I am an avid consumer of news. The global news is depressing and sad at present, nevertheless I think an understanding of the currencies and flows of global events is helpful context for life. So I engage, whilst at the gym, and with a reputable source, the BBC.
This story struck me in particular: https://www.bbc.com/news/world-asia-68738694 It’s a post-event analysis of why the recent Taiwan earthquake did not cause so much damage, in contrast to the devastating earthquake in Turkiye or even in the last Taiwanese earthquake of 25 years ago. The article patiently and consistently narrates how a series of coherent actions in relation to planning and building codes, backed up with consistent oversight and enforcement, also training of the population, building of sensors and establishing disaster response protocols mitigated the impact of this quake.
In a world where creating deep and lasting change seems hopeless and impossible, it is a good, and practical lesson in how this can, and should, be done. I consider the same is true within any significantly complex or sized organisation. There is a need to take time to analyse the problem, set out some principles within which action can be organised, then develop a plan of consistent and coherent actions, deployed over time, to enable success. This for me is what a control framework is.
The internal audit profession, where it sees controls in either process, legal, or transactional terms, is only engaging with half of the point. Sure a rules-based approach is possible. McDonald’s, most airlines, military organisations, show it can be done. Most organisations, however, lack the resources, time, capability and need to enforce such a level of command and control. Most organisations rely on a mix of rules, legal controls, processes and cultural controls. Auditors must understand the latter in particular, for culture eats all other controls for breakfast. If the centre of cultural gravity of an organisation is towards X then it is highly unlikely that anything other than either being rigid in setting, overseeing and enforcing those controls, over an extended period of time, will make any difference.
So for me, I think a control framework is a complex web of activities, actions and processes that requires consistency and application over a period of time. That is not something we, especially in an internet world of immediacy and gratification, are willing to hear. In other words, good control to achieve a difficult or complex objective is likely a marathon, not a race.
Of course, there are things that can speed up change and enhance control. Prioritisation is one – focusing on an overall goal and making it visible and clear to everyone in the organisation. Being proactive and thoughtful about the cultural aspects of control – those that enforce and those that detract from the goal at hand. Good oversight – ideally by management themselves, but supplemented by good third line oversight. Also a strong commitment to enforce those actions, especially when the actions or overall plan of work becomes tough, for example where money is limited, or the strategic horizon for the organisation is challenging. I recall when I first worked for a professional services firm, it had a strongly traditional male-dominated and toxic culture. This did not change through rules or training or internal communication. It changed when the organisation was brave enough to sack senior staff for not being more humane, diverse and modern in their approach to work. This sent a cultural signal that no amount of all staff emails could replicate. I am glad to report that I see professional services firms now, and corporates more generally, are beacons of diversity and commitment to humane workplaces. They benefit now from ‘seeing’ the many employees they never knew before and never attracted in great numbers previously.
So what’s my point here? My point is that a control framework is a marathon, not a sprint. Big change takes time and, like the amazing results in Taiwan, is well worth the effort and energy expended. So next time you are doing an audit, audit longitudinally, not just at a point in time. Let me know how you get on!
I’d like to build on my last blog post about systems and systems thinking. It’s clear that building and maintaining systems is hard work. As an auditor we can see when our clients run out of energy and will to maintain and deliver systemic responses to risks or challenges. Often you see this in organisations that are large, bureaucratic and long-established, but I think it can happen in any organisation. It’s a sense that to oversee and enforce policies and standards is just too difficult or requires too much effort. As internal auditors I think it is our role to point out, push back and energise our clients against such complacency.
A good example is safety standards. I imagine that following some of the very detailed requirements for operating an aircraft can become tedious. It’s that sense that this is bureaucratic. Keeping the exit row clear, making sure tray tables are up when taking off and landing etc. They don’t feel necessary when things are going well. Yet, they are essential when trying to empty a plane at pace when it catches fire, as in the recent example in the news at Tokyo airport. It’s the same for financial and procurement controls, though of course the circumstances are different. It’s the same for food safety standards in restaurants. Perhaps it doesn’t matter if an employee doesn’t wash their hands once, or food is not thrown out with clear in-date rules a few times. Over time, however, the risk increases, and the one certainty about a risk is that, unmanaged, it eventually becomes an issue.
Just as systems can be effectively deployed to ensure things happen, they can be so deployed to ensure things don’t happen. Think about fraud or misconduct prevention. We have the now very public and celebrated example in the UK of the Post Office’s failed roll-out of its accounting IT system, Horizon. If you had asked me as an oversight professional how likely it was that vast numbers of staff, systems, data controls, oversight and governance would have allowed, for such a long period, and to such a scale, the scandal that evolved, I would say unlikely. Yet it happened. That scale of collusion seems almost incredible.
This, for me, makes the point that frameworks of control (which are systems) in fact embody very different types of controls. They comprise rational / legal / compliance controls. They comprise risk based, principles-based controls. Most crucially, however, they embody cultural controls. Culture eats not just strategy for breakfast, but also other types of control systems. For, if the culture is to turn a blind eye, or to ignore certain types of risks, or to allow certain types of behaviours, then no amount of training, advice, risk management, governance, will push that inclination back.
