15 September 2018

Strategic Audit, Internal Audit's Five Legged Sheep

A little Strategic Audit horror story.

One special treat as a long-term Risk Manager and former Internal Auditor is to see the "latest" slide showing the "Auditor of the Past" and the "Auditor of the Future". I enjoy looking to see if the slide has changed in any material way from the same version twenty years ago. Sadly the slides never change, which either means we have still to reach the future, or that anyone who has been in the industry long enough recognises aspiration in the face of reality. I also like to see some of the perennial entries for the "future":

  • Auditing Strategy (or being a Strategic Auditor),
  • Greater use of technology, and
  • Being a pro-active communicator

Of course the list goes on, but for now, I want to focus on only one of these: Auditing Strategy or being the Strategic Auditor.

The total list is laudable and always has been. The list is also, primarily, a recognition of the capabilities and facets of the people in Internal Audit, our expectations of those people even knowing who and what we have put into those positions, and the value (and price) that the Executive and the Audit Committee are willing to pay for those skills.

Internal Audit is overhead, and overhead is something that is always on the block. But this particular overhead can lead to problems if it is not effectively managed. As an overhead, the desire is constantly to maintain or reduce the cost of the function, to reach that nirvana of low-cost, high-impact internal auditing. Sometimes this is achieved by seconding people from within the business into Internal Audit for a period of time, before returning them, up-skilled, to the business. Sometimes this is achieved by simply hiring cheap and young, all the while expecting professional depth, industry knowledge, and maturity in communication - both written and verbal.

Strategic Audit

We must recognise that to audit strategy, one must be a strategic thinker and must have a depth of profession and industry knowledge, and yes, enough years to understand trends and five (and longer) year business plans and decade-long business cycles. Auditing strategy requires direct experience with strategic planning and the business' own strategic plan, as agreed by the Board of Directors. It also requires a depth of understanding of markets, product lifecycles, customer expectations and potential market entry and exit obstacles.

Mostly, the Strategic Auditor must have the courage to ask Strategic Questions, not just questions about strategy and the strategy process, and the courage to communicate unwelcome messages.

The expression in France is that we are looking for the "five-legged sheep".

Reviewing Internal Audit - where's the Strategic Audit?

I remember performing the EQA (External Quality Assurance) review of the Internal Audit department of a large financial services company. Was Internal Audit complying with the "International Standards for the Professional Practice of Internal Auditing"?

I reviewed their plans (departmental and individual audit), the communications with the Audit Committee, individual audit reports, and walked through sample internal audits from the planning to reporting and follow-up. Their methodologies were sound, and from the perspective of compliance with the Institute of Infernal Auditors standards, they were mostly in compliance. To all appearances, this was an effective Internal Audit function.

But there was something about the function that worried me. I even remarked to a colleague that this was a fantastic 1990s Internal Audit Department (this was in late 2011). 

Eventually, I figured out what was making me so uncomfortable: there was no "Strategic Audit" concept in their plans, mission or actual programme. Financial Audit focused on the financial processes and statements, while Risk Management Audit looked at trading systems and trading activity in detail, or as much detail as they could. IT Audit was well staffed, as should be expected for a financial services firm, especially one with "over 100 trading platforms".

Wait, did I just say "over 100 trading platforms"?

This financial services business had grown through acquisition, and actually performed and delivered services through the common company and through a network of purchased but poorly if at all integrated companies. While every trade and every transaction was performed by the core company, actual trades were taking place across a plethora of independent systems, each with its own internal control environment, technology, and support services.

Internal Audit knew this, of course, and could show me how they would, through a multi-year Internal Audit Programme, reach all of the medium to high-risk units during every three-year cycle. And the audit reports demonstrated that while individual units reviewed did have some issues, on the whole, they were not finding significant control system breakdowns.

Yet the company was also going through difficult times, as had all financial services companies in the years after the Global Financial Crisis, and cost-cutting was an ongoing strategic imperative.

The CAE Speaks

Finally, I was able to interview the CAE, the Chief Audit Executive. We talked through what I had seen so far, my impression on the effectiveness of Internal Audit, and what my findings and report might look like. Where, he asked me, did I think there could be reductions in the Internal Audit department to gain headcount and cost savings?

