Are we all just playing a game? Are experienced CAEs really just identifying and distinguishing the art of the possible from the appropriate (assuming there’s a difference between them). Is the control environment of organisations really as much about playing organisational politics as it is really about real risk management or organisational control? Is the a distinction between what we as CAEs do and recommend and that which we should recommend? In other words – do we game the system?
As long time readers of this blog will identify, I appreciate my view on organisations is that they are not process-led automatons needing their rules and activities changed to promote financial control. Instead I see them as primarily human, human-led, human flawed, organic bodies with all of the rich complexity that brings. So any reasonable CAE should, in this view, engage with organisational politics and have a real sense of what is possible within that culture. A good CAE should also have a sense of what battles and lines they want to draw, in order to win the overall organisational improvement battle.
There does seem, in my experience however, to be a breed of CAEs that see politics as the whole task, as the primary task of a CAE. They almost take pride in how close to their management teams they are and how strong their political sense is. I think there is a line to be drawn here. A trusted and valued colleague in a previous role taught me the value of knowing when to draw the line. She would say ‘that’s just wrong’. To her there was a set of ethical and moral values that organisations, no matter how expedient and ‘doable’ something was, should follow. It was her that taught me a lesson all CAEs should know. Know when to draw the line and say the uncomfortable, know when to refuse to support something, know when to play the audit independence card and when to decide to be brave.
For those CAEs that head up counter fraud units or have done fraud investigations, you will have gained the strength to sit in room and tell people toe-curlinginly awful news, or ask challenging questions. These are good skills for drawing a line in the audit sand too. Norman Marks in his blog agrees that auditors should be brave, pointing out that good auditors do have to deliver bad or difficult news. See: http://normanmarks.wordpress.com/2014/02/09/internal-auditors-should-be-brave/
I am not so sure it’s bravery, much more professional integrity. So when CAEs tell me that play the game and that this is a good thing for organisational control and audit outcomes, I agree to some extent. I am much more concerned, however, that the CAE sticks to giving the tough and difficult messages (in a supportive and helpful way). For this is the true role of the CAE. They are the organisational pressure valve to really unblock organisational constipation and ensure good governance and risk management and control.
Do you understand or play the game?