Everyone. Version 1.0 Beta.
I used to be ‘an internal auditor’. I followed a lot of rules. I got perturbed when the rules were broken.
I then became a ‘manager of audit and risk’. That included the mixed-source audit function and audit committee support, along with enterprise leadership for ‘risk management’ and for business continuity. On the audit side, I spent more time supporting managers through audits than I spent with auditors. I was no longer ‘an internal auditor’.
The skills and attitudes I picked up from internal audit were fundamental. I still get perturbed when rules are broken. But the differences in the roles, and in the rules, were instructive.
There are many roads, and many roads go nowhere
The main lesson I learned was that, outside the role of ‘internal auditor’, governance still has rules, but you also have free choices about what happens and how. Audit and risk work can be, and not be, a lot of different things, in plenty of different ways.
Here are some glimpses of how varied audit and risk work can be. Audits can cover strategic enterprise management and governance. Equally, an audit can focus on use of credit cards by individual employees, the modern equivalent of petty cash. Audit testing can review executive committee decisions, or it can blindly follow instructions from the financial statement auditors. Managers can be helped with the risk assessment of business plans—or not. Management might benefit from facilitation in implementing audit recommendations—or not. ‘Risk assessment’ can mean anything from inventing new words for meaningless ratings, through reporting the ‘top three risks’, to developing an enterprise strategy to take emerging opportunities. The risk management ‘framework’ can refer to anything from an aspirational statement of principle to a dictatorial database demanding daily declarations, linked to ‘big data’ in real time. You might buy into ‘quality management’—equally, you might find it prudent never to mention the Q-word. You may be dragged into data analytics as a full-time program, or you may decide that analysing data is something you do only within a well-defined audit engagement. You might dabble in ‘best practice’, ‘benchmarking’, or business process re-engineering—or not. ‘Compliance’ can mean almost anything. Sometimes it even means something important.
But in any given organisational tree, only a few of those conceptions of audit and risk work will achieve anything useful. ‘Setting up an enterprise-wide system’ is not, in itself, a useful achievement.
Anxiety needs assurance, and assurance needs anxiety
The audit and risk activities that produce genuine and lasting results are invariably those driven by an authentic demand for assurance. The demand for assurance must come from a high enterprise level.
The assurance demand must be driven by genuine doubts and by gut-felt anxiety about what might go wrong, or about what might be going wrong already. That demand must be real enough to drive a genuine effort, not just from you and your team, but from the full hierarchy of decision-making managers. It’s their efforts that make or break the enterprise, and it’s their efforts that make or break your little governance program.
As a governance professional, you have two functions:
- Find and meet the assurance demands from the anxieties of people who matter. Don’t waste time generating assurance that doesn’t match anyone’s anxiety. Where there is anxiety, find the best path to matching assurance.
- Make the people who matter anxious, when they should be anxious. If the enterprise is genuinely exposed, make sure that the people who matter know how and why.
The function you don’t have is to roll out any ideal version of ‘enterprise risk management’, ‘best practice internal auditing’, or even less, ‘quality management’ or a ‘compliance program’.
The ideal version of ‘enterprise risk management’ or internal audit might be very beautiful, especially to executives who don’t have to do the work. But those ideals will imply a lot of effort that satisfies no demand, except the fast-fading demands for beauty and a warm glow of idealism. The absence of a text-book governance program is never, in itself, a genuine exposure for the enterprise. Your job may have been described to you as if it were about the theory and the ideals, but the first thing you must do is to move the conversation to governance activities that really matter. Let the idealism fade into the background.
If you don’t shift governance to activities that really matter, it isn’t just your effort that will be wasted. It will also be the efforts of the management hierarchy who really run the enterprise: the people on whom you rely, the people who feed the governance programs that you choose to maintain. The feeding will be much more nutritious if the governance program is an essential enterprise work horse than if it’s a white elephant.
Now, there may be times when you and your management contacts are required to go through the motions: to create paperwork to satisfy some well-intentioned regulation or self-righteous nit-picker. In that case there may be no real anxiety demanding the assurance. Fine. But that sort of nonsense is not effective governance of any flavour. It is not how you want to identify your role. It is no shining achievement to put on your résumé. Do it if you must, but don’t pretend to anyone that it’s what governance, risk or audit are about. Most of all, don’t pretend to managers that it will do them any good. It won’t. That lie will only make it harder to get them on board when they really need to do something governance-related. Something that actually matters. Like calming real anxieties, or guarding against real dangers—perhaps with a business continuity plan that works so well it’s actually boring to activate. That’s the sort of thing that governance leadership is about.
In my personal experience, the biggest time-wasters have been theory-based ‘quality management’ and theory-based ‘risk management’. It has not been unusual to soak up management time in quality or risk workshops leading nowhere useful, even while the enterprise does not have any effective business continuity plan. That’s a clear misdirection of effort. In both ‘quality management’ and ‘risk management’, you have a highly elaborated solution, looking around hopefully for a problem. Actual implementations of these ‘solutions’ can easily do more harm than good. I have seen some of that. Like ‘quality reviews’ that look at everything about a transaction except whether the payment outcome was correct. Oh dear.
