I have been thinking about what makes a successful internal auditor. This is because my year end appraisal is due. I think it is difficult to appraise a CAE. We are perhaps the strangest job in any organisation.
First of all there is who is best placed to do it? Normally your line manager does it. This makes sense because they direct and control your work. They decide what good looks like. They define your objectives, resources and activities. A CAE, however, is meant to be independent of the management. The whole point is that the management chain does not define your objectives as a CAE, limit your activities or direct and control your work.
So then we turn to the non-executives, most particularly the audit committee. Most non executives only see a portion of the internal audit’s work, in a formal and presented setting. I’ve been lucky to work with some good chairs, in particular one, who spent time with me and the team to evaluate and understand what we did in some detail. In the main however, feedback and input into your work from a CAE is by exception as non executives do not see your work day to day.
Then there is the fact that most CAEs have a formal reporting line to the CEO, but in practical terms there is a ‘pay and rations’ line reporting relationship, most often to the COO or CFO. Either way, both the CEO and COO are unlikely to see the full panoply of an internal auditor’s or CAE’s work, particularly as internal audit moves away from just financial control ticking. We work across the organisation, top to bottom, side to side. So it is difficult, in a way not true for other managers in the business, to present your achievements and delivery.
Then there is the fact that internal audit works in both formal and informal ways across the business. If an internal audit function is any good, then it will provide a good source of informal support to the business. It should have a good database of knowledge and experience, and understand the overall strategic and corporate messages and contexts for local decisions. I would say I spend at least 30% of my time assisting the business in this way.
Perhaps the most odd thing about appraising a CAE is that being challenging, difficult and disruptive, is part of the role. A good CAE should avoid the management ‘group think’, the politics of the sayable and unsayable, the limitations placed on the rest of the business about asking challenging questions. To some extent a good CAE should receive a proportion of grumpy feedback. If they don’t, then I would argue they are not assisting the organisation to genuinely grow.
In the same vein, an audit function that does not receive at least some aggressive ‘shooting of the messenger’ is not delivering the right messages. I would say at least 20% of my reports are regarded and ‘completely wrong’ or not ‘how we recognise the business’ when first published. For me, sometimes this is a problem with the analysis, or the engagement of the team with the client, for which I am accountable. Most of the time it is because the report is, painfully, spot on. I have lost count of the times a ‘completely wrong’ report has either been adopted in full by the relevant report recipients six months later, or ignored and the risks stated have, unfortunately, crystallised as predicted. I guess a good CAE knows when something is just too right, or genuinely wrong, and amends and edits accordingly.
The role is contradictory and demanding: so you have a role (CAE) and function (internal audit) that is meant to be all-knowing yet cover the whole business; be both unpopular and popular; is appraised primarily by those it is institutionally set up to working independently with and sometimes hold to account; support change against all the challenges that any change brings; and work across the whole business whilst competing for attention with those management in the thick of the strategic priority areas of the organisation. Hmmm, a relatively tall order for any individual or function.
I think, however, the biggest issue is that internal audit is set up with a completely different lens and mindset to the management team. The internal audit function’s lens, is and should be, according to the International Standards of the Practice of Internal Auditing, risk based. So we trade not in the current, not in the accomplishment of the here and now, not in the delivery of lots of currency. We trade in the possible prevention of something that may not have occurred in the first place. In other words, we focus on risks, not issues, a totally different currency to the management team. This was the subject of my first substantive blog on this sitehttps://chiefauditexecutive.wordpress.com/2012/01/ and I still haven’t changed my mind on this since.
So we are a function and individuals that are the antithesis of management in practically every sense, yet we are all appraised within a management appraisal paradigm. Should we feel hard done to? Well not completely. A CAE still has to manage people and delivery business processes, run a department etc. A CAE still has to influence colleagues and organisations in the same way as our management colleagues do. We still have to balance our role with maintaining a permission to operate (we are not without accountability or any boundaries).
Yet we are unique and special (I think in a positive way). We are organisationally renaissance people, we need to be extra special to be appreciated. I am of the view that a good CAE should be noted, for both the irritation and plaudits for support they deliver. For both are good for any well governed organisation.
So when you are next appraised – are you being appraised as a manager or an auditor?