I have never worked at the UK Post Office, nor have I undertaken a detailed analysis of the Post Office in this tragic case. It seems to me, however, that culture played a key part in this. A while ago it was fashionable in internal audit circles to look at culture. I think largely on the back of the financial crash of 2008. Perhaps we, as the internal audit profession, should reconsider bringing this back into vogue. Understanding control frameworks, from a perspective of culture and cultural controls, as well as risk / principles-based and rational / legal controls should be embedded into our work as a matter of course. If I was an executive manager of a department of an organisation, hearing some independent view of controls and culture would be very important. It would be even nicer to hear it in the normal course of ongoing oversight work, rather than as a lessons learned report on the back of some corporate failure.
Yet, this requires internal audit to be braver. Courage is one of the new elements of the revised IIA Standards for 2025 (the subject of my next post). It requires internal audit to own the space of subjectivity and opinion forming. It requires internal audit to own its independence. It requires individual internal auditors and internal audit leaders to step into this space more and to be courageous. In some cases it will require tenacity to get to the bottom of something and not let initial signs and indications of problems go. In the case of the UK Post Office, I wonder if a brave CAE, being courageous, could have literally saved lives.
Without prefacing my remarks in my next blog post about the revised IIA Standards too much, I think the new Standards are a big step forward and have some really good things to place the profession in a good space. We can debate whether making internal audit a creature of the board is necessarily realistic or smart, but the inclusion, overtly, of courage is a very clever step.
So my conclusion from this post is that courage, and cultural review, are essential to good internal audit. Saying things ‘as they are’, rather than how people would like them to be, or how they would like them to be presented, is crucially important. Standard 1.1 requires professional courage – are you ready for this?
As I come to the end of another year I have been reflecting a little. I have been particularly lucky in my career to have had some fantastic colleagues to work with. Many have been personally and professionally inspiring and, in turn, have brought the very best out in me (I hope). As my roles have become larger, in terms of scope, complexity, mandate, and international reach, I have grown as a professional. That then brought me into contact with even more colleagues who were inspirational, and so the virtuous cycle of professional growth has continued.
As I have come into contact with a greater range of colleagues and partners, I have realised that internal audit, as a profession, risks missing the bigger picture of independent oversight. By independent oversight I mean oversight that is independent of management. Conceptualised this way one is suddenly much more aware of the great number of actors in this space. For example, on the assurance side of organisations, evaluations; inspections; financial statements audits; grant or contract audits; IT audits and specialist assurance; external inspection units; regulators etc. On the integrity side of things: ethics; ombudsperson; investigations; legal counsel etc.
When I was a young CAE making internal audit excellent was the most important thing to me. Being independent was also, as I saw independence as the core differentiator for internal audit. As I’ve matured (I hope) as a professional and as a person, I’ve come to see a more complex world, where internal audit is only successful if it recognises that it is part of a wider system. And yes, I believe this does mean putting internal audit in its organisational context. You can think about this in three lines if that’s helpful, but at any rate, understanding what the client organisation’s management, governance and other stakeholders need and are trying to achieve, and putting the effort and energy of internal audit into that. In this post however, I want to comment a little on internal audit in the context of the other independent oversight providers in the independent oversight system, rather than the broader organisational context, as that’s for another post.
So why do I see a need for IA to engage with other oversight providers? First, IA is generally small. Small in terms of resources and small relative to its client organisations. So, in order to magnify its impact it makes sense to engage with other partners and parts of the organisation to share the heavy lifting of oversight. Second, IA is a very particular tool. It has its own distinct profession and distinct way of approaching problems. Depending on its formulation (and to some extent where the new IIA Standards end up) it can be a compliance tool, a thinking version of a compliance tool, a risk based compliance tool, or an independent form of risk based consultancy. These may not be the right tools for a particular oversight job, however. Assurance over a highly technical area may require a technical inspector, say for airlines or tech companies, or chemical companies. Or the organisational challenge might be one of general management or strategic choices, where consultancy or evaluation is needed. The challenge perhaps might be one where the organisation, or parts of it, are highly sensitive. A public, formal, published internal audit process may not be a helpful solution. One can see a range of organisational challenges which IA is simply not well-suited to.
How can IA go about being helpful to coordinate and get the most out of independent oversight then? Well, there are a bunch of practical steps that can be taken. A coordinated oversight plan, ideally online and in real time. This helps plan the work and avoid practical space and time overlaps. A coordinated recommendations / outcomes tracker. This helps to share and make clear messages from the oversight community. It helps management to respond and senior management to see how things are going. Coordination meetings. People will often say things which they will not write down. So provide a forum as a safe place to share half developed thoughts and challenges amongst the oversight providers.
IA can go further though. It can look at the system itself. Is it a system? Does it work coherently? Is the balance / resourcing of oversight right (i.e., right types of oversight applied to the right issues)? Are there overlaps / duplications? Or are those overlaps sensible and make sense? (I’m a great believer in a fuzzy logic oversight system by the way, so overlaps are fine with me.) Are the major issues of the day being tackled in the right way by oversight providers? Similarly is there too much oversight ‘ambulance chasing’ and not enough focus on the boring, but important, long term organisation strengthening type of oversight work? IA can, and should, also have a legitimate role to comment on the system as a whole – it has the skills and abilities to assess the effectiveness of systems, so serving up an assessment of this to particularly senior management, is a service IA is well-placed to provide.
So, at this time of new year’s resolutions, mine is that the internal audit profession lifts its eyes upwards and is less inwardly focused, instead taking a role to see oversight (both assurance and integrity) in systems terms. IA, when I was first a CAE, claimed the third line all for itself. I never thought that true then, and I don’t now. I do, however, see IA as having a critical role in the third (independent of management) line space to make sure oversight works to the benefit of its client organisations and their stakeholders.
