So I’ve come across a good blog post by Richard Chambers of the US IIA: https://iaonline.theiia.org/auditing-at-the-speed-of-risk. It’s worth a read because it puts to bed the idea of a static assurance plan. I think most CAEs only really value a static audit plan when it comes to two-dimensional quality assurance (where variance is seen as bad and chasing days of audit resource seems to be all important).
In the real world most CAEs already change plans. We need to, to make sense to a management team that is dealing with a constantly changing business environment. Anyway, who has an audit plan anyway? I would also have an assurance plan, for that is the currency we trade in; nobody wants an audit, they want assurance.
I do, however, have a significant problem with Richard’s blog post. The post argues internal auditors should be more responsive and move away from a static audit plan. I have found management teams I have dealt with, across my many career-long clients and across many industries, dealt with issues, not risks.
Internal audit, let’s be clear about it, should not be good at dealing with issues. Issues require a quick response, quick analysis and action. Well, first, internal audit is not able, under professional standards, to take executive actions. Second, we are trained to analyse, review, assess from afar and think in risk terms. In other words we are forward looking, trying to look at what needs to happen in the medium to long term. But the real problem is that we, as internal auditors, make great consultants; we have context-independent and context-dependent knowledge and have the ear of the top of the organisation and, hopefully, the respect to sort things out. Where I have got involved in these things the input has been welcomed. I believe internal audit has made a real difference. There is a risk, then, that the management team see internal audit as a troubleshooting, consultancy function, not an independent assurance function.
Clearly there is a balance between the two: the model of internal audit as an internal consultancy service, and as an independent assurance function. Now doing too much of either can create problems. Too much consultancy means too strong a focus on proximate risks and issues. Then internal audit is not providing assurance over risks, but sorting out today’s issues. If we as internal auditors get drawn into this position we should be pushing the risk management system to move the organisation onto a more risk management footing, i.e. shifting the balance of its organisational effort away from proximate issues and today’s risks, to look to the longer horizon.
The opposite, doing too much risk assurance, is the static assurance plan model: being too focused on the horizon. Here we as internal auditors seem too remote, irrelevant, unhelpful and esoteric. The risk in this model is that the board and the senior management team do not see internal audit as relevant, and as delivering items of value. That path leads to small, ‘strategic’ audit teams, with little resource and little relevance.
So I think there needs to be a balance. This should make sense with the organisational setting, so should vary between clients and industries. A good assessment of risk assurance maturity will enable a CAE to get a sense of whether the organisation’s balance between dealing with risks and issues is right.
So can internal audit help with issues – yes we’re perfect for it. Should we? Well yes, but in balance with risks. For ultimately humans and organisations are poor at managing risks, and love to focus on issues, so internal audit’s role as one of the few counter-weights to this natural centre of gravity is important.
I don’t buy the internal audit standards of not getting involved in management or the assurance of issues. Of course these are important; we should help to deal with issues and proximate risks, for this helps to make an argument for our relevance and our value and resources. So overall, I think Richard’s article is wrong; we should not audit at the pace of risks, for risks are slow. What we should do is balance the pace of issues compared to risks.
It would be really interesting benchmarking to see what pace, i.e. balance between issues and risks auditing, various audit functions do. Perhaps it could be the subject of research? So what’s your balance?