Of what exactly? Or whose? Who need these? Those who intend to use these? Or those who know how to use these and thus understand their significance? Or those for whom these are just what everyone has? Or those for whom these are good to have? Or those for whom these are for just in case?
Yeah, the auditors are the eyes and ears. But for whom? Who needs them? Who wants them? Who understands them? And for all those who do understand why they need auditors, do they need them to fulfill any statutory / regulatory / best practices requirements or because they are looking and in fact rooting for the value auditors deliver?
Hardly a lot! Even though the corporate governance champions would want you to think otherwise. But that’s exactly one indicator of how it’s not a lot. When we need the corporate governance champions, championing for our cause, the eyes and ears might not hold the substance these should.
However, it’s imperative that one should understand, it’s hardly a problem of the audit profession and more about the people not understanding the significance eyes and ears have. It thus means that it is taken as given, even when benefitting from their use. The use is neither well thought out nor guided or evolved because it’s just there.
But in Internal Audit it’s not always there. Those who don’t have it are clueless about the ways and means it could help and add value, even though at times they’re getting the audit work done in an utterly unprofessional and unfulfilling manner. But the most troublesome lot are the entities who have invested in internal auditing, even if out of mere compulsion, yet they’re unable to benefit from their investment.
But let’s first look at those who haven’t invested in Internal Auditing but are getting the internal auditing work done somehow by a disfiguration of what auditing does through their (mis)understanding:
- Reviewing and approving each and every transaction irrespective of its material significance.
- Having a so-called team of auditors to pre-audit every or a select quantum / nature of transactions.
- Investing in firefighting and rescue operations, rather than in improvement and evolutions.
- Making the operational staff responsible for reviews and evaluations (self-reviews and evaluations!)
- Reactive approach to risk management; risks materializing and then taking actions.
- Investing in symptomatic treatments, rather than process improvements and evolutions.
- Investing in people dependence, increasing HR costs and then rounding up those same people for errors and omissions.
- Designing and implementing controls without any mitigation of risks or controls that cost far above the cost of risks!
For this lot, demonstrating what internal auditing could do and how it does it is an exercise in futility, because they will always come around saying they’re already doing it in their own profane and nonsensical ways, rendering their systems, processes and controls irrelevant and useless.
Even when owing to their disregard for systems and people dependence, the routine work suffers lags and goals and objectives take a backseat, they’re still unable to see the return on investment in having a systematic, detail-oriented and disciplined approach to do what they’re doing. To even think about what evaluating and improvement interventions in Governance Risk Management and Controls (GRC) could achieve in such a case is both meaningless and stupid!
And now for the troublesome lot! In fact, let’s call them the brazenly stupid lot! Simply because they’re not just living in the evolved IA aware era but also being subjected to it. Still, that’s what they like to do about it, continue being subjected to it and being the core audit subject. But they do ensure that on record they’re perfectly aligned with the IA being the eyes and ears.
Whose eyes and ears? Well, that’s another story. The story that needs unravelling. And that’s only possible when there’s not just a willingness to break it down but the ability to comprehend it too. And that’s where it gets tricky, yet obvious. Tricky because it needs more than eyes and ears to start making sense of what these are and what these could help with. Obvious because eyes and ears are nothing if not for cognition.
This tricky yet obvious matter is grey matter and that’s the whole matter which actually matters! See the eyes and ears need cognition and coordination and that happens within the grey matter, the brain, the intellect! Those who lack it can’t make anything out of eyes and ears, even if they have these.
They might believe that because its grey they’re not supposed to get it and that that they can only comprehend what’s in black and white. But it is the IA’s job to identify everything from black to white and what’s in between these….and that’s where usually the managements lie….in the grey!
So, it’s no wonder when they’re lying in the grey, they aren’t cognizant of their position! But yes, IA gets them covered. Because IA is the eyes and ears of….the Board, not the management! Management is where those eyes and ears are focused on for and on behalf of those charged with Governance, which is the Board.
For those charged with governance,
- Internal Audit is your eyes and ears on management’s stewardship. It is not required to be aligned with the management’s vision or support its stance.
- It is required to be independent of management and ensure its objectivity.
- Purpose behind Internal Auditing investment is GRC aided accomplishment of objectives which does not just make accomplishments attainable but also sustainable.
- Internal Auditing’s purpose is not Corporate Governance driven. It was here before the corporate governance became a thing back in the day. It’s just that it got its requirements re-emphasized.
- It’s not there for best practices sake only or a feel good to have investment, it’s there to deliver value through its systematic and disciplined approach to evaluation and improvement of GRC.
- Take charge of your IA investment to derive the best value out of it, this is the only investment that you have to manage, providing comfort on the management of those all others, managed by the management.
A tale was told recently. A member of the Board aligned with the management remarked that if the HIA has so many problems with the management, maybe it is time for change in IA. The discussion happened when the HIA had already put up an exit notice.
Thankfully, this member of the Board wasn’t a part of the Audit Committee of the Board, which was fully cognizant of the work Internal Audit was doing. And thankfully, that’s what the corporate governance codes got right, change in IA is only possible through Audit Committee’s recommendations.
Unfortunately for the management though, this parting note came with the last and one of the most scathing reports of all! Not that it was timed that way, the HIA keeping it as the last deliverable, but because the control environment erosion he had been pointing out was picking up pace. Something came to the fore that took all governing members by surprise, something that’s trigger enough for a change where it was already overdue.
Finding your way out is way better than being shown the door!