I am an avid consumer of news. The global news is depressing and sad at present; nevertheless I think an understanding of the currents and flows of global events is helpful context for life. So I engage, whilst at the gym, and with a reputable source, the BBC.
This story struck me in particular: https://www.bbc.com/news/world-asia-68738694 It’s a post-event analysis of why the recent Taiwan earthquake did not cause so much damage, in contrast to the devastating earthquake in Turkiye or even the last Taiwanese earthquake of 25 years ago. The article patiently and consistently narrates how a series of coherent actions in relation to planning and building codes, backed up with consistent oversight and enforcement, together with training of the population, building of sensors and establishing disaster response protocols, mitigated the impact of this quake.
In a world where creating deep and lasting change seems hopeless and impossible, it is a good and practical lesson in how this can, and should, be done. I consider the same is true within any organisation of significant complexity or size. There is a need to take time to analyse the problem, set out some principles within which action can be organised, then develop a plan of consistent and coherent actions, deployed over time, to enable success. This for me is what a control framework is.
The internal audit profession, where it sees controls in either process, legal, or transactional terms, is only engaging with half of the point. Sure, a rules-based approach is possible. McDonald’s, most airlines and military organisations show it can be done. Most organisations, however, lack the resources, time, capability and need to enforce such a level of command and control. Most organisations rely on a mix of rules, legal controls, processes and cultural controls. Auditors must understand the latter in particular, for culture eats all other controls for breakfast. If the centre of cultural gravity of an organisation is towards X, then it is highly unlikely that anything other than being rigid in setting, overseeing and enforcing those controls, over an extended period of time, will make any difference.
So for me, I think a control framework is a complex web of activities, actions and processes that requires consistency and application over a period of time. That is not something we, especially in an internet world of immediacy and gratification, are willing to hear. In other words, good control to achieve a difficult or complex objective is likely a marathon, not a sprint.
Of course, there are things that can speed up change and enhance control. Prioritisation is one – focusing on an overall goal and making it visible and clear to everyone in the organisation. Being proactive and thoughtful about the cultural aspects of control – those that reinforce and those that detract from the goal at hand. Good oversight – ideally by management themselves, but supplemented by good third line oversight. Also a strong commitment to enforce those actions, especially when the actions or overall plan of work becomes tough, for example where money is limited, or the strategic horizon for the organisation is challenging. I recall when I first worked for a professional services firm, it had a strongly traditional, male-dominated and toxic culture. This did not change through rules or training or internal communication. It changed when the organisation was brave enough to sack senior staff for not being more humane, diverse and modern in their approach to work. This sent a cultural signal that no amount of all-staff emails could replicate. I am glad to report that I see professional services firms now, and corporates more generally, as beacons of diversity and commitment to humane workplaces. They benefit now from ‘seeing’ the many employees they never knew before and never attracted in great numbers previously.
So what’s my point here? My point is that a control framework is a marathon, not a sprint. Big change takes time and, like the amazing results in Taiwan, is well worth the effort and energy expended. So next time you are doing an audit, audit longitudinally, not just at a point in time. Let me know how you get on!
I’d like to build on my last blog post about systems and systems thinking. It’s clear that building and maintaining systems is hard work. As auditors we can see when our clients run out of energy and will to maintain and deliver systemic responses to risks or challenges. Often you see this in organisations that are large, bureaucratic and long-established, but I think it can happen in any organisation. It’s a sense that to oversee and enforce policies and standards is just too difficult or requires too much effort. As internal auditors I think it is our role to point out, push back and energise our clients against such complacency.
A good example is safety standards. I imagine that following some of the very detailed requirements for operating an aircraft can become tedious. It’s that sense that this is bureaucratic. Keeping the exit row clear, making sure tray tables are up when taking off and landing, etc. They don’t feel necessary when things are going well. Yet they are essential when trying to empty a plane at pace when it catches fire, as in the recent example in the news at Tokyo airport. It’s the same for financial and procurement controls, though of course the circumstances are different. It’s the same for food safety standards in restaurants. Perhaps it doesn’t matter if an employee doesn’t wash their hands once, or food is not thrown out according to clear in-date rules a few times. Over time, however, the risk increases, and the one certainty about a risk is that, unmanaged, it eventually becomes an issue.
Just as systems can be effectively deployed to ensure things happen, they can be deployed to ensure things don’t happen. Think about fraud or misconduct prevention. We have the now very public and celebrated example in the UK of the Post Office’s failed roll-out of its accounting IT system, Horizon. If you had asked me as an oversight professional how likely it was that vast numbers of staff, systems, data controls, oversight and governance would have allowed, for such a long period and to such a scale, the scandal that evolved, I would have said unlikely. Yet it happened. That scale of collusion seems almost incredible.
This, for me, makes the point that frameworks of control (which are systems) in fact embody very different types of controls. They comprise rational / legal / compliance controls. They comprise risk based, principles-based controls. Most crucially, however, they embody cultural controls. Culture eats not just strategy for breakfast, but also other types of control systems. For, if the culture is to turn a blind eye, or to ignore certain types of risks, or to allow certain types of behaviours, then no amount of training, advice, risk management, governance, will push that inclination back.
I have never worked at the UK Post Office, nor have I undertaken a detailed analysis of the Post Office in this tragic case. It seems to me, however, that culture played a key part in this. A while ago it was fashionable in internal audit circles to look at culture, I think largely on the back of the financial crash of 2008. Perhaps we, as the internal audit profession, should reconsider bringing this back into vogue. Understanding control frameworks from a perspective of culture and cultural controls, as well as risk / principles-based and rational / legal controls, should be embedded into our work as a matter of course. If I were an executive manager of a department of an organisation, hearing an independent view of controls and culture would be very important. It would be even nicer to hear it in the normal course of ongoing oversight work, rather than as a lessons-learned report on the back of some corporate failure.
