Change of guard

Tags

assurance processes, control, external auditor, Fraud, Internal Audit, internal audit function, internal auditor, internal auditors, leadership, line of defence, management frameworks, public sector clients, Risk management

So this week I’ve said goodbye to my CEO boss, in this case a Permanent Secretary. This is not the first time in my career I’ve done this. Sometimes it has been planned and organised but most times, at this level, people suddenly leave, either to take on their next role or in some cases it has been a sudden departure for less clear reasons.  I have been lucky in my CAE career to work with people that I respect and that have all been ethical, moral, talented and capable (I can think of one exception).

Sir Mark, my latest, has been exemplary and I’m sad to no longer be working with him.

The CEO to CAE relationship is key to a successful audit function in my view. For without the trust, engagement and support of the CEO, internal audit is exponentially more difficult to make deliver. Not impossible, but much more difficult. For the tone at the top, as with so many organisational things, makes a difference to not just making things happen, but making change as a result of those things. Outputs can be achieved by an audit function on its own, outcomes require collaborative co-working with the client management team with the support of their leader.

I am grateful to Mark, as with some of the CEO equivalents I have worked with before, for taking me and internal audit seriously. Mark ensured that I reported to him, not just because he felt it was the right thing to do, not because he saw me as his elite police force or praetorian guard, but because he felt internal audit had a role in the organisation, was part of good governance, and was worthy of some of his highly valuable and limited time.

If we go to the International Standards from the IIA, standard 1110 states:

‘The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities.’

This is framed primarily as being about the CAE being senior enough to be independent, i.e. having a reporting line both outside of the management chain to the board and to the top of the management chain. It is also about status. For internal audit to be successful in getting senior managers to take it seriously, those senior managers that control resources, power, knowledge and access, then those senior managers must know that the work of internal audit is to be taken seriously by the board and CEO and the response to it will have an impact on their futures. That might be in terms of performance targets, performance assessments, future resource allocations (both positively to tackle risks identified and negatively, to divert resource from poor performing activities).

Sir Mark insisted I reported directly to him, which in the UK Government system (due to odd governance arrangements concerning dual accountability to parliament for resources) is both the CEO and one of the two ultimate governance functions of the department to the UK Parliament (the other being political accountability to Parliament). This was an important statement and one that I recognised when I first met Sir Mark in his office, then adjacent to Buckingham Palace in London.

If I reflect on other CEOs I have worked with, this was a strong statement of support. Not all CEOs recognise the importance of having dialogue with CAEs. This is crucial in my view, for a good CAE should have a breadth, and more importantly depth, of view of the organisation that few others in the management team will have. Also a good CAE should be independent and objective, so should have the courage, ability and perspective, to talk truth unto power. This should provide any CEO with a different perspective to those they normally hear. I’ve written about the dangers of management ‘groupthink’ before Group think the Kryptonite of Leadership – Internal Audit the antidote?

This relationship between CEO and CAE also has to be one of respect, and some level of parity, in that the CAE should not just be able to report to the CEO, but talk to them. Dialogue is important. What takes time is for any two CEOs and CAEs to get to a position; where the CAE is a trusted business advisor. This is difficult for anyone to achieve with a CEO. They are typically well experienced, very capable and confident individuals. If the selection process for them has gone well then I would expect them to be the most capable and confident. So everyone else will, to some extent, still be learning and developing compared to the CEO. If a CEO is truly capable, however, they will recognise their ability to listen is important and this should provide a CAE with a basis on which to provide some insights from their perspective and work.

The relationship also works the other way. It is easy for CAE to do what they want. To take independence to be a non listening position and see all different views as ‘wrong’. I know as a younger CAE I did not listen to my client organisations and CEOs as much as I should have done. For the CEO, if they’re good, should know and be able to guide their CAE about what the organisation can cope with and how it will deal with, and hear, messages from audit work better.

The CEO and CAE relationship is not about agreeing all of the time. A good CAE’s most crucial role is to disagree bravely at times. For it these moments that are the crucible for transformative step change to occur. A good CAE should know how to do that, however. When has a ‘red line’ been reached? When will an organisation benefit from a tough message, when will it retract and recoil from it?

