Corporate governance: Crack down

Robert Bruce

There is a severe danger that internal auditors, those most innocuous of
souls, are about to be caught in a pincer movement in the painful heart of a
nutcracker. And what is most galling of all is that it is not their fault.
Finance directors need to leap to their defence.

So why are internal auditors in a painful place not of their making and
certainly not of their choosing? As ever, it is because the rest of the world
has changed, arguably for the worse, around them.

The first issue was Sarbanes-Oxley. Internal auditors probably welcomed it
initially. After all, the most notorious part of it, Section 404, was, frankly,
current practice in any well-organised company. The bases should be covered and
directors sign off on them. Standard practice. Or rather it was standard
practice. What happened was that the audit business in the US, aided and abetted
by US regulators, suddenly saw this as an opportunity to show a sceptical public
that they were as pro-active and rigorous as need be. So the whole business was
hyped beyond recognition. Service layer after service layer was introduced.
Supervisory staff turned up in their millions. They wanted to be seen as the
cavalry arriving to save both companies and the US audit profession’s
reputation. And also, of course, to turn more than a few bucks at a time when
fees could have started to slide.

So the regulatory side of large US companies became hugely overburdened with
spurious process which was, ostensibly, there to ensure the integrity of
reporting systems. At first, internal auditors thought this a good thing. It
wasn’t quite their core business, but it did boost the importance and role of
making sure that all was well in the internal systems.

That is one side of the nutcrackers slowly moving on internal auditors. The
other is the risk culture which the corporate world has embraced so
wholeheartedly. Once upon a time, risk was something which was assessed and
dealt with. It was a relatively simple process and carried great value,
particularly in allowing the board of directors to slumber happily of a night.

Then, as we all know, the consultants got a hold of it. They saw an
opportunity for new service lines. But even they could not have dreamed of the
mass of fees that they would make out of it. Complex risk processes were
invented and sold to companies. Gradually, the tentacles wrapped themselves
around the whole company. Risk processes turned into a discipline which, the
consultants argued, was finally the driver for the whole corporate model, its
strategy and its decision making. From almost nowhere risk management as a
whole-company system became the cuckoo in the internal auditors’ nest.

So the internal audit functions have been outflanked. The role of independent
auditors at the heart of the organisation ensuring that all was well, healthy
and trustworthy with the corporate body was compromised. The processes of Sarbox
and risk management were doing similar work and, quite probably, doing it well,
though at a far greater cost. The essential difference was that the concept of
independence had gone out of the window. The Sarbox process and the risk
management work were all done in cahoots with, and designed by, an alliance of
consultants and management.

The real value of internal audit is something else. It is the skill,
scepticism and rigour of an insider taking an outsider’s view. Under the new
model the role moved from being a compliance function to being part of the
management toolkit. And its value to the company itself was devalued.

This is a real and genuine threat to independence. It comes down to a simple
dilemma: are you doing or checking? Are internal audit departments now seeing
themselves as helping the effectiveness of the processes rather than being the
independent checkers? And that sets in train another doubt. If you are involved
in management process then who is doing the checking?

This change has seriously complicated and compromised the role of internal
audit within a large company. And internal audit itself needs to get to grips
with attempting to clarify the position. In a sense, it is self-preservation. If
the board of directors doesn’t have a clear understanding of what internal audit
are there for then there is every chance of misunderstandings. If internal audit
starts to overlap with other roles, like commenting on the lack of a clear
strategic plan, for example, then you may find directors wondering: “Why are
internal audit looking at that?” This would swiftly be followed by outraged
squawks of: “Are they stepping out of their remit?” Hackles will be raised and
the credibility of the internal audit department will be lowered.

This is where the nutcrackers become painful. From one side comes Sarbox and
from the other come the risk processes. And in the middle the very independence
of internal audit, its real defining role, is diminished. It is not a very
helpful thing to happen within the corporate culture.