So I’ve been Christmas shopping. Yes it’s all done. Just wrapping and sending to go. As part of my final day of Christmas shopping today I had afternoon tea at the Waldorf Astoria Hotel in Edinburgh. Now if you’ve never been – do; it’s the best in Edinburgh.
As I was sitting there enjoying the experience I noticed that nothing about the hotel ‘shouted’. The decoration was subtle, the service unobtrusive, even the signage was muted and subtle. Everything felt quiet and orderly, even the music in the background (played on a harp) was pleasant and civilised.
So it got me thinking about audit. When we ask our clients to document process, to be clear about decisions, to more explicitly analyse a position, are we asking them to be gauche and ‘loud’? So when I’m told ‘we do risk management, but never write it down’, should I accept that from an audit perspective? For I know there is never enough time to write things up, to record decisions, to document analysis. So am I being an unreasonable auditor by asking for this?
Well I know when things do go wrong, not having an audit trail becomes crucially important. When circumstances are replayed back in slower time and someone in a public or regulatory forum says ‘you decided to spend £Xm and had no analysis or documentation of the decision?’ it sounds bad, and is. So, if we can agree that this sounds bad and is, perhaps the decision is much more around knowing which ones to document? For we all take decisions and we don’t document in full detail every single one.
Perhaps this is a risk-based decision (except with this it is really difficult to know which decisions will be second-guessed later)? If so, is the role of audit to be more sanguine about decisions and to say some should be documented with a supporting rationale?
Coming back to my afternoon tea experience, I think the answer is there. It has the music, the waiters, the lighting, the fire-escape safety signage – it’s all there. Yet it is subtle. You are free to enjoy afternoon tea without knowing the work involved in making it happen, without seeing the control framework. Yet when you go into less high-quality establishments there are loud menus, loud music, loud signage, intrusive service and gauche decoration.
So in a business sense I am looking for a coherent control experience, driven less by process and documentation and more by culture and quality. There should be a sense that good control ‘just happens’, and when you look closely the control framework should appear.
I have tried to build this into my audits. My clients are not aware that I force them to engage and manage risk. You cannot respond to one of my reports without engaging in this debate. Engage with it from any other basis and it holds no water and makes no sense. So if a response to a report is ‘we’re doing okay’ (fine, but the report makes no judgement or comment on how well we think the management team is doing); or if it is ‘we’re doing our best’ (fine, but that does not affect the risk and net risk judgement); or if it is ‘we have a high risk appetite given to us’ (fine: first prove it, in a meaningful way; second, let’s share that understanding across the organisation, as the report is shared with senior management – would head office agree?); or if the response is ‘we have good controls’ (really? how so, if they do not mitigate risk? They may be good per se, but if they do not influence net risk they are the wrong controls), then none of these responses actually engages with the report.
The only reasonable engagement has to be within the risk-based terms of the report’s argument, i.e. ‘we think the net risk is lower because of X, Y or Z’. I’m always happy to be wrong – I am engaged with facets of the business in each assurance review for only part of the year, unlike the relevant management team, which lives with it for the whole year. Then I have got my way as an internal auditor – I’ve prompted risk-based thinking. In other words, the output of the assurance review and audit matters less than the risk-based, cathartic process of debate, discussion and engagement with audit. On this basis there is no bad internal audit; even a ‘wrong answer’ audit has value to the client organisation.
So what am I looking for when I audit? A great afternoon tea experience. For I love engagement with good management teams, especially when they are struggling with high challenge and risk (for we are all struggling with risk and it is not my role to be critical of teams’ work, more to point out, objectively, where net risk actually is).
So my advice to my management colleagues – look to establish a clear control framework, but a subtle one, established through culture, through being lived, through clear values. For much like the best afternoon tea experiences, they are subtle and ‘just happen’.
So ask yourself – are you an Earl Grey auditor?