The line between support and challenge is forged in a collaborative, guiding and supportive CEO to CAE relationship. The key is to stretch an organisation, but not to break it. This stretch can be quick with a ‘snap back’ management response to catch up, or it can be a thematic message that builds over time and stretches the gap between internal audit and management views, until the management response begins to catch up. In my experience, compliance and legal issues fit the former; risk management, value for money and governance challenges, fit the latter.

So will I miss my recent boss? Yes, hugely. Both personally and professionally. Do I hope my new boss ‘gets’ internal audit? Yes of course. I have high hopes though see: Do organisations only ‘get’ internal audit when they mature?

So when your guard next changes are you ready?

IPhone 6: when is more actually more?

Tags

Internal Audit, internal audit function, internal auditor, internal auditors

I’ve been travelling again and, upon my return, the iPhone 6 Plus I’d ordered was around, waiting and ready for me to collect.

Now we’ve all heard the bend gate stories, the difficulty for Applephiles like myself to accept a ‘phone needs to be bigger than the previous versions. I took the plunge because the way I’ve used my ‘phone has changed. I make fewer and fewer calls. It is primarily my immediate access to the internet, to data, to information, to email, to my blog, to my online life. I take photographs and record my life in it. It reminds me to do things, tells me when I have not done things. It is my diary and notepad, my records, my books, my music player and my store of information.

So, when i considered what I actually want my ‘phone to do and what I value it for, I was happy to reconceptualise it as a ‘phablet’. Once I’d made this leap, it felt less like a big ‘phone and more like a small but acceptable minicomputer.

So how does this link to internal audit? Well I think organisations, and the profession itself, needs to reconceptualise internal audit. Less as an independent police force enforcing the organisational (and actual) law. Less in adversarial terms, less in a pseudo-scientific conceptualisation of right and wrong.

So how should it be conceptualised? How can this be different? Is the internal audit paradigm moving on? If so, to what? Well I think internal audit is something more. It is not about laws, not about adversarial battle, but a form of independent internal consultancy. For a good internal audit is challenging of the management and leadership team, it is a genuinely difficult process, but not a negative one, a conversational, helpful, open, dialogue and debating one. For the answers to modern organisational problems are not easy to divine. If internal audit is risk based (and we are required to be) we should not be helpful to management to sort out the current problems (for those are issues), we should be moving the debate onto the future, the choices we make, the debates we need to have for tomorrow (risks).

So should an organisation want internal audit as conceptualised now? No. I think organisations need to reconceptualise internal audit as above in a different way, as an internal, thoughtful, organisational challenge and consultancy. We need, as a profession, to make this leap too. Sure, most internal audit functions struggle to deliver consultancy work, we go to great lengths to differentiate it from audit (falsely in my view). We are steeped in rules, in checking and verification, not creative thinking, challenging, debate and have a naturally destructive and negative outlook on life. This does not need to be the case. We have the context dependent knowledge and, when suitably trained, the context independent knowledge to make a damn good job of consultancy.

I am always surprised by others’ surprise, when the internal audit function comes up with an insight and is able to deliver a great piece of work. I think they have either experienced two-dimensional internal audit of the compliance kind, or have not really registered the level of business and organisational insight afforded to an internal audit function by default.

Yet, audit teams I have worked in, with, and led, have been strong in their ability to deliver a unique viewpoint and insight. This is one that is borne of being a trained auditor. It is an insight fairly unique to internal auditors and a viewpoint that takes training to come to. It is this I look for in senior auditors I work with. This is not to say the management viewpoint is less valid, far from it, more that it is different. If the two viewpoints were similar then a good internal audit function would soon run out of insights, viewpoints, and value to add. This is not the case in my experience.

