I spend a lot of time on this blog talking about what good internal audit is, but very little time about what bad internal audit is. I guess bad is the converse of good, so take my views of ‘up’ and reverse them to see what ‘bad’ is.
So I guess a very narrow definition is an audit service that is non-compliant, or only partially compliant, with the international auditing standards from the IIA. I’ve commented lots on standards (see Generally conforms?), so I think they are rather binary, rather limited, and not a particularly good measure of performance; they measure conformance more than performance.
So let’s think more about what bad is. Something is bad when it does not meet its core purpose. So what is internal audit’s core purpose? Not the production of audit, not the production of assurance. If we take the lines of defence model, as the third line we are there to prevent problems, at least at an organisational level. So the non-prevention of organisational failure from a risk’s or risks’ crystallisation could be seen as a failure. Whilst we are non-executive, we surely are accountable for the prevention of failure of our client organisation? So when an organisation fails, so, in my view, has the CAE.
Again this measure is a little digital. Also, bad internal audit is only discernible in this model when something falls to pieces. Not very helpful as a pre-emptive, forward-looking measure of badness.
So let’s keep reviewing the situation and we had better think it out again. So another thing I think internal audit should be is relevant. It should do stuff and be an element of its client organisation that matters. So if the internal audit function is irrelevant, if it performs a perfunctory role at the audit committee, if the opinion of external audit matters more on business risk (and why should it, they check the veracity of one document per year – why would they have any valid view on business risk?), then internal audit is doing badly.
But what does irrelevance look like? I would say it means internal audit looks at small things; it looks at things solely at the direction of the management team (i.e. it is not independent); it conversely is never asked by the management team to do anything (so is unloved by the management team); it does not do any work outside of a too-small audit plan; large chunks of the business do not see or feel the impact of internal audit for long periods of time; internal audit reports (even strongly expressed positive or negative ones) have little impact; and the head of audit is a junior member of the team, with no access to the C-suite and little in demand from the organisation’s CEO and board.
The real test for me of bad internal audit is when something goes wrong and internal audit is not involved. It is not looked to for support, for additional assurance, and its prior work is not reviewed to see if lessons could have been learned earlier. Internal audit is of course not the only part of an organisation that could possibly solve these issues, but it is well placed to do so. It is independent, skilled in risk management, governance and control, and has a good and in-depth knowledge of the organisation. So why would it not be a natural partner for the CEO, C-suite and the board?
Another measure of bad internal audit for me is poor quality opinions. Perhaps they are wrong (and for those of you who know me I don’t believe in wrong, but things can be a long way from the range of ‘right’ answers). They are absent, meaning that no opinion is given or the opinion is limited to the work done on an exception basis. The opinion is really difficult to determine or divine from the audit reports and work. For me an internal audit function stands or falls on its opinion quality. Does it say the things that matter? Even if it’s difficult to say it. Does it say things in a way that is balanced and supported by evidence? Does it say things in a manner that is clear, but supportive of creating positive change? This can mean being really tough – it can mean being really gentle – but never means being unclear.
Another indicator is people. Is the internal audit department populated with people of the same or better standard than the business they audit? Coming from a big four firm, we always believed we were better than our clients. In many cases we were. Certainly we would never regard ourselves as being below our clients. This is with good reason, for an effective audit function should attract the very best. It has a great qualification; teaches generically valuable skills of governance, risk management, control, value for money, and report writing; encourages operational, detailed, tactical and strategic thinking; provides a fantastic oversight of the business; and gives both breadth and depth in experience. Why then would internal audit not attract the very best talent from the business and also export it? If your function has only career internal auditors, who are not of the standard of the management team you audit, you need to look again.
The biggest indicator for me of a poor internal audit is that it does not amount to a whole hill of beans. In other words, the sum total of its efforts does not enhance or improve the host client. After a five-year audit or assurance plan, is the client better? Better at achieving its objectives (which is the entire purpose of risk management)? If not, then why not? It may not be entirely or even partially internal audit’s fault – we are non-executive after all – but does internal audit deliver meaningful improvements to a client’s capacity to deliver and manage risk?
I know various audit services that measure the implementation of recommendations by the management team, but for me this misses the point. Surely the point is that the risks to the achievement of the organisation’s objectives are the things that matter? So I would follow up the exposure to net risk above the board-approved risk appetite; that is the ultimate measure of internal audit.
So are you bad or good?