As long as I have been working in this profession, I have found auditors to be questioning as to the role and effectiveness of the work they do.
On 8th October 2021 IIA Nordic institutes celebrated their 70th anniversary. As part of the celebration guest speaker, Rainer Lenz, gave an inspiring speech on the future direction of internal audit under the title “Gardener of Governance”.
Firstly, let me say I love the metaphor of Internal Auditor as Gardner of Governance. The gardener who helps the organisation grow and thrive. I have also heard the phrase Guardian of Governance, but I agree with Lenz that this places too much emphasis on protecting the organisation from evils – back to the third line of “defence”. Yes, we do have a defensive role but an overemphasis on that can hinder us from taking on a proactive role. As the IIA mission statement puts it “To enhance and protect organizational value…”
The paper gives a new take on the role and purpose of internal audit which I find refreshing. As long as I have been working in this profession, I have found auditors to be questioning as to the role and effectiveness of the work they do. Maybe that is unavoidable that spending our time, as we do, criticising others we also apply the same critical attitude to ourselves. This paper inspires us to place that criticism within a new paradigm consisting of the 5 P’s of Planet, Public, Profession, Prosperity, and People.
I do agree with the paper’s argument as to the focus of internal audit on governance as discussed under the P of Profession. However, when I read this article, I am pleased that I am working as an internal auditor in Norway where the fight to break free from being the junior partner, or even worse, lackey of external audit happened 30 years ago, but I understand that other countries have different experiences. However, here’s a thought: shouldn’t we consider making a clean break with the terminology as well? Why should we define ourselves by contrasting ourselves as internal as exposed to the external auditor? Just as I would rather use the term financial auditor to define the external auditor by what they do i.e. audit financial statements, so maybe we should define the internal auditor in relation to what is actually audited? Maybe “governance auditor” could be such a term?
I come at the justification for internal auditor’s focus on governance from a slightly different angle, I see governance as containing within it the elements of internal control and risk management as illustrated in Figure 1 below. This is a topic that is further addressed in the introduction to the Guidelines for governance – IIA published by IIA Norway:
Looking back over my working life as an internal auditor one of the significant trends has been the rise of the second line of defence. In a time before the establishment of Risk Management and Compliance, these functions used often to lie within the overall responsibility of the internal audit department. Now they have been carved out and manned separately. Believe me, it is not something I regret and that is because these areas have increased focus and professionalism and loosed from the shackles of independence, they can operate more proactively in many cases than internal audit was able to. However, if you have well-functioning Risk Management, Compliance, and IT-security functions we should ask ourselves, why do our organisations still need an internal audit function? Unsurprisingly I believe the answer to that question is yes, but that is because, and I agree with this paper, the efforts of internal audit should concentrate on management systems at a higher level i.e. governance. Here I digress.
In my opinion one of the most important aspects of internal audit is seeing what isn’t there.
In the old, old days internal auditors started by checking what was there or what was supposed to be there (e.g. a manager sign off), but I believe our contribution is to flag missing elements in the governance system, which could be organisational such as missing priorities, missing governing documents, risks and responsibilities that lack an owner, controls that should be in place and processes that should be designed more effectively and perform more efficiently, monitoring mechanisms. A control is a control is a control, but may be internal audit should challenge the efficiency and effectiveness of controls. May be the priority should be on preventive controls rather than relying on detective controls for example. So rather than internal audit competing to be masters in the areas of compliance and risk management, they should rather concentrate on the bigger picture of how internal controls and risk management is an effective part of overall governance.
So clearly, I support the initiative in the paper that we should as a profession promote good governance. This does however pre-suppose that we are agreed on what we mean by good governance. Corporate governance codes have in my opinion too much focus on shareholders’ rights and the responsibility of the Board rather than how an organisation should function as one holistic entity. This was a major impetus behind why we developed in IIA Norway Guidelines for governance. Interestingly enough and unbeknownst to the project team developing the guidelines, was in parallel developing ISO 37000 «Governance of organisations – guidance». We have subsequently mapped that the elements are almost identical between the two documents ISO 37000 vs IIA Norges «Veileder for virksomhetsstyring» in Norwegian, however, in my humble opinion (I was part of the working group that developed the Norwegian guidelines), the Norwegian guidelines are better structured paralleling better a management system with control, feedback and improvement. Also, the IIA Norway version is more organisation-centric whereas the ISO 37000 is framed as what the Board should ensure is in place.
All credit therefore to this paper recommending that more IIA Institutes should consider contributing to the formulation of local corporate governance frameworks – a challenge I believe IIA Norway has already taken up. Furthermore, if we are to be the gardeners of governance we should also have an opinion on what is an appropriate second line function, which is why the IIA Norway originally developed Guidelines for the Compliance Function and Guidelines for the Risk Management Function. Indeed, IIA Norway has further developed the risk management guidelines together with colleagues in the Nordic and Baltic countries in the Good Practice Guidelines for the Enterprise Risk Management Function. As internal auditors I believe we must not shy away from having expectations as to how the second line can perform optimally for the organisation we audit and, a good way of doing this is painting a detailed picture of what we believe is good practice. If you refute that picture that is OK, but at least it forces the clearer articulation of the areas of disagreement and promotes more constructive dialogue.
Internal audit as a profession. In my humble opinion, if internal audit is to be regarded as a profession, then internal audit must be prepared to give an opinion.
If you go to a doctor with an ailment you would expect to end up with a diagnosis. If you ask an engineer to report on the structure of a bridge. You would expect an opinion not just a statement we did some very limited checks but found nothing wrong. Shouldn’t this be the same for an internal auditor? I know the problem from the internal audit side has been that if we were to give an opinion on the areas of our work it would according to the standards, encompass internal controls, risk management and governance. The pure amount of work that would have to be done to give an opinion on internal control with any degree of accuracy would presuppose the need for the audit department to increase 10-fold in size, which is clearly unlikely to be achieved and, even if it could be achieved would provide limited added value. But what if we were to raise the scope of our opinion to a higher level? Maybe it’s not quite so impossible to give an opinion on governance especially if we can measure against benchmark good practice articulated in guidelines.
So, again I agree with the thought that for us as internal auditors this should be our primary focus. Let line management put in place internal controls in line with a system articulated from risk management and let risk management evaluate if those systems are likely to be functioning. Internal audit can focus on governance and what is missing in the systems for risk management and internal control as a part of the governance system of the enterprise. Of course, there is a risk that internal audit ends up as a superficial function that has such a high-level focus as to be worthless. Still, I believe we should never drop the idea of gathering reasonable evidence to support our opinion. This can be done by carrying deep dives into business areas and function responsibilities to justify giving an overall opinion of governance in the whole enterprise. To achieve this focus (and here I am not doubting that some will stamp me as a heretic), I am not convinced that data analysis skills have the absolute necessity as appears to be expressed in the article. Expertise in statistics and technology are however in my mind essential cornerstones of expertise in a risk management function.
May be a gardener of governance needs to build up skills in organisational development and culture, communication skills, fraud, cyber risks amongst others on top of generalist skills in the theory and practice of internal control, risk management and governance.
I too would like to see internal auditors surfing in the wild ocean being aware to the changes in the weather and currents and helping our organisations have the governance systems to navigate safely to the next harbour.