But also in my personal experience, the most productive and sustained governance programs have been about maintaining and reporting on controls, that is, on operational measures to prevent errors and to treat risks. My favourite was controls reporting, though that won’t necessarily be right for your enterprise. Your opportunities may vary.
It will not have escaped your attention that any such program would overlap with both ‘quality management’ and ‘risk management’, and probably ‘compliance’ too. So what am I saying?
The difference is that the productive and sustained controls reporting program started from a problem needing a solution. Unlike ‘risk management’ and ‘quality management’, it was not a pre-defined solution looking for a problem. The real-world problem was a distrustful main client, prone to anxiety and detail focus. The anxiety was the key. The productive anxiety was alive and visceral in someone who mattered, the main client for my enterprise. A formal standard was involved, with its own theory and rules. But that standard was just the right one, chosen from many, to meet that anxiety head-on, with calm assurance.
You need not avoid ‘quality management’ or ‘risk management’. You only need to understand that those terms can mean all sorts of things. You need to know what they might actually mean in your world, separate from theoretical definitions.
What I learned
Avoid confusing elegant theory and ‘best practice’ with practical solutions to real-world problems. From all the ‘solutions’ you can choose, pick the one that calms the real anxieties of people who matter. As a governance professional, choose the work horse—not the show pony, and definitely not the white elephant.
Qualifiers on this article
Qualifiers for auditors
You might be an auditor, strictly defined, and not a governance or assurance manager.
As an auditor, you may be properly bound by the terms of specific audit engagements. You must stay inside the role of audit. That role excludes many alternative governance processes that rely on the management hierarchy to generate assurance. Some alternative processes with comparable outcomes might include a consultative risk assessment or controls self-assessment. Each of those processes might be a good idea, but you don’t always have the option to use them, and I would warn against ‘giving them a try’ without careful strategic planning and long-term reflection on your special role.
But as you know, audit is not all about rules. You will probably have some scope to negotiate the terms of each audit engagement to sharpen the focus on assurance outcomes that matter. It is always important to find the assurance appetite that led to the engagement, or that should have led to it. It is not uncommon for the engagement defined on paper to miss the real point and the real assurance driver, in some degree. You can do something about that before, and after, starting the work. For example, you will always need to establish the balance between assuring key controls and assuring efficiency. You will also need to understand the relative importance (or unimportance) of seemingly peripheral aspects of the audit subject, such as performance reporting, budget management, cost accounting, record-keeping, safety, people management, and so on.
You may also have some ability to vary reporting styles and norms toward achieving better outcomes.
It may legitimately come about that you have been engaged to do some mundane re-performance tests, or to do some other limited work that doesn’t seem to have much value from where you see it. As an example, you might be expected to review employee usage of corporate credit cards, on the less-than-thrilling basis that supervising managers don’t bother with it. Such an engagement is not exactly a good use of the audit function, even if it lands inside your audit charter.
If you have an apparently mundane engagement that doesn’t exercise your finely-trained judgement, you might first check that you are maintaining standards for independence. For example, carrying out testing procedures set by management is barely legitimate within the independence requirement. Any compromise of independence must be disclosed in audit reporting, and your employer should think about that before you get started. For example, if the Chief Financial Officer is setting testing procedures, the tests are better done by people employed by the Chief Financial Officer, and not by the audit function. You might be one of those people, but preferably you would be seconded out of ‘audit’ to do it, and not represented as ‘audit’ in relation to that assignment.
In my limited personal experience, executives really want to be able to claim ‘audit endorsement’. I would go further to say that most executives will take any possible opportunity to claim endorsement from ‘audit’, even clearly illegitimate opportunities. If they want that kind of endorsement, they can ask, but to make that claim they must keep well out of the way of how you collect evidence and reach a conclusion. They also have to cop the result if it isn’t the glowing endorsement they wanted.
Assuming that your engagement is ultimately consistent with your audit charter, and you haven’t argued your way out of it, you’d better do it (brilliantly), but be sure to also give your professional advice on how things might be organised better, both for audit independence and for efficient enterprise governance. That advice might be a formal recommendation in the audit report, but equally, you might give that advice in another channel.
The meaning of ‘assurance’
This article uses the word ‘assurance’ in the way that auditors and their clients understand it.
To get to an ‘assurance’ that an activity or statement has a specific attribute, both of the following conditions must be true. You can imagine the ‘activity or statement’ to be a financial statement, and its attribute to be ‘true and fair’.
- A capable and independent person with no interest in the activity or statement, but with a strong accountability for telling the truth, says that the activity or statement has the attribute. (That person is the ‘auditor’.)
- The independent person has a continuing accountability to share objective evidence to back up the view that the activity or statement has the attribute, if challenged.
It follows from these conditions that the activity or statement can be taken to have the attribute in the real world, although that belief can be challenged at any time.
A signed declaration by the manager responsible for the activity is not an assurance in this sense, although such a declaration counts for much more than nothing.