chiefauditexecutive

~ The thoughts, interests, challenges and debates of a professional chief audit executive.

Monthly Archives: February 2014

Radio Four or Three auditing

28 Friday Feb 2014

Posted by chiefauditexecutive in Uncategorized

Tags

Internal Audit, internal audit function, internal auditor, internal auditors

For those readers of this blog that are not UK-based, Radio Four is a voice and news radio service, and Radio Three is a classical music radio station provided by the British Broadcasting Corporation (BBC). I use this as a proxy to describe anything I regard as being of high quality, e.g. that’s the Radio Four of cars or the Radio Four of clothes etc. The reason I like Radio Four (and indeed Radio Three) is because they are just great. Things happen. Quietly. Without fuss. Without advertisements (they’re publicly funded). They are good at what they do and whatever they tackle is just done properly, particularly in comparison to the private sector.

In effect BBC radios Four and Three are cornerstones of civilisation for me as a self-confessed middle class (or at least middle class aspirant) UK citizen. I would put other services and brands in the same bracket, Waitrose food, John Lewis department stores, British Airways air travel, Aston Martin cars, Trickers shoes etc etc. For the ultimate version, try an Anglican English Cathedral evensong (religion but with fabulous music and not too much religion imposing). I think they all, for me, represent something uniquely British – the very best, well done, well delivered and world class.

So why this jingoistic apologia for Britishness? (well it’s nothing about the upcoming Scottish independence vote, though clearly we’re better together. Scots are great, so are the English (and Welsh and Irish), but as the British we are world-beating). It is because internal audit does not really have brand differentiation. We assume all internal auditors are capable, are equal. Clearly this cannot be the case. When I worked for a professional services firm we, as a big firm, had a good reputation, better than smaller competitors. But even across the big firms it was difficult to identify the competitive edge or brand of the internal audit providers in the market. So why is internal audit not prone to such competition and differentiated branding? The car market provides similar services (cars that allow you to get from A to B) but one can tell instantly whether you would want an Audi, BMW, Mercedes, Ford, Nissan or other for your car (subject to budget). Surely audit services can be differentiated?

I have always taken the approach, once I led my own team as a CAE, that branding and differentiation is important. I have always pitched the audit at being high quality, high capability. Why? Well internal audit is a disproportionally small part of most organisations, so it must be good to make any impact at all. Second, the demands on internal audit functions now mean it needs to be excellent to deliver the breadth and depth of role it is increasingly being asked to do. Third, internal audit is meant to be an independent part of an organisation. As such it needs to clearly brand itself as such. The look, feel, quality of documents should be tangibly different to the rest of the organisation. Thankfully in most organisations a half decent grasp of Microsoft Office is enough to achieve this.

So when my audit team gripe that I like a specific blue, or a specific point spacing between bullets and a house style, I show them the lessons I learned at the big four. A green dot, blue square, orange and brown lettering all provide that basic comfort that branding is meant to, an assurance of comfort and quality. This stuff does matter.

But core to any audit function is being right. This is the core to an audit brand. Not being 100% right, nor arrogantly assuming that audit has the right opinion and view of all matters (my blog talks about the fact that I do not believe in 100% right, the world is full of greys). It is ‘right’ in the sense of not being ‘wrong’, that is manifestly wrong, getting the wrong opinion. For an audit brand is about having the supporting evidence, thoughtful analysis, appropriate combination of context dependent and context independent knowledge brought to bear to a problem or challenge. For as one buys an expensive car on the promise of trouble free motoring, one purchases a good internal audit service with the expectation of a strong, thoughtful, challenging, independent, but contextually understanding and supportive ally to improve the organisation’s risk management and delivery of business outcomes.

So one wants a strong brand, but not one that shouts or is over the top (for example commercial radio with its loud advertisements or discount airlines with their gaudy colours and equally gaudy service) but a quiet reassuring brand. As soon as something enters my internal audit function, I want it to enter the advertisement and noise free world of a high quality internal audit service, and emerge much the better for the experience.

Is this easy to achieve? No. For quality is not cheap and quality is not easy to ensure. As a CAE however, I would feel I let myself down if I did not at least aim for it. So when you last interacted with your internal auditor, was it Radio Four or not?

Audit talent

22 Saturday Feb 2014

Posted by chiefauditexecutive in Uncategorized

Tags

Internal Audit, internal audit function, internal auditor, internal auditors

I have been thinking about the war for audit talent. I think, when I started in the internal audit profession, it was easy to recruit internal auditors. First of all it was clear, you needed accountants. For internal audit was about financial compliance checking. So you listed your Consultancy Committee of Accounting Bodies (CCAB) qualifications criteria. You most probably did not bother with IIA qualifications. All decent candidates trained in the accountancy firms, and who bothered with internal audit qualifications? Really only dyed in the wool internal auditors. So, stick to CCAB accountants, part qualified for junior roles and fully qualified for senior roles. All sorted.

But now the world has changed. Internal audit does not do just accounting; it does business risk. So what is the right qualification for now? Well I’ve now qualified with IIA qualifications, both chartership and IT auditing. That’s because the internal audit profession has grown up in my view, it has become something separate from the accounting profession. If the profession now does business risk, it really needs a broad set of supporting qualifications. I’ve chatted before about this and concluded we need a professional qualification supported by an internal audit professional qualification. Of course it makes sense that a broad based set of reviews needs a broad based set of context independent knowledge.