The other lesson I wanted to draw from the iPhone 6 Plus is that, sometimes, bigger is better. I know long-time readers of this blog will say that this does not match my usual mantra of ‘less is more’, or ‘fewer is better’. I believe in generally higher quality and less in quantity. Sometimes, however, more is simply more. Like my iPhone 6 Plus screen that is excellent and bigger, internal audit in most organisations is just too small to provide enough coverage. Fewer days, even if risk based (and most risk based plans are really justifications for resource that is too small as the third line of defence), are just too few. Most businesses I have worked with and in are complex, and have an international  component to them. You simply cannot audit them without getting into the detail and really understanding the real risks down ‘in the weeds’. Clearly there is a balance, and perfect should not be the enemy of efficiency, but most internal audit functions simply never get into the detail of the businesses they audit.

So my two thoughts are first, that organisations and the profession’s stakeholders should not be disappointed in internal audit for not being like an historical conceptualisation of  what the profession used to be. There is no point in judging internal audit as a ‘telephone’, when it does far more than make calls. Second and similarly, the profession’s current remit and responsibilities will in many, if not most, cases require internal audit to be, simply, bigger. <1% (and in many cases much less than that) of organisational spend on assurance is just not tenable in the context of most organisations, when that 1% needs to deliver assurance over the 100%.

So like the ‘phone, due to our evolving needs, expectations and use of it, has evolved paradigmatically, so internal audit within organisations should and is. Let’s embrace this change and judge ourselves and be judged by our stakeholders as something newer, better, and more fitted to the modern organisations we work so hard to support.

Good enough?

Tags

Internal Audit, internal audit function, internal auditor, internal auditors

So I’ve been on a city break holiday in Europe. I had the pleasure of flying on a budget airline. Not the cheapest airline but certainly in the cheap category. You get the idea – cheap flights means basic service, basic food, a take-it-or-leave it approach to flying. Now don’t get me wrong, it was okay. Sufficient. Adequate. Good enough.

Now the core elements of a good flying experience were there. A clean plane, operated safely, with smart staff and some food available on board. Yet it fell short. It fell short of the more expensive airlines. Little things mattered in the experience: the food was basic with poor choice and not enough to service the whole plane; the luggage was a free-for-all as people had chosen not to put luggage in the hold; seat space was smaller with no extendible headrest; and the staff were just not able to really empathise with the experience of customers.

I wondered whether this was because the staff had never really experienced ‘good’? My holiday was in Paris. This is a classy city by any global standards. The place has good fashion, the good looking people, good food, wonderful architecture, and really knows how to retail! So if you are a company with staff who have never received competitors’ better service and good service in their personal or professional lives, are they able to really deliver it themselves? So CEOs can introduce rules like ‘smile at the customer’ or make sure all customers are offered a drink etc. People are not rules-based, so good customer service requires cultural change.

I think airlines are a bit like audit functions. Internal auditor’s customers only really receive one provider, like flying one airline all the time. So it is for auditors working in these functions. They do not really experience others’ versions of internal audit. That’s why, when a new head of audit is appointed, they change the function as a first port of call, because they refresh the perspective on the service and change it with that insight.

I am reminded of another example of this issue with an email from the Scottish regional IIA of the UK IIA, inviting me to attend a training programme on internal audit reporting. I think my service’s internal audit reports are great, modern, helpful, well-written and focused. Yet what if best practice is much better or much different? It is difficult to tell, being locked into the day-to-day business of delivery of an assurance service. What if my service is just ‘good enough’?

Well benchmarking helps, reading blogs and the work of others helps. I think the key thing is to have a good non executive chair of audit committee and management sponsor. I have been, and continue to be, lucky in my career to have the highest quality of people supporting me in these roles; really high quality individuals. These are able to really challenge and support the CAE in their role.

I would like to think that internal auditors, and CAE’s, as hopefully good practitioners of the profession, are able to be objective and independent enough to put themselves into their customers’ shoes, to get a sense of their perspective and make their audits better than ‘good enough’. I hope and trust that I manage this too.

So are you able to really empathise with those whom you work with? Are you able to know when good enough is not good enough?