Despite my attempts to move away from my core blogging theme this year onto more diverse and discrete subjects, the overall theme of the profession being in some existential, self-reflecting, inflection point mode for 2023 seems to be valid still. So I am going to go with it.
The thought leaders of our profession are all seemingly aware that the almost surreal certainty the IA profession has had over the last 30 years is now to be replaced with a distinct sense of a need to make a choice. It is a need to make a choice about where the profession sits yes, vis a vis other professions (accountancy, risk, evaluation, audit) but much more importantly where does it sit within the constellation of corporate functions. In this case vis a vis, finance, HR, marketing, IT, treasury, oversight, risk management, comms etc.
For if internal audit is to be ‘internal’, and I’m a great believer that it should always be, then its organisational position is crucial and matters. I think IA has made the argument successfully that IA should be a third line function – i.e. independent of management. The practical manifestation of this, especially but not exclusively in the private sector, can be variable, for example reporting to the COO or CFO. Where IA has made much less headway is in the claim that the third line is only IA. The main reason for this is that it puts other internal to the organisation but independent of management functions in limbo. They are neither regulatory nor are they second line, a term I have always taken to mean management functions independent of line management but part of the corporate oversight. To confuse the picture further, the banking sector tends to create a range of so-called second line functions as independent of management: risk management, compliance, corporate investigations. Some models say IA is the third line, others that it is providers of independent assurance.
Put simply, the corporate landscape, even or especially with the application of the three lines model, is confused. I am increasingly seeing team management getting very confused about what all of these functions do and their standing. It is all becoming a big wall of ‘oversight’. In addition, different business sectors have their own traditions and structures. I have worked across a range of private, public, financial and government sectors and they all have interesting corners of interest in organisational structure. For example, public sector organisations, particularly those with programmes to deliver public policy often have evaluation. This is a form of objective review that exists in first and second line management – commissioned by management but delivered by a team separate from them, and as a corporate oversight function a la internal audit. Aside from positional similarities its professional modus operandi is to ask big questions of policy and ‘are we doing the right things’ questions. This is markedly different from IA but helpfully complementary to it. To take another example, we can consider corporate investigations of staff / contractor misconduct. In my current sector these sit in a clear third line, independent of management, space, which to my mind makes sense but they are not providers of assurance as the three lines model would hold. For other sectors, including the private sector, these functions are either done by HR or a separate, second line, function. You could argue that banks’ model of having say corporate investigations as a second line, but independent of management, model therefore makes sense as it is a non-assurance providing but independent function. To my mind though this then blurs the role of others, say risk management, who have a role to both support team management to deliver better risk management, but provide a measure of independent review of line management’s review of it.
My personal preference is to see the second line as a corporate, independent of line management, but not corporate management function. The third line can then be more clearly understood as those functions independent of management with a line to the board. This makes more sense of the public sector’s use of evaluation, independent investigations functions, ethics and ombuds offices etc. often under the umbrella of an overall oversight provider, in my case inspector general.
I don’t think, therefore, that the IA’s best strategy is to wait until either the three lines model, or a new theory of corporate organisation takes root and becomes generally accepted. For in the interim period, likely a long time, IA will float about in a sea of uncertainty. What IA needs is some mechanism or hook on which to have a profession-wide debate to discuss and align around a common position. If only there was some process or global document that could prompt this…
So this brings me to my clarion call for the year. Please can we, as a global profession, take the opportunity of the new IA Standards to have this debate. Given the various thought leaders of the profession have raised a bunch of concerns about the draft, including my core observation that the Standards are missing a clear purpose for internal audit, can we perhaps pause their implementation by a year and have a good debate on it?
I am genuinely happy for everyone that exists in a world of certainty, either professionally or personally. In many ways I am jealous of such people. All I can see, across a range of areas in 2023, is uncertainty. If IA is doing its job properly this should be fertile space for a good risk-based IA function to add real value to its clients.
So, is it time for the profession to debate our corporate role? Do you have clarity of where you fit within your client?
My thinking about internal audit’s place in the world and the corporate setting has evolved over time. I consider myself to be very lucky to have been a professional chief audit executive, in charge of my own team, for a very long time, since 2006.
Being an internal auditor is a privilege. It affords an interesting career. It enables a strongly cross-cutting view of any organisation, from strategic to operational, cross functional, and global. As I have a low professional boredom threshold, being an internal auditor has suited me well. No other part of an organisation, apart from senior non-executive management, affords such a vantage point. It does this without the operational burden of executive responsibility. For me, therefore, it’s the perfect mix of being able to think, theorise, influence, improve and quality assure the client organisations for which I have worked.
I have also been super privileged to work for organisations that have amazing missions. Not for me the single objective of profit maximisation, but the more complex public service and multifaceted worlds of organisations driven by difficult, but worthy, missions. This makes being an internal auditor in these organisations hugely interesting. There is no single, financial and measurable metric of performance, rather a complex web of choices, trade offs, and moral and ethical dilemmas.
Even when I started my career, internal audit was not straightforward. Yes of course compliance was easy – management set out rules, were those rules followed in practice – the rules themselves talked about defined, clear and measurable processes, mostly financial, which could be aggregated into a single statement of internal control. Internal audit even then was reaching out to ‘add value’ by analysing how these rules were applied in practice.
