A couple of old friends of mine — old in that we've known each other for a long time (in fact, they both were my bosses at various times) and old in that, well, we're old, and let me hastily note that I am older than them lest their defamation lawyers come quickly a-callin' …
Where was I? Oh yeah! A couple of old friends of mine — for anonymity's sake we'll refer to them as Friend 1 and Friend 2 — joined me on a three-day vacation and, because we are internal audit wonks, many of our discussions centered around the theory and practice of internal auditing.
At one point, Friend 1 shocked us by uttering the following phrase:
"I don't have any use for the Red Book."
At this point, an editorial pause. Throughout I will use the terms "Red Book" and "the Standards" in place of "The International Professional Practices Framework" or "IPPF." I think we all know that already; just wanted to provide clarification. Back to our regularly scheduled program.
Wielding our CIAs like swords, Friend 2 and I went unto the breach where a vigorous, bloody, and definitely unbrief battle ensued. I'll save you the time, verbiage, and tragedy that resulted because there was a surprising truth at the root of what Friend 1 had said.
Let me see if I can walk you through some of it.
The first question we asked was, "Well, then how do you perform an audit?" He responded by talking about the commonsensical approach he used. He talked to people, he learned what they needed, he explored what was going on, and he worked with them to obtain solutions.
This led to a discussional fork in the rode. Fork No. 1: "How then do you ensure these discussions and results are properly documented?" Reply: "I document what I need to document. I don't care what the standards say is required; I record what I need to record."
Fork No. 2: "But, because of your prior experience, aren't you effectively relying on your previous knowledge of the Red Book to guide you through how to work with others and how to document that work?" He replied that, while that knowledge did exist, it was unimportant to the work he was currently doing — that the slavish adherence to and quoting of the Red Book had no use in his current situation.
Trust me, you are only seeing the very tippy-top of these discussions. Many a tangent and black hole of loquacity ensued. For example, I cannot tell you how many foot-pounds of energy were spent discussing the role of the Standards in proving that our profession is, indeed, a profession. Suffice to say we explored every useful and useless nook, cranny, and cubbyhole of information that might occur to us. (It was a long trip.)
By this point, you are probably aware that there was much sturm and drang; blood, sweat, and tears; and name-calling and hair-pulling. But, while I wouldn't say it to his face at the time, I think Friend 1 had a very good, very important point. And I think this was the upshot. (Again, I'm digging through a lot of garrulous verbosity to try and understand if points were actually being made, so forgive my faulty memory.)
He had a lot of experience in internal audit. That meant that the concepts inherent in the Standards were ingrained from his years of practice in the profession. And that inherent understanding meant he no longer felt the need to refer to or rely on the Standards. But it also meant that the concepts behind the Standards were ingrained in what he did so that it was not necessary for clients to be aware of the role the Standards had in his work.
His most insightful comment during our discussion was that our clients did not care about the Red Book. He went on to describe that if we are quoting the Red Book to clients, we are only boring them and showing we are out of touch with the business.
In that, he is correct. We should never have to quote the Red Book, quote the charter, use any of the jargon we are so fond of. (I'd even argue that we have to be careful when we use such pedestrian terms as risk, mitigation, and controls — but that is a discussion for three-day road trip No. 2.)
Our clients want to know what is in it for them. They want to know what we are doing that supports them. And, while the red book supports us, it is mindless drivel to those not involved in the world of internal audit
Yes, we have to have the Red Book. While my friend was loathe to admit it, he was actually saying (and almost agreeing — that's the kind of guy he is and the kind of discussions we were having) that the Red Book is the foundation of our work. But no one except the architect cares about foundations aside from one exception — when the structure fails.
So internal audit needs to make sure that the foundation is strong and true. Maybe that strength comes from a deep reliance on and understanding of the Standards. Maybe that strength comes from a deep reliance on and understanding of what internal audit is trying to accomplish. Maybe it is both. Maybe it is something else. But ultimately, internal auditors need to care enough about that foundation that no one else needs to care, needs to worry, or needs to know about it.
And it is highly possible that the only time we need to let the clients know that something like the Red Book exists is when they ask the question "Who audits the auditors?"