Sorry for not blogging for a few weeks, pressure of work, study and preparing for audit committee meetings has affected my writing time.
I am lucky to work for an international organisation that deals with international emergencies and humanitarian disasters. As such, whilst my organisation has built some resilience and capacity to be ready for these, as there is, inevitably, a pressure on the organisation each time this occurs.
I have written many times before that internal audit should be a part of the organisation that has a different focus from the management team. In particular, as internal audit is risk, not issue, focused, it should be forward looking. Being part of an organisation so focused on delivery and with a remit to both focus on, and allow, issue management however, how does a risk based internal audit function work in this context?
First there is the issue of resourcing. When an organisation is issue focused, it can be tempting to allocate resources purely to issue management. So why fund something that helps in the long term, where the direct benefit from the resources and issues is never immediately and clearly felt? Is the delivery of a service to help the organisation prevent something happening that may never have happened in the first place a good basis for funding?
The second issue is more practical. Where is the role of internal audit during a crisis? Other corporate departments can get stuck in. A crisis will need resourcing, so finance, IT, HR and procurement will all be needed. The top management team will need be engaged in overseeing it all. It can feel in audit as if we get left out, left at home whilst others get involved.
Then there is the question of auditing emergency responses. How does one apply normal audit practice? Rules and compliance can be at best, weaker. Where these are broken, the organisation is likely to justify these on the basis of ‘need’. Also, of course, because internal audit is unlikely to have been there in the thick of it, it is difficult for us as auditors to challenge judgements made on the ground without that context.
What is the timing of this audit? During? At the end? Some time afterwards when the dust has settled? At the very least it needs to be soon enough after operations for the audit function to still have the relevant functions and management structures around to hold accountable. It also needs to be early enough to be before regulators get involved, so that the business can have a safe, sensible and genuine lessons learned conversation. It needs to be early enough that the audit trails of people and paperwork are in place to review. Fundamentally it needs to be timed to be meaningful.
Yet, there is a role for internal audit prior to this, to be a corporate service that adds value. It requires careful embedding into emergency response, it requires for internal audit to move into a continuous auditing mode and be flexible, and it requires for internal audit to be comfortable with risk based audit judgements.
Internal audit has unique attributes that other functions do not have, and that has real value during an emergency response in particular; independence and objectivity. The ability to float above the crisis, to provide an independent perspective and to help decision makers on the ground is important. The ability to think ahead to the accountability questions to be asked in due course is key. The skills we have in risk management, governance, accountability, commercial awareness, counter fraud and experience across the businesses we audit could all be brought to bear.
So why is internal audit always left at home in a cinderellaesque manner when crisis or emergency hits? Well partly because stopping and thinking is not always welcome in a crisis. There is a pressure to do, and be seen to be doing. Pausing and planning is not a welcome voice and viewpoint in such moments. Also I think people are aware that accountability standards do fall during a crisis. Call it an increase in risk appetite or a recognition that difficult accountability questions can always be batted back with a ‘it was a crisis’ response.
Then there is the practical element of internal audit discourse. Internal audit communicates in slower time, purposely, carefully, using a written medium. Who wants this in the middle of a fast-paced, fast-moving crisis? I wouldn’t.
So can we find a paradigm of internal audit that makes a difference in this environment? Can we present via slides? Can we contribute to daily action meetings and wash-ups? I think we can. I think we will need to reconceptualise what emergency and crisis-auditing looks like. I think we will need to move beyond the concept of continuous assurance into something more like normal audit, just on speed.
I think as a profession we can no longer idly stand aside in these events. I think we should be part of the core team. That will require a change in auditor and client mindsets however. Have you been part of, or seen crisis auditing? I’d welcome your comments below.