Unconscious biases

Tags

Internal Audit, internal auditors

Is audit cultural? Is there a sense in which we, as auditors, both need to understand the cultures we’re auditing and also accept and understand that our auditing viewpoint is also culturally conceived? I’ve written about internal audit culture before: https://chiefauditexecutive.wordpress.com/2012/06/10/culture-club/

Taking internal audit culture first. I think that there are five elements of culture that are relevant. First the culture that is specific to internal audit and its training. A colleague of mine described internal audit as a mindset. A very specific mindset. They described being in a restaurant and instead of just accepting the meal and enjoying the place, they were ‘auditing’ the business – this could be better, this control is weak, this process is wrong etc. So I do think we as internal auditors do have a common culture.

I would like to the see internal auditing as a positive culture. One that looks for improvement, is challenging of the status quo, is thinking things can be better and we can come up with reasonable suggestions for improvement. There are downsides, however, perhaps an over attention to detail; a need to get things best, rather than just better; an overly strong focus on control rather than risk management; and a rather naive belief that people want to get things better and do the right thing (which is not always the case).

Then there is the second element. Do we as internal auditors have cultural elements to our approach borne of our geography or our business sector, or our own department? I suspect that we do. For example the British approach to internal audit appears to me to be more principles based than our US colleagues (yes I appreciate that is a huge generalisation) but it generally holds true in my experience. Also the UK approach is more about risk mitigation (holding risk related to risk appetite) rather than controls based as in the US. It is inconceivable, in my view, that a UK Government would ever introduce Sarbanes Oxley or anything so draconian and unreflexive in its approach. 

Then there is the third element – do we need to understand the cultures we’re auditing? Does it matter? I have argued in my previous blog post that we as internal auditors do (see https://chiefauditexecutive.wordpress.com/2013/09/21/do-we-need-to-understand-the-business/). Culture affects how organisations see the world and understand it. It allows organisations to not ‘see’ risks and problems, or ignore problems over a long period of time – the international banking community prior to 2008 perhaps? It also affects how organisations tackle problems. Some put in lots of guidance and controls, others take a more sanguine approach to risk management, still others do very little.

The fourth element is our own version of internal audit and the models we use to underpin our work. For example, I was asked to think more about the three lines of defence model in the last few weeks. I am not uncritical of it (see https://chiefauditexecutive.wordpress.com/2013/07/07/attacking-the-three-lines-of-defence-model/). In thinking about it, however, it struck me that some people saw it as a perfect and un-challengable objective truth. It struck me that in some geographies and organisations the three lines of defence is becoming almost religious and totemic in its use and application. For the record I think it has some uses but is a long way from an objective description of the objective truth. Yet irrespective of the model, it does fundamentally affect how organisations are advised and tackle risk management.

Another element is our internal audit methodologies and processes . As CAEs we impose our view and model of the internal audit world on our departments. We set and define the methodology. These methodologies do contain some element of our cultures, viewpoints of the world and perceptions. Thus, analogous to research, our world view, both epistemologically and ontologically, matters, at a fundamental level, to our work (see https://chiefauditexecutive.wordpress.com/2013/01/12/audit-epiphany/). Are we really able to exercise strong objectivity over our own perceptions of the world? Can we really know what it is that shapes our views, fundamentally, without us even recognising it? For like research, it is not that we are either right or wrong in our assumptions (perhaps right and wrong do not exist, merely different viewpoints), it is that we should try to be aware of these assumptions and acknowledge and be aware and critical of our work based upon them.

For as humans we naturally summarise, simplify and generalise in order to help us make sense of a complex, difficult world. We do this in business through models, through mathematics in formulae and social interactions through prejudice and classification. I attended a great training session the other week asking about ‘unconscious biases’, the discrimination we all apply, unthinkingly, in our day-to-day interactions at work and home. The key point is to work on awareness, how we can reduce our unknown prejudices. If you like reduce the unknown and unconscious element of our personal ‘johari windows’.  The trick is to get the balance between having a useful process to help us understand the world and being over-reliant on a single or limited view, that distorts, unhelpfully, the world.

So, what does this tell me as a CAE? I need to challenge myself more, get challenged more (by my team and management), and really think, when forming my professional opinions,  is there a cultural distortion here?

Party time?