Yet, this requires internal audit to be braver. Courage is one of the new elements of the revised IIA Standards for 2025 (the subject of my next post). It requires internal audit to own the space of subjectivity and opinion forming. It requires internal audit to own its independence. It requires individual internal auditors and internal audit leaders to step into this space more and to be courageous. In some cases it will require tenacity to get to the bottom of something and not let initial signs and indications of problems go. In the case of the UK Post Office, I wonder if a brave CAE, being courageous, could have literally saved lives.
Without pre-empting my remarks in my next blog post about the revised IIA Standards too much, I think the new Standards are a big step forward and have some really good things to place the profession in a good space. We can debate whether making internal audit a creature of the board is necessarily realistic or smart, but the inclusion, overtly, of courage is a very clever step.
So my conclusion from this post is that courage, and cultural review, are essential to good internal audit. Saying things ‘as they are’, rather than how people would like them to be, or how they would like them to be presented, is crucially important. Standard 1.1 requires professional courage – are you ready for this?
As I come to the end of another year I have been reflecting a little. I have been particularly lucky in my career to have had some fantastic colleagues to work with. Many have been personally and professionally inspiring and, in turn, have brought the very best out in me (I hope). As my roles have grown larger in scope, complexity, mandate and international reach, I have grown as a professional. That then brought me into contact with even more colleagues who were inspirational, and so the virtuous cycle of professional growth has continued.
As I have come into contact with a greater range of colleagues and partners, I have realised that internal audit, as a profession, risks missing the bigger picture of independent oversight. By independent oversight I mean oversight that is independent of management. Conceptualised this way one is suddenly much more aware of the great number of actors in this space. For example, on the assurance side of organisations, evaluations; inspections; financial statements audits; grant or contract audits; IT audits and specialist assurance; external inspection units; regulators etc. On the integrity side of things: ethics; ombudsperson; investigations; legal counsel etc.
When I was a young CAE, making internal audit excellent was the most important thing to me. Being independent was also important, as I saw independence as the core differentiator for internal audit. As I’ve matured (I hope) as a professional and as a person, I’ve come to see a more complex world, where internal audit is only successful if it recognises that it is part of a wider system. And yes, I believe this does mean putting internal audit in its organisational context. You can think about this in three lines if that’s helpful, but at any rate it means understanding what the client organisation’s management, governance and other stakeholders need and are trying to achieve, and putting the effort and energy of internal audit into that. In this post, however, I want to comment a little on internal audit in the context of the other independent oversight providers in the independent oversight system, rather than the broader organisational context, as that’s for another post.
So why do I see a need for IA to engage with other oversight providers? First, IA is generally small. Small in terms of resources and small relative to its client organisations. So, in order to magnify its impact, it makes sense to engage with other partners and parts of the organisation to share the heavy lifting of oversight. Second, IA is a very particular tool. It has its own distinct profession and distinct way of approaching problems. Depending on its formulation (and to some extent where the new IIA Standards end up) it can be a compliance tool, a thinking version of a compliance tool, a risk-based compliance tool, or an independent form of risk-based consultancy. These may not be the right tools for a particular oversight job, however. Assurance over a highly technical area may require a technical inspector, say for airlines, tech companies or chemical companies. Or the organisational challenge might be one of general management or strategic choices, where consultancy or evaluation is needed. The challenge might be one where the organisation, or parts of it, are highly sensitive, and a public, formal, published internal audit process may not be a helpful solution. One can see a range of organisational challenges to which IA is simply not well suited.
How can IA go about being helpful to coordinate and get the most out of independent oversight then? Well, there are a bunch of practical steps that can be taken. A coordinated oversight plan, ideally online and in real time. This helps plan the work and avoid practical space and time overlaps. A coordinated recommendations / outcomes tracker. This helps to share and make clear messages from the oversight community. It helps management to respond and senior management to see how things are going. Coordination meetings. People will often say things which they will not write down. So provide a forum as a safe place to share half developed thoughts and challenges amongst the oversight providers.
IA can go further though. It can look at the system itself. Is it a system? Does it work coherently? Is the balance / resourcing of oversight right (i.e., the right types of oversight applied to the right issues)? Are there overlaps / duplications? Or are those overlaps sensible? (I’m a great believer in a fuzzy-logic oversight system, by the way, so overlaps are fine with me.) Are the major issues of the day being tackled in the right way by oversight providers? Similarly, is there too much oversight ‘ambulance chasing’ and not enough focus on the boring, but important, long-term organisation-strengthening type of oversight work? IA can, and should, also have a legitimate role in commenting on the system as a whole – it has the skills and abilities to assess the effectiveness of systems, so serving up an assessment of this to senior management in particular is a service IA is well placed to provide.
So, at this time of new year’s resolutions, mine is that the internal audit profession lifts its eyes upwards and is less inwardly focused, instead taking a role to see oversight (both assurance and integrity) in systems terms. IA, when I was first a CAE, claimed the third line all for itself. I never thought that true then, and I don’t now. I do, however, see IA as having a critical role in the third (independent of management) line space to make sure oversight works to the benefit of its client organisations and their stakeholders.
The IIA’s exposure draft of their new global standards for internal audit is out. It’s traditionally not the most exciting date in my calendar, despite being an internal auditor, because the change between drafts, certainly in the last 20 years, has been so slight.
