job Kvalitet og metode

Internal Audit, 80 years old – a time for reflection

IIA feirer 80 år i år. Livet for profesjonen så langt har vært litt av en reise. Men hvor går veien fremover nå?

Oppsummering

James Patterson, en av nestorene i IIA-kretser og en faglig dyktig og jordnær foredragsholder, som vi også har hatt gleden av å bruke i IIA Norge, oppsummerer tre områder som er aktuelle for videreutvikling av profesjon i dag:

  1. Uavhengighet og objektivitet 
  2. Bekreftelser (assurance)
  3. Innovasjon i arbeidsmåter sett opp mot revisjonsstandarder

Hvor langt kan vi gå i å være agile og hvor mye dokumentasjon og revisjonsbevis er minimum tilstrekkelig?

God lesning! Martin Stevens, Mediakomiteen

After 80 years since the founding of the IIA it’s a good time to take stock of how much our profession has achieved. It’s also a good time to consider where we are now, and where we might be going.

I got involved in Internal Audit back in 2002 as CAE of AstraZeneca. Since 2010, I have been provided training to clients and a number of IIA organisations in Europe (14 and counting). These past 10 years have enabled me to combine my passion for internal audit alongside a love of training and development (I worked in HR and Finance before I became a CAE). Those that know me will appreciate that I am a passionate believer in progressive internal audit, and I wrote the book “Lean Auditing” in 2014.

I don’t think I would have enjoyed working in internal audit if we had not been a profession that:
i) really could make a difference to organisational performance;
ii) offered something important to the wider agenda of purposeful and ethical business and
iii) was prepared to innovate.

The 2017 IPPF statements that we should “strive to enhance GRC” and that we should be “insightful, proactive and future-focused” reflect a progressive agenda.

Our interest in adding value (2000) and co-ordinating with others, even relying on others, (2050) and the latest up-date to the 3 lines model, show that we are trying to position ourselves in a unique role “at the top table”. The interest in lean and agile ways of working and data analytics is heartening, because these innovations look, at the specific ways we can achieve our vision in a practical way. An increasing interest in Auditing culture is also music to my ears (given that I used to work in HR); after all who can doubt that behavioural issues are often important causal factors behind poor GRC performance?

However, despite all of the good things about our profession and the fantastic individuals working within it, I believe there are a number of recurring topics where we can be challenged, and may not always live up our full potential. At the root of this are some key assumptions and dilemmas that are worth examining. If we look at these I think we may be able to unlock even more of the potential of this profession.

What follows is my attempt to examine some of the challenges we face. I do this with thanks to the thousands of internal auditors I have worked with these past 10 years, because these issues regularly come up at our workshops. I will start by examining three key areas, at first, although I think there are 2-3 more that we could explore in due course.

1. Independence and Objectivity

The IIA IPPF standard 1000 is clear about the importance of independence and objectivity, and the importance of an independent reporting line. The IIA Code of Ethics also stresses the need have integrity and to be objective and offers some guidance on what this means. Rightly, work to determine how we live up to these requirements has been done via IIA research resulting in the book “The Politics of internal auditing” published in 2015 and the CBOK “Ethics & Pressure” report from 2016.

These research reports reveal instances of internal audit teams being pressured to:
i. supress findings (55% at least once),
ii. to avoid auditing higher risk areas (49% at least once) and,
iii. auditing lower risk areas to satisfy the personal agendas of senior managers (31% at least once), (i.e. audits as weapons).

The research reports offer some helpful insights on what can be done to manage these pressures, but they also reveal the ways senior managers can try to control IA via budget cuts, or excluding CAEs from meetings, or asking them (even forcing them) to leave. Sadly, the research reports (and what I hear at workshops) reveals that Audit Committee support for internal audit is not always as strong and forthright as it could be.

My training workshops on the “Influencing and political savvy” and recently on “Ethics in the real world” suggest CAEs and internal auditors try hard to get the balance right between flexibility and pragmatism and independence and objectivity. They talk about dealing with challenges on a “case by case basis” and try stay on the right side of the line. However, as we probe dilemmas in detail many realise that it’s very hard to know exactly when a choice to be “pragmatic and flexible” might amount to a loss of IA’s independence and objectivity in a particular situation.

My question is: do we really believe that independence and objectivity is mostly about having the right reporting line and an independent frame of mind, and not something we need to worry about too much? Or should we admit that, despite some safeguards, this is still an area full of dilemmas that we should be examining in more detail? In particular, how much better are we at managing politics as a profession than when we last looked at this 5 years ago?

Taking another angle on this; are external quality assurance looking in depth for the issues around planning/reporting that could be undermining our independence and objectivity, and if so, what are the findings and good practices we should know about? And, more fundamentally, is there a possibility that, because we have expertise looking at matters of integrity and ethics in others, we feel rather awkward bringing up this topic concerning ourselves?