The non executive nature of internal audit can be problematic. This vexes many of my professional colleagues as it seems to stop them doing all sorts of things: re-reviewing their own work; getting usefully involved in project assurance; debating how frequent should auditing be before it becomes ‘management assurance’ as opposed to audit; and most tellingly being confident enough to have an opinion on the business as non experts.

So if we are non executive and we are non experts what do we bring to the party? Well if we allow our own insecurities as a profession and as individuals show, very little. I trained with one of the big four accountancy firms. Despite having my first three years telling me what I could and should do and file structures and sampling methodologies pushed down my throat, I survived this to make it to manager. Now, suddenly I found the game changed, it was not about what you couldn’t do, but what could you do. Can you ‘get things done’. The reward was not for being ‘right’ and ‘technically accurate’ but for social skills, responding to clients’ needs and making stuff happen through others (your team) and bureaucracy (even the private sector has that). I then took up the opportunity after that to head up my own in-house audit service. I took this not for the pay or reward (definitely not!) but for the chance to establish my own modern vision of internal audit without constriction and rules. Thankfully I had the benefit of an excellent colleague who went on the intellectual and experimental journey with me. We both studied with the IIA (use the UK one it has an excellent set of qualifications).

Yet the profession as a whole is still stifled by a need for rules and guidance, not a sense of pragmatism, adventure and contingent, principles-based delivery. For here is the key lesson in my view. A good CAE should have confidence. Not arrogance, as we are a fellow and complimentary part of the organisation’s governance and management structure. Think about managers for a moment. They have no rules – management has no intellectual orthodoxy or must-do approaches. No prescriptive rules. No even principles based international standards. Yet managers everywhere are held firstly responsible for all of the things we audit. To succeed in management you need a can-do attitude. A sense of confidence and self-belief. Not qualifications or rules.

So for internal audit. We share manny of the resources as senior management have to address and tackle the management problems of the business. We have a broad remit; cross cut at a strategic, tactical and operational level; have access to the senior people and governors of the business; are able to say and write what we think; and are able to look at a wide set of skills and activities to address problems. Yet we have something more. Freedom from accountability for the results; a systematised and disciplined view of the world; a good understanding of finance and risk; a requirement to formalise our thinking within a reported format; a need to form opinions and step back from day to day activity.

This is what internal audit brings to the party. Management with an intellectual and rigorous structure. I come back to where I started. The key lesson I have learnt is to have confidence in myself and my profession. I have learnt time and time again that a good internal audit review will be prescient and meaningful. How many times have I predicted something will go wrong and, eventually, it has. This re-inforces my view that as generalist and inexperienced I feel at the start of each review, that managers are in exactly the same position. They may internalise the language, social totems and symbols of their work, but this gives them problems, not advantages, when solving an organisations’s problems. This baggage can be a barrier, not assistance to move forwards. Internal audit’s obsession with objectivity and independence is helpful and welcome, because it keeps us sharp.

So what stops internal auditors bringing this value to the party? Confidence. Have confidence in common sense. It is not common. It is the key thing internal audit brings. So go forth and take the confidence with you!

Opinions – how do you form yours?

I’ve always been a fan of diversity and equality. I am particularly so in an audit context. Why? Well audit is fundamentally about forming an opinion. The more diverse the people forming the opinion (by age, background, experience, qualifications etc) the stronger the opinion is.

The opinion is of course the accountability of me as the CAE. The opinion is, in reality however, formed by the whole team. At an assignment level it is formed not just by the in charge auditor, but also those who support them in their work and those who review the file. In my view, the more views of the opinion, the more robust it is, the opinion is ‘tri-angulated’.

Now, as a CAE, I feel the weight of forming the opinion particularly. This is because I am the one who sits in the audit committee and presents the opinion. Thus what if the auditor’s opinion is not persuasive or I can’t support it? Well, simply, I have changed it, or I have asked for further work to persuade me of the auditor’s view. I do, however, find this rare. Whilst I may have different emphasis to auditors over opinions I have often used my strategic and cross-cutting view to argue back to the auditor why my view is correct.