Yet, when I started my career it was clear that for internal audit to be valuable it had to somehow step into the world of management. Not in executive terms – that’s a clear no-no – but in terms of somehow helping management with the daily experience of their lives. Management had to make difficult choices, often with limited resource, unclear or limited data, capacity and people challenges, with an ever changing external world, most especially customer or stakeholder demands. Internal audit had to be credible and meaningful in this space.
Internal audit’s answer to that, in the late 1990s and early 2000s was to be ‘risk based’. Of course, the IIA Standards did not really define this well, as the Standards, certainly in iterations prior to the current exposure draft, were purposely vague. This allowed a broad church of thinking and practice to flourish. The UK IIA, now Chartered, put out some guidance papers, but thinking on what it is to be risk based seemed to get stuck at the concept of an ‘audit universe’. This cut the client organisation into manageable pieces (auditable entities) and then ordered the pieces into ‘risk’ order. This was primarily a complex set of scoring that did little more than slightly amend the order a relatively knowledgeable person could achieve with the application of five minutes of common sense. Of course the measures of risk were typically gross measures, not net, and took almost no account of organisational objectives or the current control environment or the target or intended risk level of the organisation.
This approach followed very much the ‘follow the money’ adage which, whilst not always wrong, especially on fraud or misconduct investigations, in audit terms really became obsessed with size. I’ve learned however that risk in most organisations is managed through a combination of rules, processes, people and culture, which are not always about size. Risks as really managed in organisations are also rarely simple and two dimensional and are managed by a range of actions, large and small, tangible and intangible, across an organisation, and require a range of coherent actions to manage them. In other words, risks are more likely to be a thousand cuts, through a thousand control weaknesses, mediated through people and culture. Auditing an organisation, brick by brick, doesn’t cut it.
In my current role I have a specific mandate to coordinate all independent-of-management oversight, and independent-of-management integrity response (i.e. fraud response and investigations). Some of these components sit directly within my control, others not. It’s always been very clear to me that internal audit does not, and cannot, exist in a vacuum. It is part of the wider organisational structure, both within the independent third line entities, and external independent oversight entities and the three lines, including ERM but also HQ corporate functional oversight.
Coming to that realisation, you understand internal audit is but one tool to be used in this space. A good CAE should map and understand how second, third and external oversight fit together. Internal audit should, without taking a dogmatic approach, be able to flex to fill the spaces other providers cannot. For those internal audit functions that include a corporate investigations function understanding the map of integrity providers, ombudspersons, regulators, HR, legal, ethics offices etc. is also important.
I am now, some number of years into my career as an internal auditor, realising that internal audit has come of age and has an invaluable corporate space to occupy. I also see that, and this is my blogging theme for this year, now is a critical tipping point for the IA profession to really think about its raison d’etre.
The IIA exposure standards, given the challenges highlighted by many in their current construction, provide the IIA with a real opportunity to start a meaningful debate about what the strategic purpose and role of internal audit is. This section is blank in the exposure standards at present. I think a good place to start is to understand the space it occupies in reality in many organisations and to try to induce how organisations are using IA at present. That might provide a clue about what is going well and what needs to change. Perhaps the Global or UK institute might step up to the plate here?
Continuing my theme for my blogs this year on internal audit professional angst, I want to give some thought to the relationship between internal audit and the Board (or equivalent governing body).
As an internal audit professional I have always had a measure of ambivalence in my relationship with the Board. I have seen the current IIA Standards and their clear, formal and periodic links to the Board via the Audit Committee. I have, however, interpreted them as a little ambivalent. As a CAE I have always seen the relationship with the audit committee as a key one to be nurtured. After all IA is the key tool, independent of management, that gives the audit committee the ability to do its job of oversight.
I have been exceptionally lucky to work with some great audit committee chairs, who understood the role of the audit committee vis a vis the board, and vis a vis management. The audit committee, though is in some measure independent of the board, is also a creature of it, and is firmly ‘team governance’. Also of course, particularly in the public sector, IA is but one oversight provider, so the audit committee has a range of oversight clients. So that direct relationship with internal audit can be one of many for the audit committee.
The Standards have also been a little bit ambivalent about the relationship between the Board and the IA. Yes, of course there is the formal approval of mandate, the formal approval of the board for a range of IA steps and processes, the accountability of IA to the board through the audit committee. There was, however, in the Standards, a strong recognition that IA also has ‘Team Management’ as its client. Ultimately IA and the board are both oversight of management structures, but the Standards recognised that IA had a strong and equally important, in particular to senior executive management, relationship. It is still the case the IA has a strong reporting relationship often with (ideally) the organisation’s chief executive or (less common and less ideal) the CFO.
As a long serving CAE I, like many other CAEs, have had to balance that careful relationship with management and governance. Whilst team management and governance are getting on well, this is less of a problem. When those horses part ways, IA risks being stuck holding the reins of the chariot between the two. From experience that is not an easy place to be.
So, to the new, proposed, IA Standards. These appear to push IA into a team governance, oversight and regulation space. To my mind the strength of the Standards’ provisions in this regard risks being problematic. They risk driving a firm wedge between IA and management. A good CAE and good IA function, to my mind, is a bridge between management and governance. They ‘oversee’ or ‘garden’ the governance of an organisation to make sure the organisation, as a corporate vehicle, is able to self regulate and be effective. It is this subtlety that many experienced CAEs deliver, that is unseen and unnoticed by many, that is critical to effective functioning of their client organisations. It is also the difference between a junior and more experienced CAE. I know in my first CAE post it took me some time to understand and deploy an effective intervention in this regard.