I think this might be a little more of a step forward though. Overall, it does feel like an attempt to write in plain English. Gone are the performance and attribute standards, in are the principles and standards. I like that the Standards for the principles (setting the more detailed attributes) are clearer and are more supported by practical preferred practices and suggestions for how to evidence conformance. The new domains for the Standards make sense too, covering the key things I would be looking for as an internal auditor or stakeholder of internal audit. I even like the glossary – previously left floating around and implied as being part of the Standards – now much clearer as a point of reference for the Standards’ implementation.
So let’s start with the glossary. A number of interesting points struck me here. Words matter – otherwise internal audit would be somewhat dead in the water.
So ‘assurance’ is now much more clearly stated as providing assurance in reference to something defined. This aligns with other auditing standards and limits assurance to attesting to some defined state or intended state. The need for defined criteria moves internal audit’s assurance role away from consulting – i.e. it cannot just be an opinion of the internal auditor, it must be an assurance opinion in relation to defined criteria. It does not, however, specify in a constrictive way what those criteria should be. So this should give risk-based internal auditors lots of space to establish various management-owned or management-set criteria, or if necessary to induce criteria from management and operational context. For me, this is tight enough to give meaning to assurance, without limiting or condemning internal audit to a compliance, management rules, box-ticking space.
Conflict of interest is less well handled. I am not sure a conflict of interest is something that appears to be a conflict of interest. Surely the clue is in the language – a conflict of interest is a conflict of interest, but there are often perceptions of conflict of interest, and of course these matter as well. They are not, just because they might be perceived to be, conflicts of interest per se. I think the IIA should review this a little more carefully and disentangle the language here.
I’m happy to see control defined, not in compliance terms, but in risk management terms. I’ve long equated control to mean risk mitigation to a target risk (or appetite or tolerance) but to see it clearly spelled out here is good.
External service provider. This interestingly puts internal audit firmly internal to the organisation. I know lots of clients and sectors who have an external provider, but this definitely suggests they are supplemental to an in-house internal audit service. Perhaps this is one for a future blog post? Note – the term ‘outsourcing’ in the glossary seems to conflict here, with a clear view that one could legitimately outsource the whole IA function.
The definition of governance has a major fail in my view. Putting management as a role of governance is inaccurate. In fact it takes most organisations a huge amount of effort to stop governance bodies from managing the organisation. I would rather see governance defined as ‘direction and control’ of the organisation towards its objectives. I can see what is meant by management in the definition, but the language is unhelpful here. The IIA should consider reviewing this further. Note this equating of governance with management comes up in other parts of the glossary – so it should be carefully checked throughout.
The definition of internal auditing is fine as far as it goes. It seems rather to describe what IA does and how it might be useful, rather than situating internal audit within the organisational ecosystem in a clearer place vis-a-vis other professions and functions. The three lines model could have been useful here, with an independent, but internal, space which IA occupies. It also suggests a sense of IA being a nice-to-have and being optional. I think for any organisation or activity that has reached any degree of complexity or significance, or one which has stakeholders external to the organisation, internal audit should be mandatory. This could have been defined here perhaps?
The definition of risk management also seems to me to get a little confused. Whilst the risk terminology is generally well handled in the exposure draft, the introduction of the concept of ‘reasonable assurance’ over the achievement of objectives seems to me to be challenging. If risk appetite is set high, it might be that the non-achievement of objectives, or the unlikely achievement of objectives, is fine from an organisational and risk management perspective. The purpose of a flexible risk appetite is to enable organisations to accept failure as a normal part of business as usual (of course not at a macro or organisation-wide level). Perhaps this definition could be tweaked to provide reasonable assurance of the achievement of a target (net or residual) risk level?
On the purpose statement – it does not really state a purpose. It defines the activities of internal audit and sets out how this might be helpful. This is a missed opportunity to situate internal audit within the organisational ecosystem, as for finance, HR, marketing, IT etc., and is all the more important given it is a bridge between management and the governance structures of an organisation. The three lines model would be a good start here. This is the big-ticket item for the IIA to tackle in response to this consultation.
Under the Ethics section – the courage point is both welcome and well made. The world seems unable to disagree respectfully any more. Culture wars and left / right extremism, and a lack of a centre ground and consensus-driven action, seem to me to be a problem. I am glad that IA’s role to respectfully disagree and be sceptical is endorsed and welcomed in the Standards. I also like that the ethics section puts IA on a pedestal with a higher obligation to point out ethical breaches. In the evidence for conformance section there are a couple of areas which could usefully be reconsidered. For example, there is a point that IA should not make disparaging comments about individuals or the organisation. Whilst of course I understand the point, being critical and sceptical were highlighted earlier in the Standards as required. Similarly, the prohibition on releasing information without proper authorisation is often used by those against whom IA may need to whistleblow, to silence or sanction IA. Whilst I understand these points in common parlance and agree with them, I think some caveats here could be helpful.
On objectivity, the Standards make a lot of sense. The self-review risk is a little overstated in my view. I certainly can be critical of my own blog posts less than a week after writing them, such is my objectivity through years of training. Being so specific on banning further work within a year does not, to me, make sense at a Standards level. I would set the principles, as they have, and let them be interpreted within the context of their day-to-day application. As stated above, the language seems to equate perceptions of conflicts of interest with actual conflicts of interest. This should be reviewed in this section to make sure that the perception of something is not defined as the thing itself. Otherwise the application of this principle will end up in all sorts of mess.
