Being a lifelong professional internal auditor is strange career choice. Certainly for my generation, internal audit was less of a choice and more something we fell into. The profession of internal audit, despite having been founded in the middle of World War II, was still a young profession. Most internal auditors did not qualify as IIA members. The Institute in the UK was still to receive its royal charter, something the accountancy institutes had achieved in the 19th century. It was perfectly acceptable to take a role as a head of audit as a qualified accountant, with really only a glancing blow of professional experience with internal auditing. Certainly the global reach of internal audit, as we see now, had not been achieved.
So we all know the story of internal audit. Born out of the financial controller’s section to enforce financial controls, seen as a compliance and ticking boxes function, with a remit to follow money and assets. Gradually this remit expanded into broader operations oversight to support a ‘statement of internal control’, most of which, to this day, are still statements of internal financial control. Then the profession jumped on the risk management bandwagon. In doing so, slowing the growth of the risk management profession and their developing institutes, and claiming a set of expertise which many internal auditors don’t really have to great degree. The mantra of ‘risk based’ is still far stronger than the reality. For many functions, risk based means ordering the organisation or world by notional risk size, mainly driven by gross risk indicators. It does not really focus on the net risk (as actually experienced by the organisation as a result of its risk mitigation efforts) nor have a strong (in some cases any) link to the organisation’s objectives of risk appetite (tolerance or target risk – take your pick).
So here we are. A profession to some extent, as I said at the top of the year in my first blog post, somewhat at a crossroads. Perhaps a good historical perspective and analysis might be helpful? Perhaps there is a good IA history out there (links and suggestions welcome)? History is often a good indicator of the future. It can situate us in a broader, longitudinal, context and enable us to take more purposeful and confident steps forward.
I am yet to read the new exposure draft standards. That is my task for this week. It will be interesting to see if the new Standards really tackle what internal audit is at its core, rather than just the core attributes and practices of internal audit. If not, perhaps this is the opportunity for a wider debate for IA’s position in the corporate hierarchy? To be fair to IA as a profession, I don’t see much of this debate for other professions, accounting, comms and marketing, HR, IT etc. or perhaps I just need to go and refresh my MBA to catch on these live debates?
So to my blog headline. Taking into account how I see the internal audit profession, are we a creature of HQ, or operations (or ‘the field’)? My view is that we are, of course, both. I like to see myself much more as a creature of operations however. Why? First, if internal audit is done properly it should see the reality and complexity of getting stuff done in the external and internal, organisational, context. Secondly, internal auditors ‘get around’. Certainly in my current client sector, internal auditors travel a lot. They see operations on the ground. This has been true for all client organisations I’ve ever worked for. Thirdly, and perhaps I am atypical in this regard, I am not a rules, compliance, based person. As a social scientist at heart I recognize and validate the human aspect to organisations. These are so much more powerful than compliance and rules. It is very hard to enforce rules and compliance. Very few industries and clients have ever enforced this. It is far better, in my view, to look at the incentives and culture and change those, than to mandate behaviours and rules that are not aligned to these very human drivers of behaviour and action. Win the hearts and minds of staff and this will drive a change in a way that simply mandating a set of rules will not.
It always surprises me how management colleagues confuse internal audit’s non-executive role with an inability to be able to manage, not least because we manage our own functions but also because we have often seen many more, strategic, tactical and cross-cutting, things than many management colleagues have in the same time period. For if an internal auditor cannot, in a meaningful way, actually step into the shoes of management they likely potentially ineffective as an internal auditor. I would say a good, risk based, internal auditor would make a great general or strategic manager.
Internal audit should also, however, be a corporate darling. I think internal audit must understand the governance and senior executive management perspectives in their organisation. After all, internal audit at its core, should assist its client organisations to achieve their objectives. If not, we should pack up and go home. So understanding these perspectives and their politics should be a core role for any chief audit executive. Rainer Lenz published a good 4×4 diagram on this some while ago – arguing CAEs should avoid being naive or engaged in politics, but be politically aware and savvy. I support this view. A good internal audit function is a praetorian guard for the C suite – bring the reality and challenge perspective to what can often be an isolated space.
So overall, I see internal audit as a link between reality and theory. C suite and shop floor. Both strategic and street wise. Theoretical and policy oriented, but practical and pragmatic. It’s a tall order – so how do you do?