It is an interesting thing to watch an internal audit department become recognized and respected in an organization, particularly when that department has spent significant time being unrecognized and/or disrespected. There is a tendency to respond like Sally Fields at the Oscars. "You like me; right now, you like me!" (And, yes that is the actual quote. You could look it up.)
Starting a couple of weeks ago, I had a few posts centered around the concept of internal audit finding the problems that need to be solved — how this
helps find the value internal audit can provide for the organization, and how it can lead to
corrective actions that are better understood and acted upon by the clients. I followed it with a somewhat cautionary tale about the impact and necessity of timely corrective actions.
So, since we've gone down that cautionary tale road, let's go into tale No. 2.
A surprisingly large percentage of audit departments are sliding down the slippery slope of becoming the control.
Yes, I can already hear you screaming, "Nay, Nay, Not us." But before thou doth protest too much, make sure you've taken a close look at all the work you are doing. I'm willing to bet that every internal audit department, one way or another, for a short or long time, has found itself in that trap. I know it happened at Farmers Insurance a couple of times. In fact, a significant portion of our audit work was taken up with something that, when we were willing to open our eyes and look, was actually us being the control.
Quite a few times (most recently last week) I've mentioned that our internal audit department did a lot of reviews over the agency force — half-day audits that looked at (among other things) the agents' cash collection, receipting, and banking practices. I want you to understand how ingrained this was within the organization and the department. It was a fundamental part of internal audit's work when I started in 1983, and had been going on since the inception of the internal audit department back in the 1970s.
It was a part of our work that we never really question. (Suggestion No. 1: Always question everything.)
Some time in the 1990s, we started looking more closely at everything we were doing and an interesting realization smacked us upside our file-stuffed briefcases. We were, effectively, the control. Yes, others were supposed to be reviewing the agents' work, but those reviews had no real teeth and no real effect. Internal audit was the only group digging into operations, reporting on operations, and telling the agents (no, not telling, suggesting, always strongly suggesting) how they needed to run their operations. We told them (sorry, again, suggested to them, strongly suggested to them) what controls should be established.
Of course, as soon as we began to realize we were effectively the control, we jumped right in and …
You guessed it; we did nothing. Instead, we worked real hard to justify the work we were doing. (Suggestion No. 2: When you're looking at why you do things, keep the fraud triangle in mind — justification will always rear its ugly head.)
It took until somewhere around 2010 for us to finally face the facts and make the necessary changes, moving those reviews of agency operations into the marketing department — the department that was actually in charge of agency operations.
And the audit department did not come to an end. And the agency force did not come to an end. And the world did not come to an end. (Suggestion No. 3: Don't use "the end of life as we know it" as justification to keep from changing.)
"Well," you might be saying, "That is indeed a fine little story and a dandy cautionary tale, but it is a very specialized situation. I find it hard to imagine most audit departments would fall into such a trap."
Unfortunately, you are not correct. More and more I see internal audit departments fall into the trap of being the quick fix, only to find themselves the permanent solution.
Let me ask the question this way. How much of the second line of defense's work are you doing because they don't have the expertise, the people, or the time? Or, because, somehow, it wound up in your lap?
A while ago I worked with a group whose schedule was more than filled with internal audit work. Lots of reasons why they were so inundated (none of which I'll go into now; after all, I am attempting to allow them some anonymity.) It was important work and they were seen as an asset to the organization. It was, indeed, a good thing.
However, on top of that work, they were also doing a significant amount of work that should have been completed by second line of defense departments such as risk, compliance, and finance.
Oh, the audit department had its reasons for jumping in, primary among them that those groups were understaffed, under-skilled, and overwhelmed. Throw in a lot of regulatory requirements, and you can see that something definitely needed to be done. Since there was a problem that would seriously impact the organization, internal audit stepped in to solve that problem.
I can't tell you how it all got started. Maybe everyone always intended internal audit to be a short-term, stopgap solution. But, no matter how it started, internal audit had become the control.
Let me quickly add that, while this group was one of the more egregious examples I've seen, I've also seen a lot —
a lot — of other audit departments that have fallen into this same trap — some only toe deep, others up to their necks.
To understand the value it will provide, internal audit must understand the problems it intends to solve. But far too many audit departments get their heads turned by suddenly being in the limelight. They are Sally Fields at the Oscars. They are the wallflower finally asked to dance. They are the department buried in the basement next to the dumpsters who finds someone finally knocking on the door and saying, "Can you give us some help?" And, in response to finally getting picked somewhere besides last as everyone choses up sides for the baseball game, they jump at the chance to do anything and everything they are asked.
Yes, we want to be asked. Yes, we want to provide value. Yes, we want to be a solution. But that solution will be valueless if we do not remember the only real value our profession brings to any operation — the ability to maintain independence and objectivity.
The second line of defense isn't doing their job? Maybe, on a one-time basis (One Time! Only!) you step in to help. But that isn't help, that is doing the job yourself. Give a person a control and they are under control for the day; teach a person to be a control and they will be under control for a little while longer. A bit strained, but you get the idea.
Use the power of independence and objectivity, use the power of finding the problem that needs to be solved, and use the power that internal audit has in its ability to report what is actually occurring to help departments get the resources, training, and processes they need to be an effective first or second line of defense.
One of the final projects I had with Farmers Insurance internal audit was putting together the transition of agency audits into the marketing department where they belonged. And it was painful. That is, it was painful for me to change, it was painful for the department to change, and it was painful for the organization to change. Is it better now? Can't say, I'm not there anymore. But I can tell you that internal audit is no longer the control. And that has to be a good thing.