In some senses the pace of change in internal audit during my career has been fast. In the UK the profession has matured, taking Royal Chartership and is no longer the internal financial controls work overseen by the CFO. Yet in other ways the pace of change in the profession has been slow.
Take the idea that we produce audit reports. Audit reports are the measure of output, the measure of the department, the core product of any audit department. Yet we blindly still worry about how many of these things we’ve produced by the end of the year and compare to our annual plan. Any variance from the annual plan is seen as bad and we will stand or fall on the plan.
Now all CAEs know that setting the annual plan is challenging. I don’t for one minute want to say that the annual plan is unimportant, it is not; for one should always have a work ‘budget’ that gives some sense of planned work, some sense and working through of how it is going to be delivered, and some sense of defining what ‘success’ at the end of the year looks like. The annual plan and the number of reviews is only one element though.
There are a number of obvious points that bear stating. Not all reports are the same. Not the same in terms of scope, complexity, size, organisational importance, political sensitivity or value. Some of the most hard-hitting and transformational pieces of work have been ‘small’ when reported, but taken significant work, effort, negotiation and, frankly, blood, sweat and tears, to produce.
Second one needs to look carefully at the audit report classifications to look under the numbers. Not all reports are equal. So a full risk-based assurance report of a significant process, area of the business, strategic risk or policy, is likely to represent some significant effort. A short review of a specific question or subset of any of those units is likely to be a lot less effort. A grant audit and opinion is much less, as they have a short standard audit report format, a workschedule (so less thinking) and less effort all around. CAEs, like me, will spin the outputs to suit our year end performance narrative. So be aware at taking things at face value. So do we have clear classifications of full scope risk based assurance report; limited scope review; grant opinion; advice note etc? No. I would encourage CAEs in their annual or periodic reports to do so, to enable better quality comparative views to be taken.
Third, there is a question over whether we should use the audit report as a unit of measurement at all? The global CEO of the IIA, Richard Chambers, argues we should audit ‘at the pace of risk’, meaning the world is fast moving and so should we be. So is the slow, report unit-based, world most CAEs live in still fit for purpose? Should we be auditing continually (or is this second line management?).
Well on one side I think it makes sense for audit reports to be considered more in their wider form, assignments. One output from an assignment is the assignment report, sure. There are a range of other assignment outputs, however. I like to consider an audit assignment to be for life, not just for the audit. So my team don’t walk away having delivered the report, we stand shoulder to shoulder with our management colleagues to help them solve the issues and risks we’ve identified with them. This makes sense if audit is to deliver the value we truly can bring to organisations. It also means that audit is less of a scary process or wringer to be put through, and more of an ongoing piece of consultancy.
Yet as a CAE I need to be able to support the allocation of resources provided to me at the end of each year and commencement of the next, so being clear about what outputs have been delivered is really important. So I would always want to capture any significant support (not just assignment reports) in some way. So I believe the real politik of most organisational resourcing processes requires audit reports to be counted, bagged and tagged.
Would I like a world where the audit function was judged less by outputs and more by outcomes? Sure. Would I like the lack of accountability given to other functions (finance, HR, IT, marketing, PR, etc) to be applied to internal audit? Yes – for equity purposes (although I would rather see proper accountability applied to all of them).
So are we going to see a move away from audit reports: a move to continuous assurance; slide packs; multimedia presentations; or assurance through the medium of modern dance? Hmm possibly, though my ability at the latter may not be up to par. I would however like to defend the audit report. It is hard work. It is a well crafted, deliberate and purposeful intervention. It feels less ephemeral than management slide packs. It has to be well-written, stand the test of time, and be both intellectually rigorous and stimulating. So I would always judge an auditor and an audit function by the core, risk based, audit reports; for that is the core mark of an internal audit function and its quality. Should we count how many of these are produced by an internal audit function? Yes. It matters.
So how many have you produced?