I know a range of thought leaders in the profession are finding the draft IIA Standards challenging, and I think I would add this board relationship aspect of IA to the pile of things to be considered deeply before finalising the revised standards.
I am a passionate believer in the power good IA can bring to any organisation. This subtlety and link role between team governance and management is absolutely critical in my view, and should not be disturbed by any revised IA standards lightly.
So as we reflect on another round of corporate failures, this time in the banking sector, we see once again that governance is the issue. Yes, sure the regulators are partly to blame – but controlling a global industry from outside of corporate entities, via a set of global or country-wide rules, is not easy. One size does not fit all when it comes to regulation. It doesn’t matter what the regulator is regulating – schools, childcare, policing etc. the regulator can only go so far.
So I read, with interest, Andrew Edgecliffe-Johnson’s piece in the European edition of the Financial Times. He points out that the two American banks at the centre of the recent problems had poor governance. Not just weak governors, or governors that were a little below par, but obviously weak governance. At Silicon Valley Bank, for example, none of the risk committee had relevant banking expertise, though one had experience of the premium wine industry. In Signature Bank three of the CEO’s relatives were employed. On the back of these facts (assuming Andrew is correct) then I would add another question – where was internal audit?
We’ve been agonising as a profession in the last few weeks, prompted by the issuance of the draft IIA standards, about internal audit’s purpose. For me, internal audit’s purpose is clear. It is to be the guardian of good governance. It should exist to provide the regulators and stakeholders of any organisation, in any industry or field of operation, with assurance that the organisation is well-run, efficient, effective, well controlled, and operates with good governance. Internal audit, being inside the organisation, but independent from it, should have the detailed knowledge and independence to call out these issues. Perhaps if IA had done so for some of these banks, then they might exist now.
We can all point, in our industries and business areas, at organisations that have failed. Sure, some failed due to a complex set of circumstances that only became visible with the benefit of hindsight, for example those companies that got left behind by technology or by a significant change in customer demands. Most, however, fail due to egregious governance or business failures, usually driven by self-interest in higher returns without consideration of the related risk. This is a space where a dispassionate internal audit function can add value. It can point these things out without fear or favour, to management, governance and regulators alike.
Now I don’t see internal audit filling the space of an internal regulator. An internal audit function, in my view, will not be successful if it becomes the policing function of an organisation. Internal audit is at its most effective as a partner and trusted advisor, willing to point out problems when needed in a supportive and encouraging space. IA must sometimes, however, be brave (a point made in the new exposure draft of the Standards) where necessary to protect all of an organisation’s stakeholders.
As I suggested in my last blog post, and those throughout this year so far, the IA profession is at a bit of a crossroads. It does seem to need to find its purpose in life. Do we need any more hints before we take up this important mantle?
Please IIA Global – have a proper debate about IIA’s purpose, and add it to the new Standards!
What’s the point of internal audit? That’s a question anyone in the profession, from the seasoned CAE to the new IA intern, should be able to answer. Sadly, many can’t.
Why is that? I believe it’s because the IA profession is reaching a point of inflection and facing growing pains. The profession emerged from the dungeons of the financial controller’s department and is now, in so many places, an integral and expected part of organisational structure. Yet I think there are a number of debates that challenge, at an existential level, the IA profession.
First, there is team management. How do management teams feel about internal audit? Helpful? Useful? Necessary? Nugatory? I was told by a member of team management once that IA exists only because the organisation’s stakeholders don’t trust management; IA in effect offsets a deficit of trust in management. If that’s the case, not only is it a terrible indictment of team management but also a super depressing role for internal audit.
Then there is the next challenge around team management: the perennial inability of many management teams to organise, manage and ‘police’ themselves. A lot has been written by business school academics and others about organisations and their inclination towards dysfunction. Similarly, much has been written about what ‘good’ governance, management, bureaucracy etc. looks like. Yet we see the same corporate failures, bureaucratic dysfunction, ethical lapses, and inability to become fully ‘risk mature’. I’ve heard the promise of the sunlit uplands of good second line control and oversight, where, if done well, the need for internal audit becomes much more limited and smaller in scope. Yet fully mature initiatives in this space are few and far between.
Secondly, there is the challenge around governance. Defining it and improving it has been a near constant obsession of human endeavour since large scale industrialisation took place in the 19th century. Governance is a field of study in its own right, but the basic principle that a stakeholder group should ‘direct and control’ the organisation, without managing it, seems quite clear. So why do we continue to see organisational failures which get laid at the feet of ‘governance failure’?
Thirdly, there is the issue of risk management. The risk management profession is also facing growing pains, alongside IA, at present. It’s having an existential crisis around what it is. Quantitative or qualitative? A corporate governance or a management tool? For decision making, or for supporting direction and control? Risk mitigation or risk acceptance? The IA profession, having so closely hitched its wagon to the risk management profession, shares some of this angst as well.
Somehow, amongst this maelstrom of professional anxiety, the IA profession needs to set out its stall for 2023. In my blog post before last I set out how I saw risk based internal audit working. In my most recent blog post I set out my views on the new exposure draft IA standards. I see from public commentary that my view that IA needs to be proactive and clearly state IA’s purpose is shared by other commentators. The Global IIA needs to listen to IA practitioners or risk a period of decline and irrelevance of internal audit to the modern corporate organisation.
