In my last blog I said I was going to spend a little time on control frameworks. This is key to understanding how a risk-based internal audit should proceed, in my view. Colleagues of mine don’t like this term – ‘it’s too complex, technical and unintuitive’. All of that might be true, but I think it describes what I want to discuss well, so I am going to stick with it.
So, what do I mean by ‘control framework’? For me, a control framework is essentially who does what, where, why, in order to ensure the risks to the achievement of corporate objectives are ‘controlled’. Yes, I do equate control with risk mitigation. For in a risk based system, one that most organisations seek to apply, control mitigation and risk mitigation are one and the same thing.
I was once asked at interview what control framework I would seek to apply as a chief audit executive. This question rather stumped me, for the only control framework within an organisation is the one that management seeks to apply. I, as an independent CAE, would not apply any control framework – save the one I wanted to apply to my own audit and investigations function. It turned out that the ‘correct’ answer was COSO. COSO, in my view, is a framework for control frameworks, not a specific mandated set of actions designed for a particular organisation.
I do think, however, there is utility in setting out a typology of control frameworks. To my mind, and from experience, there are three broad types. First, those that apply compliance methods – for example rational, legal, financial or Kaizen control frameworks. Secondly, those that apply cultural controls, i.e. rely on people, personality and organisational behavioural norms to drive control. Thirdly, principles-based or risk-based control frameworks, where rules exist but are flexible in how they are applied – ‘freedom within a framework’. These control frameworks are not mutually exclusive and can be applied simultaneously within an organisation in many and complex permutations and distributions.
So why is this nomenclature important? I think it’s important because each type carries different fundamental assumptions about what ‘good’ looks like within the organisation. These assumptions matter. They matter because the auditor takes on a different role in each, the auditor needs to use different tools in each, and each framework is better or worse suited to a given kind of operational activity. As an example of the latter: if I were sitting in a plane ready to take off, would I want ABC Airways to be using a cultural control framework to achieve its flight safety objectives, i.e. to rely on the cultural norms of the pilots to ensure safety was achieved? I suspect that approach might work for a while, because a compliance framework has driven strong cultural and normative standards across the airline industry, but those norms would soon degrade and vary over time in a way that my personal risk appetite for flying would be unhappy with.
Let’s take compliance control frameworks. ‘Good’ in this framework is consistency between the rules and the activity actually deployed. The role of the auditor here, in my view, is to independently and objectively assess whether the control framework as designed makes sense to mitigate the risks to the achievement of objectives; to ensure the management team’s risk assessment and risk mitigation system is good enough to design rules well; to test whether it is being deployed in accordance with the rules; and finally to assess whether the management team has a system to ensure the rules in the control framework are followed. The internal auditor’s toolkit here is quite factual: review of documents, data, processes, data dashboards and so on. Internal audit reports become a discussion of objective, factual, data-based reality. There is a sense of right and wrong, and internal audit reports make recommendations to be followed. Internal audit has a police-like quality, and discussions quickly become win-lose discussions.
For cultural control frameworks there is a reliance on a common sense of experience, skills, values, morals and ethics among staff in the organisation. Through this common approach, values and ethics, the organisation’s risks are controlled. These control frameworks apply in the corporate world, and more so in mission- or mandate-led organisations. Internal auditors should not underestimate cultural controls – they are often very powerful in driving a set of behaviours and performance. Internal audit in this space should review the culture through interviews and a form of ethnography. Here internal audit becomes the outsider, though perhaps with some level of acceptance if the service is internal to the organisation. The role of the auditor is to look at the controls and drivers over culture – for example HR rules and practices, communications practices, the language used, and the stories and cultural totems of the organisation. It is also important to understand, and engage appropriately with, the organisational politics – this point is well made by Dr Rainer Lenz in his writing. In this control framework there is no right and wrong, except as mediated by the accepted culture. So internal audit’s role is to produce deliberative and qualitative reports with advice and suggestions on how to amend, edit or change culture.
Finally, principles-based control frameworks. Here, a set of core rules and principles is set out to provide freedom within a framework. This should allow a risk-based approach to control, i.e. defining which judgements are acceptable within a delegated framework of risk appetite as set, ultimately, by the governing body or board. Internal audit’s role here is, in part, a compliance exercise – i.e. what are the core rules or legal obligations that must be met? It is also, in part, a judgement exercise – i.e. is management’s approach to managing the risks to the corporate objectives within the scope of the review ‘reasonable’? I set out the audit role in reviewing the logic of the ‘risk equation’ in my last post, so I won’t repeat it here. Suffice to say, an internal auditor’s role is to focus on this equation and to report where it doesn’t make sense. Here internal audit reports provide advice and guidance, not diktats or demands on management. There is likely no right or wrong, just difficult choices, and internal audit reports take on a consulting and advisory tone.
Another key task of a risk-based internal auditor, therefore, is to understand which control framework, or mix of frameworks (often many are in play at once), is being used. This then drives the audit response or mix of responses.
I know this makes internal audit far more complex. It will demand much greater and higher-level skill sets than many internal auditors have now. Internal audit will drift further from financial compliance and closer towards consulting and management. I hope internal audit does drift further up the value chain. I hope this complexity will attract the very best talent. I hope it will drive internal audit to become more integral to most organisations and cement its place at the top of the organisation chart.
What control frameworks do you use and how do you respond to them?