On the competency section – I think an opportunity to differentiate the ability to internally audit something, as opposed to running it from an executive perspective, has been missed. One of the great potential criticisms of internal audit is that they are a jack of all trades and master of none. Often management teams complain that internal auditors don’t ‘understand’ (code for agree with) management’s view. Whilst I am a great believer in internal audit having technical skills related to the organisations they audit, internal auditing is a skill in its own right. There is a big missed opportunity here to define what that might look like, set it out, and be proud about internal audit as a profession. Perhaps another topic for a future blog post?
On conformance I like the clear statement that the Standards take precedence over other national or organisational standards. This is both helpful and clear. The Standards are framed in a way that, I think, should not cause any organisation difficulty in accepting that their internal auditors have global standards to conform to, as they do for other professions working in their organisations.
On maintaining confidentiality, it is important to protect the whistleblowing function here. Releasing information might break confidentiality rules yet be done in the public interest, to a regulator for example. I would suggest this section is carefully reviewed to ensure this caveat is noted, to prevent its use to shut down the ‘courage’ rightly called for earlier in the Standards.
The strong emphasis on the governance of the internal audit function is helpful. For it is this that sets it apart from other parts of the organisational structure – and perhaps could be used to frame IA’s purpose more clearly, as I suggest above. To my mind these Standards strengthen the statement of intent and practice in IA’s link to the Board, i.e. an annual refresh of the mandate. I think this is probably good, though in practice this will vary in many organisations and will likely be a step up in the visibility of IA to the Board in many organisations. This is the area where I think the Standards have moved significantly. Again, perhaps ripe for a future blog post?
I have a similar reaction to the positioned independently section. There are some strong statements here, positioning IA as a clear tool of, or clearer sight to, the governance structures. In reality this will be a jolt to many organisations where this is not the case. It will also put pressure on governance structures themselves to step up. I don’t disagree with the direction of travel here, but it is an interesting change in mood music and a more explicit statement of intent from the IIA. On the non-audit roles, I think these are clear, if a little overstated. If IA is to be much closer to the Board, then the space for a well-valued and trusted IA function to deliver advisory, consultancy and other products should be protected (for often these help organisations far more and far faster than IA products do). There was an IIA practice note that allowed for such work to contribute to assurance – and this made sense, as consultancy is IA in all but name. Perhaps this section could re-affirm this statement so that work that is not a formal, board-reported IA product is not seen as nugatory, second class, or less valuable in Standards terms. For in practice this work is often the most valuable thing IA produces for its clients and has the most impact on real-world outcomes.
On principle 8 – Overseen by the Board – I have the same reaction as above. It shifts IA firmly into a specific governance space. This is more clearly stated here than in the previous Standards and I think will jolt a number of real-world practices. I suspect for the good, and I don’t object in principle, except that it must be carefully done so as not to lose the ‘safe’, internal-to-the-organisation space that IA has between management and the board. For it is this special space that creates IA’s real organisational value.
On resources – yes I think stating resources should be sufficient is helpful. I am less keen on the idea that sufficient means to deliver a plan. I would frame this in terms of overall outcome and objective for which a plan should exist. A plan is a means, not an end. This speaks rather to my top level contention that the Standards seem to lack an overall purpose and outcome for internal audit as a profession, and rather focus on activities and practice.
I think the managing of the internal audit function section is okay, if a little too detailed for global Standards. Why specify a monthly review of IA’s budget?! The formal review of the charter and its approval is interesting and speaks a lot to the step up in the Board-level oversight envisaged in these Standards. On reliance on the work of others – the requirement to do this, not just how to do it if needed, is welcome. Many organisations have lots of independent third line oversight providers, so making the IA function part of this wider ecosystem is welcome.
On communications – again nothing to object to here, but the Standards are, at times, absurdly specific on what should be done. A requirement to attend groups that report to the Board, for example. I think it best to establish some standards and make some suggestions only here.
On performance measurement – this is a welcome addition. To make clearer the requirement to assess performance is a good step forward. So many IA functions either don’t do this at all, or do it in a perfunctory manner, that making this clear will improve matters.
Planning engagements is again very detailed and specific. There is nothing specific I object to, but this guidance collectively amounts to being very detailed about what internal audit is. Perhaps this is a good thing, but I wonder if it takes the Standards into a less principles-based space? It may also make IA less agile – when agility is a clarion call to the profession.
On 15.2 confirming the implementation of action plans. I don’t like the principle of confirming that management teams have done what they said they would do. Surely it makes sense in a risk-based world to confirm that the risk has been mitigated, through actions, to the intended target risk level?
So what’s my overall conclusion from this review? I like the Standards structure. I like its plain English. I like the principles. I think there is an opportunity missed to set out the overall purpose and space of internal audit. I think the overall positioning of IA as being under the board as a part of governance risks losing IA’s space to bridge between management and governance. I think the Standards push IA to be super independent, at the risk of becoming like internal regulators. I do think the second half of the Standards is somewhat too detailed and reverts back to a very detailed set of rules that have a quite traditional view of internal audit, which is not matched by the ambitious and modern principles up front. Perhaps the latter section could be more principles-based and not so detailed and granular.
It’s a big document and I need to reflect further, but I hope my first scan and thoughts are helpful and useful. I welcome your thoughts too.
It’s the new year. As all of us reflect a little on our lives, our work, and things we want to change, internal auditors and internal audit thinkers are no different.
Per my last blog post I’ve seen a range of signs that the internal audit profession is even more introspective and deliberative this year, and perhaps post pandemic, than it has ever been. Some are pointing out that computers and artificial intelligence (AI) will replace internal audit. Others say that we need a discussion on the fundamentals of what many internal audit practices do, for example providing false assurance, not really auditing the risks and issues that have an impact on the organisations for which we work.
