I’ve been thinking this week – what does good look like? More specifically, what does good internal audit look like? I could be all academic and weigh the arguments and say it depends on the client you are working with. Well, yes that is true to an extent. But that would not really assist or help to provide some sense of what good, in terms of an ideal, should look like.
So I have been thinking some more. I think the underlying one single thing a good audit service should have is clarity. Clarity about its methodology and purpose. This is hugely important. For if an audit service is unclear about what it should be doing and worse, is unclear about why it is doing it, then it should go and pack up.
Now throughout many years, with many clients, across many professional areas, I have seen organisations, functions, departments and individuals be unclear or lose contact with their core purpose. So what are we as internal auditors trying to achieve? It is ironic that one the uniquely special elements of internal audit is its ability to take that step back on behalf of our clients and challenge them to refocus on what it is that they are hoping to achieve and are the things that they do efficient and effective to get them there.
So I think it is with the internal audit profession. Our quality assurance processes all talk about what we do, the resources we do them with, and the costs and time taken to do it. Very rarely (I would say almost never) has a quality assurance review ever focused on the outcomes. What is it internal audit is there to do and does it have a clear intellectually justified methodology for doing it?
Let’s tackle the what is it there to do. Yes we can trot out the IIA, disciplined evaluation of risk blah blah blah. But does this really do it for me? Well partially. Yes a good audit service does bring a systematic approach to the evaluation of risk, but the really important question is what does this achieve? A good internal audit function for me should enhance, challenge and support their clients to achieve their objectives with the minimum of unmanaged risk and certainly fewer issues arising. It should ensure that this is done morally and ethically. It should ensure that good governance is operated (that those who direct and control the business genuinely do so) and that those who manage it are held accountable for their work.
So let’s consider the intellectually justified methodology bit. This is problematic, for a vast majority of internal audit functions I have seen, when you really start to challenge what their internal audit reports are actually trying to say, fall apart methodologically. In other words, when you work through the report, it is either internally inconsistent, or unclear about whether it is dealing with risk, control, net risk, gross risk, assurance etc. Its judgements are two dimensional and do not reflect a particularly defensible process or outcome. This is normally fine, as internal audit audit (despite claiming to be risk based and therefore linked to strategy and strategic objectives) is often a bit player lower down the organisation, or buried in finance, checking off boring and largely inconsequential SOX type controls.
So, put simply internal audit doesn’t matter. It doesn’t have a seat at the top table, it doesn’t recruit the brightest and the best, its work is second fiddle at audit committee to the guys who check one document, per annum, to a massive margin of error (external audit). For if internal audit took the important role it should, it would be held accountable, it would be in the limelight, its views would be sought by the top of the organisation, its work would have to be intellectually robust and justifiable.
I have been a journey with my audit career, first as a trainee, then in charge, then assistant manager, manager and senior manager and latterly directing the internal audit function. It has taken me some time to come to this core truth. Internal audit does matter, its does and should make a difference, and it absolutely must have a clear basis for its work and outputs.