So it’s just been The Great British Bake Off season again. A quaint British baking competition on television. Each week one baker comes last in the judging of their baked goods and one wins; the star baker.
So what makes a star auditor or a star audit function? Well I’ve written lots of times about audit quality and also the traits of good internal audit. My recent period of work has brought me in contact with many other audit teams and their outputs. The one thing that bothers me about those that are less good, is their inability to be truly risk based.
What do I mean by that? I mean that they do not provide a risk based opinion. For me this is the entire point of internal audit. For if we cannot be risk based how can we preach it to our clients? This means forming an opinion (which many audit shops don’t, either at an annual or assignment level). It means delivering an opinion that expresses a view based upon risk and stated in risk terms. It means linking control to risk; that is good control means managing risk to within a target risk or risk appetite. It means giving an opinion that accounts for risk appetite. I’ve written loads about this, but I find myself still surrounded by auditors and audit functions that still do not do this, and many that don’t even understand it.
I presented to the UK Institute of Internal Auditors’ annual conference last month. I made these points again. I am not sure whether the points echoed agreement or echoed into an unreceptive void. I hope the former. I know from my many roles that fully risk based internal audit works. It adds value. It makes a real difference the quality of he organisations to which it is applied. It works for governance committees. Yes it is complex. It requires our two dimensional scientific positivistic models we use in our profession to grow. It moves IA up the business value chain.
We are not the poor relation to finance. We are internal organisational consultants that are the guardians of ethics, good governance and organisational achievement of objectives. Done right, risk based IA is the senior management team’s best friend.
Returning to my cake theme. Too many auditors think rough, dry, unappetising cake is fine in terms of their product. We should aim for a ‘showstoppers’, fully iced and beautiful creations that our management colleagues want more of. Sure it takes hard work, effort and expertise. That’s what anything of value requires. This means that the thing needs not only to look good, but also needs to taste good, that is to say for an audit report it needs to be meaningful.
I genuinely think our profession is scared of risk. We as accountants, many of us, have been brought up in a world of laws and rules, right and wrong. When faced with complex and uncertain risk we struggle. For only once we let loose our fixation on rules and control defined independently of risk, we will add real value.
It is said that management science does not exist. Management has no right and wrong, just a complex set of choices. We as auditors should recognise this and be more ‘management’ in our approach. This means engaging with risk and celebrating its complexity and in most cases the lack of a right or wrong answer.
So back to baking – we as auditors need to use our CAKE (cumulative audit knowledge and experience) to make better products, more appealing products, more complex products. We need to have reporting that compares the tough choices our management colleagues make and makes some contextual sense of them. Done well these ‘showstopper’ products move an organisation forward in a way that it cannot do through any other function or governance activity. We are an essential part of any organisation’s eco system.
So when is your next showstopper bake?