All of that is true in my view, we should have those debates and really give some deep thought as a profession about where we are and where we want to be. More of the same simply won’t do. I do, however, want to pause a moment to reflect on the flip side of this professional introspection. The flip side to this is to look at the opportunities presented to the profession.
I have always said to my colleagues, it is always easier to audit something that is there. Picking holes in something is, relatively, easy. Where internal audit really adds value is to audit what is not there. What should be there? How should / could it work? What is the real challenge or root cause that needs to be tackled and how can it be done?
Ultimately organisations are run by management teams. It is ‘Team Management’ that makes the difference to an organisation’s success. Sure, governance bodies provide a steer, direction and oversight, and internal audit provides correction, challenge and support. It is Team Management, however, that has control over almost all of an organisation’s resources and has the most latitude to decide what to do with them. So the biggest challenge for any internal auditor and audit function is to provide a suggestion or advice that is practical. It has to be grounded in the organisational and contextual reality that management faces.
When I was a young internal auditor I felt it was enough just to be right; to prove my point. To point out the problems and to provide a theoretical response as to what needed to happen. Often the suggestion was the converse of what had not happened. I did not take the time to understand why something had not happened. Why the ‘right’ answer was not being followed. How, in practical terms, the theoretical ‘B’ could be reached from the current position ‘A’.
This is the bit of internal audit that cannot be delivered by AI, nor by auditors that are not willing to change and embrace the grey, avoiding a black or white mindset. If internal audit is to survive as a key part of organisational architecture the world over, then it must climb up the value chain.
I have a positive view of internal audit, when it is well done. It can say the organisationally unsayable. It has a voice heard by senior management and governance structures. It is, or should be, grounded in a deep understanding of the organisation, in a way that external audit and consultants simply don’t have. It has the anthropological and ethnographic view of the organisation that no other professional, administrative, governance or regulatory structure has.
I started delivering this consultancy style of internal audit nearly 20 years ago when I first became a chief audit executive in my own right. I have delivered and refined my model of consultancy internal audit ever since. It was difficult to implement in my first client and, in retrospect, was too much and too revolutionary for that client at the time. I have since then demonstrated that this more principles-based and genuinely risk-based, consultancy-style internal audit can work in practice and pass with flying colours an external quality assessment against the IIA Standards.
Yet still, general internal audit practice has a way to go to catch up in my experience. So I will use 2023 to keep making the case for an internal audit that sits higher up the value chain. I will share my thoughts and experiences in this blog throughout this year and let you know how I get on.
Safe to say, in my view, the future is bright and rosy for internal audit; it is more relevant and needed than ever. Only though, if we can break out of the status quo and make the step change needed.
It seems to me that the pandemic and the period of recovery has, finally, begun to impact the slow and glacial pace of change in the world of internal audit. At least that is my hope for 2023. I wonder if we, as a profession, and the professionals within it, have finally reached an inflection point?
I had thought the financial crash and various corporate scandals over the years would ask the question, in a meaningful way, ‘Where was internal audit?’ Finally I thought the pandemic, with all of the woe and disaster it brought, might also have brought one small good thing: some meaningful thought and introspection from the internal audit profession to drive modernisation.
Sadly, no. None of these things have yet transpired meaningfully. We are now having some discussions about risk management and what it means to be risk based in our audit work; though sadly this seems to be confined to a quantitative versus qualitative debate, rather than asking much bigger questions of the organisation’s risk management with which internal audit works. We’ve had the ‘audit at the pace of risk’ discussions and how internal audit needs to speed up and become more ‘agile’. Though some of this debate misses the point and rather denudes the whole point of looking at risks (future uncertainties) a long way out, and of encouraging management colleagues to do the same. Instead it risks internal audit auditing at the pace of issues – which is the space many management teams seem inexorably and happily drawn to.
Finally though, I think we can as a profession step into a more meaningful space. I sense a real tipping point from leaders of the profession seeing the world, as messy and under strain as it is, and taking up their responsibility to help their organisations to make meaningful change.
For internal audit I think this means a number of things. Yes, speeding up our work, but not to the point of meaningless, two-dimensional traffic lights, nor slide decks, but well placed, thoughtful, evidence- and analysis-based diagnosis. It means ‘putting the fish on the table’; that for me is saying what needs to be said without fear or favour. Whilst being politically savvy in an organisation is important, it should not translate to being obtuse or obscure about what internal audit is saying, no matter how uncomfortable that may be.
It also means being comfortable that when pointing out risks, by their nature they are uncertain. They most certainly are not facts. Nor should we as internal auditors fool ourselves that there is only ever one objective truth to be identified. We need to get our management teams comfortable debating and tackling uncertainty – and for the big challenges of the day, these are likely less clear and less black and white in their interpretation. For the real benefit of internal audit is not being right or wrong, but prompting our management colleagues into the debate and discussion around the risks. For only in this dialectic can we hope to grow our organisations and their capacity.
Finally I think we really do need to look at the methodologies and methods we employ as a profession. We need to do this not just in terms of practice and practicality, but also in the assumptions that underpin those. We also need to take a good, fresh, look at how the global institute and its national counterparts really engage in change.
I sense an inflection point coming this year, though I am not yet sure of the steepness of this change. Perhaps you can see some change too?
So COVID has finally required us all to work from home. Since our young school days we’ve worked at home. At university for my undergrad I recall my college room was as much a place to work as a place to relax and sleep. When I trained as an accountant with KPMG I worked many hours at home. For my MBA I did it by distance learning over 3.5 years – I worked many hours at home.
