Fear or Aspiration – The Internal Auditor’s Choice

BySandro Boeri

ImageT

This year saw the culmination of a project to reform the internal audit profession in the financial services sector. The project was initiated by an implied threat from the Prudential Regulation Authority’s CEO, Andrew Bailey and as a result the Chartered Institute of Internal Auditors coordinated a committee of practitioners to produce a code of practice. The document is designed to support us in playing our role in ensuring banks do not blow up society again.

The failure to apply the code’s contents in a meaningful manner will undoubtedly lead to formal regulatory consequences.

As the end of year approaches, this is an opportunity to pause for reflection – As a profession, we have a simple choice.

We can either deal with the code as a regulatory risk management exercise designed to placate the PRA and the FCA, a reaction perhaps triggered by fear, designed to avoid section 166 reviews and senior internal auditors being named and shamed.  

Alternatively, we could use the code to support the profession and watch it flourish in an age of aspiration.

Personally, as I enter my fifty fourth year, I have concluded that life is short and I would really like to make a difference to the world I inhabit.

With all that in mind I would like to examine the nature of the choices I believe we all face.

Amongst other things, the code gives us choices, choices in respect of the way in which we deal with:-

The code invites internal auditors to get involved with strategy. The fearful auditor will check the accuracy of information used for decision making processes. On the other hand, the aspirational auditor will review the design and effectiveness of the firm’s decision making processes and perhaps relish the opportunity to sit at the top table. Indeed, the more courageous amongst us might perhaps go as far as considering the role of non-executives as the additional pair of eyes in ensuring the business does not blow itself up.

What about change? The code refers to “corporate events” which include acquisitions / divestments, new IT projects, new product launches and other major initiatives. Is it enough for a fearful internal auditor to just sit and observe at a project steering committee? I believe the aspirational individual will want to get involved from the genesis of the initiative and seek to influence the outcome of the project at all key points.

What about culture? The code requests us to comment on the risk and control culture of the organisation. The minimalist approach is to conclude on this aspect from data collected during business as usual activities. Already I know of some internal audit functions that are starting to use corporate psychologists to help them form opinions. Truly aspirational.

Without wishing to sound negative I believe that the aspirational auditor can go even further. Why not take a preventative stance on culture and examine the design and effectiveness of the “cultural control framework? This could include a series of reviews that include:-

  • The mechanisms for setting tone at the top;
  • The communication arrangements that educate employees as to what is expected of them;
  • The arrangements for measuring the culture that prevails;
  • The consequences if individuals do not comply.

Why stop at risk and control? Why not extend the review to examine how the board and senior management seek to ensure that the culture you have is the culture you want?

Let’s now turn to quality. The code suggests that quality should be measured. It does not define quality but urges internal auditors to consider it in terms that go beyond just delivering reports on time.

The minimalist approach is to focus on measuring adherence to audit methodologies. The aspirational approach invites you to look at whether your department makes a fundamental difference to the organisation that employs you. Aspects that could be considered include:-

  • Does management deal with issues raised by internal audit?
  • Has your organisation managed to avoid problems faced by other similar organisations and have issues raised by internal audit helped achieve this?
  • Are your staff regularly poached / wanted by the business?

You choose!

Similar Posts

Auditing Culture – A New Perspective The UK Code of IIA Practice (which comes into force in January next year) requires all internal audit functions to engage with organizational culture….

Stop Press

15th October 2024 STOP PRESS is a daily newsletter provided by Risk Audit to the financial services corporate governance community designed to provoke thought concerning risk management and related control…