As I’ve become more experienced in my role, I’ve come to realise that one needs a broader set of skills and people. In other words I’ve come to appreciate diversity. Diversity in terms of experience, age, background, ethnicity, professional background, sexuality etc. What I don’t need as a CAE is to be surrounded with identikit auditors, that is, more of me. When I worked in a professional services firm those years ago, I did not appreciate how similar we all were. From a small pool of universities, small range of social backgrounds, small range of ambitions and aims etc.

I have a great audit team now, really diverse, really different and really challenging; in a good way. They challenge me and challenge my views. That is good. For my audit opinions need to be challenged. They need to be argued against, for that is what strengthens them. I hope that I do the same for them too.

So this brings me back to what am I looking for? I guess nowadays I’m just looking for the ability to think, outside of the box, outside of convention, outside of their own space and thoughts. So, when I am looking, I think I am looking for someone I don’t already have in my team. This could be in terms of profession, or personal background, or personality type. I refreshed my training on unconscious biases this week. It reminded me that we all simplify the world through stereotypes and that these stereotypes bias us towards particular people and away from others. One of the potential solutions was to get others, with different perspectives, to challenge and calibrate our thoughts.

So when I’m looking for a talented auditor, perhaps I need to think broadly, for if internal audit is a broad church, so should my audit department be.

Playing the game

12 Wednesday Feb 2014

Posted by chiefauditexecutive in Internal Auditing, risk management

Tags

Internal Audit, internal audit function, internal auditor, internal auditors

Are we all just playing a game? Are experienced CAEs really just identifying and distinguishing the art of the possible from the appropriate (assuming there’s a difference between them)? Is the control environment of organisations really as much about playing organisational politics as it is really about real risk management or organisational control? Is there a distinction between what we as CAEs do and recommend and that which we should recommend? In other words – do we game the system?

As long time readers of this blog will identify, I appreciate my view on organisations is that they are not process-led automatons needing their rules and activities changed to promote financial control. Instead I see them as primarily human, human-led, human flawed, organic bodies with all of the rich complexity that brings. So any reasonable CAE should, in this view, engage with organisational politics and have a real sense of what is possible within that culture. A good CAE should also have a sense of what battles and lines they want to draw, in order to win the overall organisational improvement battle.

There does seem, in my experience however, to be a breed of CAEs that see politics as the whole task, as the primary task of a CAE. They almost take pride in how close to their management teams they are and how strong their political sense is. I think there is a line to be drawn here. A trusted and valued colleague in a previous role taught me the value of knowing when to draw the line. She would say ‘that’s just wrong’. To her there was a set of ethical and moral values that organisations, no matter how expedient and ‘doable’ something was, should follow. It was her that taught me a lesson all CAEs should know. Know when to draw the line and say the uncomfortable, know when to refuse to support something, know when to play the audit independence card and when to decide to be brave.

For those CAEs that head up counter fraud units or have done fraud investigations, you will have gained the strength to sit in a room and tell people toe-curlingly awful news, or ask challenging questions. These are good skills for drawing a line in the audit sand too. Norman Marks in his blog agrees that auditors should be brave, pointing out that good auditors do have to deliver bad or difficult news. See: http://normanmarks.wordpress.com/2014/02/09/internal-auditors-should-be-brave/

I am not so sure it’s bravery, much more professional integrity. So when CAEs tell me that they play the game and that this is a good thing for organisational control and audit outcomes, I agree to some extent. I am much more concerned, however, that the CAE sticks to giving the tough and difficult messages (in a supportive and helpful way). For this is the true role of the CAE. They are the organisational pressure valve to really unblock organisational constipation and ensure good governance and risk management and control.

Do you understand or play the game?

 

Humans and risk management

02 Sunday Feb 2014

Posted by chiefauditexecutive in Auditing, Internal Auditing, issue management, risk based audit

Tags

Internal Audit, internal audit function, internal auditor, internal auditors

Just a short post this week, but one that I hope draws on some contemporaneous events. Humans are bad at risk management. There. I’ve said it. Take the flooding in the UK. Suddenly we realise that we needed to do more. We’ve suddenly (despite climatologists saying it for years) identified that ‘extreme’ events are not so extreme. So after having let a risk crystallise into an issue, we’re prepared to do something about it.

Humans always allow risks to crystallise into issues. Why? I think it is because a risk is not seen as ‘real’ until it occurs. This is of course the antithesis of risk management. The whole idea is not to experience the issue in the first place.

Humans also think the absence of issues means the absence of risk. Look at the way we put too little away for retirement, the way we drive beyond reasonable, the way we don’t prepare for extreme weather events. How many times have I, as an auditor, had the argument – ‘we manage risk, we just don’t write it down’. This is even said when risks have crystallised into issues. My response is usually, well if the risk management is so good (even though I can’t see any evidence of it) how come there are all of these issues?

So given humans are innately optimistic, poor at predicting the future, weak at expressing a real and meaningful risk appetite, should we give up on risk management? Well I think not. In a way, as the world, both in weather and business terms, becomes more volatile, we should increase and double our resolve to manage risk.

So what does that mean for internal audit? Well the risk based approach is a sensible one, as long as it is not used as an ever more elaborate excuse for being under resourced. For whilst no audit function can provide absolute assurance, we should provide, at least, reasonable assurance. I would say a majority of internal audit functions are resourced well below that level of capacity. But why is this? Well in my view it comes back to risk management. Humans will also resource risk mitigation activities once an issue has occurred.

The really good management colleagues and bosses I have worked for have seen the benefit of risk mitigation, not issue mitigation. They have really added value through tackling these items. Perhaps we as auditors should make a greater effort to really focus on long-away, non-proximate, risks in our plans and sell it consciously to our audit committees and management colleagues?