Somehow we all seem to have forgotten how to work at home. We get put into office work and big shiny offices and, as we progress up the career ladder, these offices become more than a place to work but an organisational status symbol in and of themselves. Indeed, when I joined the UK Government it was not that long before I joined that one’s job grade determined the size of office, number of windows, floor, coat stand, furniture etc.
In all of this time, we got taught or cultured into, consciously or unconsciously, an idea that work was done in an office from 9am to 6pm with a lunch break (eaten at the desk in the UK mainly). People who did not come into the office, or who worked from home, were seen overtly or covertly as not working and somehow skipping work.
When I joined the UK Government I joined the then Department for International Development (DFID). DFID was the aid and development international bit of the UK Government. It had its corporate headquarters located in both Whitehall and East Kilbride, Scotland. This meant that, for me with a split location team, having video calls became usual. It, for me, meant adjusting to waiting for technology time lags, making sure to include all parties on the call in the conversation, and adjusting speaking time and pace to accommodate the lack of social and visual cues present in face-to-face meetings. This also meant scheduling meetings carefully to include different time zones. All of this video stuff was ‘normal’.
When I worked in London the commute was a genuinely aversive experience, in particular during rush hour. Luckily I was able to use the Thames Clipper boat service that made the whole experience much better. London-based organisations had progressively moved to a culture of open plan, flexible space. In other words, working from home was not just encouraged, it was required. The office space was no longer 1:1 with a desk for everyone, but a much smaller ratio with hot desking. Gone were the specific desks and hat stands; in came soulless carrels and conformity. Private sector companies seemed to get the sense of working together and flexible space as well as the need for frivolities such as ball pits, slides and table tennis tables. Despite the variable success with which London-based organisations rolled out this flexible working, it was clear – home and flexible working was valued, recognised and valid.
Once I moved to the multilateral sector, first at the Red Cross and now the UN, I expected a similar culture. Of course, this was the case to a degree. Video calling and working in a fully global footprint is still there. I found, however, that work can still be considered by some as something that largely happens at the office. Now don’t get me wrong, home working is not for everyone, every organisation, or every role. Lots of jobs require physical presence to perform them. Neither do I think a wholly home-work culture works. Social interaction, sharing of ideas, of humanity, is important. There is, however, a need to reconsider what that balance is. The pandemic has forced that debate.
The pandemic has shown us that our propensity to travel via car, plane, train etc. is not needed to the same scale. It has also cruelly exposed organisations’ lack of digital and data maturity. The tools exist for much of our work to be automated, remotely delivered, monitored and overseen at scale through carefully designed digital mechanisms. The core digitisation of many organisations’ basic activities is still to occur and this has limited the capacity of those organisations in the pandemic lockdown period.
What does all of this mean for audit and oversight? I think it means there will be internal audit pre and post COVID. I don’t think internal audit will be automated, at least not fully. I think audit will need to move up the value chain to become more thoughtful, more digitally enabled, more able to think about the wider organisational goals, and less labour-intensively focused on compliance. This will require different auditors than we have currently. They will need to be more digitally nimble, more intellectually broad-based, focused on constant continual professional development. For those auditors that have moved truly into a risk-based mode, I think this leap will be less far; for others the step might be a greater one.
I don’t foresee a space where management assurance (second line) takes over from the need for third line work. Third lines are normally exceptionally thin – they are normally lucky if they’re more than 1% of the organisation by spend or staff. I think instead the oversight load will become more seamless and integrated.
So I think it is time for organisations to really reflect on what post-COVID (PC) looks like. What do their offices look like when we all return? Will we continue to see those working from home as, in some way, not working fully or well? We as internal audit leaders should also reflect on what it means for our work as well. What is our relationship to field work? What type of people do we need to do this work? How do we really digitise our work? How do we work with our second and first line colleagues?
We’ve been talking about these challenges and changes as internal audit professionals for well over a decade now – perhaps we should really take these forward, post COVID.
It’s advanced level examinations results day in the UK (pre-University examinations for my international readers). Thousands of students will find out whether they have the grades to go to their university of choice. I remember my advanced level history teacher constantly setting out the same mantra – answer the question, the whole question and nothing but the question.
I’ve been thinking about internal audit work and how it has evolved since I started in the profession. I remember when I first undertook internal audit. Back then it was about looking at a few objectives, thinking about a few risks that could affect those objectives, then writing a report with enough observations to justify the fee. We did not even ask what the question was, let alone answer it.
Of course I tried to get the right risks, ask the right questions, evaluate the right risk mitigation action and controls. At that time, however, a lot of internal audit work was about compliance and verification of systems. So yes there was an element of looking at the design of controls, but a lot was about the implementation of controls as designed. In other words, someone else had supposedly done the thinking and as an auditor I was meant to just verify the thoughts’ implementation and perhaps, sprinkle a little added value by suggesting some improvements. Also it was almost all finance and financial control. Who remembers the CIPFA control matrices? (Do they still exist?)
I knew when I took on my own internal audit service as a CAE that this was not enough. I knew I wanted to add real value, to be really risk based. I have since Socratically followed the logic of internal audit’s value proposition and it led me to design a proper risk-based audit system. One where the balance of effort was not on looking at what was there, because invariably from experience it was poor or could be much better, but on looking at what should be there.
Internal audit under this model significantly changes. It considers risk and risk appetite. It has to make the same complex and difficult business decisions that managers make. It has to accept that perfect is not possible and make value for money judgements about what is reasonable and cost-effective. This places a huge burden of responsibility on each auditor and on me as a CAE particularly. Every decision we take, every report judgement we publish, every piece of advice we give, has a burden of being ‘right’. Reports need to form appropriate judgements based on real and complex analysis. Reports can no longer be exception reports, picking up some stuff. They need to pick up everything, as appropriate. They need to be complete as well as balanced, as well as right, as well as risk based. They also risk putting internal audit into an executive position, for where a management team is weak, they will rely on internal audit either overtly or tacitly.
