Anyone who reads my blog over time (there must be some!) will know that I consider the heart of good internal audit to be its methodology. CAEs spend all of their time, and are professionally trained, being dispassionate and objective, yet, in my experience, audit methodology is the subject that creates the most passion in most CAEs.
Why is this? Well, I think it is because internal audit as a profession is principles-based. There is no definitive right and wrong. No law or legally enshrined rules. This, for my generation of CAEs, brought up and trained as external auditors, is challenging. It is challenging because financial statements are controlled by rules. Sure, there are financial statement judgements, but in the main there is right and wrong. So many CAEs will create a view of internal audit and see that as definitively the only or ‘right’ way to do internal audit. They will bring this to their internal audit work and define a framework of rules for internal audit. Hence audit methodology creates so much passion.
As I’ve grown as an individual and as a professional I have come to see internal audit as a paradigm, within which a significant range of choices and options can be taken. So risk-based internal audit can be a number of different things. I have also learned that a client’s risk maturity can have an impact on the audit service, but not as much as the IIA or other internal audit commentators would have you believe. I think the real thing that drives internal audit methodology is the nature of your client’s business and how it creates its control environment.
As I’ve posited before, one could think about this in terms of the three lines of defence. In particular I’ve seen two broad models, the ‘n’ and the ‘u’ shaped model. For further commentary see my post Heterogenous Audit. But these models of risk management and control are themselves founded on a fundamental view of the world. Is the world one susceptible to rules and right and wrong, or is it more a set of principles-based judgements? So the model your client adopts should affect your model of assurance.
I believe the world is too complex and difficult to be effectively run through rules. The building blocks of business, customers, employees and delivery, are all too complex to be controlled through rules. Any auditor who truly believes in a rules- and controls-based world is either thinking wishfully, or does not have enough experience of how things really work and happen. For even in the most rational, ordered, and rules-based organisations, human intuition, judgement, and complexity manage the significant risks.
So in my view audit functions, and the very best auditors, see the world as being principles-based. Sure, have some rules. Have some rational order. Just do not expect these to really control the significant risks to the business. I am working my way through a PhD looking at the marketing concept’s use in organisations. Now marketing is an economically rational, scientific process. So you would expect an organisation to consider the concept of marketing consciously and apply it in a rational and ordered way. During my study I’ve found that very few organisations have rationalised and ordered their marketing activities in any meaningful and conscious manner. So it is for risk and control frameworks. Very few organisations consciously consider, carefully design and meticulously deliver their control framework.
So internal audit can continue to believe in the fantasy of perfect risk and control maturity, or it can instead work with organisations as they really are and build a sensible level of ambition and follow-through that makes sense in the client’s market and cultural setting.
So, coming back to my original point. It makes little sense for a CAE and their audit function not to consider their client’s control context. It also makes little sense for internal audit not to have consciously considered and designed their methodology to match.
This has two significant consequences for internal audit in my view. First, internal audit must have consciously considered what its methodological standpoint is. This needs to be articulated intellectually, conceptually, and in delivery terms. If an audit function cannot articulate this at a fundamental level, then I think the audit function must be prone to a high risk of failure. The second consequence is that internal audit as a profession must accept differences in methodology. These differences can be quite significant, as clients can be significantly different. So an audit function auditing a charity delivering international aid may look very different to one auditing a private sector airline business.
These methodological differences are important. Whilst all CAEs like to believe their methodology is the ‘right’ one, they must accept that the fact that other CAEs have different methodologies disproves this belief. Similarly, all CAEs should have a clear articulation of why they do what they do, not just a description of it. Being compliant with standards (principles-based as they are) is just the start: it is a necessary, but not sufficient, explanation of an audit methodology.
So do I believe I have the ‘right’ methodological internal audit answer? No. I do have the start though, a clear rationale for the viewpoint, model and consequential internal audit practice I have adopted. Do you?