So what is my big purpose statement for internal audit? Well, I won’t propose specific wording, but in essence I see internal audit as being unique because of its qualities of independence and objectivity, whilst being internal to an organisation. This is a powerful position from which to protect an organisation’s achievement of its objectives. It does this through its independent reviews of governance, risk management and control, and through its position within the organisation as a bridge between staff, management, governance, stakeholders and publics. IA also holds the baton to protect itself and other independent third line entities (for example, evaluation, ethics and investigations functions), and by extension semi-independent second line entities (for example, risk management, legal, HR etc.), from being distracted and pressured by any party, including management. Finally, I see internal audit as having a role to provide the glue of coherence, coordination and understanding of risk and oversight messages from all independent or semi-independent parties to the organisation. This last point is a revelation that is quite new to me and so I will blog about it in more detail in another post. Suffice to say, the positional power of IA to pull together oversight and integrity messages is significant.
So what is my ask of the Global IIA at present? It is to please leave a placeholder in the new Standards for a meaningful purpose statement. Forming this will not be easy, but it is essential and apposite to do it. I recommend recognising this gap in the response to the ongoing consultation and launching a global dialogue to form a view about what that might be, even if it follows the update of the rest of the Standards, to be finalised in 2024. The current activity based definition of IA is simply not going to address what I see as an existential crisis.
The IIA’s exposure draft of its new global standards for internal audit is out. It’s traditionally not the most exciting date in my calendar, despite my being an internal auditor, because the change between drafts, certainly in the last 20 years, has been so slight.
I think this might be a little more of a step forward though. Overall, it does feel like an attempt to write in plain English. Gone are the performance and attribute standards; in are the principles and standards. I like that the Standards for the principles (setting out the more detailed attributes) are clearer and are better supported by practical preferred practices and suggestions for how to evidence conformance. The new domains for the Standards make sense too, covering the key things I would be looking for as an internal auditor or as a stakeholder of internal audit. I even like the glossary, previously left floating around and only implied as being part of the Standards, now much clearer as a point of reference for the Standards’ implementation.
So let’s start with the glossary. A number of interesting points struck me here. Words matter; otherwise internal audit would be somewhat dead in the water.
So ‘assurance’ is much more clearly stated as providing assurance in reference to something defined. This aligns with other auditing standards and limits assurance to attesting to some defined state or intended state. The need for defined criteria moves internal audit’s assurance role away from consulting, i.e. it cannot just be an opinion of the internal auditor; it must be an assurance opinion in relation to defined criteria. It does not, however, specify in a constrictive way what those criteria should be. So this should give risk-based internal auditors lots of space to establish various management-owned or management-set criteria, or if necessary to induce criteria from the management and operational context. For me, this is tight enough to give meaning to assurance, without limiting or condemning internal audit to a compliance, management-rules, box-ticking space.
Conflict of interest is less well handled. I am not sure a conflict of interest is something that merely appears to be a conflict of interest. Surely the clue is in the language: a conflict of interest is a conflict of interest. There are often perceptions of a conflict of interest, and of course these matter as well, but they are not, just because they might be perceived to be, conflicts of interest per se. I think the IIA should review this a little more carefully and disentangle the language here.
I’m happy to see control defined, not in compliance terms, but in risk management terms. I’ve long equated control with mitigating risk to a target level (or appetite, or tolerance), but to see it clearly spelled out here is good.
External service provider. This, interestingly, puts internal audit firmly internal to the organisation. I know lots of clients and sectors who have an external provider, but this definitely suggests they are supplemental to an in-house internal audit service. Perhaps this is one for a future blog post? Note that the term ‘outsourcing’ in the glossary seems to conflict with this, taking the clear view that one could legitimately outsource the whole IA function.
The definition of governance has a major flaw in my view. Putting management as a role of governance is inaccurate. In fact it takes most organisations a huge amount of effort to stop governance bodies from managing the organisation. I would rather see governance defined as ‘direction and control’ of the organisation towards its objectives. I can see what is meant by management in the definition, but the language is unhelpful here. The IIA should consider reviewing this further. Note that this equating of governance with management comes up in other parts of the glossary, so it should be carefully checked throughout.
The definition of internal auditing is fine as far as it goes. It seems rather to describe what IA does and how it might be useful, rather than situating internal audit within the organisational ecosystem in a clearer place vis-à-vis other professions and functions. The three lines model could have been useful here, with an independent, but internal, space which IA occupies. It also suggests a sense of IA being a nice-to-have and optional. I think for any organisation or activity that has reached any degree of complexity or significance, or one which has stakeholders external to the organisation, internal audit should be mandatory. This could have been defined here perhaps?
The definition of risk management also seems to me to get a little confused. Whilst the risk terminology is generally well handled in the exposure draft, the introduction of the concept of ‘reasonable assurance’ over the achievement of objectives seems to me to be challenging. If risk appetite is set high, it might be that non-achievement, or unlikely achievement, of objectives is fine from an organisational and risk management perspective. The purpose of a flexible risk appetite is to enable organisations to accept failure as a normal part of business as usual (of course not at a macro or organisation-wide level). Perhaps this definition could be tweaked to provide reasonable assurance of the achievement of a target (net or residual) risk level?
On the purpose statement: it does not really state a purpose. It defines the activities of internal audit and sets out how these might be helpful. This is a missed opportunity to situate internal audit within the organisational ecosystem, as for finance, HR, marketing, IT etc., and is all the more important given that IA is a bridge between management and the governance structures of an organisation. The three lines model would be a good start here. This is the big ticket item for the IIA to tackle in response to this consultation.
