that management are a coherent, well planned, consistent whole? If we do, I think we are missing out some element of thinking. I would suggest that it is not reasonable to expect that any collection of humans operates as a coherent, holistic whole.
Humans are messy, complex, at times irrational, at times rational, but for very different reasons from those we expect, and not prone to being organised into systematised structures.
So what does this mean for auditors? Why is this relevant? Well I think it is relevant as it means that the ‘management response’ is in fact potentially many responses. Do we as auditors think enough about the softer elements of our reports? Do we think about how various individuals, sections, parts of client organisations will feel about a report? I suspect we don’t.
This type, level and depth of thinking is often, in my view, left to the CAE. I have often said, we can’t say that, or report this in that particular manner, because part of my role is to understand organisational and human politics.
Yet also I think that it is relevant for all auditors, as they should perhaps understand management in layers. I call them sedimentary, as the lower layers have the burden, pressure and direction of the top layers of management upon them. We should understand that their ‘organisational room for manoeuvre’ is limited; limited by policy, resources, time and freedom of discretion.
It is therefore a CAE art to be able to understand these, think about the messaging and sequencing of messaging, in order to get the sedimentary layers of management to be best placed to respond to a report. No wonder, therefore, that I have at times got this complex process wrong. It cannot be perfect; no CAE, unless they are not being independent and robust, can always please all people all of the time. I can assure you I have not during my career!
It also affects how auditors deliver reports. If you need an organisational response, it requires a top-down and bottom-up management response mediated through the middle tactical control layers of management. This takes time and takes effort, particularly from the audit team and the CAE to manage.
I know the purist internal auditors out there would say that it is not the role of internal audit to manage or interfere in the management response. Of course I agree in theory, but in practice a good audit team should engage in a dialogue with management teams and support them.
This then is the real point of sedimentary management. It is yet another argument that effective internal audit outcomes (ultimately the reduction in unmanaged net risk) require a team that really understands its clients. It needs to be internal. For only those teams that are able to work with, in dialogue, the layers of management, will ever be effective.
So what layer of management are your reports aimed at? All? None? You should be clear when writing those messages and the overall report narrative. For working with sedimentary management requires thinking about this from scoping right up to the moment you sit in your audit committee and deliver the report. So next time you are working on an audit, think about the very human change process that will (hopefully) be prompted from it and try to see if you can ease its passing.