I’ve had a few comments this week about detail. One stating that I provided too much detail in a presentation or perhaps too much content. Another in an audit committee that I attend that internal audit was praised for being able to provide a précis of the busy unit under audit review, in other words to balance detail provided.
This got me thinking about audit and detail. Is it a good thing to be able to provide detail? Is the devil in it, or does it show that well-worn criticism of not being ‘strategic’ enough?
As a CAE you are meant to be able to do both, to see the bigger and more important picture and also have a grip of the detail (at a forensic level for most audit committees, I find). Sometimes, and this is this true of our management colleagues as well, the connection between the ‘dots’ of detail are difficult to join up into a ‘strategic’ narrative. This is the bit I, and my audit teams, find really difficult. We have been trying to find a good way to do this. My solution, and it works with some teams and not others, is to get the team to sit around a table or videoconference and talk about the story, the narrative of the report. For as we know facts (if indeed there are such things) do not give meaning. As an example, is a project that has had all sorts of management responses an indication of a good or bad risk and control environment? Well, I guess it depends, it depends on the detail.
So this brings me back to the issue I began with, detail. It matters. I often use the phrase that ‘real organisational risk is down in the weeds’. This is true in my experience. It would be nice to think that the IIA standard audit universe and focus on those high risk items above the risk appetite line, would work. It doesn’t. First organisations are not really systematised. They are full of people who are not systematic. Also maintaining and controlling a system takes a lot of work and effort. Also people, if they do not like the control the system applies, will bypass the system. Second most IIA-based universes try to create ‘auditable entities’. I contend that auditable entities change constantly. They are in effect the roots of strategic risk reaching ‘down’ into the organisation. These change as the agenda, mission, power and cultural relationships of senior management teams change. I would contend the effort of truly creating a meaningful or accurate enough audit universe is not worth it, versus the saving of having invested in an audit function of sufficient size to cover the organisation in depth. In other words, the costs of cutting corners to support a small audit function with targeted and limited assurance coverage, via the development of a good enough audit universe, is greater than paying for greater audit coverage to pick up issues across the organisation (some of which may not be the most strategic or value adding). The latter is a cheaper path to a sufficient and suitable annual or periodic assurance opinion in my view.
Should we CAEs or auditors do detail? Yes I think we should, because control is vested in detail. Control is buried in detail. Complex, human, messy, detail. Do I believe there are strategic themes and messages to taken from the detail. Yes of course. To get at those messages needs coverage, it needs some send of sifting through examples and building a case.
For most management teams I have worked with need ‘evidence’ of risks. By evidence they mean instances where the risk has crystallised into an issue. For otherwise there is no risk unless issues arise. As CAEs our purpose is to avoid issues arising in the first place, so as you would not stop servicing a car just because it had not previously broken down, so a CAE needs to ensure businesses do not stop risk managing just because business issues have not arisen.
So what is the right level of detail for audit? I would say very detailed, because it is through detail that the reality of control is divined and identified. A CAE always needs to take the detail and work out what this is saying in terms of the bigger and wider picture. The CAE should always still engage with detail though, as we as CAEs need to have the grip that is so often not afforded to senior management. Senior management I have worked with have always valued the real world perspective provided by audit, and the real world is that seen day in, day out, by internal audit on the ground. So I would caution any CAE who wishes to become grand and remote not to, for therein in the path to a lack of grip over the audit plan, the organisation’s risk, and ultimately to a weaker assurance opinion.
I will still always therefore be a pedant for detail – will you?