Now this process can sometimes bruise the auditor, they feel that their work has been rejected or that their opinion is not valued. Far from it though in my view. It comes back to the epistemological and ontological assumptions I mentioned a few posts ago. In other words I see audit in a realist social science setting. Thus there is, in my view, objective knowledge, but that this knowledge can be seen differently by different people. It is perfectly legitimate, therefore, for different people to have different views of the same ‘facts’.

How can I as a CAE, over-stamp an auditor’s opinion then? First I would seek to ensure that the auditor had triangulated the opinion against appropriate and sufficient numbers of others to ensure it bore scrutiny. Second I would seek to ensure that the expression of the opinion was consistent with the audit department’s stated reporting methodology and risk-based calibration. Third I would seek to ensure that I triangulated the opinion against my own knowledge and experience, which as a CAE would include strategic organisational awareness and knowledge.

The CAE is then primus inter pares in terms of their opinion. Indeed I think this is so in all matters for a CAE within an audit department. Opinions – how do you form yours?

Taking a step back – the vantage point of internal audit?

As an internal auditor I spend a reasonable amount of time learning something new. In fact a majority of my time. Whether it is about how human tissue should be controlled (for research purposes) or how carbon’s reduction should be measured and reported, or what is the best configuration for school teachers’ CPD programmes? The factor I’ve found most useful for this is to take a step back. Ignore the detailed rules, the day-to-day ‘noise’ over how something is managed and delivered, but to focus more on why is it done? What  is the purpose of this activity.

This is a relatively new approach for internal audit which has always historically focused on means rather than ends. Often though the means can be more effectively assessed for usefulness, effectiveness, efficiency and often just how sensible they are, when you take a step back. I think this approach is one that internal audit is uniquely placed to do. It has the time and remit to think through a particular challenge and is free from the day-to-day grind of doing the activity. It also has a long-term risk (rather than issue) focus.

So let’s take some examples of this in practice. I was shopping for my Christmas presents and I thought I wanted a Nike+ compatible IPod for my music. I had settled on the IPod Nano. This was small, square, had a clip to attach it to your gym clothes whilst running. Great. So imagine my dismay when I saw the ‘new and improved’ IPod Nano. Yes it is small and slim and I guess more technically capable but it’s lost its purpose. Clearly a small IPod is designed for times when having a larger device is unhelpful, like the gym. I do not want to purchase a special strap to use one at the gym. Similarly I don’t want to want video on a tiny screen. I can do that on my IPhone or IPad when on the move, or on my computer when not. Clearly someone at Apple has not taken a step back on this.

Another example. Taxation legislation in the UK and the row over the small levels of UK taxation paid by some large corporations. Clearly the purpose of transfer pricing taxation legislation is to ensure that the right level of taxation on profits earned in the UK is paid. Clearly the details of the rules matter much less than the spirit of them. Even UK Starbucks seem to agree. So why then has this approach not been applied?

As state-provided services and service providers face financial cuts, so mere efficiencies and short term changes are not going to yield the change required. Thus organisations need to re-think how they do things. The key point is think. I have recently had the pleasure to work with an organisation that links academics to public sector bodies. This is so much needed in so many businesses. Why is this new though?

Lest you think private sector business is any better at this, look at those businesses that need to take a step back and re-think. An example is HMV. My prediction is for a January closure of this business. It’s business model no longer exists and it has not adjusted. Another would be WHSmith. What is it for (except at airports and train stations)?

Let’s take the third sector, universities. What are they for? Well taking a step back I would say universities are there to discover and create knowledge and to then disseminate it, possibly via teaching but also other methods. Yet the UK and also internationally has got itself stuck into a consumerist understanding of education as a private benefit to rational individuals selecting in a market. This model makes no sense, because knowledge is not created to a market order. Second because knowledge is a public good, not a private benefit. Now if study of students is private benefit, why then have universities as charities and why publicly fund them? Why not just fund research institutions? Well because the process of study means that students move from receiving disseminated knowledge to  creating it. In others words it is not easy to disaggregate and separate the UG learner from the PG researcher. Most research universities cross fund research from teaching monies in any case. So here the legislative framework in the UK and other countries seems to misunderstand the overall point and substance of what universities do.

