I have often argued that internal audit is co-produced. That is, the ultimate product and benefit of internal audit, the reduction in unmanaged business risk, and independent assurance that this is the case, is co-produced with your client. Now this is not strictly true, in that whilst the process of producing independent assurance and reduction in unmitigated risk is cooperative between internal audit and management, the production of independent assurance is not. Otherwise it is not independent (by definition). Also the reduction in unmanaged risk is produced by management (as a result of good internal audit – hopefully).
The production process for internal audit is collaborative and co-produced. But what if internal audit and management are not in the same place? Does that make internal audit impossible to do? Well my twin brother (who wanted to be credited with these phrases – and they are uniquely his) who works in a consulting capacity has, in his many years, come across both great and less great, clients. He tells of one of those clients that, despite warning a particular project would not deliver, and despite making best efforts to support the client, the client was not interested. He then says he’s left essentially stating that ‘this project started out aiming to be gold plated, now there is not enough glitter to roll the turd of the project in’. He characterised this is trying ‘to sell smoke detectors to firefighters’. In other words, the client was not interested.
Now I’ve had that experience with my clients in the past, and I am sure any internal auditor with any reasonable set of experience will have come across this approach. Even within clients you get differing levels of engagement. Now of course, as an auditor, it is sometimes pleasurable to warn of something and have the ‘told you so’ moments when it goes wrong (one audit team I worked with had a dance to accompany this). I take greater pleasure, however, in helping a project or strategy take off and make a real difference. This is all the more so when the client is doing something I believe in.
Ultimately, though, it is difficult to deal with a client that is not interested. What does internal audit do in this case? Withdraw? Ignore the position? Force change through? Well I guess it requires a cross-client approach, perhaps get the board involved (they generally are engaged in assurance matters), work with senior management. I think, in the final analysis, if a client is just not interested, it is internal audit’s moral and ethical role to continue to put pressure on that client to better risk manage, to improve its operations, and deliver its own strategies. Does this mean internal audit moves from being a community policemen to a full-on officer of the law? Yes, I think so.
There are strategies to deal with this before you get to this stage though. Identify areas where internal audit can make a difference. Then sell the (hopefully positive) results to the senior management team or those that are not interested. Really challenge those areas that are not interested. Send a note of your views and then back this up in time, pointing out how issues could have been avoided with early intervention. Also ask to be involved in big projects and strategies as they occur. You can then steer and add value during, rather than being the 20:20 hindsight person afterwards.
So do we as internal auditors always sell smoke detectors to those wanting only to fight fires? No, not all the time, but if you do, have the strength and conviction (and use the uniquely powerful position of internal audit to say the unsayable) to extol the benefits of smoke detection. For ultimately we’re here to save our clients’ arses, not kiss them! (a phrase borrowed from another dear friend of mine!)