Norman Marks, who often has insightful and helpful things to say about internal audit, has commented on audit reports (see http://normanmarks.wordpress.com/2014/05/16/a-satisfactory-audit-report-is-unsatisfactory/). One particular comment stuck with me:
‘Internal auditors need to stop hiding behind rating systems and use the full capabilities of the English (or other language) to inform their stakeholders.’
I agree with this to some extent. We have all had ‘ratings rage’, where the message is lost on some clients behind a colour or a risk-rating descriptor. I do think, however, that plain English descriptors on their own do not provide a structure of comparability, of metrics-based assessment, that gives busy senior managers and non-executive audit committee members a hook on which to understand the world. So, taking my own assurance work at my clients: I put the contextual, plain-English messages in each assurance report. Yet at the year end, when I come to issue my annual opinion (where that has always been a regulatory requirement), I want some sense of what I have found during the year. A qualitative professional judgement is fine, but it needs something a little more structured to support it. This semi-structured approach, a social-scientific one, where the complexity of a social world is neither boiled down to fake scientific accuracy nor left without any explanatory structure through purely artistic description, feels right.
So, do I support internal audit’s rating systems? Yes, but a qualified yes. I support them as long as they have intellectual consistency. Part of this is my slight OCD tendency (I like things to be tidy and intellectually defensible). Part of it is that audit committees are (rightly) very demanding of CAEs. They will unpick something that makes no sense. If I cannot defend or explain the report and its rating system, how can I expect an audit committee to accept and value the reports it is given?
Interestingly, Norman’s post is actually critical of most rating systems. In particular, he points out that ‘satisfactory’ makes no sense unless it is related to risk appetite. My rating systems are risk based: they describe, without value judgement, an objective view of net risk. That is what a risk-based audit really should do, in my opinion. If the rating is blindly tied to assurance, or to a value judgement over either, then there will be a problem.
So is high net risk good or bad? Well, I would argue it depends on risk appetite. Clearly, at an organisational level high net risk is bad, unless the owners or key stakeholders of the whole organisation want to risk their investment. At an assignment level it can be good or bad. As part of an organisational portfolio, an R&D department will want to take risk. A particular business unit may want to take risk. So for audit to say ‘red is bad (high net risk), you need to put in better controls’ carries a value judgement. What if you want to take risk? Internal audit is not there to make organisations ignore, hide, or feel embarrassed about risk. It should be there to make the organisation more open to, and accepting of, taking managed risk.
So what about assurance? Well, something that is high net risk has the corollary of low assurance over the achievement of objectives. So scope X of a review is high net risk, therefore low assurance can be taken from its systems. But, surely, this again is neither bad nor good; it depends on your risk appetite. Risk can also be independent of the control system. Something might be low net risk because of a natural hedge through a portfolio effect, but that is not really a statement about the control framework; it is a natural control over risk. So you could offer a ‘green, low net risk’ opinion and still conclude that the control system is weak. You could also conceptualise assurance as being independent of the risk control system: I could fully assure you that net risk is high. Assurance is then a measure of confidence in the work offered.
All of these things matter. Perhaps not to most managers, who will not look beyond the tick, the cross or the colour. But to the audit committee, to the audit trail of opinions offered, and to the ability to focus clients on risk, all of this matters. To me, anyway! So next time you face ‘ratings rage’, be clear in your own mind about what it is you are saying and why.
Internal audit, for me, should not lose the discipline of rating and quantifying its work. It is a key reason why good internal audit is better than consultancy, for it has a structure through which to express itself and give the work meaning. But it is a discipline that takes time, effort and work. Writing up and doing audit work is fine; forming an opinion is the hardest bit, in my view. A narrative report can never be ‘wrong’; by rating, we (particularly us CAEs) put our necks on the line, and that is what we are paid to do. That is why internal audit matters.