It’s advanced level examinations results day in the UK (pre-University examinations for my international readers). Thousands of students will find out whether they have the grades to go to the university of choice. I remember my advanced level history teacher constantly setting out the same mantra – answer the question, the whole question and nothing but the question.
I’ve been thinking about internal audit work and how it has evolved since I started in the profession. I remember when I first undertook internal audit. Back then it was about looking at a few objectives, thinking about a few risks that could affect those objectives, then writing a report with enough observations to justify the fee. We did not even ask what the question was, let alone answer it.
Of course I tried to get the right risks, ask the right questions, evaluate the right risk mitigation actions and controls. At that time, however, a lot of internal audit work was about compliance and verification of systems. So yes, there was an element of looking at the design of controls, but a lot was about the implementation of controls as designed. In other words, someone else had supposedly done the thinking and as an auditor I was meant to just verify the thoughts’ implementation and perhaps sprinkle a little added value by suggesting some improvements. Also, it was almost all finance and financial control. Who remembers the CIPFA control matrices? (Do they still exist?)
I knew when I took on my own internal audit service as a CAE that this was not enough. I knew I wanted to add real value, to be really risk based. I have since Socratically followed the logic of internal audit’s value proposition and it led me to design a proper risk-based audit system. One where the balance of effort was not on looking at what was there, because invariably from experience it was poor or could be much better, but on looking at what should be there.
Internal audit under this model changes significantly. It considers risk and risk appetite. It has to make the same complex and difficult business decisions that managers make. It has to accept that perfect is not possible and make value-for-money judgements about what is reasonable and cost-effective. This places a huge burden of responsibility on each auditor, and on me as a CAE particularly. Every decision we take, every report judgement we publish, every piece of advice we give, has a burden of being ‘right’. Reports need to form appropriate judgements based on real and complex analysis. Reports can no longer be exception reports, picking up some stuff. They need to pick up everything, as appropriate. They need to be complete as well as balanced, as well as right, as well as risk based. They also risk putting internal audit into an executive position, for where a management team is weak, they will rely on internal audit either overtly or tacitly.
When internal audit plays in the space of uncertainty and grey, it loses the protection of just being a form of organisational additionality. In other words it is not something nice to have, but it becomes core to an organisation. It is an integral part of a good organisation’s eco-system and governance framework. Internal audit can rightly be held to account when things go wrong. It can make mistakes with consequences.
To do this type of internal audit also requires a step change, not just of the CAE but also of the whole internal audit department. You no longer need two-dimensional thinkers without an ability to go ‘off piste’. You need both bright and experienced people. You need better learning across the department and increased knowledge sharing. You need a department to become better than the sum of its parts to keep up with, or preferably stay ahead of, management team colleagues. Reports are no longer cut and paste, cut and shut; they are consultancy reports with a narrative, storyline, argument, analysis and conclusion. They no longer answer some questions, but they answer all relevant questions. In effect each assignment becomes evaluative or research based in nature, not systematised or programmatic.
For in our modern, complex world, real risk does not lie basking in the sun. It is hidden in the complexity of pre- and co-requisites, interrelation, culture, people and process. To make sense of a complex world you need higher skills supported by experience.
I am writing up my PhD at the moment and I hope I will do enough to get it. It’s hard, but rewarding, work. Yes, the type and standard of writing and line of argument need to be excellent and every paragraph carefully crafted, so it is different to the writing in my day job as an auditor. I don’t expect every audit report I read and write to be the same but, actually, nearly. For internal audit reports are mini research and evaluation reports. They do need to ask the right questions and, more importantly, answer them too. They need a carefully crafted and credible argument and they need to form sensible conclusions.
Does your internal audit ask, and then answer, the right questions?