As an auditor I’ve spent nearly the whole of my career at the edge of my ignorance, and I’ve loved it. Almost every review I’ve done is new. For when you see people and organisations in their full, wonderful and frustrating complexity, not the simplified representation of reality a systems audit approach would have you believe, everything is new.
Sure, in my junior audit days I did financial statements and data audits. Yes they were repetitive and dull in places. Long checklists of things to ensure were ‘right’. Yet, when I was put as a junior on internal audits outside of these areas, I noticed that people, not paper or processes, controlled organisations. I noticed that personalities came into play. I noticed that people have differing perspectives. I noticed the difference between low and high performing organisations and departments was people.
Two things I look for in a new auditor for my team are common sense and an ability to engage with, and understand, people. Now common sense is a misnomer. Common sense is anything but. Common sense is an ability to take a step back from something and ask the blindingly obvious questions that are not blindingly obvious to others. It is an ability to say – I don’t understand this, it doesn’t stack up, explain it to me – without feeling embarrassed, ashamed or ignorant.
I also look for raw intelligence and analysis. I look for the capacity to think. This is not just locked into the brightest and best from the top universities, it is a way of thinking, an approach to life. It is something that someone either has the ability to do or not. Sure I’ve managed to get those with latent and hidden talent to develop and engage it, but I’ve never been able to teach someone to think. Perhaps other CAEs have, I’m afraid I’ve failed at that. I would welcome stories about how other have managed to do this.
So I consider the ability to engage with organisations in their heterogeneous complexity as crucially important to a good audit. This is uncomfortable for audit. Auditors are used to ignoring people and the soft stuff of organisations. We audit rules, systems; definite things. I know many good auditors and functions that will nuance an audit message, or provide ‘between the lines’ the true position. You read their reports, however, and they point out ‘suboptimal’ areas, things that could be ‘enhanced’, areas of ‘potential uncertainty’ and whatever other euphemistic phrases we get taught at audit school. Yet, when you get the authors of those reports in a pub, with a pint, then they will tell you how it really is. They will tell you the people they think are excellent and those that are, conversely, dreadful. They will provide a detailed and rich organisational narrative that is really genuinely able to explain how things really are. I can assure you, in most organisations, they are suboptimal in my experience.
So how do we, as leaders in our profession, move internal audit discourse into a more reflexive space? How do we enable organisations to benefit from our structured yet rich and contextual analysis? How can we move to getting our professional discourse to be more disco and less royal court-style gavotte?
I would suggest that the Institute is recognising this as well. Richard Chambers in his blog (www.iaonline.theiia.org/blogs/chambers ) is messaging that internal audit needs to change. He is moving (not before time from a British perspective) to the new principles-based approach, enshrined in the new 2015 IPPF – Professional practices framework). This requires internal audit to be less straightjacketed, more nimble, more flexible, and less obsessed with structural independence (instead focusing on real independence – which in my view is a state of mind). He even thinks it may be time to open up the conversation about internal audit helping in second line functions.
This is all helpful from my perspective. This change agenda makes sense. It chimes with the reality us CAEs face and seems to recognise that most second line functions struggle as they are somewhere between management and the professional discipline of internal audit.
Yet internal audit discourse has a long way to go to become engaged with this level of debate. In the meantime, the demand from the first and management lines of our client businesses for professional assurance becomes ever more. Yet the profession, or us as leaders of it, remains too nervous to make the leap into becoming a corporate audit function. Our precious independence remains a barrier to prevent us being more than just a niche provider of machine based auditing somewhere above the organisation but below the board. It is this that is now preventing the profession from self-actualising.
So what is my solution? To allow the profession more space to be independent but also be the corporate assurance function. This would enable a scaling up of internal audit to provide decent coverage of the organisation, not a high level audit of a mythical process machine. It will enable us to engage with the real first line of the business, its projects, risks, and programmes. If you conceptualise the three lines of defence as ‘N’ or ‘U’ shaped, the former being how most organisations are – weak first line, strong central controls and processes, and weak and small internal audit function, then we need to evolve to be ‘U’ shaped. We need to have strong risk-aware intelligent first line business activities, with a light principles-based second line, and a strong, risk based intelligent internal audit function. This will provide the real support and challenge to a business, yet ensure the framework of control (a light principles-based second line) is engaged and effective within the business. It is this approach that will ensure real engagement of internal audit, allow it to be resourced enough to be sustainable, provide interesting and rewarding career options, and take internal audit into the fascinating and real heterogeneity of our client organisations.
How heterogeneous are you?