What is the purpose of any audit? Don't jump to the rote answers you memorized to pass the CIA exam; I'm talking about a more general, more easily understood answer. (Here is a challenge I have given more than one group: Define internal audit in a way that your kids can understand. That's the kind of answer I'm looking for.)
Here's my quick, right-this-moment-as-I-type-it answer. The purpose of internal audit is to make things better.
No extra fluff about corporate objectives or efficiency and effectiveness or partner to the business or advising the board or adding value or professionalism or independence or objectivity or assurance or consulting or any of the myriad other words we throw around because they sound good and we think they have real meaning and they can have actual resonance and value but often cause our listeners to go wall-eyed as they fall back in their chairs succumbing to the monotonous tone of our self-righteous justifications. Nope, none of that; just "make things better."
Not that there's anything wrong with all those other things. They do, indeed, make up who and what we are. But we lose sight of what we really want to be when we find ourselves knee-deep in the muck and mire of day-to-day audit work. I know you don't think this/I don't think this/no one ever thinks this, but pay attention and you will catch yourself falling into the mindset that the purpose of internal audit is to test, is to interview, is to document, is to write a report, is to get out with the fewest review notes, is to hit the due dates, is to complete it in the prescribed hours. We find ourselves taking on the mindset that the purpose of our work is the completion of a series of tasks, not the achievement of an overall objective. And, in so doing, we forget that the audit is a tool to be used in completion of that broader purpose – make things better.
At the start of this series, I provided two examples of relatively significant "fails" in audit work which I had been a part of. If you haven't read them or, because this has taken me so long, you have forgotten the stories, take a moment to look at them now
In my description I also provided some of the insights our audit group came up with as we performed the post mortem on why the audits had not succeeded – why, in relatively short order, areas to which we had given effective opinions were subsequently identified as failures.
The lessons we learned were good ones; they helped us do better audit work in the future. But as I have already said, I do not think we really recognized the bigger issue. This realization came to me as I thought back on a presentation I saw by conductor Benjamin Zandor. You can go back and see my thoughts, as well as part of his presentation
, to catch up on those ideas.
The first big lesson for internal audit has to do with the way we audit organizational initiatives and projects. Start with this question: Why do so many of these initiatives and projects fail? We hear a lot of interesting stories – things didn't come together, we missed the timelines, the project team was on different pages, the software didn't work, the suppliers didn't come through, there weren't enough meetings, ad infinitum, ad libitum, ad nauseam. And so our audits focus on helping ensure controls are established to address these issues.
However, if you really look back on what you've seen, you begin to realize it is not these individual issues that are the problems. In fact, if you audit to these issues there is a significant risk that you will provide an effective audit over an ineffective process. (See above) This is because people are focused on the pieces and, even with enough oversight meetings to bludgeon the most stouthearted project manager into a coma, the overall purpose gets lost.
To use an analogy based on Benjamin Zander's presentation, there is a focus on the notes, measures, and the phrases, but no one is trying to understand how these come together to build the finished piece. The team has come together to ostensibly play the piece commissioned by the organization titled "new project for a new day". In the meetings they discuss the notes, they discuss the measures, and they discuss the phrases to ensure that they are all in place. However, when it all comes together – because no one has really gone back to understand how they should mesh in the final performance – the final product is a disaster.
What this means for internal audit is that, when we are looking at projects or initiatives, we need to ensure we have an understanding of the big picture second to none, and that we consider that big picture as part of our review. We should continue to include assurance that the mechanisms are in place to ensure those notes, measures, and phrases are in place and being properly controlled. But, if we agree that our purpose is to make things better then we also have to step back and listen for the entire piece – ensure that the notes integrate to become measures, the measures build together into phrases, and the phrases will fit into the entire performance. We should ensure that the whole is greater than the sum of its parts.
That is lesson number one. But in the profession of internal audit we need to be able to take as well as we give – if we point a finger, we should also point it back at ourselves. Leading to lesson number two, and the subject of tomorrow's post.