

I’ve come across an interesting phenomenon recently: the idea that internal audit must be bound by rules, or at least by guidance. When I posited that internal audit should give a periodic (normally annual) opinion on the adequacy of its client organisation’s governance, risk management and control, I was asked: wouldn’t that just be your opinion? With the follow-up: why is your opinion any more valid than anyone else’s?

It’s a good challenge. Why should the CAE’s view be taken any more seriously than the CFO’s, CEO’s or COO’s? The answer, I think, is that it is grounded in internal audit work. Let’s go back to the definition of internal audit:

‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.’

So the opinion is independent and objective. This is why it should carry greater weight from a board perspective than the management team’s views. It is grounded in a planned, and hopefully risk-based, programme of assurance and consulting activity. That programme is designed, or should be, to cover the risks that matter and the core elements of the assurance opinion being given; in other words, the work provides the evidence and support for the opinion.

This line of questioning extends further: how can you provide an opinion if you are not attesting to something? Standard audit methodology requires that attestation be made against something: a framework, a set of rules, a management assertion, a set of measurable things. So for some, internal audit can only provide an opinion where there is a set of rules to compare practice against, i.e. I compared B to A and found these deficiencies between B and A. This leads to the school of audit thinking that says: I can’t audit that, there are no rules. The management team has not yet put in ‘controls’ (by which they mean business rules), so I cannot audit it yet.

In my career to date I have seen many auditors struggle when a clear set of rules is not in place. Let’s be clear: there is a place for compliance work and minor control design improvement work in internal audit. A truly risk-based auditor should, however, be able to work ‘off piste’. They should be able to look at what needs to be there, based upon the objectives and risk appetite in place, and take a view. Consultants seem to struggle little with giving their view; why should auditors?

Most organisational activity is not defined via rules, and most management teams are poor at defining rules and even worse at enforcing them. The breaking of rules per se does not relate to risk. Most organisations do not follow rules most days, yet they succeed, or carry a level of risk that is bearable. So the idea of ‘control’ as compliance or conformance with rules has, in my experience, little relation to risk.

Thinking is incredibly difficult. We all try to avoid it. I know that it’s the hardest bit of my role, yet the one that, as CAE, I do almost exclusively. When I review my team’s work and reporting I am not primarily looking at what is there (well, yes, obviously for grammar and presentation etc., as my team will attest); primarily I am looking for what is not there. What are the obvious or less obvious things that are missing? What should be there? What is the management team not doing? What will come back to bite me later if I don’t pick it out now? What are the logical end points for the area under review if the organisation continues as it does? That is what a CAE and all auditors should do. We can all get wrapped up in compliance and ultimately get the wrong answer.

I love doing audit work. I still do audit work as a CAE and I love the thrill and chase of audit. I adore looking at something new, researching it, thinking about it, bringing 20+ years of experience and formal training to bear on a scope of work. I do struggle to do this whilst having my day job of being a CAE, but given some time, I love auditing. I love the ‘private words’ people want to have with you, the cultural and organisational intrigue and interest, the satisfaction of my naturally curious and nosey nature. I ultimately love producing something that, if engaged with positively, will make a lasting difference to clients. In my current role I have the added satisfaction that this will ultimately improve and save lives of some of the poorest people in the world. Now that’s something worth getting up out of bed in the morning for!

I don’t love internal audit when it becomes the policeman for rules; when the creative and value-adding thinking element is cut out of it; when the risk-related bit (i.e. seeing that risk is good, not bad per se) is taken out of it; when you can only express an opinion as an attestation of conformance.

So, thinking about the line of questioning I experienced, I was asked what framework or model of control I would use to provide my opinion. I was at a loss. Why would I use a framework? Most frameworks are merely other people’s documentation of what they think should exist, i.e. their thinking, not mine. These frameworks, to have any generalisability, are required to be high level or vague. Sure, COSO has some nice structure and thoughts, but it tells you little about what control should look like in context A or context B. It tells you little about the sub-elements of control: what should cash controls look like? IT controls? Marketing controls? Surely these frameworks are merely other people’s thinking anyway? Why can I not think for myself? Why should I not take account of how the management team thinks about control? Why should I not use a range of other specialist frameworks of good financial, risk, IT, governance etc. control?

The truth of the matter is that the world is complex and good quality audit opinions come from good quality CAEs. If a CAE needs a control framework as a crutch to support woolly or low quality thinking, then you should change CAE. Sure, a framework is a helpful starting point or logic check, particularly for completeness, but it is no more than that. It is no more than the non-context-dependent thinking of others. The CAE should be providing the context-dependent insight and thinking.

I know all of this sounds dreadfully British (I also appreciate that the UK’s international currency, quite literally, is low now). It is important, however, that we as a profession avoid a rules-based, dare I say it, US-centric view of the world. We are not a world bound by rules, where ‘guidance’ is sought and very quickly becomes proxy rules. Pragmatic, agile, adaptive approaches driven by intellectual curiosity are a fantastic quality of the UK and its internal audit profession. Sure, there is a risk that you get a bad CAE and they don’t do this well, but the opportunity of getting a great one that makes a real exponential difference to an organisation is worth taking a risk on. For if an organisation sticks with rules and the slow evolutionary approach they precipitate, then it will not change with the times and will atrophy.

So how rules-based are you?