Under the Ethics section, the courage point is both welcome and well-made. The world seems unable to disagree respectfully any more. Culture wars, left / right extremism, and the lack of a centre ground and of consensus driven action seem to me to be a problem. I am glad that IA’s role to respectfully disagree and be sceptical is endorsed and welcomed in the Standards. I also like that the ethics section puts IA on a pedestal with a higher obligation to point out ethical breaches. In the evidence for conformance section there are a couple of areas which could usefully be reconsidered. For example, there is a point that IA should not make disparaging comments about individuals or the organisation. Whilst of course I understand the point, being critical and sceptical were highlighted earlier in the Standards as required. Similarly, ‘releasing information without proper authorisation’ is often used by those against whom IA may need to whistleblow as grounds to silence or sanction IA. Whilst I understand these points in common parlance and agree with them, I think some caveats here could be helpful.
On objectivity, the Standards make a lot of sense. The self-review risk is a little overstated in my view. I certainly can be critical of my own blog posts less than a week after writing them, such is my objectivity through years of training. Being so specific as to ban further work within a year does not make sense to me at a Standards level. I would set the principles, as they have, and let them be interpreted within the context of their day to day application. As stated above, the language seems to equate perceptions of conflicts of interest with actual conflicts of interest. This should be reviewed in this section to make sure that the perception of something is not defined as the thing itself. Otherwise the application of this principle will end up in all sorts of a mess.
On the competency section, I think an opportunity has been missed to differentiate the ability to internally audit something from the ability to run it from an executive perspective. One of the great potential criticisms of internal audit is that auditors are a jack of all trades and master of none. Often management teams complain that internal auditors don’t ‘understand’ (code for ‘agree with’) management’s view. Whilst I am a great believer in internal audit having technical skills related to the organisations they audit, internal auditing is a skill in its own right. There is a big missed opportunity here to define what that might look like, set it out, and be proud of internal audit as a profession. Perhaps another topic for a future blog post?
On conformance, I like the clear statement that the Standards take precedence over other national or organisational standards. This is both helpful and clear. The Standards are framed in a way that, I think, should not cause any organisation difficulty in accepting that their internal auditors have global standards to conform to, as they do for other professions working in their organisations.
On maintaining confidentiality, it is important to protect the whistleblowing function here. Releasing information may break confidentiality rules yet be done in the public interest, to a regulator etc. I would suggest this section is carefully reviewed to ensure this caveat is noted, to prevent its use to shut down the ‘courage’ rightly called for earlier in the Standards.
The strong emphasis on the governance of the internal audit function is helpful. For it is this that sets it apart from other parts of the organisational structure, and perhaps it could be used to frame IA’s purpose more clearly, as I suggest above. To my mind these Standards strengthen the statement of intent and practice in IA’s link to the Board (for example, the annual refresh of the mandate). I think this is probably good, though in practice this will vary in many organisations and will likely be a step up in the visibility of IA to the Board in many of them. This is the area where I think the Standards have moved significantly. Again, perhaps ripe for a future blog post?
I have a similar reaction to the ‘positioned independently’ section. There are some strong statements here, positioning IA as a clear tool of, or giving a clearer line of sight to, the governance structures. In reality this will be a jolt to many organisations where this is not the case. It will also put pressure on governance structures themselves to step up. I don’t disagree with the direction of travel here, but it is an interesting change in mood music and a more explicit statement of intent from the IIA. On the non-audit roles, I think these are clear, if a little overstated. If IA is to be much closer to the Board, then the space for a well valued and trusted IA function to deliver advisory, consultancy and other products should be protected (for often these help organisations far more, and far faster, than formal IA products do). There was an IIA practice note that allowed for such work to contribute to assurance, and this made sense, as consultancy is IA in all but name. Perhaps this section could re-affirm that statement so that work that is not a formal, board-reported audit is not seen as nugatory, second class, or less valuable in Standards terms. For in practice this work is often the most valuable thing IA produces for its clients and has the most impact on real-world outcomes.
On principle 8, Overseen by the Board, I have the same reaction as above. It shifts IA firmly into a specific governance space. This is more clearly stated here than in the previous Standards and I think will jolt a number of real-world practices. I suspect for the good, and I don’t object in principle, except that it must be carefully done so as not to lose the ‘safe’ internal-to-the-organisation space that IA has between management and the board. For it is this special space that creates IA’s real organisational value.
On resources, yes, I think stating that resources should be sufficient is helpful. I am less keen on the idea that sufficient means enough to deliver a plan. I would frame this in terms of the overall outcome and objective for which a plan should exist. A plan is a means, not an end. This speaks rather to my top level contention that the Standards seem to lack an overall purpose and outcome for internal audit as a profession, and rather focus on activities and practice.
I think the managing the internal audit function section is okay, if a little too detailed for global Standards. Why specify a monthly review of IA’s budget?! The formal review of the charter and its approval is interesting and speaks a lot to the step up in Board-level oversight envisaged in these Standards. On reliance on the work of others, the requirement to do this, not just guidance on how to do it if needed, is welcome. Many organisations have lots of independent third line oversight providers, so making the IA function part of this wider ecosystem is welcome.
On communications, again nothing to object to here, but the Standards are, at times, absurdly specific on what should be done. A requirement to attend groups that report to the Board, for example. I think it best to establish some principles here and otherwise offer suggestions only.
On performance measurement, this is a welcome addition. To make clearer the requirement to assess performance is a good step forward. So many IA functions either don’t do this at all, or do it in a perfunctory manner, that making this clear will improve matters.
