Conducting a multi-location risk analysis for audit planning purposes in a small audit shop

The baseline

As CAE of a small audit shop in a complex environment, I have to comply with the IIA standards like any other CAE. The performance standard for planning purposes is of course "2010 - Planning", which states that "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."

The context

Now, our internal audit department of two people is responsible for an audit universe consisting of a main office, country offices in 18 different countries and about 200 active projects per year, with, give or take, about 250 million euro of yearly spend in these projects. These projects are very wide-ranging, from building roads to assisting foreign governments in developing strategic plans in certain sectors. As we work mainly in fragile states, the risk profile of our projects is often quite high. This is a significant challenge for planning the slightly more than 400 man-days per year I have available to me.

So we had to come up with an efficient as well as effective way of complying with IIA standard 2010, while ensuring our assessment was as relevant as possible, to make sure our focus is where it should be.

This is what we did ...

Phase I - Open online questionnaire

While my initial intention was to ask project managers, country responsibles (equivalent to middle management) and headquarters-based middle management for their opinion, we quickly determined this was not feasible from a practical point of view. Why? I decided to work with open questions, allowing all participants to voice their opinion on the top five risks ahead of them in the coming two years. Integrating all these open answers for more than 200 participants would have been too time-consuming. In the end, we queried about 50 people in total, using the forms function of Google Docs as our system.

For each of the five most important risks, we asked the participants to evaluate the following three elements:

  • the likelihood of the risk occurring in the next two years
  • the impact the risk would have on the area under their responsibility if it were to occur
  • the current level of risk mitigation based on existing procedures and controls with respect to the risk

We provided only limited guidance on how to quantify these evaluations. The evaluation was done on a qualitative rather than a quantitative basis, using statements such as 'very high' or 'very likely' rather than numerical values.

As was to be expected, the results were quite varied. Some respondents looked at risks from a very high level, with a significant focus on external threats, while others approached it from a very detailed position.

Lessons learned from phase I

We learned the following two important lessons from phase I:

  • Although the results were difficult to reconcile, this exercise brought us a lot of different points of view which were highly complementary. This information has become an important input in customizing the risk model which we will be using next year for the risk-based audit planning.
  • We shied away from using a comprehensive risk model as the basis for questioning in our initial open online questionnaire. However, in order to involve more people in this initial assessment, we will be using a structured, closed questionnaire next year.

Phase II - Team meetings per department

After processing the information gathered in phase I, we followed up with meetings in which all middle managers were invited to participate. Some of them declined because they had already shared their considerations in the open online questionnaire. Others felt they wanted to further detail their considerations.

In the meetings, we steered the discussion towards the following three elements:

  • We started discussing risks related to processes in their area of responsibility;
  • we then moved to discussing the risks related to people;
  • and finally we discussed systems at their disposal and risks related to these.

Based on these meetings, which we conducted with each of the departments of our organization, we arrived at an enhanced list of 'risks' related to each of the departments.

Lessons learned from phase II

We learned the following important lessons from phase II:

  • We again used an open format. While this is valuable in the context of such meetings, providing the participants with some information on the structure we intended to follow may have focused the discussion more.
  • There remains a trade-off between focusing the group (and perhaps losing essential information on less clearly perceived risks) and letting the group range as broadly as possible in its scope and discussion (and perhaps losing focus on some of its key challenges).

Phase III - Delphi analysis within the internal audit department

Based on phases I and II, we now had a good deal of information on the risk exposures of our departments. Now we needed to translate this into a comprehensive, internal-audit-owned risk analysis.

We developed a spreadsheet in which, for each of the departments and functions in our audit universe, we independently assessed, as internal audit experts and based on the information gathered, the impact and likelihood of the risk and the perceived current level of risk management. With respect to impact, we defined different types of impact, i.e. impact on finances, impact on reputation ...

We compared the results of our independent assessments, focusing mainly on those assessments that were significantly different, looking at the underlying scores we each attributed to the different departments and functions. In a very open exchange, we agreed on a final score for each of the departments and functions.
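As an added example, not code from the original post, the Phase III spreadsheet logic written out in Python: each auditor scores every department or function using the qualitative labels from Phase I, divergent scores are flagged for the Delphi discussion, and agreed scores are recorded for those. The five-point scale, the "worst impact type counts" rule, the mitigation factor and the divergence threshold are assumptions chosen for illustration, and the sample data is constructed.

```python
"""Phase III in code: independent scoring, divergence flagging, agreed final scores.
Scale, weighting and threshold are illustrative assumptions, not the post's values."""
from statistics import mean

# Qualitative labels from the questionnaire mapped to an ordinal 1..5 scale (assumed).
LEVEL = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
LIKELIHOOD = {"very unlikely": 1, "unlikely": 2, "possible": 3, "likely": 4, "very likely": 5}


def residual_score(assessment):
    """Residual risk for one auditor's view of one department.

    inherent = likelihood x worst of the impact types (finances, reputation, ...)
    residual = inherent x mitigation factor: 'very low' current risk management
               leaves 100% of the inherent risk, 'very high' leaves 20% (assumption).
    """
    likelihood = LIKELIHOOD[assessment["likelihood"]]
    impact = max(LEVEL[v] for v in assessment["impact"].values())
    mitigation = LEVEL[assessment["mitigation"]]
    return round(likelihood * impact * (6 - mitigation) / 5, 2)


def reconcile(assessments, threshold=5.0):
    """Compare the auditors' independent scores per department.

    assessments: {department: {auditor: assessment}}. Returns, per department, the
    individual scores, their mean and a 'discuss' flag set when the spread between
    auditors reaches the threshold: that is the agenda for the Delphi discussion.
    """
    result = {}
    for dept, by_auditor in assessments.items():
        scores = {a: residual_score(x) for a, x in by_auditor.items()}
        spread = max(scores.values()) - min(scores.values())
        result[dept] = {"scores": scores, "mean": round(mean(scores.values()), 2),
                        "discuss": spread >= threshold}
    return result


def finalize(reconciled, agreed):
    """Final score per department: the agreed figure where a discussion was needed,
    the mean otherwise. Refuses to finish while a flagged item has no agreed score."""
    final = {}
    for dept, r in reconciled.items():
        if r["discuss"]:
            if dept not in agreed:
                raise ValueError(f"{dept}: divergent scores, no agreed score recorded")
            final[dept] = agreed[dept]
        else:
            final[dept] = r["mean"]
    return final


def ranked(final_scores):
    """Departments ordered by final residual score, highest first: input to the audit plan."""
    return sorted(final_scores, key=final_scores.get, reverse=True)


# Constructed sample: two internal auditors, three items of the audit universe.
SAMPLE = {
    "Country office A": {
        "auditor_1": {"likelihood": "likely", "impact": {"finances": "high", "reputation": "medium"}, "mitigation": "low"},
        "auditor_2": {"likelihood": "very likely", "impact": {"finances": "very high", "reputation": "high"}, "mitigation": "low"},
    },
    "Finance HQ": {
        "auditor_1": {"likelihood": "possible", "impact": {"finances": "high", "reputation": "low"}, "mitigation": "high"},
        "auditor_2": {"likelihood": "possible", "impact": {"finances": "high", "reputation": "medium"}, "mitigation": "high"},
    },
    "Procurement": {
        "auditor_1": {"likelihood": "likely", "impact": {"finances": "very high", "reputation": "high"}, "mitigation": "medium"},
        "auditor_2": {"likelihood": "likely", "impact": {"finances": "high", "reputation": "very high"}, "mitigation": "high"},
    },
}

if __name__ == "__main__":
    rec = reconcile(SAMPLE)
    for dept, r in rec.items():
        print(dept, r["scores"], "-> discuss" if r["discuss"] else "-> no discussion needed")
    # After the Delphi round the team records the agreed score for the flagged item.
    final = finalize(rec, {"Country office A": 18.0})
    print(ranked(final))
```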

Lessons learned from phase III

The results were quite nuanced. The independent internal audit risk assessment is but one input in the overall planning, which we will detail in a later post. We will continue to own the final assessment ourselves, as this is required if we want to remain entirely independent and objective.

Overall conclusions

In short, we will be using a more structured approach for the first two phases, in order both to involve more people in the exercise in phase I and to provide better guidance for the discussions in phase II. However, the two-step approach will remain in force.

Using the information gathered to develop an independent, audit-centric risk analysis, in which we use a Delphi technique, has proven to work very well. It aligned with the risk profile the external auditors estimated for our organization, which was an additional validation for us.

The impact of learned helplessness on audit recommendations

Learned helplessness in organisations has become an agent of the resistance

Ron Ashkenas wrote a very interesting article on the HBR blog a while back: in "Learned helplessness in organisations" he addresses the "external" excuses that process owners manage to come up with in order not to change their process. To quote him:

"This phenomenon — which one of my clients has dubbed 'learned helplessness' — has the power to permeate the culture of an organization. Like a spreading infection, managers pass on learned helplessness from group to group and level to level. Eventually the standard response to any initiative is some variation of, 'We'd love to do that, but we really can't.'"

Auditors are frequently confronted with change resistance

It’s a statement very familiar to internal auditors, especially during the recommendation phase. Proposed solutions are rejected or never implemented because the process owners use this phrase as a defense (less frequent) or are genuinely convinced (more frequent) they are not able to change and optimize a process because of external constraints.

It gets worse: a lack of, or an inconsistent, understanding by supervisory bodies tasked with checking compliance with certain rules and regulations, internal or external, often leads to requirements being imposed on process owners which are (at best) not in keeping with the intention of the rules and regulations or (at worst) diametrically opposed to them. Let me share a real-life situation I once encountered:

During a process reengineering project we were interviewing clients of the organisation we were reengineering. As it was a government organisation with a significant role in checking compliance of actors active in its regulatory space, we wanted to determine the relevance of its compliance requirements. The client of the organisation told us that they had adapted their procedures to comply with the requirements imposed by one inspector, only to find that these requirements were overturned by the next inspector that visited them. Both inspectors came from the same organisation.

How to approach change resistance

Well, it takes persistence. Ron Ashkenas recalls:

"Undaunted by their response, my colleague asked the managers to simply list all of their reports, approval procedures, reviews, audits, metrics, decision forums, standing meetings, and other management processes. He then had them identify which ones the government required, and which had been created internally. Much to the managers' amazement, the vast majority of these management processes were self-generated — which meant that they could streamline much more than they had thought."

So the key challenge to the internal auditor is whether you accept the statements of your auditees as to their capability to change certain processes, or whether you are critical enough to challenge aspects that may actually lie beyond the scope of your audit or indeed even beyond your technical capabilities. Another story:

We were once auditing an organisation which did some of its technical testing using certain crystals in a destructive testing procedure. These crystals were either worth a lot or nothing at all, depending on the quality of the crystal. According to the engineers, there was no way to value the crystals other than destructive testing. The value of an individual crystal was material to the financial statements of the organisation. We consulted with an expert, a university professor, who was nice enough to give us his opinion for free, and he pointed us to some recent research which allowed for non-destructive testing and hence better valuation of the crystals. The engineers at the organisation had not been aware of recent developments, and had assumed the only way to test was destructive.

As far as I am concerned, the value of your audit is of course the reasonable assurance that can be derived from the auditing work itself, but also, and often ignored, the added value of relevant recommendations. These recommendations need to be as relevant as possible, and where required need to break through certain assumptions that have been underlying the current procedures, often for years, that are no longer valid.

The rotational audit staffing model - a small audit department's perspective

Richard Chambers recently published an excellent article on the rotational audit staffing model. I wanted to add my perspective as the CAE of a small audit department, active in an inherently complex sector, development aid.

The reality of a small audit department

The size of the audit department is most often a function of the size of the organization it operates in. Yes, I am abstracting here; there are other significant factors of influence, but look at any GAIN analysis and you will find a significant correlation between the size of the organization and the size of its audit department. The complexity of the sector and its activities is not usually a factor, although it should be.
As the most important influence is organizational size, organizational complexity is often just something the audit department needs to come to terms with. In reality it's unlikely that a small audit department has all the competencies within its confines to adequately audit every aspect of that organizational complexity.
Of course, not auditing these subject areas is not an option, quite often because these more complex areas of operations are among the more, if not the most, risk-prone. This is an important aspect in our operations: the more complex the project structures, the more exposed they are to risks. So, how do we go about this?

The rotational guest auditor

We actually turned the rotational audit staffing model which Richard talks about around by about 180°. Rather than having people rotating in and out of internal audit as part of their management (fast) track, we have a small permanent audit team, which is there for the long(er) term, with operational collaborators rotating in and out on an ad hoc basis as a function of individual audit projects. For example, we will use a person with a deep understanding of our different reporting structures and requirements if we need to look at reporting as an aspect of an operational assessment of one of our regional sectoral support structures.
Of course, this approach is not without its challenges. Confidentiality of the audit findings and independence of the guest auditor are aspects which we approach with due and necessary care. Failure to appropriately address these concerns will lead to the loss of confidence in the adequacy of the internal audit process and hence in the validity of the internal audit department's approach. Of course we want to avoid that.

What the guest auditor brings to the table

The guest auditor operates as a subject matter expert. He or she has experience in a field adjacent or related to the field being audited. This eliminates the need for a significant investment in audit techniques training, as the guest auditor is surrounded by an audit team well versed in these aspects of the audit process. He assists in developing the audit approach, explaining to us what we need to look at and what we can expect to find; he assesses and interprets what we see coming out of the audit tests (as compared to what we expected to find there); and he adds an additional dimension of interpretation to the results which the small audit department would not necessarily be able to offer as quickly, or at all.
Even when working in a field adjacent to his or her own, the guest auditor's independence is very closely monitored by critical auditors, in turn supervised by the CAE.

Additional value for internal audit

Our currently limited experience of this new way of operating has already shown that not only does the guest auditor add value to the internal audit work, but the appreciation for the daily internal audit activities increases significantly after a spell as a guest auditor. The guest auditor is often surprised at the level of intensity and the work rhythm of internal audit professionals, which increases the appreciation for our work.
We are actually looking forward to auditing some of our guest auditors. We expect them to both be more aware of our challenges and to be better prepared for the audit itself.

In conclusion

All in all, this approach which was conceptually developed by my predecessor and which we have now implemented seems to work well for our small internal audit department. It actively adds value both to our audits and audit reports and to the guest auditor.

Where to put your internal auditors?

Imagine the following theoretical scenario: you have an organization which has a significant number of different activities. It looks a lot like a typical Japanese supercompany, with diverse activities across the entire activity spectrum, not necessarily related to one another. You have one audit committee you need to report to. Where do you put your auditors and how do you ensure they remain as objective and as relevant as possible?

Physical localization of the audit team

Your team, or part of your team, needs to be as close as possible to the actual operations. Visiting audit teams alone are not really enough to develop a thorough understanding of the activities if the range of activities is very wide. Being there makes sense for two reasons:

  • First, your auditors will have their finger on the pulse of the management team responsible for that activity. They need to be able to interact, both formally and informally, on a regular basis, with the accountable people in the organization;
  • But not only that … just being able to tap into the discussions on the work floor allows an auditor to quickly pick up on important issues. Note, this is not being the Gestapo at all. After all, our role is to provide reasonable assurance and advice.

Local team sizes

It really doesn’t pay to have just one person present, who interacts with the organization and calls in semi-external support when audits need to be done. That would be like getting married and having your friend taking your wife out for date night. While ad hoc support in specialized aspects is important, note that the trust which is so essential in tapping into the vein of an organization is quickly lost if responsibilities of auditing are outsourced. And while you may argue that calling in support from a central team is not outsourcing, trust me, it is in the eyes of the auditee. If it is not their trusted team, it’s “someone else”.

Loading the team members and cross-training

Of course, it does not make sense to have full teams with overlapping competencies and too much time on their hands present at all locations. Rather, it makes sense to have specialized people available within the organization to ensure that all specific audit issues can be dealt with. There are two models here:

  • Model 1 proposes a centralized audit service where specialized competencies, such as IT audit skills or governance audit skills, or multiple-use skills such as public sector budget skills, are present. While this may make sense from a theoretical point of view, I don’t believe this is the best possible solution. After all, you get resources which are in essence idle unless they are being called in for specific assignments. The usage of these resources will traditionally be lower than the usage of other, dedicated resources. Their depth of knowledge will traditionally be lower as well;
  • Model 2 proposes embedding expertise, specialized competencies, in the teams themselves. While available for a specific audit, these auditors are planned and used as traditional auditors when not required to exercise their specialized skills. If the planning system is developed well, this should allow for better planning.

Honestly, I’ve seen a number of “expertise” cells in different organizations. As long as they are not actively deployed in the field to engage in work and develop their understanding, their advice remains theoretical. It may be well written, but it makes little to no sense.

What should be centralized?

Ideally, planning of the specialized resources should be dealt with at a central level. Exchanges of approaches and methodology are relevant as well. People can be rotated between teams during the early years of their employment as internal auditors, to develop a broad view, but need to be dedicated to one organization at one time. This creates an engagement and a responsibility which will be lacking if you are one step removed. Appointment and rotation of audit directors can be centralized as well. However, audit execution responsibility needs to remain decentralized.

In conclusion

Where to put your auditors is an important decision which, if not well considered, may cost you a lot more than just idle resources. Failing to properly position your people can lead to loss of confidence in your capability to execute an audit and jeopardize the timely execution of the audit plan.

Not at the table, but perched on the radiator

Headline

A number of recent publications have extolled the virtues of internal audit having a seat at the management table. I don’t agree. I think that a seat at the table for the Chief Audit Executive would probably be the worst place to be. We need to be in the room, but probably sitting on top of the radiator, listening to the conversation, and on a regular basis raising a finger and saying the sacred words, “Yes, but …”

The curse of the “trusted business advisor”

Becoming the trusted business advisor has been a fad for a lot of consulting and advisory organizations for the past 20 years. I know, I’ve had to hear the mantra many times in my years on the other side of the table. I’ve been a consultant. The problem is that it’s a mantra. When asked as to the why, the answer always turns out to be: “to sell more work.”
Anyone speaking about trust without being invited to do so automatically deserves my distrust. I may be cynical, but I’m an internal auditor. I was bred that way.

Our role

Let’s revisit the definition of internal auditing:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

I can’t help but notice that the fifth word of that definition is “independent”. Independence, of course, serves a purpose. I’ve written about that in the past. Independence aims to ensure the highest possible objectivity. And in order to be able to be objective, you need to develop at least some distance to activities of the management team.

I also note the word "evaluate", which again implies the ability to look at something from a certain distance, without being so distant that you can no longer observe it at all (see my rants about where internal audit should be positioned in the Belgian federal government, for example).

Our role, extended

There is another role we have as internal audit, which I have yet to see formalized in the definition. But perhaps I’m reading it wrong. For me, an essential role of internal audit is the following:
As an evaluator of risk management, control and governance processes, we need to be the moral compass of the organization and its management team in a world where competitive and other pressures push relentlessly on the individuals making up such a team.

Where we need to be

I believe we do not need a seat at the table, no matter how enticing it may be for some of us. Getting a seat at the table means sharing the warmth of companionship of the peers with whom you work every day. But you’re the auditor, they’re the management. It also means that you may be too close to be able to evaluate objectively. This is called parallax, and it’s an issue in measurement.
However, we do need to be in the room. Perhaps we should be, as I said before, not at the table, but off to the side, sitting on top of the radiator, listening to the conversation, respectfully pointing out where true North is if it tends to get lost.

Weaponizing internal audit - part II

I missed an important element when writing the short post on weaponizing internal audit. That post was inspired by a sentence written by Mike Monteiro in his new book, “Design is a Job”.

When we talk about using internal audit as a defensive asset whose presence should ensure higher compliance, it also requires internal audit to be credible. This is an often overlooked core feature of internal audit. Credibility is related to a relevant and thorough understanding of the subject matter one is auditing. Lack of adequate credibility is a comment often heard about external auditors, even though they often only work within a narrowly defined field within external audit boundaries. These boundaries are backward-looking and financial.

Proximity to the subject matter makes an internal auditor credible

A key element which makes an internal auditor credible is his or her deep understanding of the subject matter. This is why outsourcing of internal audit to large providers often is not a good idea. This is also why I really don’t support the large internal audit model which is now being pushed at the level of the Belgian federal government.

My audit reporting workflow on a Mac

This is a post about my current audit reporting workflow. It's based on working with an Apple computer. Why Apple? Simple: the software becomes ubiquitous, it disappears into the background. In the many years I used Windows, I never had the feeling that the software simply got out of the way. With Apple, I have that feeling all the time. It saves me hours each week because the tool switches, if required, are easier and less intrusive, just because the tools are so ubiquitous.

Context

I'm the head of internal audit for the Belgian development agency. We operate in 18 countries, most of these in Africa. We're a small audit team, but a very motivated one. We have a significant audit universe, which we share with the external auditors. These are both the CPA-equivalent auditors and the court of auditors.
Given the size of the audit universe, we need to be very risk focused. Even then, we search for efficiency in auditing all the time. This is why the efficiency and the effectiveness of my workflow is so important. Let me take you through it.

During the audit: nvALT

We try to keep our work papers as tool-independent as possible. For any type of text this means, for me, using txt files. And the most effective tool for that, for me, is nvALT, the fork of Notational Velocity developed by Brett Terpstra.
nvALT seems a simple txt editor, but it has a lot of functionality. I use only the bare essentials of the application. Each finding and each observation is described in a structured format, which I have developed in TextExpander. I tag the notes; nvALT uses OpenMeta tagging. This allows me to easily find my notes for a specific audit again. Using nvALT really reduces the friction. Either I write during the interviews or the detailed testing itself, or I document as soon as possible afterwards.

Structuring the report with Mindnode Pro

I got introduced to the concept of mind mapping a couple of years ago and it has stayed with me ever since. I'm not a mind mapping ninja, but I use it whenever I feel that I need more than the traditional hierarchical structures to develop my ideas. Audit reporting is like that. It's important to be able to communicate clearly and concisely to the reader, be that the audit committee or the auditee.
Mind mapping allows me to test a storyline which makes retention and recollection for an audit committee bombarded with much information as easy as possible. The better the report is structured, the better the acceptance of the findings and the support for the recommendations will be.
In order to be able to easily restructure during the development of the reporting structure for that specific audit, I mind map and move elements around until they make sense to everyone.

Consolidating the structure with Omni Outliner

Once I'm happy with the reporting structure as developed in my mind mapping software, I lock this structure in using OmniOutliner. All tools of the Omni Group are well thought out, and OmniOutliner is no exception. Again, I'm likely using about 10% of its potential, but for my purposes, it's excellent. Moving from the mind mapping software to the outliner happens through an OPML export. This specifically structured text (XML) file allows for easy transfers of document structures.
The outliner is then used to add several layers of structure to the different chapters. Some of these are standard, as each finding is structured in a standard manner. Some of these are specific, or may indicate additional information to get from sources to really lock in the finding.

Final reporting in Byword with nvALT

Once the structure is finalized, I export the OPML to a txt file and start writing in Byword. Byword is a distraction-free writing environment with good Markdown support, which I use for formatting.
I actually integrate the small text files I wrote in nvALT by copy-pasting them into Byword. I'm sure there is a more efficient way, and I'm thinking of looking into using Scrivener for this, but this is my current approach. I copy-paste the text snippets, which I have open on the left side of my monitor, into the Byword document open on the right side, and I redact the text as I go. Some parts are written by my collaborator and these find their way into the report as well.
Once the report is in a relatively final phase, I export through Byword to Word. I have to, because the final editing is done in a non-Apple environment. I dream of a CSS that has the entire report format of BTC ready, and I'll eventually get to that, but not this year.
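As an added example, not part of the original post and not a tool from MindNode, OmniOutliner or Byword, this Python script turns an OPML outline export into a Markdown report skeleton, which is the hand-off between the outliner and Byword described above. The OPML document is a constructed sample; the heading-depth rule and the `_note` attribute handling are assumptions about how outliners export their data.

```python
"""Convert an OPML outline export into a Markdown skeleton for the report.
Example code; the OPML sample is constructed and the rendering rules are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an outliner OPML export (no real audit data).
SAMPLE_OPML = """<opml version="2.0">
  <head><title>Audit report - country office A</title></head>
  <body>
    <outline text="Executive summary"/>
    <outline text="Findings">
      <outline text="F1 Procurement files incomplete"
               _note="Fieldwork notes in nvALT, tagged coA-2012 (constructed sample)">
        <outline text="Condition"/>
        <outline text="Criteria"/>
        <outline text="Cause"/>
        <outline text="Effect"/>
        <outline text="Recommendation"/>
      </outline>
      <outline text="F2 Segregation of duties in payments">
        <outline text="Condition"/>
        <outline text="Recommendation"/>
      </outline>
    </outline>
    <outline text="Annexes"/>
  </body>
</opml>
"""


def opml_to_markdown(opml_text, max_heading_level=3):
    """Render an OPML outline as Markdown.

    The <head><title> becomes the '#' title. Body outlines down to
    `max_heading_level` become headings (top-level outlines start at '##');
    anything deeper becomes a (nested) bullet list, so a finding's standard
    sub-structure (Condition, Criteria, ...) turns into a checklist under
    its heading. A `_note` attribute on a heading node (an assumption about
    how some outliners export notes) is emitted as a paragraph below it.
    """
    root = ET.fromstring(opml_text)
    title = root.findtext("head/title")
    lines = [f"# {title.strip()}", ""] if title else []

    def walk(node, depth):
        emitted_bullet = False
        for child in node.findall("outline"):
            text = child.get("text", "").strip()
            note = child.get("_note", "").strip()
            level = depth + 2  # body children start at '##'
            if level <= max_heading_level:
                lines.extend(["#" * level + " " + text, ""])
                if note:
                    lines.extend([note, ""])
                walk(child, depth + 1)
            else:
                # Two spaces of indent per level beyond the last heading level.
                indent = "  " * (level - max_heading_level - 1)
                lines.append(f"{indent}- {text}")
                emitted_bullet = True
                walk(child, depth + 1)
        # Close a top-level bullet list with a blank line (nested lists stay attached).
        if emitted_bullet and depth + 2 == max_heading_level + 1:
            lines.append("")

    body = root.find("body")
    if body is not None:
        walk(body, 0)
    return "\n".join(lines).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(opml_to_markdown(SAMPLE_OPML))
```

Lowering `max_heading_level` pushes more of the structure into bullet lists, which is useful when the outline carries the per-finding checklist rather than chapter headings.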

Concluding

This workflow allows me to focus on the content of the report, not on the mechanics of making sure the report gets written. The tools don't get in the way. They actually make it enjoyable to write.

The challenges of establishing a centralized internal audit service in the Belgian federal administrations

Please note this is an opinion piece. There are some strongly held convictions which I voice here.

My involvement in trying to establish internal audit in the Belgian federal government

Recently, rumors have been building up again about a centralized internal audit service for the Belgian federal government. I think it would be a very bad mistake to make. Truth be told, I’ve been involved in the fight to establish audit services in the Belgian federal government since the early 2000s.

My current role & responsibility is a direct result of my deep appreciation for working in activities related to government. At BTC, I’m both living a dream as head of internal audit and feeling I can make a contribution. BTC, after all, is the agency, wholly owned by government, charged with development aid.

Note that the early 2000s were the time of the Copernicus reforms, where giving increased autonomy to federal government services was high on the agenda. The envisioned reduction of direct political influence on the administrations was an important stated goal. However, increases in autonomy had to be counterbalanced, and internal audit was an important aspect of that counterbalance.

The current state of internal audit in the Belgian federal government

Please note that to date, no formal internal audit activities have been started up in the Belgian federal government. To be clear, this does not mean there is no internal audit activity. On the contrary, several federal government services, understanding the need to have an independent or semi-independent entity responsible for oversight of internal controls, governance and (in the relevant cases) risk management, went ahead and started up their own internal audit departments. Some of these have more than 10 years behind them. Yet, sadly, they were disavowed by the appointed audit committee of the federal government. Put in place by the last caretaker government Belgium had, this audit committee is not necessarily that experienced in matters of internal audit.

Other control and inspection structures

This of course does not mean there are no independent entities providing supervision of federal government activities. On the contrary, we have the court of auditors and we have the finance inspection. The first reports to the parliament, the second to the minister of the budget. Both structures are most effective, in my opinion, when they have embedded their collaborators deep in the federal government services they are charged with checking.

Internal audit recognition issues at other government levels

There is an active example of a centralized internal audit service in Belgium: the internal audit of the Flemish Administration, or IAVA. Despite being run by a good manager, and with competent auditors on board, this audit team has had an uphill struggle in becoming accepted as “one of us” among Flemish public servants. In more than one instance, their authority was challenged, and they have invested a significant amount of time and resources in establishing themselves as trusted business advisors to the public servants they are charged with auditing. For example, IAVA was instrumental in developing the guide to internal control development. They manage a leading practices database. All great initiatives, but not traditionally what you would expect from an internal auditor.

What’s my beef?

It’s this: developing a centralized internal audit structure within the Belgian federal government will, for at least the next ten years, amount to little more than window dressing. The new internal auditors will need to earn the trust of public servants operating outside of the “circle of trust” of the organization.
I know the president of the federal audit committee will be up in arms and cry foul, stating independence issues. The point is that this is not, in itself, an issue of independence. Independence is not an objective by itself, but a means to an objective audit opinion or an objective audit report. There are a lot of ways to ensure this objectivity, including building safeguards to independence into the way audit is embedded in the federal government service structures.

If anyone needs an example of how this can successfully be done in an organization linked to federal government, come take a look at how BTC has done this in the past years. I believe we are very independent, yet we work deeply embedded in the organizational structures we audit.

The current structure, as proposed by the federal audit committee would in effect be a “finance inspection plus”, in essence adding to the role of the finance inspection. In that case, let’s call a duck a duck, and integrate this function with the finance inspection. This would mean a redefinition of the role of finance inspector, but that is feasible. The way in which the inspection currently works as it relates to their oversight role is also embedded in the organizations they audit.
However, if the intent to develop truly functional audit departments is a true intent, and not window dressing, I would suggest staying away from the model currently being proposed. It will not work. I know it, and the people who propose it know it (deep in their hearts).
Last, but not least, the argument of reducing the cost of internal audit from a budget perspective is a relevant one, but a centralized structure will end up costing you more, not less … if you calculate cost as a function of audit efficiency. Because your internal audit will not be effective, nor will it be efficient, for years to come. It may add value, but it will not be auditing.

Risk analysis in long term audit planning and audit preparation - part II

You can find part I of this article here.

Phase 2 - Analysis at the level of the area of responsibility (auditable area)

Internal audit’s responsibility for the proper application of risk based analysis in the preparation of its audit activities does not end with the multi-year audit planning or its actualisation. Each area of responsibility which has been selected for audit needs to go through a risk based analysis at the operational level as part of the specific audit planning phase.
This second phase assumes there is no structural risk management application present whose outputs could be used as input for audit preparation purposes.

Executing the operational risk analysis

We survey all collaborators (“responsibles, accountable and consulted” in the context of the RACI matrix) within the selected auditable area. We use the 80 statements developed in the Risk Identification Model. Note this is not simply executing the initial entity wide risk analysis again. The scope of the assessment is both more narrow and deeper, as it only covers the auditable area but covers it in-depth. In addition, not all collaborators were (necessarily) involved in the execution of the entity wide risk analysis which was used for purposes of multi-year internal audit planning. Remember, the decision to involve them was at the discretion of the person accountable for the auditable area.

These collaborators are asked to judge each of the statements as to relevance and current risk exposure. Remember that risk exposure is a function of their assessment of impact, likelihood of occurrence and current level of risk management and leads to the development of a risk control matrix.

Risk analysis results

The risk analysis results, correctly represented in a risk control matrix, are but one input in the preparation of the audit approach. Of course internal audit remains independent in its assessment and can call on other information to complement the risk analysis. However, note that this, both from the point of view of the IIA’s standards and the effort of the organisation, should be considered a major specific audit planning input. What’s also interesting is that these results allow internal audit to make a comparison with the initial assessment of middle management.

The results also provide us with more information as to which aspects of the auditable area are considered to be important by the collaborators intimately involved with the process. In essence, it’s an appreciation of sorts of their understanding and knowledge of the problems they can be confronted with.

Perhaps counterintuitively, our priority audit areas are not those areas of high risk and low control. We want to ensure that these are subject to a risk mitigation or monitoring plan which is in the process of being implemented. These risks are actually the responsibility of the risk management function, if it exists. When auditee and auditor agree on the existence of a problem and the auditor has gathered enough audit evidence to confirm the existence and the scope of the problem, his audit activities need to end. He can then write this up in his audit report.

Internal audit’s responsibility is to provide assurance. Hence, we look at those areas which are considered to be high risk but under control. We assure the board, the audit committee and management that, based on our assessment, these risks are in effect under control.

Building the audit workprogram

Those high risk, high control areas constitute, together with the appreciation of the auditor based on prior experience, the basis for the development of the core of the audit workprogram. Note that the build of the audit workprogram involves a significant change in approach, from risk to process.

During the risk analysis the auditor focuses on risks. Risks and their appreciation by collaborators in the process are central to the approach. However, once the auditor starts the development of the audit workprogram, all risks with an influence in an auditable area are gathered and covered in the audit workprogram. The process becomes the central aspect and the entire audit workprogram is structured according to the processes covered in the auditable area.

This has a very logical but sometimes difficult to accept consequence for auditors. If a certain process within an auditable area is not linked to one or more risks, and if no indication other than the analysis exists that there are risks related to that process, it should no longer necessarily be covered by an audit activity.

Executing the audit

After the audit workprogram has been developed and validated by the CAE, the actual audit can start. The auditors execute all activities planned and described in the audit workprogram. Note that multiple risks can be evaluated at the same time, depending on the results from the audit activities which are executed. If, for example, both accuracy and completeness of a transaction are to be evaluated, running a test batch of information through the process can be a test that serves both objectives.

Results

In addition to the standard audit dispositions which need to be reached at the end of an audit activity in the audit workprogram, this approach allows us to assess the understanding of risks and the relevance of the current risk management measures. This is especially true in those situations where there is a significant discrepancy between the assessment of the accountable people and the assessment of the responsible people. Such a discrepancy may be an indication of deeper underlying issues.

Developing good audit recommendations

In short

Recommendations should never be developed in an ivory tower. Rather, bringing in the auditees during the recommendations phase and challenging them to develop SMART recommendations will enhance the quality of your recommendations. Proper process should counter any issues with objectivity that may arise.

Relevant recommendations are hard

This is a no-brainer for most auditors. Concisely describing your findings in a manner that all relevant readers can understand is an often underestimated task. Developing SMART recommendations related to these findings can be even more challenging, especially in a subject area which is technical.

Nevertheless, auditors often insist on their independence and objectivity as an argument to only involve the auditees in the report finalization phase. The auditees are confronted with a set of well-intended recommendations with proposed deadlines, and often only have a limited time to react. And that's a problem.

Recommendations are not after-thoughts

Rather, they are core to the relevance of internal audit as a profession. Hence, ensuring relevance and feasibility of recommendations should never be the last item to check off the checklist before issuing the report. Rather, it should be core to a separate audit phase, the recommendation phase, where auditees and auditors come together to analyze how to best approach the findings.

But what about independence and objectivity?

We can't involve the auditees in the recommendation development phase because involving them will impede our independence. Will it really? I'm not too sure about that.

Independence is a means to objectivity. Objectivity allows us to judge whether due diligence was adequate and to report on that. That's at the level of findings.

However, adapting processes, systems or behaviour to improve due diligence in an organization is, in the end, a management decision. As auditors we have the right to independently point out the direction we believe to be optimal to address the issues raised. We cannot take the place of management and force them in a certain direction.

Hence, rather than believing that involving auditees in the recommendation process will impede our objectivity, I am convinced that not involving them in the recommendation development and only allowing their input as an after-thought will impede our future independence. Why? Well, imagine they choose a route different from the one we as auditors proposed. Imagine that we invested a lot in developing this recommendation. Pride is a human characteristic. I sincerely believe the risk of not being able to objectively assess the auditees' response is a bigger issue than involving them in the process to begin with.

Mind first, words later

There's another element to take in account. Most of the obvious solutions we as auditors with a limited working knowledge of practical, technical situations can come up with have been tried, tested and often dismissed as not feasible or ineffective in the past by those auditees.

"Most complex problems have simple solutions, which are most often wrong."

I don't remember the source of the above quote, and I'm not quoting it verbatim either, but there is quite a lot of truth in it. To not only patch but really solve certain issues, we need to look at creative solutions for them. The best possible way for me is to combine the critical attitude of the auditor with the in-depth knowledge of the auditee to examine new, creative ways of issue resolution.

But what if you don't agree?

Auditors are independent. Imagine an auditee supports a certain solution which you are convinced will never really address the issue. The audit report should clearly state this and describe both the proposed solution by the auditee and the solution or ideas of the auditor, as well as the motivation why the auditee response is inadequate. This way, the audit committee and the board have all relevant information to decide on a recommended course of action.

The external specialization fallacy

You can't outsource your core tasks

There are a couple of essential tasks you cannot outsource:

  • If you're about to execute a coup d'etat, you can't bring in mercenaries in key roles or positions and assume you will remain in control;
  • If you want to rule a market, you cannot have key product development and innovation done solely by third parties;
  • If you want to fundamentally change the way your organization functions, you cannot have a full, successful reengineering done by an outside consultant;
  • If you want assurances your business is run with due diligence, you cannot outsource your internal audit function.

Why? Because the people you outsource this function to don't care as much or are not as informed as people on the inside. After all, they are but guns for hire. When the job is done, their work is done, and they move to another role or responsibility. Even worse, who do you believe defines when the job is done? You, the client? Don't bet on it. The job usually is done just about when the money runs out.

Providing assurance on due diligent behaviour is a core task

Your organization is likely to be about a very specific set of services, products or solutions. That's what makes your organization special. That's what clients come to experience or purchase. Some organizations are more specific than others, but the way they function internally is usually very specific and requires both a deep knowledge of the processes themselves as well as a thorough understanding on how these processes came to be what they are.

Now, in order to provide assurance on due diligent behaviour by all people involved, you need people who understand what is going on in the organization and why it is going on. Your assurance providers need to be specialized, not only in your business, but in your organization. In order to provide your organization with the most relevant value for money findings and recommendations, the internal auditor needs to be able to take the time and develop a deep understanding of your functioning.

The specialization fallacy

Most internal audit service providers will try to convince you of their uniqueness (let's be real here, they really aren't that special) and the skill set of their advisors. A couple of issues:

  • The leverage model dictates a 1 to 3 (123) hierarchical structure to make a project profitable. Remember the mercenaries above who leave when the money runs out? A typical service provider aims at providing you with three juniors for every senior, with three seniors for every manager, with three managers for every director or partner. Given that deep expertise on average requires 10.000 hours of hard work, and that real chargeability will run at around 60% for seniors or above, which is where the real learning happens, you can make the calculation yourself. The more experienced the advisors are, the less likely you are to find one of those on the team being proposed to you;
  • Service providers often claim sectoral experience. At the same time, they claim fire walls between their teams. This to me just doesn't add up. In a competitive environment, either you have sectoral knowledge gained at a competitor, in which case you should not be on the team, or you have no knowledge of the sector that is relevant to me;
  • If not sectoral experience, they can bring technical experience. I agree that under certain, very strict conditions, it makes sense to outsource a very technical aspect of a job because you don't have adequate knowledge of the area. However, the number of cases in which this is applicable is limited to mainly specific ICT areas. And even then ...

Bottom line, the specialization you need access to the most should not be available due to firewalls in place between teams in a sector. And it's unlikely someone will have invested significantly in your organization ... because the return usually isn't there, except for really large organizations. And if this is the case, if a consultant has invested so much in your organization, where is his independence? How independent can you remain if your goal is to be paid by this organization?

But what about experts? Experts working for a service provider are most often no longer actively involved in the practice. They have an expiration date.

Even the best technical auditors cannot make up for a lack of knowledge about the specifics of the business and the organization.

What works

For internal audit to be relevant, and able to provide adequate assurance on due diligent behaviour by the collaborators of an organization, it requires deep expertise in the business or the possibility to develop this expertise. An external party often has neither the means nor the intention to invest adequately in building this expertise.

Deep expertise needs to lead to good risk assessments and the development of efficient, effective and economic audit activities focused on relevant audit objectives and audit areas.

When using external support at all, this external support can at the earliest be asked to assist in developing audit work programs. Their aim should be to optimize the audit approach, not the objectives nor areas.

The actual audit execution should, where possible, remain with the internal auditors, supported where required by ad hoc expertise which can then be acquired at the best market value.

Final reporting should always remain with the internal audit responsibles.

Providing assurance on due diligent behaviour

Providing assurance on due diligent behaviour is a core responsibility of internal audit. The audit committee needs to have adequate assurances that the work done is not determined by the available budget for outsourcing, but rather by a deep understanding of the need of the organization to function at the best possible level, an understanding most efficiently developed from the inside.

The opposite of a bad system - an internal auditor's perspective

The opposite of a bad system

I recently read this statement, and I can't remember where I read it. It goes "The opposite of a bad system isn't chaos. It's a good system." The statement got me thinking about the fallacy inherent in the current thinking about the crisis and lessons learned from the internal audit profession which may be applicable to the problem at hand.

Whenever I am talking to people about the current economic crisis, I get the feeling there is an acceptance of the inevitability of the chaos we're descending into. People are so battered and bruised by the 2008 crisis that a certain lethargy appears to have taken hold in their minds. This is what it is, and this is what we will need to face and confront. Two issues I have with that:

  1. I'm not sure either a descent into chaos or patching the current bad system are the only two options. They appear as the only two viable options because we keep starting from the same position in our assessment of possible solutions;
  2. I'm not sure that a mere confrontation of the current chaos is the way out. Yes, conventional wisdom states "the only way out is through". This, by the way, is a Robert Frost quote, and not a verbatim one either. He actually puts the words "The best way out is always through" in the mouth of one of his characters in A Servant to Servants. The other character agrees, but conditionally.

My issue with chaos

As the statement I started with reads, chaos is not the only alternative to a bad system. However, arguing chaos is the alternative allows for the incumbents to not have to confront the fundamental issues with the current, bad system. Putting the current, bad system in opposition to chaos is asking for a temporary solution at best. "Assist us with all your assets, then let us be, we'll fix it. Trust us." It's a traditional defensive move of an incumbent who wants to stay in power.

In "So long, and thanks for all the fish", Douglas Adams tells the story of a civilization of humans with a ruling political class of lizards. The humans only vote for lizards, not for humans, because if they voted for a human they are afraid the wrong lizard might get into office. The book was written in 1984 and although it's light entertainment there are some very interesting ideas and positions in it. Among which is the one about the lizards.

The erroneous assumption

The assumption now, as the assumption by the civilization which Douglas Adams refers to, is that there is no alternative to the bad system but chaos. This argument was pushed to the limit and apparently abused in 2008. The banking system, as an example of the 'bad system', needed to be rescued by massive money infusions, as a hemorrhage would lead to chaos. So we patched the system. We all did. We effectively all paid for it. Once the bleeding had stopped on the outside of the patient, further intervention was not needed; it was actually refused by the patient. No real structural changes were implemented.

Think about the comparison to a patient: he comes into the ER bleeding profusely from multiple wounds. The doctors have clear indications there is massive internal bleeding going on as well. The patient, barely conscious, submits to some tests and emergency treatment. However, after a couple of days in treatment and feeling a bit better, the patient decides to leave the hospital, right before a more in-depth assessment is made. And leaves to continue on his traditional path, without really, fundamentally changing anything essential about his behavior.

Changing the diet

The point being that a fundamental life change often does increase the chances of survival of the patient. It will require a significant adaptation in lifestyle. It will require a change of diet, at least. It may not really be that enjoyable, especially when compared to a prior life of debauchery. But it will, in the end, lead to a better quality of life and longevity for both the patient and those around him invested in him. And that's what really matters.

So, think about it. The opposite of a bad system is not necessarily chaos. It can also be a good system.

Conditional treatment

Up to today, I have yet to see real conditional clauses being linked to treatment of a bank or a business in trouble because of lack of due diligence. That should change: we will save you, subject to certain behavioral changes on your part. Perhaps our banks, business and institutions need these clauses. Public means have been too readily available to bail out those who did not exercise due diligence. Let's be honest, due diligence has become a very empty concept. Future treatment should be subject to clauses which are measurably leading to a good system.

The internal auditor's approach

I'm an internal auditor. As an internal auditor, I usually see issues before they become common knowledge. I also know, from an experience point of view, how difficult it is to make people, departments and entire organizations change their behavior.

As internal auditors, our challenge is to ensure recommendations are implementable. They should not be too high level, because that makes them not implementable from a practical point of view. They should not be too distant from the daily reality either, even when concrete, because that would make them not implementable because they are not in line with current practices, which would make the change trajectory too complicated. And they should not be too determined by the incumbent responsible for the issue, as that would not create enough change to make a real difference and solve the problem.

The necessary steps - an internal auditor's perspective

I think the move from a bad system to a good system, avoiding chaos, will require the following aspects which are an integral part of the mindset of the internal auditor:

  • We need to create awareness that a change is needed. For this, a thorough diagnosis of the entirety of the issues is needed, not based on opinion, but on facts and figures. What is going on, and how will it impact our future?
  • We need to identify the deficiencies in the current system at the right level of detail. The right level is the level at which a change in the processes and procedures will result in a reduction of the exposure to the failures of the bad system.
  • We need to co-develop solutions with the incumbents, without being influenced by their logical need to maintain the status quo. The system needs to be improved, and in some cases this will result in a significant redefinition of the current process.
  • We need to plan the improvement actions in an overall approach to fixing the systems. These improvement actions and the overall plan need to be transparent and communicated to all stakeholders.
  • We need to closely monitor the execution of the improvement actions.

In conclusion, there is an alternative to chaos. It will however be bad tasting medicine for the incumbent bank and business owners. They will not like the taste. However, their responsibility is social as we all partake in saving them. They therefore need to be held to very clear objectives which will structurally improve their functioning. Even if it means significantly changing their business models.

Reducing the effort of risk based internal audit planning

Risk based internal audit planning

The IIA's standards require us to prepare a risk based internal audit planning. However, if risk assessment and management is not (yet) embedded in your organization, it requires a concerted effort from the auditees to provide you with the relevant information. Given this is not necessarily a priority to them, are there more efficient ways to gather more relevant information you need for risk based planning without overburdening your auditees?

Defining the auditable space

In the end, our assurance role as internal auditor is to provide assurances to the audit committee, the board and management. We developed the risk control matrix to properly segregate the responsibilities of management and the responsibilities of internal audit:

  • internal audit is responsible to provide assurance in the high risk areas where management considers the risk management measures to be adequate;
  • internal audit is responsible to assess the relevance, appropriateness and effectiveness in the low risk areas where management may have provided too many risk management measures;
  • management is responsible for developing actions plans for high risk areas where risk management measures are considered inadequate;
  • management is responsible for monitoring issues in low risk areas where risk management measures are low, to ensure timely identification and management of emerging risks.

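As an added example (not part of the original post), the quadrant segregation just described, combined with the accountable-versus-responsible discrepancy check from part II, in Python. Statement ids, the 1-5 scoring scales, the cut-offs and the survey responses are constructed assumptions; the quadrant numbering follows the post's usage (quadrant I holds the action plans, quadrants II and III the assurance work).

```python
"""Risk control matrix built from collaborator survey responses.

Added example, not the blog's own tooling. Each survey response scores one
statement of the risk identification model on impact, likelihood and current
control level (all assumed 1-5). Exposure = mean impact x mean likelihood.
"""
from dataclasses import dataclass
from statistics import mean

# Constructed sample: (statement id, RACI role of respondent,
#                      impact, likelihood, control level). Ids are invented.
RESPONSES = [
    ("S01", "accountable", 5, 4, 4), ("S01", "responsible", 5, 4, 4),
    ("S01", "responsible", 4, 5, 3),
    ("S02", "accountable", 5, 5, 1), ("S02", "responsible", 4, 5, 2),
    ("S03", "accountable", 1, 2, 5), ("S03", "responsible", 2, 2, 5),
    ("S04", "accountable", 2, 1, 1), ("S04", "responsible", 1, 2, 1),
    # S05: the accountable manager sees a well-controlled top risk, the
    # responsible collaborator sees a minor, weakly controlled one.
    ("S05", "accountable", 5, 5, 5), ("S05", "responsible", 2, 2, 2),
]

# Assumed cut-offs: exposure above half the 1..25 scale is "high risk",
# control at or above the scale midpoint is "adequate".
HIGH_RISK = 12.5
ADEQUATE_CONTROL = 3.0
# Assumed gaps between role groups that count as a significant discrepancy.
EXPOSURE_GAP = 6.0
CONTROL_GAP = 2.0

# (high risk?, adequate control?) -> quadrant label and owner, per the post.
QUADRANTS = {
    (True, False): ("I", "management: action plan"),
    (True, True): ("II", "internal audit: assurance"),
    (False, True): ("III", "internal audit: review possible over-control"),
    (False, False): ("IV", "management: monitor emerging risk"),
}


@dataclass
class RiskLine:
    statement: str
    exposure: float
    control: float
    quadrant: str
    owner: str
    disagreement: bool


def _scores(responses, statement, role=None):
    """Mean exposure and control for one statement, optionally per RACI role."""
    rows = [r for r in responses if r[0] == statement and (role is None or r[1] == role)]
    if not rows:
        return None
    exposure = mean(r[2] for r in rows) * mean(r[3] for r in rows)
    return exposure, mean(r[4] for r in rows)


def build_matrix(responses=RESPONSES):
    """Place every surveyed statement in a quadrant and flag role discrepancies."""
    lines = []
    for stmt in sorted({r[0] for r in responses}):
        exposure, control = _scores(responses, stmt)
        quadrant, owner = QUADRANTS[(exposure >= HIGH_RISK, control >= ADEQUATE_CONTROL)]
        acc = _scores(responses, stmt, "accountable")
        resp = _scores(responses, stmt, "responsible")
        disagreement = bool(acc and resp and (
            abs(acc[0] - resp[0]) >= EXPOSURE_GAP or abs(acc[1] - resp[1]) >= CONTROL_GAP))
        lines.append(RiskLine(stmt, exposure, control, quadrant, owner, disagreement))
    return lines


def audit_priorities(lines):
    """Core of the audit work program: quadrant II first, then III, highest exposure first."""
    assured = [l for l in lines if l.quadrant in ("II", "III")]
    return [l.statement for l in sorted(assured, key=lambda l: (l.quadrant, -l.exposure))]


def management_action_plans(lines):
    """Quadrant I: high risk, inadequate control, owned by management."""
    return [l.statement for l in lines if l.quadrant == "I"]


def disagreements(lines):
    """Statements where the averaged view hides a large accountable/responsible gap."""
    return [l.statement for l in lines if l.disagreement]


if __name__ == "__main__":
    matrix = build_matrix()
    for line in matrix:
        print(f"{line.statement} exp={line.exposure:5.2f} ctl={line.control:.2f} "
              f"Q{line.quadrant:<3} {line.owner}" + ("  <-- discrepancy" if line.disagreement else ""))
    print("audit priorities:", audit_priorities(matrix))
    print("action plans:", management_action_plans(matrix))
```

Note how S05 averages out to a low-risk, adequately controlled line and would be missed by the quadrant view alone; the discrepancy flag is what surfaces it for follow-up.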
The risk control matrix is a good concept, but how do we ensure completeness of identification of all elements that need to be included in the matrix? In talking with both the actual and the ad interim head of internal audit at the Belgian federal government service Mobility & Transportation, we came up with the following ideas.

Identifying risks related to action plans

Action plans are developed when management deems specific risk management measures inadequate. Action plans are prioritized, ideally as a function of the risks they aim to cover. Hence, the identification of risks in quadrant I comes down to identifying which risks the current action plans aim to cover. A good approach would therefore be to ask management which risks they aim to cover with a specific action plan. An alternative would be to read the action plan and identify the risks which should at least be referred to in that action plan.

I am aware completeness of identification is not assured if the budgets are not adequate to fund all required action plans. I would at least expect management to have developed a list of future actions to be taken, which can be traced back to the risk we need to identify.

The assurance function of internal audit in this risk control matrix quadrant is limited. We can assess the relevance and adequacy of action plans, however, given it is the discretion of management to manage the business, and given they know there are issues, our assurance contribution would be limited. We can act in an advisory capacity, as long as this does not influence our independence and objectivity now and in the future.

Risk Control matrix

Identifying risk related to measures deemed adequate by management

Quadrants II and III of the risk control matrix are where the core assurance function of internal audit is situated. Again the question arises how we can best (as completely as possible, with minimal disruption of day-to-day activities) identify the relevant risks. A suggested solution to bring the questioning out of the theoretical realm of risk to the level of day-to-day operations is to ask management to provide us with a list of the risk management measures they deem adequate. The measures need to be linked to processes (elements of the audit universe) in order to allow for the development of risk based, process related audit programs. We would identify risks by asking management to explain why they have taken these measures. The why is often the relevant response as to which risk a control aims to cover.

Our assurance function then needs to focus on both assessing the adequacy of the risk management measure as it relates to the risk as well as the completeness of risk coverage. But how are we sure that all relevant risks under responsibility of the different members of management have been appropriately identified, assessed and covered?

Closing the risk gap

Based on the above, we now know which risks management covers with its action plans. These are reactions to risks they consider inadequately covered. We also know which risks they consider relevant and adequately covered, as they offer these to us for auditing. But what about the risks not identified?

Here, we need to revert to the risk identification model, not as a full-blown identification tool, but rather as a trigger list. A trigger list is a list which a manager reviews on a regular basis to assist him in jogging his memory on exposures known but not formally identified. If by going through the risk trigger list a manager discovers a risk not formally identified in the prior assessment, there are a couple of possible outcomes:

  1. The risk is known, managed, but not formally identified. This is an issue linked to formalization which does not necessarily lead to a specific exposure.
  2. The risk is known, not formally identified and not managed. This could indicate an exposure to be managed. Risk severity will impact the urgency.

Conclusion

Rather than having management and their collaborators go through a theoretical exercise each year, we can use information generated by them in the course of their day-to-day activities as a good basis for risk identification and prioritization. This would allow us to reduce the effort required from management in risk identification as well as reducing the effort we need to put in risk assessment for audit purposes.

This approach does not allow for identification of the so-called Black Swans. I am a taker for any good solution that would not influence the efficiency of my audit planning process.

Audit "assessments" are like analyst's ratings

The popularity of audit assessments

An audit assessment is like an audit, but not really. It takes less time, costs less and is executed by people referring to themselves as experts in a subject matter. These assessments are becoming rather popular. And that evolution is worrying to a “traditional” internal auditor … not as a threat to our own business model, but because it reminds me too much of ratings by analysts. If this is the future of audits and audit findings, we need to be very careful about what comes out of the audits. Because that will be opinion, and not positions based on validated facts and figures. Let me explain why by comparing these assessments to analyst’s ratings.

Analyst’s ratings

How does an analyst develop his ratings? It is not necessarily a well-known or well-understood process, but it is hardly a secretive one. You could compare it to a journalist with a track record in a certain sector assessing, on the basis of that track record, an organization active in that sector. Rating agencies bring in an industry or content expert, ask him or her to interview key people within the organization and analyze the available information, and to form an opinion about the expected future evolution of the organization. Now, are we so naive as not to expect those interviewees to have been carefully vetted by top management, so that they give the analyst exactly the information needed for the message management wants to bring to the market? In addition to the interviews, analysts are provided with information about the company, sometimes including strategic visioning about the future of the organization in its sector or in adjacent sectors. Again, this information is provided by the organization being assessed. The analysts compare this, ideally, with market information and, based on their expertise, come to a conclusion. And that conclusion largely determines the financial future of the company being analyzed.

Am I the only one to see the flaw here? Probably not.

Audit assessments

Let's compare this to the new trend of audit assessments. How is an audit assessment executed? An organization or its internal audit function calls in an expert in a certain subject area who, on the basis of interviews and a review of a selection of the available information, takes a position on the area under assessment in which he is an expert. He uses his expertise to come to a conclusion … and that conclusion will largely determine the future of the department under assessment …

Comparing this approach to the analyst's, I don't see much difference. As an auditor, I mainly see the flaws in this process.

What is wrong with audit assessments?

Audit in general, and internal audit in particular, is about finding facts and corroborating them with other facts and figures to come to a substantiated opinion, based on a repeatable assessment of all available data, ignoring no information. It is about not forming an opinion before all the facts and figures are in. It is about keeping an open mind. It is asking to see the thing that quacks like a duck, swims like a duck and smells like a duck, to make sure it also looks like a duck. It is being the wise men who each touched a different part of the elephant and NOT jumping to a conclusion.

Assessments, on the contrary, are rather often about ensuring consistency of interpretation by not taking into account facts that don't fit the preconception, and by replacing facts and figures with interpretation and expert opinion. And like wolves in the woods, once one of them starts howling, you soon have a concert … not necessarily pretty, not necessarily relevant, but certainly loud.

This is bad. What is worse is that a lot of expert interpretation rests on the assumption that the market, the sector or the process is not subject to disruptive influences. Current reality dictates otherwise. So I very much doubt the relevance of the expertise being brought in to assess, as long as that expertise is not open to other interpretations and to making sure all the facts fit.

Solutions

Let's be clear: internal audit is not bad journalism. To me there is only one way to ensure the consistency and relevance of audits, and that is to make each and every audit about our prime responsibility. We need to be open to the facts and figures. We need to reserve our opinion until every cost-effective avenue of analysis has been exhausted. Above all, we need to design our audit tests around the key assertions we test: existence or occurrence, completeness, accuracy, timeliness … and we need to be open about our approach, and willing to exchange ideas and learn from others. Only then will we be able to do what both analysts and audit assessment experts regularly fail to do: provide our users with a relevant opinion based on an objective interpretation of facts and figures.

The auditor as a storyteller

What audit is about

Most of us familiar with the (internal) audit profession know what it is about, so I will not rehash the excellent definition of the Institute of Internal Auditors. As auditors we use our independence to objectively gather, analyse and test facts and figures on the organization's governance, processes, risk management and controls, using the methods and tools at our disposal. Based on the understanding gained in this process we can then assess the performance of the organization and make recommendations to improve its functioning.

These are the cold, hard facts of the profession of internal auditing. We may differ in slight ways in defining what we do, but this is about it.

However, is it?

Where’s the end of the line?

Audits too often end there: stating facts, but lacking context. This can lead to significant misunderstandings among those confronted with that information, such as the members of the audit committee or the auditees.

The objectively gathered, analyzed and tested facts need context. And to position facts correctly in their context, you need narrative. So the end of the line is not establishing the facts and figures alone. At the very least, the Chief Audit Executive needs to be able to convey in an accessible way not only the facts, but also the context in which those facts need to be seen.

Let me illustrate (borrowing heavily from Stephen Covey for this example). Read the following phrases one by one and try to "feel" a reaction to each:

  1. “The man did not seem to notice his loud cousins on the subway.”

  2. “After having lost his brother and their father, the man did not seem to notice his loud cousins on the subway.”

You will have noticed that the second part of the second sentence is identical to the first sentence. The words are exactly the same, but the added context creates an entirely different sentiment about what is written.

The strength of the auditor

The strength of the auditor is determined not only by the quality of the analysis, but by the ability to convey facts in context to his audience of audit committee members and auditees. Weaving context and facts together with narrative is what storytelling is all about. And storytelling is not only about fairytales.

The true bard

Only the true bard has the ear of the king. The internal auditor should be that true bard, bringing the king, the audit committee and the board key information and insight, unburdened by hierarchy, as the court jester did in the Middle Ages. But to get the king's ear, you needed a good story. Or you needed to be funny. And any stand-up comedian will tell you it is impossible to be funny without a great story.

Think about it

Consider your audit planning phase. Does your proposed audit planning sequence make sense, even to those not familiar with all the technical aspects of audit planning? You should not only focus on what you will be doing and how. You need to explain to the audit committee members who will approve your planning why you are proposing the audits you are proposing.

Consider the audit execution. The how is often quite easy once you have determined what you want to audit. But do your audit collaborators understand why you ask them to execute the work program steps you task them with? In essence, are they just putting one brick on top of another, or are they building a cathedral?

What narrative brings

A well-developed narrative lends credibility, recollection and relevance to your audit findings and recommendations. They will be remembered more easily, which in turn leads to better communication to and with the audit committee and the board. They will be able to send a clearer message to the management team, which ultimately may improve the adoption rate of recommendations and even the speed of implementation.

Increasing internal auditor's relevance

It’s not (just) about independence

The IIA recently released an IPPF position paper on independence and objectivity. Independence is sometimes used by internal auditors, or by organizations executing the internal audit function, as an argument to justify keeping a distance from the organization they are auditing. And while independence is an important factor in ensuring the objectivity the internal auditor needs to maintain in his or her work, it is a means to an end. The means can even prevent the end from being met, especially if the internal auditor is too separated from the organization he is auditing.

Learn the specifics

Internal audit takes place in a sector, and its findings are significantly influenced by which sector that is. Practices are not the same everywhere. To be relevant as an internal auditor, you really need to understand the specifics of the sector you are working in. An external internal auditor, an outsourced internal auditor or an internal auditor too far removed from the operational reality has a significantly higher threshold to cross to gain that level of understanding.

Gain the trust of your auditees

In addition, it is about the trust of the people you are auditing. It may seem bizarre given the role of the auditor, but the more trust an auditee can place in the contextual competence of his auditor, the more relevant the findings and recommendations will be.

Be close to your auditees and their issues

Now, to become trustworthy to an auditee, as an internal auditor you really need to care about the organization you are working for and the sector it operates in. One way to prove your relevance is by making recommendations that matter. But how do you make sure your recommendations will be relevant? To do that, you need to learn, to listen and to be interested. Be present, in proximity. That is not counter to independence. That is a necessity.

Independence, objectivity and proximity

Context

There is an ongoing discussion at the Belgian federal government level about the (minimum) independence requirements for internal auditors active in the Belgian federal administrations. I want to weigh in with some thoughts on that. This article is partly based on a recent position paper by the IIA on independence and objectivity, which I found very clarifying.

A short history of internal audit in the Belgian federal government

Internal audit functions are not new to these administrations. They already existed, and some had active audit committees, but it was the Copernicus reform of the late 1990s and early 2000s that formally embedded them. Sadly, the control and monitoring pillar of this reform was never implemented.

The initial royal decrees of 2002 were rewritten to correct some inherent contradictions and dysfunctions and republished in 2007. Over the course of those years, internal auditors were either embedded in program management offices or maintained their assurance function by adding a significant amount of consulting activity. The audit committees, disbanded pending their re-establishment in the context of the Copernicus reform, were not there to shield the auditors from the management teams of the federal government services … so the auditors protected themselves and created a modus vivendi. Quite often they reported to the president of the federal government service, in the absence of any other structure. This survival strategy is now considered a main factor in questioning their independence.

An off-topic remark: whatever criticism is thrown at these people and their functioning, I admire the way in which the auditors survived in what was often, initially, quite a hostile environment. It is a sign of their persistence and commitment.

Why independence is important for an auditor

Now, independence is at the core of the internal audit profession. The internal auditor performs what in essence amounts to an oversight activity for the board or its equivalent, and provides that board with reasonable assurance that the organization's internal controls and risk management systems are under control. To provide that assurance in the most objective manner possible, factors that may impair this objectivity need to be reduced as much as possible. The more independent internal audit is from management and operations, the less likely impairments of objectivity become.

Objectivity, and thus the need for independence, is most relevant in determining what needs to be covered (establishing the audit universe, performing the risk analysis and drawing up the resulting audit plan), as well as in the way the internal audit activities are executed.

For certain operational aspects, internal audit often needs to consult with the management team. An example is the funding of internal audit activities, as these represent a cost to the organization: the wages and expenses of internal audit are real expenditure and represent an opportunity cost for other projects. For this reason, and because funding may be used as a weapon against objectivity, the audit committee acts as an advisory committee to the board in two broad roles:

  • to act as an oversight committee on overall audit activities;

  • to act as recourse for internal audit in case of disagreement with management.

This may seem an adequate basis for as complete an independence as possible. However, there are limitations to that independence.

Limitations of independence

The need for independence is not the only relevant need. Since internal audit is in itself a cost to the organization, it needs to be relevant. Now, what may impede relevance?

Internal auditors who are too far removed from the operational reality of an organization will operate and audit outside the true or relevant scope of operations. Quite a few outsourcing projects have borne witness to that in the past. This has little to do with ill will or incompetence: to assess the true risk exposures, you need to understand the operational reality in which the organization works.

This is one of the key limitations of independence: the lower the proximity to day-to-day operations, the lower the true operational relevance of the internal auditor, even if he or she understands the context in which the activities are executed. Understanding is not enough. There needs to be real proximity to the daily reality. There is another reason for this as well …

The incremental nature of recommendations

Being the first to audit a process or a function is usually a great experience, especially if you understand how the process is organized and how it can be improved: process and control deficiencies are easy to identify and recommendations are quite easy to formulate.

However, assuming recommendations are implemented, even if not completely as the auditors recommended, the more often you audit a process, the more incremental the recommendations tend to become: small corrections to process and controls that may have significant impact, but that require a thorough understanding of what can be done in the process in order to be relevant. After a couple of audits, there is no low-hanging fruit left. It becomes about understanding not only the process, but also the environment in which it is executed.

The proximity requirement

To provide an organization with relevant recommendations, even after a couple of audits, you need mature, well-trained, objective internal auditors who understand the operations they are confronted with. I am not convinced a centralized internal audit service is the solution. I believe the audit committee should be one of the major safeguards ensuring that the internal auditors present in the federal government services have adequate independence: not by creating an entity physically separate from the federal government services, but by making sure that the active internal auditors can be as objective as necessary while still maintaining proximity to the daily operations of a federal government service.

Only then will the combination of assurance and consulting activities, as described in the definition of internal audit, yield the best results.