So in this post I want to consider the work of Tim Leech from Risk Oversight Solutions. He is critical of internal audit’s paradigm paralysis, see Risk Oversight Solutions critique. I have to say I do think there is at least some truth in his view, but disagree its paradigmatic.
In this blog I have been critical of internal audit’s adherence to working in a way that means that, in many organisations sees internal audit marginalised and ignored. It’s something to do with the paranoia that internal audit has of there being one right answer to how internal audit is done. Most CAEs I know have a strong, almost religious, quality to how they see the work being done. These religions have their own practices and cultural totems and mean that CAEs find it difficult to accept differences of style and structure.
So what’s Tim’s critique?
First that enterprise risk management (ERM) is a flawed concept as practiced by most organisations. I think I would agree, not because the process of being clear on objectives, writing down risks, and then considering their mitigation is inherently wrong or unhelpful, but that it becomes an exercise to be done, rather than lived. Most organisations define control outside of risk management, i.e. good control is not the adequate mitigation of risks to be within a desired or target appetite, but is something detached. In other words, risk does not relate to the real management. So I think Tim’s criticism of this is valid. He makes a leap, in my view, that, by implication, if internal audit is then hitching itself to this faulty waggon, then it, by implication, is problematic. Tim’s suggestion is objective-centric registers. I agree, but this is a risk management in practice point, not a theoretical point, as risks derive from objectives.
He then suggests internal audit provides and annual opinion on the data prepared by the management team on these residual risks. Well I agree, and those internal audit functions that opinion on ‘control’ as distinct from the quality of the mitigation of risks are missing a trick. This is not, though, a problem within internal audit per se or its standards. A risk based (properly risk based) audit approach is compliant with the standards. Perhaps the issue he is flagging is that a non risk based approach is also perfectly possible within the IIA Standards, and I agree that is problematic.
He then talks about the paradigm of internal audit being about starting with an audit universe (dividing the organisation into pieces) and then auditing them. He is critical not of the direct report or attestation on a management assertion point, but of the link of those plans to risk. Here I think Tim is critical of internal audit practice, not the paradigm. I’ve said on this blog before Roots or routes of strategic audit, it’s difficult for anyone to audit strategic risks and they need to be broken down. As risk management changes constantly and is a web of control, not a conscious simple framework, is it any wonder that any break down of this into meaningful chunks is difficult? I don’t hold that this is paradigmatic issue per se, but is one of effective practice. I am not a great fan of audit universes Audit planning: helpful or not? Universal success? but the idea of breaking something down and trying to focus with limited resources in each period, seems sensible to me.
So the critique by Tim seems to be that internal audit does seem to focus on the net risks flowing from key strategic and value creating objectives. Well this critique may be true, but this equally applies to management teams who do not always focus on the things that matter either. Again this is complex. Who would have thought that the biggest threat to value creation in Volkswagen would be the emissions testing department? So I do think the issue is not paradigmatic, but one of the quality of application.
The core criticism seems to be that internal audits are limited when they form subjective opinions on the adequacy of controls are effective or not. The whole point of internal audit in my view is the formation of an independent opinion. It is its independence and objectivity that is its unique contribution to the organisational eco-system. If that opinion is a risk based one, i.e. forms a view whether risks are as the management team has assessed them, are mitigated to within the organisation’s risk appetite set by the board and mediated through the management team, and that the consciousness within which they have been developed is mature, then I think that is valid.
These are implementation challenges, not paradigmatic ones. I think internal audit is more needed and more valid now than ever. The globalised world is full of complexity and mature, large-scale organisations that need meaningful challenge and independent support. Surely we, internal audit, are well placed to do that? I don’t deny the challenge of relevance, quality, the non-risk based nature of some audit services etc. but these are not paradigmatic issues, nor ones the current standards mandate.
What do you think – internal audit – blackberry or pillar of good governance?