The section on planning engagements is again very detailed and specific. There is nothing specific I object to, but this guidance collectively amounts to being very detailed about what internal audit is. Perhaps this is a good thing, but I wonder if it takes the Standards into a less principles-based space? It may also make IA less agile, when agility is a clarion call to the profession.
On 15.2, confirming the implementation of action plans: I don’t like the principle of confirming that management teams have done what they said they would do. Surely it makes more sense, in a risk-based world, to confirm that the risk has been mitigated, through those actions, to the intended target risk level?
So what’s my overall conclusion from this review? I like the Standards’ structure. I like their plain English. I like the principles. I think there is a missed opportunity to set out the overall purpose and space of internal audit. I think the overall positioning of IA as being under the board, as a part of governance, risks losing IA’s space to bridge between management and governance. I think the Standards push IA to be super independent at the risk of becoming like internal regulators. I do think the second half of the Standards is somewhat too detailed and reverts to a very detailed set of rules reflecting a quite traditional view of internal audit, which is not matched by the ambitious and modern principles up front. Perhaps the latter section could be more principles-based and not so detailed and granular.
It’s a big document and I need to reflect further, but I hope my first scan and thoughts are helpful and useful. I welcome your thoughts too.
Being a lifelong professional internal auditor is a strange career choice. Certainly for my generation, internal audit was less of a choice and more something we fell into. The profession of internal audit, despite having been founded in the middle of World War II, was still a young profession. Most internal auditors did not qualify as IIA members. The Institute in the UK was still to receive its royal charter, something the accountancy institutes had achieved in the 19th century. It was perfectly acceptable to take a role as a head of audit as a qualified accountant, with really only a glancing blow of professional experience of internal auditing. Certainly the global reach of internal audit, as we see it now, had not been achieved.
So we all know the story of internal audit. Born out of the financial controller’s section to enforce financial controls, seen as a compliance and box-ticking function, with a remit to follow money and assets. Gradually this remit expanded into broader operations oversight to support a ‘statement of internal control’, most of which, to this day, are still statements of internal financial control. Then the profession jumped on the risk management bandwagon. In doing so, it slowed the growth of the risk management profession and its developing institutes, and claimed a set of expertise which many internal auditors don’t really have to any great degree. The mantra of ‘risk based’ is still far stronger than the reality. For many functions, risk based means ordering the organisation or world by notional risk size, mainly driven by gross risk indicators. It does not really focus on the net risk (as actually experienced by the organisation as a result of its risk mitigation efforts), nor have a strong (in some cases any) link to the organisation’s objectives or risk appetite (tolerance or target risk, take your pick).
So here we are. A profession, as I said at the top of the year in my first blog post, somewhat at a crossroads. Perhaps a good historical perspective and analysis might be helpful? Perhaps there is a good IA history out there (links and suggestions welcome)? History is often a good indicator of the future. It can situate us in a broader, longitudinal context and enable us to take more purposeful and confident steps forward.
I am yet to read the new exposure draft standards. That is my task for this week. It will be interesting to see if the new Standards really tackle what internal audit is at its core, rather than just the core attributes and practices of internal audit. If not, perhaps this is the opportunity for a wider debate about IA’s position in the corporate hierarchy? To be fair to IA as a profession, I don’t see much of this debate for other professions (accounting, comms and marketing, HR, IT etc.), or perhaps I just need to go and refresh my MBA to catch up on these live debates?
So to my blog headline. Taking into account how I see the internal audit profession, are we a creature of HQ, or of operations (or ‘the field’)? My view is that we are, of course, both. I like to see myself much more as a creature of operations, however. Why? First, if internal audit is done properly it should see the reality and complexity of getting stuff done in the external and internal organisational context. Secondly, internal auditors ‘get around’. Certainly in my current client sector, internal auditors travel a lot. They see operations on the ground. This has been true for all the client organisations I’ve ever worked for. Thirdly, and perhaps I am atypical in this regard, I am not a rules and compliance based person. As a social scientist at heart I recognise and validate the human aspect of organisations. These human factors are so much more powerful than compliance and rules. It is very hard to enforce rules and compliance. Very few industries and clients have ever managed to enforce them. It is far better, in my view, to look at the incentives and culture and change those, than to mandate behaviours and rules that are not aligned to these very human drivers of behaviour and action. Win the hearts and minds of staff and this will drive change in a way that simply mandating a set of rules will not.
It always surprises me how management colleagues confuse internal audit’s non-executive role with an inability to manage, not least because we manage our own functions, but also because we have often seen many more strategic, tactical and cross-cutting things than many management colleagues have in the same time period. For if an internal auditor cannot, in a meaningful way, actually step into the shoes of management, they are likely to be ineffective as an internal auditor. I would say a good, risk based, internal auditor would make a great general or strategic manager.
Internal audit should also, however, be a corporate darling. I think internal audit must understand the governance and senior executive management perspectives in its organisation. After all, internal audit, at its core, should assist its client organisations to achieve their objectives. If not, we should pack up and go home. So understanding these perspectives and their politics should be a core role for any chief audit executive. Rainer Lenz published a good 4×4 diagram on this some while ago, arguing that CAEs should avoid being naive or engaged in politics, but should be politically aware and savvy. I support this view. A good internal audit function is a praetorian guard for the C suite, bringing the reality and challenge perspective to what can often be an isolated space.
So overall, I see internal audit as a link between reality and theory. C suite and shop floor. Both strategic and streetwise. Theoretical and policy oriented, but practical and pragmatic. It’s a tall order, so how do you do it?