So this week we learn from Exeter University that snails are more intelligent and complex than imagined and that they follow trails to go faster. This got me thinking about trails, audit trails. One of the reasons, perhaps the key reason in my view, why internal audit fails to get the corporate exposure and respect it deserves is the apparent lack of rationale for the work done and not done by internal auditors.
I have written a number of times about internal audit not being either a science or an art. Good internal audit in my opinion is socially scientific. It uses models to understand and make sense of a more complex social reality, for this is what organisational risk management and control is. As such, internal audit attempts to simplify the complex organisational and social reality that most, if not all, organisations represent.
Thus the real test for internal audit in this setting is not whether it is always right, but whether it feels broadly right. Those models of internal audit that claim, and are based on, internal audit being a science are, to me, wrong. Their over-reliance on risk universes, digital ‘right and wrong’ judgements, prescriptions for solutions as recommendations for management to reject at their peril, all feel wrong. The adding together of a complex web of ‘limited’, ‘weak’ etc. assurances in an ever more complex sausage machine of internal audit judgements, without recognising that such an approach would require a genuinely much greater and more complex mathematical machine than any internal audit service is ever given to resource, tries to impose a false sense of scientific comfort on artistic judgements. Similarly those internal auditors, driven by some artistic mystical judgement, ‘professional judgement’, feel wrong too. Simply saying the audit looks like this because of a hidden calculation in the head of the CAE is not enough. Reporting in long wordy narrative reports and making no attempt to categorise, organise and explain the world as found by the internal auditor is similarly lacking as an approach.
The world is somewhere in between. As an auditor I need to be clear about the question I am asking, why I am asking it, how my work is going to answer it, and have a framework and context to put that answer in when I get it. If you like, I think there should be an audit trail for each audit, at assignment and plan level. An audit trail for the auditor.
We often ask the management team to be able to justify and explain their actions, requiring this to be able to conclude that they are adequately managing risk. So, for me, internal audit should be able to have a risk-based framework to justify, as an audit trail, its work.
Yet this framework, as it is for management, is complex to build. It requires a priori, in-depth knowledge of the organisation. Yet this is deduced from the organisation. So as a CAE I need to understand the organisation in order to gather the knowledge to really direct the audit. As a CAE I do not believe I will ever get enough of this to provide a scientific prescription for audit, yet I feel the need to be able to at least have a model that understands and directs my work above artistic ‘judgement’ and has an in-depth, social understanding of the business. It is for this reason that I believe externally provided internal audit does, generally, struggle. They are either falsely scientific or, conversely, organisationally unaware, lacking the in-depth organisational understanding to provide a meaningful socially scientific basis for their work.
So can we really address this gap? Yes, I think we can. We can impose a framework, a social model, that makes sense of our complex, social, clients. We can have a ‘bottom up’ audit universe, combined with a strategic risk register ‘bottom down’, and a business process analysis ‘sideways in’, assurance and audit plan. We can add non-risk based features. We can provide a framework at risk levels that provides a framework for understanding and reporting on the social reality we find. These risk-based models take time and patience to build, including an attempt to map other sources of assurance as well.
This is all doable. If only our profession would all at least try. Then we can hold our heads high and justify our existence and resource allocations through a justifiable stream of work to try to build organisational risk capacity and understanding. Our audits would have a meaningful audit trail.