I’ve been reviewing an article posted by Professor Andrew Chambers on the UK IIA’s website, ‘Where are we now?’: http://auditandrisk.org.uk/features/where-are-we-now
It’s a list of various rules from Basel to IIA practice advisories, to the IIA standards, to the US Federal Reserve. The intention of the article is to try to divine from various regulatory and standards interventions where internal audit, in role terms, is. I think it is a helpful aim, but the article lists a set of rules; there is not much analysis, apart from a statement at the end of the article:
‘There is little point having standards that are wholly aspirational with limited conformance, or standards that support the lowest common denominator of best practice.’
I agree with the second part, what is the point of a lowest common denominator of rules? I fundamentally disagree with the first element of it. Old school internal audit is uniquely obsessed with conformance and a scientific rules-based view of the world. But if we follow the conclusion a little further:
‘We need more public pressure on internal auditing to enhance the standard-setting process, the rigour of the Standards, their public interest and their general enforcement.’
Here’s where I really disagree with Professor Chambers. The last thing we (by we I mean the internal audit community) need is to put lots of public pressure on us with ever greater rules. It is typical of yesterday’s internal audit generation to have a rules-based view of internal audit. We are lucky that our rules-based leaders of our profession cannot agree on the rules, so the IIA standards have remained resolutely principles-based, despite efforts to change them by the regulators listed in this article.
For the reality is that there is no body of knowledge, right and wrong, for internal audit, like there is for medicine or law, so a rules-based approach makes no sense. Internal audit is not the pale and ill-defined shadow of external audit. It is a completely different profession. We may share the name ‘auditor’ but we must, as a profession, stop rules-based external, financial statements, auditors from defining their compliance regime on us.
I bewail the US’s rules-based culture being established as the dominant paradigm for internal audit. Thankfully the UK is better than most at resisting this culture. The British have been excellent over centuries at working with what works and not obsessing over the rules. We’ve never written down our constitution, rather used culture and values. What it is to be British has constantly changed, yet with some underlying sense of what way is ‘up’.
If we take the small insight into the Basel banking audit rules in this article, I am glad I don’t work in banking audit – all of those ‘shoulds’, ‘should nots’, ‘musts’, ‘must nots’. The world is moving quicker and is more complex. A rules-based view of the world jars with this and makes no sense.
Another point – internal audit does report to the board as the article says, but is not a puppet of it. Boards can fail as much as management. Internal audit is there to look after the body corporate; if a bad set of governors (directors) is in place, then internal audit should stand up to them as much as to a bad management team. I also take issue with Professor Chambers saying that the IIA standards don’t require engagement or overall opinions from internal audit’s work. They do, for example in standard 2410. It caveats this with ‘where appropriate’. This is a good principles-based rule set in my view.
So in answer to the article’s question – where are we? Well, I think we are a profession that has a generational gap. I would identify three, possibly four, generations of internal audit. First, an audit universe, rule-based, obsessed, two-dimensional compliance audit. Second, a more risk-based, from an audit universe, audit, with some sense of beginning to see beyond compliance (perhaps doing ‘consultancy’ as well as audit). Third, a fully risk-based audit service that sees the world in socially scientific terms and as an internal form of consultancy. The fourth is a variation on the first, a financial compliance ticker. That’s how I imagine banking audit or US-based audit service. Perhaps my blog readers can propose their own typology of generational types?
My point is that this article is an old school version of internal audit, of type 1, perhaps 2. Why worry about the rules? How about internal audit as having a risk-based work allocation and reporting framework, populated by bright people challenging how rules are being mitigated and managed? If you like, a form of organisational consultants?
So overall, the article is not a hit with me. In fact whilst it picks up lots of interesting points, it comes to the wrong conclusion. Not more rules please! – but more thinking and more good old British adaption, principles and a contingent approach. Free internal audit!