So what is my underlying point? Well I think all businesses need an independent think tank that is not just ideas based, but is linked to and understands the underlying capacity, capabilities and abilities of the organisation. It needs to be both thoughtful and practical. It needs to be detached enough to ask the questions back to the fundamental, why? When I trained as an accountant we learned the phrase substance over form. That is when the rules and paperwork gets too much, step back and go back to what is really going on. I think internal auditors are the people to do this for organisations, private, public or in-between. What do you think?

Negative auditors

It has struck me, reflecting on my training and development this year, that our profession, internal audit, is still very immature. It struck me for two reasons. First, that the profession still has a long way to go to establish itself within its host organisations and on the professional scene. Second, that it has a long way to go before it has established its intellectual core which is internally consistent.

Let’s take the second first, establishment of an intellectual core. This sounds a little pretentious, but what I mean by this is that the core of ideas that represent the core of ‘internal audit’ are still only rough formed. What I noticed about internal audit from my training courses was that the ideas expressed seemed so 1990s. I think the internal audit profession seems to obsess and spend all of its time defining itself negatively as the anti-thesis of management. We are not management, not executives, not responsible for detecting fraud, not responsible for identifying all control weaknesses etc. Internal must not do this, that, the other. Why can’t our profession talk about itself positively? What we can do. Why should we not try to detect all fraud and provide more than reasonable assurance? We expect that of our management colleagues? In fact the task and challenge faced by internal audit is exactly that faced by senior management; to analyse, understand and identify actions to address uncertainty and risk, in line with corporate objectives. We just do it from a non-executive position (third line of defence if you prefer).

This takes me to the first point, the lack of establishment amongst professional colleagues. A profession is only relevant and needed if it has a USP (unique selling point), if it makes  contribution that no other profession does. Finance and accounting established itself in the 19th century with the advent of the modern corporate world. The legal profession (arguably the world’s second oldest profession) many centuries before, as rational-legal authority is established. More examples, engineers in the 19th century, when construction and industrialisation established themselves. Marketers in the early 20th century, when the mass market established itself. Even personnel and HR, in the late 20th century as capital intensive businesses moved to being driven by human capital.

Yet internal audit seems, instead of defining its value and use to others, as the world becomes more complex, uncertain and risky, to get wrapped up in what it cannot and should not do. Yes internal audit’s value proposition is unique, its independence and risk-based strategic overview. Thus internal audit should in my view be focused on selling what it can do. This should be enough to establish itself as a profession. Internal audit can focus on the longer term risk horizon;  to do the heavy lifting on tackling long term uncertainty without the day to day pressure and group think that managers face; to identify and articulate the issues that those within the management fear that they cannot for fear of sanction; to be in a position to oversee and ensure good organisational governance.

I think internal audit has a lot going for it, but by defining itself as not being anything else, it loses its chance to define itself positively. Is it possible that we could look to internal auditing standards being about performance rather than conformance? Just a thought.

Ethnographic auditors?

It is interesting how, when working on different things, ideas and thoughts collide. In this case my research and my professional work.

Internal audit independence and objectivity are two areas that are of constant  interest to me. As the Institute of Internal Auditors (IIA) defines them: ‘independence = independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.’ ‘Objectivity = Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.’

In research I have been looking at a social science research methodology called ethnography. Ethnography is a type of research, derived from anthropology, where the researcher describes a culture through being immersed in it. It emerged from living with social groups to understand their societies. The researcher describes the culture of the organisation or society through understanding the viewpoint of the researched people, yet remains independent of it. The research method is designed to understand events, practices and other phenomena in the context of the culture and practices of the individuals within them. In particular it is the meaning ascribed to the those phenomena by those involved. In effect ethnography is the ‘systematic description of the single contemporary culture often through fieldwork’. The interesting element of this research methodology is the reflexive nature of the research write up, that is the person writing about the research can recognise the social and cultural forces at work shaping the individual.

So it struck me that being an internal auditor is much like being an ethnographic researcher; part of group yet detached from it. Able to look systematically and holistically at the organisations, its phenomena, and culture and to challenge and write up about it. It is the auditor’s ‘agency’; that is freedom to act independent of the structure and organisations in which they work, that is important to enable this. A good ethnography recognises phenomena and the meaning given to them by the organisation.

