Internal audit units around the world exist in startlingly different degrees of maturity, depending on the culture of the business environment they inhabit, circumstances, direction and ambition.
Traditional - the origin of the species and a thing of the past, when the focus was solely on financial and compliance matters, the approach was transactions-based and inspectorial, and assignments were routine and mundane. The function added little value except the independent verification of figures and assets and the reporting of peccadilloes and peculiarities.
Conventional - what most auditors do now and what many have been practising for the past 25 years. A professional, systems-based evaluation of business activities aims to provide objective assurance on the adequacy of an organisation’s control and risk management frameworks, giving impartial, practical advice on their improvement. It is designed to achieve business objectives and the desired level of performance. Responsibilities include:
Leading edge - the refinement and greater acceptance of the standard role (without prejudice to its objective stance); developing it into a vital component of the organisation’s governance structures; working effectively at board level; extending its range of value added services.
Off the edge - the auditors who have gone too far, stretching their ambitions beyond what is acceptable, exceeding their legitimate authority and remit, and acting beyond their capabilities. For some, the legitimising of consultancy as an internal audit function through the new Institute of Internal Auditors’ definition and standards is a step too far. Certainly, assuming the mantle of ‘risk manager’ is off limits. Managing risk is an executive responsibility. Internal audit, by its very nature, must be independent of the line activities of the organisation.
What internal auditors offer
Modern internal audit is an exploration of the interrelationships between the objectives, risks, environment, and controls of an organisation, its constituent systems and their inter-acting parts. The role of the auditor is to negotiate with management and other stakeholders to agree a level of acceptable residual risk.
The more successful internal audit units have been proactive. They build on previous work and reputation to demonstrate how their organisations can develop and implement effective governance arrangements and integrated risk management systems, both as a part of the overall control framework and within specific operational areas. For these auditors, it is not simply a matter of ensuring compliance with internal or external demands; they actively work with managers to help them to reconcile the apparently competing pressures of corporate governance and corporate performance.
At the operational level, the development of risk-based audits, a recognition of the broad range of risk mitigation activities, the fostering of fresh management attitudes, and the introduction to management of new techniques, such as risk profiling, can encourage greater risk awareness and a bottom-up approach to risk management.
Auditors are now beginning to share some of their secrets and skills to help others do a better job. They are starting to accept that, although their outlook may be relatively narrow, those in the front line do tend to have sound insights into problems and sensible ideas on tackling them. Similarly, many managers are coming to appreciate that a positive, practically-minded auditor can be useful as a constructive risk adviser, acknowledged control expert, and impartial solution facilitator.
Internal auditors can also use their authority, and their increasing confidence in evaluating strategic systems to operate usefully at the corporate level. In one sense, governance structures, risk management processes and the projects devised to introduce or modify them are systems that would naturally fall within an audit’s scope.
The internal auditor’s role
There are five possible roles, not all of them compatible.
Advisory - providing briefings to the board, audit committee or senior managers on corporate governance developments; summarising conference proceedings; producing objective interpretations of published codes, guidance or standards.
Promotional - taking or sharing the lead in encouraging the creation of appropriate arrangements throughout the risk management cycle, through audit proposals, initiatives, training or design of pilot workshops.
Participative - the auditor is prepared (or required) to be actively involved in developing, implementing and even operating systems, through team membership, joint exercises, systems design, drafting codes and so on.
Evaluative - the pure audit role - the completely independent appraisal of systems, and their controls, both those in existence and those under development. Such audits cover the overall structure and the various components: the internal control framework and environment; risk management processes; the work of the board and audit committee; relations with external audit; ethics and value systems; accountability and reporting arrangements; review, assurance and monitoring mechanisms.
Compliance and verification - a traditional, narrow role applied in a new area. This includes reporting on compliance with Turnbull, progress in introducing the necessary arrangements, adherence to internal policies, codes and procedures and, possibly, the verification (or even certification) of statements and representations.
What is not acceptable is a managerial or operational role. It is not within the auditor’s remit to assume executive duties, and become a substitute for arrangements that should be in place irrespective of audit activities. Much as they may relish the task or the grandeur of the title, no auditors should be risk managers. The only risks they manage are their own. Nor should they be given responsibility for introducing or running risk management, governance or control standards and systems. Recent recruitment advertisements seem, however, to indicate some trend in this direction. Is this through bad drafting, misunderstanding, or conscious decision?
The pragmatic auditor
There are three types of auditor: the purist, pragmatist, and pragmatic purist.
The purist reflects the stance I have taken. Principles are more important than profit. But such an attitude can be dangerous. The organisation may believe the auditors are not maximising their contribution, while unprincipled competitors (from within or without) may take advantage. The purist may not survive.
The pragmatist is prepared to abandon principle in favour of value and gain. Independence gets in the way. Carpe diem is the watchword. Expediency is all.
The pragmatic purist invented the third way, refusing to jettison principles entirely but allowing for some compromise, recognising that if audit work does not add demonstrable value to the organisation, then what is the point of it? Being negative or inactive are rarely options.
In my experience, most internal auditors involved in risk management projects are adopting the third approach. They have been active in introducing risk management systems for genuine business reasons, have learnt from experience, experimented with control and risk self-assessment in its many guises, modified their approach and, in many cases, have started to disengage.
Unlike successful consultants, enlightened auditors talk themselves out of a job. The aim is to transfer responsibilities and skills to directors, managers and staff, teaching them to accept and successfully discharge their responsibility for achieving objectives, managing risk and maintaining a cost-effective level of control. The auditor can then be a truly objective assessor and impartial adviser.
Multi-disciplinary
The modern audit unit is sociable, working in partnership with management. Today’s audit functions need to be multi-disciplinary - there have been far too many accountants among their number in the past.
The range of necessary disciplines must be complemented by the development of close working relationships with others who have a legitimate interest in the area and a useful role to play. The partnership approach will not necessarily compromise independence or objectivity. It involves recognising one another’s roles, strengths, interests and limits, avoiding overlap and duplication while providing a cohesive and valuable service.
No one has the monopoly on risk. Directors and their managers have the primary responsibility to evaluate risk exposures. Others – risk managers, internal auditors and other specialists – have roles to play. These must be carefully defined and cost-effectively discharged in practice.
There is still much to be done to clarify responsibility, develop trust, agree a common language and understand risk as a generic concept. On their own, internal auditors may struggle. But, jointly, risk managers and internal auditors should be able to persuade senior management of the business case and give advice on developing and maintaining intelligent risk management systems.
Auditors do still count. But not in the way most people think.
Keith Wade is founding director, CATS International, an independent training and development consultancy specialising in internal audit, business control, risk management and governance processes.
CATS International is planning empirical research into the internal auditor’s role in relation to corporate governance. If any organisation would like to take part in this research, please contact Keith Wade, Tel: 01732 783520, E-mail: keith@catsint.co.uk
