A short while ago, I attended the very successful international conference of the Institute of Internal Auditors (“IIA”). They had a great range of speakers from Alastair Campbell, talking about dealing with disasters in government (of which he says there were five in the Blair years), Michael Woodford talking about Olympus and Professor Mervyn King talking about Integrated Reporting. There was also an introduction to the idea of Integrated Reporting and sustainability from HRH Prince Charles.
It seems to me that there are some fundamental issues that the IIA needs to address. On the one hand it is promulgating the Three Lines of Defence model (one speaker thought that the TLD had been developed by the IIA – I am sure Dr Angela Smith might have a thing or two to say about that!) with all of the zeal of a convert come late to the party, and yet there is a determination that they should focus on strategic risks and advising boards and management teams in a consulting role.
Simultaneously they are also taking risk firmly under their wing, despite the famous (or is it infamous) fan of acceptable, permissible and forbidden service offerings for internal auditors. Then to cap it all, Professor King was urging them to be forward looking strategic consultants embracing the precepts of Integrated Reporting.
I think there is a clear case of scope creep emerging here. I know it is boring issuing parking tickets, and no self-respecting internal auditor wants to be caught dead actually checking that controls are operating – after all continuous auditing systems should do all of that now, right? But I cannot help thinking that somewhere in the organisation, someone somewhere needs to be making sure that the fundamental accounting controls continue to operate. Call me old fashioned, but would some of the more egregious ethical scandals have been nipped in the bud somewhat earlier if sceptical auditors had been looking at fundamental controls, rather than having internal audit away with the fairies in strategic la-la land?
Of course the whole idea of risk-based auditing has been around for years now, whether internal or external. So it was little surprise to hear the emphasis on this at the IIA’s conference. But does that mean that the internal auditors should be the guardians of risk management – especially given their clear preference for being the “third line” of defence? So I was curious to attend a session titled something like “Are we addressing risk?” Three highly experienced and senior internal auditors were on a panel, facilitated by the current Chairman of the IIA’s global board. It occurred to me that if they are to act as the risk experts, it would be interesting to know how much formal training their team members have had on risk management. The answer, not surprisingly was that the FCA are pushing banks and insurance companies firmly in that direction, but unregulated businesses are relying on perhaps one or two risk professionals plus perhaps some training from their Big-4 auditors. So what, precisely, gives the Big-4 the market permission to provide training on risk management?
My bottom line conclusion was that in the land of the blind, the one-eyed man is king… Time for more people in internal audit AND in the first line to get a LOT more training in risk management. Self-serving? Not at all: I see it as a fundamental necessity for the salvation of our economic security, especially as we live in times of VUCA: volatility, uncertainty, complexity and ambiguity, in other words in a time of chaos and paradox!
Richard Anderson is the principal consultant at AndersonRisk. He can be contacted through their website: www.AndersonRisk.com/contact/ Richard consults on risk management with organisations worldwide.