This tension between being close enough to understand the cultural and organisational meaning of events, yet detached from it with enough agency to both see and act independently of those structures, is the unique property of internal audit. I like to simplify this statement into close enough to understand, yet far enough to challenge that understanding.

Perhaps a good internal auditor is not unbiased. Perhaps a good internal auditor is just as connected to the organisational and societal structures as any other member of the organisation, just as biased. Surely the key point is the auditor’s ability to recognise this, step outside of it, and then to analyse, write and report reflexively. The internal auditor’s key ability is therefore to have social agency.

This all confirms my view that independence is in fact a state of mind, not a state of condition. We are all bound to society, structures, culture, current viewpoints. The auditor is able to recognise and see this though. Do you have agency?

Consultancy or imposition?

Here’s a view I heard the other day. That consultants and consultancy is a misnomer. Why? Because consultants do not ‘consult’ they impose. Consultants and consultancy firms are in fact impositioners and imposing firms. Interesting, as all pictures of consultants show smiley co-operation and listening people or shaking hands. Does this view stand up though? This particularly interests me as the older and more glamorous brother of internal is said to be consultancy. Let us not forget also our claim to be a consultancy activity.

Well one of the great myths is that someone independent of the organisation, and by that we mean outside of it, must necessarily have better and clearer answers than the specialists and experienced people inside the organisation. I am sure that the logic goes that the organisation has a problem, therefore the people inside it are not able to solve it. This would probably be because they are incompetent, lack experience, or are in some way less good than the people outside of the organisation. Well I am not so sure that analysis stands up. Sure, sometimes that is the case. Oftentimes the issue can be genuinely difficult to solve and deal with. The blockage to the solution’s implementation is rarely one of a lack of ability or understanding in my experience. More likely than not resources, politics, individuals, culture or other things block it.

The second myth in my view is that consultants listen, consider a problem, and then design a bespoke solution. While this is sometimes the case, consultants are bringers of experience, but are often bound by it. they are not necessarily programme to listen in the same way auditors are.  Their context dependent knowledge may be dependent on a completely different or inappropriate context. Or worse, they are tied to a particular solution, software or scheme that they then sell. This latter element is particularly questionable. Let’s stick with considering consultancy as a thinking activity. Do the consultants really think in the client’s context? Some do, not all though. Some of this is confidence. An internal auditor is normally acutely aware that they are not the expert and can use this effectively to listen to the management ‘expert’. Consultants are normally supremely confident ‘experts’. This limits their capacity to listen, reflect and adapt their thinking.

The world and organisations are complex. They take time to learn. The soft, unwritten, unstructured, elements of the organisation are difficult. Sometimes it is helpful to have a view independent of this. But a view that is just not cognisant of it? So lifting and shifting an intellectual answer to a problem may simply not work. That’s where consultants really struggle. Diagnosis is easy. Treatment back to health is somewhat more challenging and difficult.

So if context independent knowledge (theory) needs to be combined with context dependent knowledge (experience of the area being reviewed) and context dependent knowledge of the organisation being treated (e.g. in depth client knowledge) is  a consultant the right answer? Well I think consultants can combine all three elements and can do it effectively, but it is not often done in my experience. Perhaps we as internal auditors need to get the three elements right to be consultants ourselves. We have the context dependent knowledge of the organisation (probably more than many within the organisation because of our unique overview position). We have context dependent knowledge from our current and previous clients. Do we have the context independent knowledge. Not in all cases. This is where good training and development programmes come in.  This is where external consultants with specialist knowledge will be useful. Why not link them with the audit team to get the real value. Focus them on thinking and using their specialist knowledge rather than learning about the organisation and not understanding the context into which they will deliver their ‘solutions’.

Internal auditors are true consultants in my view. We as auditors have to consult with our clients because we are there all year around. We cannot fly in and then out. We must live with the consequences of our work and track record. Perhaps if more organisations listened to the consultants on the doorstep and developed their own staff they could avoid the ‘imposers’ altogether?