As I come to the end of another year, I have been reflecting a little. I have been particularly lucky in my career to have had some fantastic colleagues to work with. Many have been personally and professionally inspiring and, in turn, have brought the very best out in me (I hope). As my roles have grown larger in scope, complexity, mandate, and international reach, I have grown as a professional. That then brought me into contact with even more colleagues who were inspirational, and so the virtuous cycle of professional growth has continued.
As I have come into contact with a greater range of colleagues and partners, I have realised that internal audit, as a profession, risks missing the bigger picture of independent oversight. By independent oversight I mean oversight that is independent of management. Conceptualised this way one is suddenly much more aware of the great number of actors in this space. For example, on the assurance side of organisations, evaluations; inspections; financial statements audits; grant or contract audits; IT audits and specialist assurance; external inspection units; regulators etc. On the integrity side of things: ethics; ombudsperson; investigations; legal counsel etc.
When I was a young CAE, making internal audit excellent was the most important thing to me. Being independent was too, as I saw independence as the core differentiator for internal audit. As I’ve matured (I hope) as a professional and as a person, I’ve come to see a more complex world, where internal audit is only successful if it recognises that it is part of a wider system. And yes, I believe this does mean putting internal audit in its organisational context. You can think about this in three lines if that’s helpful, but at any rate, understanding what the client organisation’s management, governance and other stakeholders need and are trying to achieve, and putting the effort and energy of internal audit into that. In this post, however, I want to comment a little on internal audit in the context of the other independent oversight providers in the independent oversight system, rather than the broader organisational context, as that’s for another post.
So why do I see a need for IA to engage with other oversight providers? First, IA is generally small. Small in terms of resources and small relative to its client organisations. So, in order to magnify its impact, it makes sense to engage with other partners and parts of the organisation to share the heavy lifting of oversight. Second, IA is a very particular tool. It has its own distinct profession and distinct way of approaching problems. Depending on its formulation (and to some extent where the new IIA Standards end up) it can be a compliance tool, a thinking version of a compliance tool, a risk-based compliance tool, or an independent form of risk-based consultancy. These may not be the right tools for a particular oversight job, however. Assurance over a highly technical area may require a technical inspector, say for airlines or tech companies, or chemical companies. Or the organisational challenge might be one of general management or strategic choices, where consultancy or evaluation is needed. The challenge perhaps might be one where the organisation, or parts of it, are highly sensitive. A public, formal, published internal audit process may not be a helpful solution. One can see a range of organisational challenges which IA is simply not well-suited to.
How can IA go about being helpful to coordinate and get the most out of independent oversight then? Well, there are a bunch of practical steps that can be taken. A coordinated oversight plan, ideally online and in real time. This helps plan the work and avoid practical space and time overlaps. A coordinated recommendations / outcomes tracker. This helps to share and make clear messages from the oversight community. It helps management to respond and senior management to see how things are going. Coordination meetings. People will often say things which they will not write down. So provide a forum as a safe place to share half-developed thoughts and challenges amongst the oversight providers.
IA can go further, though. It can look at the system itself. Is it a system? Does it work coherently? Is the balance / resourcing of oversight right (i.e., right types of oversight applied to the right issues)? Are there overlaps / duplications? Or do those overlaps make sense? (I’m a great believer in a fuzzy logic oversight system by the way, so overlaps are fine with me.) Are the major issues of the day being tackled in the right way by oversight providers? Similarly, is there too much oversight ‘ambulance chasing’ and not enough focus on the boring, but important, long-term organisation-strengthening type of oversight work? IA can, and should, also have a legitimate role to comment on the system as a whole – it has the skills and abilities to assess the effectiveness of systems, so serving up an assessment of this, particularly to senior management, is a service IA is well-placed to provide.
So, at this time of new year’s resolutions, mine is that the internal audit profession lifts its eyes upwards and is less inwardly focused, instead taking a role to see oversight (both assurance and integrity) in systems terms. IA, when I was first a CAE, claimed the third line all for itself. I never thought that true then, and I don’t now. I do, however, see IA as having a critical role in the third (independent of management) line space to make sure oversight works to the benefit of its client organisations and their stakeholders.