So what has inspired me this week? Well, a phrase a colleague used: ‘well we will see if the rivers run dry’. This was meant to refer to the case when a client makes strategic or top-level comments and promises about controls and strategies, but when you follow this river it gradually dries, turning into a brook or dry river bed. In particular this applies to the control framework – grand risk management promises fail to crystallise into a meaningful set of tactical and operational controls.
What a great and well-observed phrase. Often, in the first set-up meetings of an audit, a client will set out how things are meant to work and give you the sales and risk management narrative. I often find that this can happen to chief executives and top management individuals at clients over the year: their understanding of the reality of control and risk mitigation below does not match the narrative they’ve been given or assured is the case.
So there is a key benefit of internal audit. Far from being critical of senior management, we are there to provide assurance that what they think is happening is indeed happening. So often, however, it isn’t. This is not the fault of senior management. Junior staff rarely want to say how things really are, because they think it is career-limiting. So here we have the second benefit of internal audit – we are not in the management line, so being less sanguine about reality is not (or at least should not be) career-limiting.
Weak control is also not the fault of junior management and staff. Often the point is that you need to look cross-departmentally and cross-organisationally to see the complex web of processes and people that work, collectively, to mitigate risk. I would not fault senior management for not seeing this either. They do not have the time to test the logic, veracity and delivery of the complex web of controls. So here we have the third benefit of internal audit. We are the only people with the time, practised skills and remit to test the complex web of organisational risk management controls.
So is it a role of internal audit to go into water divining mode and seek out the risk management controls? Yes, of course it is. It is a key role of internal audit to test the control framework, in design and operation. How often have we found that you can stop at design – that will never work, even if applied?
You can only really see if a river has run dry if you follow it. To follow a river takes time, effort and skill. Most, if not all, internal audit functions are not resourced to follow every river. Of course it makes sense to follow the riskiest rivers (where the river is not fast or well flowing enough), but it also makes sense to look at those which are well and fast flowing to check that the flow is sufficient to arrest risk (high gross, but low net, risk situations).
So does your audit team really wade often and deep enough?