When internal audit plays in the space of uncertainty and grey, it loses the protection of just being a form of organisational additionality. In other words it is not something nice to have, but it becomes core to an organisation. It is an integral part of a good organisation’s eco-system and governance framework. Internal audit can rightly be held to account when things go wrong. It can make mistakes with consequences.
To do this type of internal audit also requires a step change, not just of the CAE but also of the whole internal audit department. You no longer need two-dimensional thinkers without an ability to go ‘off piste’. You need both bright and experienced people. You need better learning across the department and increased knowledge sharing. You need a department to become better than the sum of its parts to keep up with, or preferably stay ahead of, management team colleagues. Reports are no longer cut and paste, cut and shut; they are consultancy reports with a narrative, storyline, argument, analysis and conclusion. They no longer answer some questions, but they answer all relevant questions. In effect each assignment becomes evaluative or research based in nature, not systematised or programmatic.
For in our modern, complex, world, real risk does not lie basking in the sun. It is hidden in the complexity of pre and co-requisites, interrelation, culture, people and process. To make sense of a complex world you need higher skills supported by experience.
I am writing up my PhD at the moment and I hope I will do enough to get it. It’s hard, but rewarding, work. Yes the type and standard of writing and line of argument needs to be excellent and every paragraph carefully crafted, so it is different to the writing in my day job as an auditor. I don’t expect every audit report I read and write to be the same but, actually, nearly. For internal audit reports are mini-research and evaluation reports. They do need to ask the right questions and, more importantly, answer them too. They need a carefully crafted and credible argument and they need to form sensible conclusions.
Does your internal audit ask, and then answer, the right questions?
I’m a member of three audit committees: a national charity; a world-class university; and a global multilateral organisation. In my career I have been to thousands (literally) of audit committee meetings.
Whilst audit committees vary in terms of effectiveness, form, nature, personalities, remits, scopes and charters, there is I think an ideal (in a Platonic sense) of what an audit committee should do. i.e. any good audit committee should do certain things.
I don’t want to list all of the things an audit committee should do. Instead I wish to focus on one core thing – its dialectic. So let’s define this (per wikipedia):
Dialectic or dialectics (Greek: διαλεκτική, dialektikḗ), also known as the dialectical method, is a discourse between two or more people holding different points of view about a subject but wishing to establish the truth through reasoned arguments.
This is a core process for audit committees. It is not aggressive or conflictual. It is a joint process to discover the ‘truth’. Who holds those opinions? Well the management team; independent auditors (both internal and external) and the independent audit committee members. What is truth? Long time readers of my blog will understand that I have epistemological and ontological issues with the concept of ‘truth’. Simply, I don’t believe in truth. Evidence and ‘facts’ can be interpreted in different ways to create different ‘truths’.
So what is dialectic process in audit committee settings? Well I think it is the core process and point of audit committees. An audit committee is delegated a role of independence and organisational oversight by the board. Most audit committees oversee as their core task, the suitable application of risk appetite (as set by the board) through ensuring there is a reasonable system of risk management and that risks taken are within the board-approved risk appetite. They also oversee governance. So they will ensure the management and the board are working to ‘direct and control’ the organisation effectively (which is the definition of governance). They also oversee the implementation of control.
Now there are various definitions of control – one that sees control as compliance with rules and procedures and another that sees control as mitigation of risk through control actions to be within the organisation’s risk appetite. It may appear that control can be detached from risk and risk appetite, but what is a system of control if not a designed set of actions to ensure risk is mitigated to within risk appetite? Personally I would cut out the middle man and just define control as mitigation of risk within appetite, rather than set it up as being something independent of risk, which ultimately is a documented version of risk appetite control in any case.
So how does the audit committee dialectic fit? Well a good audit committee will receive data (normally reports from the management team or auditors) and it will debate these. Through this debate it will attempt to discover the ‘truth’ of the data presented. At a fundamental level do these data tell the committee that the board-approved risk appetite is being breached or not? Are the systems and processes of governance, risk management and control working adequately?
So this means it is incumbent on all parties at the audit committee to bring their opinions and be willing to debate them. This for most audit committees takes the form of debating reports, considering the author’s view and comparing it to the response or to the committee’s own views. So for management reports the audit committee should decide whether it is happy with the data and views presented and approve, or not, the modifying actions. This is the basis of its consideration of reports: fundamentally to approve the actions taken / to be taken as proposed in the report. For audit reports the audit committee should consider the audit and management view and then decide to approve the management response to risks or not.
Yet I’ve been in so many committees that do not do this. They either don’t consider reports (there are too many of them); or they are conflict avoidant (and yes, some tension and conflict is helpful and necessary in an audit committee); or they are not presented with anything to consider. Far too many of my audit colleagues are guilty as charged on this one. For what value is an audit report without a conclusion or an opinion? How much less valuable is a report that does not include a risk-based opinion?
So all of my audit colleagues will claim to be risk based. Yet they do not form risk based opinions, or in many cases, any conclusion. For the presentation of a list of risks and issues is not an opinion or a conclusion. There is no ‘truth’ to test.
