As a CAE I am required to attend the audit committee. It is something I have done for a majority of my professional career and it is something that has always been professional and personal challenge. It never seems to get any easier.
One thing the audit committee process does is force me to work with my management colleagues. I cannot produce audit committee papers on my own. I need the management engagement, support and response to make the audit committee process work. This presents a professional challenge, for it is the time when I act most like my management colleagues, i.e. using persuasion, collaboration, cross working, shared effort, as opposed to the arguably more detached and institutionally created, demanding approach to audit. I can demand to audit (of course one doesn’t, one works collaboratively, but I could demand to be able to audit). I cannot demand a suitable management response.
In discussing reports and audit results I do have perhaps a more liberal and relaxed approach than that of many of my CAE colleagues. I don’t see the draft audit as fixed and to be ‘responded to’. I see it as a starting point for a conversation, debate and discussion about risk and challenges. I see audit findings as a shared challenge and set of questions that internal audit and the management team should debate and discuss potential solutions to. So in some ways we face the same problem but from different sides of the coin.
Yet, for every audit committee in every client I have ever worked at and with, getting management responses and producing audit committee papers on a timely basis, has been a chore and hard work. At some point the conversation needs to stop and response be provided. I sometimes think this is because we (as auditors) and managers do sometimes linger in the old world of audit being an accountability and checking mechanism. The audit report is seen as a gaming process, to be batted backwards and forwards until a negotiated settlement that is not too ‘critical’ of the management team and will be seen positively by the audit committee as such, is published.
Yet I see it differently. I see audit as a collaborative, shared, cathartic approach, where the value is less in whether the audit report is intellectually or scientifically ‘right’, but whether the process of debating it has really moved our collective (audit and management) thoughts forward. In other words does it prompt change, or a conscious and comfortable adoption of the status quo (both are appropriate outcomes)?
Also don’t see a particular need for an audit report to be agreed at the point of publication. Yes, broadly you don’t want diametrically opposed positions, but does the challenge and debate of an audit report need to be settled at the point of audit committee publication. I would say not. The reason I say this, is because the very best auditors look forward into the future or ask the really big questions. This is the real value of a good internal audit function. They say things the management discourse has not yet got to, or is not yet current currency. So for example, in the Tesco context, the internal audit function should have said, ‘look our business model is becoming unsustainable in a fundamental way here, and I see the pressures (albeit small at this point) beginning to show’. That may have saved Tesco a lot of its current stress. Most of my best audit reports have said, years before the risks became issues, what the real problems were. The management team have looked back at the original audit report and valued it retrospectively. My previous boss accused me of having a crystal ball, I explained that I simply knew that unmanaged risk will, eventually, somehow, become a set of issues.
I don’t really see management as being fundamentally different from audit. We both face the same complex, messy, world, and this world does not get easier and less challenging. So a good audit report should really push the debate on, push the organisation to adopt a position, and be seen as an organisational, process, a risk management debate. It should not be seen as an criticism and judgement of individuals, for control environments are almost never ascribable to a single business unit or process, and never at the level of an individual.
So why then do audit committee papers push two parties with a collaborative and joint interest to adopt such different positions? I suspect it has to do less with how the auditor or individual manager thinks about audit (many now have much more modern views than the traditional inspection model). I suspect it is a fear about whether others still see the audit model in those terms. So do the audit committee members see it as a process of compliance inspection? What about our publics and stakeholders? Again, in reality, a lot of modern audit committees don’t see internal audit in those terms, they are on board with a more collaborative approach.
Yet, whilst modernity is beginning to come to audit practice, it is still difficult to see this in public audit discourse. Our institute is still obsessed with independence and objectivity. It still sees this divide in absolute terms, and in prima facie, two dimensional, terms. For independence is a state of mind, not a set of rules and processes. In pushing this divide it pushes audit and management teams apart. Instead of being two sides of the same coin, it forces us to be different currencies.
So next time you are preparing your audit papers and thinking about why the process is difficult, perhaps take comfort in that a good audit approach pushes and organisation, and that no one likes to be pushed. So are you the other side of the coin or a different currency altogether?