I am belatedly setting my objectives for the coming year, both for and at work, and also personally. It’s a good thing to stop and think about what you wish to achieve, and to set measures and metrics to assess it.
Whilst I know every chief audit executive considers their audit service to be more than just themselves, there is still a temptation for it to be seen as, and genuinely be, a reflection of the CAE leading it. This is especially so in internal audit for three reasons. First, many audit services are relatively small, so the span and depth of control of the CAE is relatively all-encompassing. Second, internal audit provides a principles-based framework of standards and compliance, which allows quite a wide latitude in how the actual service manifests itself. Third, internal audit services are held together by their methodology. This methodology is not just the processes and documentation used by the service, but is also a view of the world, which is as much intellectual and ideological as it is practical and process-based.
So that’s why, when I set the standards for the year for my service, review the templates and processes, and look at the skills and needs I have for my service, I am, as much as anything else, reflecting on my own development and view of the world. I take a granular interest in these things; they matter. I have said in this blog before (Radio Four or Three auditing) that, much like a business, internal audit has a brand. This brand is set and controlled in large part by the CAE. They set the tone, basis of engagement, style, content and method of engagement with their clients.
My current team will, no doubt, say that I am too detail-focused and obsessed with format and style. Like a top restaurant or an upper-class retailer, the image and the way the service is delivered are as important as the content (though in my view each must be supported by the other). This is inculcated through the methodology, the training and the leadership (in practice) from the CAE. It is enforced through quality assurance and review. Eventually, in my experience, the team will self-edit and review with very little input from the CAE.
So what should be the bedrock for those standards? I think it should be the International Internal Audit Standards. These have the need for compliance built in; in particular, the need for an external quality assessment (EQA) by a competent third party every five years. There are many ways in which reviewers assess against these standards, but the one that seems to have gained traction is the ‘fully / generally / partially / does not conform to the standards’ set of opinions.
When I’ve been benchmarking services, I’ve found that ‘generally conforms’ is the most given opinion. Generally conforms ‘indicates that an IA activity has a charter, policies, and processes that are judged to be in accordance with the Standards, with some opportunities for improvement’. So that sounds good. Or does it?
If we look up the word ‘conform’ it means comply. That means meeting the standard. So it is a binary judgement. That must therefore mean that ‘generally conforms’ also, conversely, means does not comply in parts. It seems odd to me that a profession obsessed with being ‘risk based’ would then have such a two-dimensional, binary, non-risk-based compliance opinion applied to itself. So is a ‘generally conforms’ service at significant or minor risk of not meeting its objectives? How impactful are the areas of non-compliance? Not complying with ethics is presumably much worse than not issuing a form of opinion on an assignment-level piece of work, or not immediately drawing the board’s attention to an error in an audit report? Who knows?
When I had my service’s EQA at the beginning of this year, I was clear with the reviewing party that I did need the requisite badge, and yes, expressed in terms of compliance, but that I was much more interested in how good that compliance was. Did my internal audit service make a difference to my client? In other words, did the work of my service amount to a hill of beans or not?
That’s not something that is so easy to express, particularly in terms of the Standards, as the Standards require basic compliance only. They do not require any particular measure of quality. Compliance with them neither guarantees nor prevents quality audit work being done. As an example, let’s take Attribute Standard 1100:
Threats to independence must be managed at the individual auditor, engagement, functional and organisational levels.
Well, you either do or do not manage independence at these levels. The standard does not require it to be done well, or to a low risk appetite, or to a high quality, merely to be done. Let’s take a performance standard:
The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
Again – there is no requirement for the risk assessment to be good or of high quality, merely for it to exist and be done annually with input from senior management and the board. So I wonder, how is it that so few audit services fully comply? I consider the Standards, therefore, in terms of risk-based quality delivery, to be merely the basis and required baseline framework. I ask again: how, then, do so few audit services obtain a fully compliant opinion?
I expect and inculcate in my audit team a methodology and set of professional standards and ethics that mean they naturally comply with the Standards, both collectively and individually. This does take time, but high-quality auditors will comply with the Standards without even thinking about it. I know and trust that my team will comply with the Standards, because they know that they should and because I, and my senior team, have inculcated good internal audit as an instinctive response. That does not mean I don’t check and review, or that I never have to correct the tiller, individually or collectively, to make sure it remains so. Nor does it mean I do not undergo an EQA as required (indeed, it’s a useful process).
For those of you wondering about my EQA, my service was deemed fully compliant, and the review also identified things that I and my service could do better and more of. That’s a long way from non-compliance in my view, and as internal audit has so much expectation upon it now, can any of us afford not to comply?