I work hard with my team to make them form an opinion. It is difficult. Often there is no right or obvious answer. So, as an example, is a complex aid programme in a conflict state good or bad? Is net risk too high? Hmmm. Difficult to tell. But if an opinion is not formed the audit committee cannot do its role. It cannot approve the management response (to do less, nothing, or more) to the report. It cannot apply, on behalf of the board, the organisation’s risk appetite. A series of decisions to improve the organisation either in terms of control or value cannot be made and implemented.
Back to my team. Finding a set of issues or risks is fine. If one reads them, however, and is none-the-wiser whether those tell me something is good, bad, or indifferent, then what is the point? My team has the very brightest and best and they are getting great at forming a view, though it takes constant work in my experience. If, later, we discover that opinion turns out to be wrong then fine – if we could predict the future we would be in the business of buying lottery tickets, not audit. At the time we issue the report however, through the audit committee dialectic process we will have created organisational change through stating an opinion and a ‘truth’ to be tested. That is the point.
So why do we as auditors fail in this? Well, as auditors we confuse audit with science. We confuse complexity with impossibility. We apply our conservative nature to avoid taking risk ourselves. We are conflict avoidant (though a dialectic process is not meant to be conflictual). Yet having an opinion and sharing that in a proportionate, justified, way is our core job. We are best placed, being independent of management, to do this. We can say what we like and we should (must) do that. As auditors we should work hard (with Socratic questioning if necessary) to enhance our audit committee’s dialectic processes.
So this week I’ve said goodbye to my CEO boss, in this case a Permanent Secretary. This is not the first time in my career I’ve done this. Sometimes it has been planned and organised but most times, at this level, people suddenly leave, either to take on their next role or in some cases it has been a sudden departure for less clear reasons. I have been lucky in my CAE career to work with people that I respect and that have all been ethical, moral, talented and capable (I can think of one exception).
Sir Mark, my latest, has been exemplary and I’m sad to no longer be working with him.
The CEO to CAE relationship is key to a successful audit function in my view. For without the trust, engagement and support of the CEO, internal audit is exponentially more difficult to deliver. Not impossible, but much more difficult. For the tone at the top, as with so many organisational things, makes a difference not just to making things happen, but to making change as a result of those things. Outputs can be achieved by an audit function on its own; outcomes require collaborative co-working with the client management team with the support of their leader.
I am grateful to Mark, as with some of the CEO equivalents I have worked with before, for taking me and internal audit seriously. Mark ensured that I reported to him, not just because he felt it was the right thing to do, not because he saw me as his elite police force or praetorian guard, but because he felt internal audit had a role in the organisation, was part of good governance, and was worthy of some of his highly valuable and limited time.
If we go to the International Standards from the IIA, standard 1110 states:
‘The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities.’
This is framed primarily as being about the CAE being senior enough to be independent, i.e. having a reporting line both outside of the management chain to the board and to the top of the management chain. It is also about status. For internal audit to be successful in getting senior managers to take it seriously, those senior managers that control resources, power, knowledge and access, then those senior managers must know that the work of internal audit is to be taken seriously by the board and CEO and the response to it will have an impact on their futures. That might be in terms of performance targets, performance assessments, future resource allocations (both positively to tackle risks identified and negatively, to divert resource from poor performing activities).
Sir Mark insisted I reported directly to him, which in the UK Government system (due to odd governance arrangements concerning dual accountability to Parliament for resources) is both the CEO and one of the two ultimate governance functions of the department to the UK Parliament (the other being political accountability to Parliament). This was an important statement and one that I recognised when I first met Sir Mark in his office, then adjacent to Buckingham Palace in London.
If I reflect on other CEOs I have worked with, this was a strong statement of support. Not all CEOs recognise the importance of having dialogue with CAEs. This is crucial in my view, for a good CAE should have a breadth, and more importantly depth, of view of the organisation that few others in the management team will have. Also a good CAE should be independent and objective, so should have the courage, ability and perspective to talk truth unto power. This should provide any CEO with a different perspective to those they normally hear. I’ve written about the dangers of management ‘groupthink’ before: ‘Group think the Kryptonite of Leadership – Internal Audit the antidote?’
This relationship between CEO and CAE also has to be one of respect, and some level of parity, in that the CAE should not just be able to report to the CEO, but talk to them. Dialogue is important. What takes time is for any CEO and CAE to get to a position where the CAE is a trusted business advisor. This is difficult for anyone to achieve with a CEO. They are typically well experienced, very capable and confident individuals. If the selection process for them has gone well then I would expect them to be the most capable and confident. So everyone else will, to some extent, still be learning and developing compared to the CEO. If a CEO is truly capable, however, they will recognise that their ability to listen is important and this should provide a CAE with a basis on which to provide some insights from their perspective and work.
The relationship also works the other way. It is easy for a CAE to do what they want. To take independence to be a non-listening position and see all different views as ‘wrong’. I know as a younger CAE I did not listen to my client organisations and CEOs as much as I should have done. For the CEO, if they’re good, should know and be able to guide their CAE about what the organisation can cope with and how it will deal with, and hear, messages from audit work better.
The CEO and CAE relationship is not about agreeing all of the time. A good CAE’s most crucial role is to disagree bravely at times. For it is these moments that are the crucible for transformative step change to occur. A good CAE should know how to do that, however. When has a ‘red line’ been reached? When will an organisation benefit from a tough message, and when will it retract and recoil from it?
The line between support and challenge is forged in a collaborative, guiding and supportive CEO to CAE relationship. The key is to stretch an organisation, but not to break it. This stretch can be quick with a ‘snap back’ management response to catch up, or it can be a thematic message that builds over time and stretches the gap between internal audit and management views, until the management response begins to catch up. In my experience, compliance and legal issues fit the former; risk management, value for money and governance challenges, fit the latter.