2. Assurance, reasonable assurance

As most readers will appreciate, the IIA standards define internal audit’s role in terms of: “Providing risk-based and objective assurance.” They rightly define what to do when “assurance engagements” or “assurance services” may suffer from an impairment (the latter term explained in the glossary to the standards). The standards talk about the need to exercise due professional care to “assurance procedures” (1220) and the importance of “quality assurance” and improvement programmes (QAIPs: 1310). At IPPF 2000 there is a mention of IA providing “relevant assurance” and in the glossary to the standards, the terms “adequate control”, “control” and “risk management” are defined in terms of “reasonable assurance”. However, the terms “assurance procedures” and “reasonable assurance” are not defined in the IIA standards or glossary, although at 1220.A3 the standards state “assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified”.

So where am I going with all of this? Well, I think we all know that our risk-based approach to internal audits, and the scoping of assignments, helps us to determine relevant assurance. I also believe that communications around the work we have done, or not done, (i.e. the scope of an assignment) helps us to explain that our assurance is reasonable and not absolute. But when I speak to internal auditors about how they define specifically how much assurance, exactly they have provided in an assignment, I find a range of answers, including:

  • “When developing work programmes, we explain to stakeholders that for a given level of resource there is always a trade-off between the breadth of an assignment and it’s depth”
  • “We use the words ‘health-check’, or ‘design review’ rather than ‘audit’ or ‘investigation’ to highlight differences in the depth of our assignments”
  • «We make a general caveat that our assurance is not absolute” and
  • “It’s annoys me to hear the audit committee saying ‘why did you miss that fraud or other issue?’ if something goes wrong; when we could never have found that issue with the number of days allocated”.

I recognise that defining “reasonable assurance” in relation to a specific risk or process may depend upon factors such as the risk appetite for the risk.

I also appreciate (as I know will many readers) that frameworks such as COSO and COBIT, or more specific regulatory frameworks, can help guide us towards whether assurance is sufficient. However, it seems to me that the specificity and complexity of what constitutes “reasonable assurance” means a lot of internal audit teams are determining this for themselves (i.e. what is “reasonable assurance” will depend from audit to audit).

And when we compare what we mean by “reasonable assurance” between different audit teams, there are often significant differences in what auditors mean. I think this puts us on dangerous ground for something so fundamental as assurance, imagine such inconsistencies in engineering or in medicine! It seems appropriate to mention the IAASB statement ISA700 at paragraph 11 which discusses reasonable assurance in the context of external auditing. Here it defines reasonable assurance in terms of “whether the financial statements as a whole are free from material misstatement”. Note that the focus is to determe what would be a “material misstatement” (e.g. an error of less than $10m) and then to work backwards to make sure that the work done supports this level of materiality; i.e. an outcome-based view on what is reasonable assurance. In the majority of IA workshops that I run, IA teams define their reasonable assurances in terms of the work they will/won’t have done – i.e. an input-based definition of reasonable assurance.

I think it’s time to look at “reasonable assurance” again as a profession and to develop more guidance about what represents good and less good practice.

Then we can be sure our work programmes really do match the level of assurance we say we are providing. This would also be timely to in a world of big data, so we can better explain how data analytics, AI and machine learning can enhance the levels of assurance provided compared to traditional audit techniques.

3. Innovation and IIA standards

A final perspective and concern: I very much enjoy hearing about the innovation that is going on in our profession. The passion for moving our profession forward was plain to see when I chaired the second day of the IIA UK virtual conference in October 2020, and when I attended the IIA international on-line conference in November 2020 (I was unable to speak as planned on lean/agile given that I am UK based). I also love reading articles about new ways of working and swapping “war stories” with clients.

Virtual conference

However, I think we need to ask ourselves how often these exciting up-dates regarding new ways of working (i.e. agile, machine learning) are explicit about the way they link to the 3 lines model and our IPPF etc.? When I was writing the book “Lean auditing” I was very concerned that everything I was proposing should factor in IIA standards etc. and I was lucky enough to get input from IIA technical staff and the former IIA Global CEO Richard Chambers to assure me I was on the right track.

I may be wrong, but most of the articles and presentations on new ways of working that I see and read, are comparatively silent about how much these new ways of working do/don’t comply with our professional standards. I’m not making this observation in order to stifle creativity and innovation in our profession.

I think we need a clearer connection between new ways of working and our standards, since this would enable our profession to progress with new innovations hand in hand with our professional disciplines.

I am sure many readers are working hard to balance improvements in what they do with IIA compliance on a day-to-day basis; but I think more visible links between our standards and “the next big thing” will help us to keep our feet on the ground as a profession. It would be such a pity if IA becoming more lean and agile etc. started to undermine our reputation and credibility in the eyes of stakeholders and regulators.

I’ll stop here for now and hope that others in our profession can agree that whilst I am offering some challenging comments, this is done with a belief that we are a sufficiently important and mature profession that we can be open about some of the more challenging aspects of our vitally important work, to help us raise the bar even higher.

Please reach out to me at jcp@RiskAI.co.uk if you want to continue the conversation.