I countered that what appeared to be missing from his team was a Strategic Audit function, and any Strategic Auditors. Who was performing the strategy and strategic level reviews, for example, a review of trading platform strategy and the risks associated with having so many trading platforms? This was not in the plan, he told me, because he didn't have the resources to undertake such a review, and besides, he didn't expect that the results would be of interest to the Board.

I told him that I was very concerned that there were so many trading platforms, in an environment of cost-cutting and headcount reductions, that the overall level of risk would increase significantly. After all, if there were one or two (or ten) trading platforms, then his audit resources could focus on that more limited number of control environments. Further, cost reductions could only lead to a greater risk of controls being ignored or bypassed within the individual trading units. Wouldn't he expect to take a report to the Audit Committee suggesting a consolidation of systems?

His response was that such a recommendation would carry costs that would be beyond what the Audit Committee or the Board would want to hear at this time, and that after all, a greater number of trading platforms meant that their risk was diversified.

His Strategy was to avoid conflict, and he already knew that such a set of recommendations would only bring him into conflict with a Chief Executive and Board that were determined to drive down costs at any price. 

My conclusions (from the EQA)

It was now clear that the interview and discussion were over. I was to provide a report on their processes and procedures as aligned to and with the Institute of Infernal Auditors Professional Standards. Indeed that is what I provided.

Certainly, there were a few areas where they needed some attention, but so much seemed to be best (or good at least) practice.

Certainly, the customer satisfaction processes could have been improved. Likewise their budgeting per audit and communication of cost/value to the auditees and management. For a financial services enterprise, there was an unfortunate lack of effective automated and continuous testing, and it was recommended that the IT Audit unit look to introduce such processes.  

Going a little further, I also recommended that they should be linking their audit plan and programme to the risks included in the MD&A (Management Discussion and Analysis) section of their annual SEC 10K regulatory report.

But without the Strategic Audit capability, and the willingness of the CAE to bring difficult reports and recommendations to the Audit Committee and the Board, it was my belief that the function was inadequate. Of course, we were not allowed to say that, so we didn't. It never made it into the report.

Aftermath, and a slight problem

The EQA report was delivered and discussed. The findings were agreed, and promises were made to implement almost all of the recommendations. Some were disputed, as is to be expected. There was no discussion of the need for a Strategic Audit unit. That was not to go in the report.

So everyone was "satisfied", and the invoice was promptly dispatched.

If you look back to 2011, you'll see that one of the top-10 bankruptcies took place that month. Needless to say, our invoice was never paid.

Did the wide range of trading systems lead to their collapse? Not directly. Was it a symptom of a company in which effective internal control and a strategic outlook (especially from their Internal Auditors) was missing? I would suggest so. The inability or unwillingness to deliver hard truths and to speak strategic risk can damn an internal audit function and can do lasting damage to the company.

My Conclusions about Strategic Audit

I said at the beginning that Strategic Audit or Auditing Strategy requires knowledge and experience, and a strategic mind. It also takes courage. The courage to look at the strategic situation of the company and its market position, future plans and where it came from. 

Also to look strategically at the leadership and Director team, and communicate clearly (and frequently privately) what you are seeing, and why it makes you, the Internal Auditor, uncomfortable, and why that should make the Executive or Director uncomfortable.

Strategic Auditing takes courage. And what I've learned, through this particular series of events and others in small and medium-sized companies, is that the courage is not common in Internal Auditors. Not as common as the profession, and their employers, need.

The fifth, and too frequently missing leg of the Internal Audit sheep is Courage. Most frequently, the courage to not be a sheep.

1 comment:

  1. Great article - and, yes, strategic audits are missing in most cases. Unfortunately. Strategy should drive everything. But clearly it didn't in this example. This is when tactics and operations become the purpose, instead of executing the strategic objectives. Not to mention the importance of foresight development and how it is incorporated in the strategy - i.e. what are the medium and long term trends, emerging issues and weak signals? Strategy is about the future, but, ironically, strategies rarely address the medium and long term. In short, most strategies lack foresight.