In a week where the ‘hacktivists’, allegedly from North Korea, have taken Sony pictures to a decision about rejecting the publication of their film about the North Korean leader, I wonder if it is worth considering the freedom of speech of internal audit?
Of course, on paper, internal audit has all of the right independence and status protections to ensure it has freedom of speech. Internal audit can say the unsayable. I would argue it must and should say this, for by doing so it unblocks the organisational and governance constipation that most large organisations and bureaucracies suffer from.
Yet, as a CAE, I am always faced with a quandary. My model of internal audit and modus operandi is to be a friend. I’ve written about this before on this blog. It is not any CAE’s or my intent to harm or damage our clients. So being robust and firm, as you would with any friend, can often be the right answer.
Sometimes, however, writing something down or highlighting genuine, close to the bone risk, is difficult. It is difficult because by doing so, internal audit may well crystallise the risk itself. So, pointing out total dependence on a key supplier, if leaked, would damage a commercial entity. Identifying a fundamental flaw in a manufacturing process could damage sales of the good manufactured. Pointing out health and safety risks could damage the reputation of our client.
Internal audit is just that, internal. So it should be a safe space to debate, discuss, disagree and argue (in an academic sense) with our clients’ management teams. I like to argue that under the three lines of defence model (about which I have written on this blog to make this point) that internal audit is more like the 2.5 line or third amongst four lines of defence. External audit and regulators (the unfriendly auditors) make up the fourth line in my view.
Yet there is pressure for internal audit reports to become public property. For a start our partner, customer and supplying organisations all want to share our assurance and map and understand sources available. In the international arena in which I work, we seek and have sought from us, the nature of assurances available about our client organisations. This all seems reasonable. Yet it is a countervailing influence on the ‘safe space’ we seek to have as internal auditors.
This in turn creates an odd set of behaviours in organisations that do publish reports. A sense that internal audit becomes a ‘boiler plate’ exercise – something to be managed. Messages to be massaged and manipulated or an adversarial process to be batted away and mitigated. Or the other route – bland and vague audit reports alluding to risks and issues. Neither is particularly helpful in my view. Gone is the open, reflective, supportive, encouraging and change-oriented internal audit process. Gone is the meaningful and free engagement with management, in its place a discussion ultimately oriented to how the report might play out in public.
Now of course any CAE is aware of the externalities and end point of a report and indeed should be. So it is never a case of having a completely free internal space or a totally public external space. In reality it is spectrum and the CAE should be aware, report by report, where on the spectrum the report’s subject matter is.
If, however, something is on the public end of this spectrum, it is possible and in my view, likely, that it will be a space the management or governance body of your client may well seek to limit internal audit’s freedom of speech. The more important or challenging the issue, the less free to speak internal audit may be.
So what’s the remedy? Well internal auditing standards simply require the same freedom of speech as for all internal audit activity. This is naive though. In reality most CAEs have the ‘it’s not a good time to audit’, ‘I’m not sure internal audit can add much value at this point’, ‘we know what the problems are in this area’ comments. All of these misunderstand internal audit (we can audit good as well as bad things, we may well have insight the management team doesn’t, we will always add value, for to think about risk is a cathartic process in itself).
I think the remedy is of course for internal audit to say what it needs to say. It should feel free to say what it requires and what the organisation, more importantly, requires. Internal audit should also not have any no-go areas. It is not acceptable for internal audit to be restricted in this way. Yet there are times when a CAE needs to take a step back and not use lots of organisational capital to push through the smaller review or issue, when a larger point exists and requires a stronger stance. Sometimes though, when a CAE does this, they risk losing credibility. They flex in a unhelpful way and lose the respect of their team and the business.
Ultimately a CAE needs to think at the annual or periodic planning stage, what each review is likely to yield and the diet of messages and change challenges being delivered. Then at the assignment scoping stage, the CAE needs to think, when setting the question, to decide how the report might play out. For a poor CAE has no idea how a report might ‘land’ or what messages it is likely to deliver.
So does internal audit have free speech? Yes – potentially, but not without consequence. For free speech is not consequence-free speech. I’ve always found as a CAE the issue is not whether I am confident or willing to have free speech, much more am I using it responsibly for the good of my client organisation (note not management or governance parts of it, but the organisation as a corporate body)? This is a difficult judgement that, for most CAEs, is embedded in an underlying plan of messages across the year and across years strategic audit plan and is made much earlier than the assignment delivery and report writing stage.
In my view internal audit’s access and use of free speech is the essential gap that organisations have. When I see organisations that fail I always ask where was internal audit? and what I mean by that is, why was internal audit not using its uniquely free speech to shout out about the problems. For as an American air steward once said to a difficult airline passenger, ‘I’m here to save your ass, not kiss it’.
Are you free?