Let's put the existing (1999) definition of internal audit aside for a moment. A lot of thought went into the choice of language and there is a lot of meaning in every phrase. But, sometimes, it is easy to focus on that language and lose sight of the bigger picture.
Instead, let's see if we can step back and use a metaphor to paint a picture that helps explore the role of internal audit.
The metaphor is a ship. It might be a cruise ship, a cargo ship, or a naval vessel: your choice. The principles are the same, just as they should be for internal audit, when it is within a for-profit, not-for-profit, or governmental organization. But, to simplify the discussion let's assume that it is an owner-operated vessel.
The owner-operator, our valiant captain, stands on the bridge. He has received a commission to take a cargo of bananas from Rio to Singapore. Before he accepts it, he needs to know:
- How reliable is the company offering the commission? Do they have the necessary import/export licenses? Will they pay in full and on time?
- What do we expect the cost of such a voyage to be? How reliable is that estimate; how profitable will it be, especially compared to alternatives; and what factors could affect the cost estimate, both positively and negatively?
- Is there sufficient funding to pay the expenses, as most will have to be paid before the revenue is received?
- Is the ship in good condition? Is it ready for the journey, with everything working as needed? When and where is maintenance required; can it wait until the voyage is completed; and if it has to be done immediately afterwards, will the cost of sailing from Singapore to the maintenance provider's port make the commission unprofitable?
- Is the crew ready? Are all key positions filled? Is anybody in a key position expected to leave before the trip is completed? Has everybody received the training they require to operate the equipment, etc.? Will they work effectively as a team? Are the officers respected and able to command?
- Are there sufficient materials on board (e.g., fuel, food, medical supplies, water, etc.), or able to be brought on broad during the trip?
- Is the cargo safe? Will it present a risk (e.g., poisonous spiders) that needs to be addressed?
- Will the ship be permitted to enter the harbor in Rio and bring the cargo on board? Have the necessary permits been obtained, and will the dock workers be able to load the cargo within the necessary timeframe? How about the permits and off-loading arrangements for Singapore?
- What work is available once the voyage is completed? Will being in Singapore limit the possibilities for another profitable commission right afterwards?
- Will the voyage be safe? What weather conditions are expected? Is there a risk of piracy at any point on the course?
- What is the best route and why? Can we make the trip and arrive safely on time?
- What contingency plans do we have? How will we know if any of the assumptions behind the answers to the questions above turns out to be wrong?
- Am I ready for this? Am I in good condition and the best person for this command, or would it be better to hire a captain and for me to do something else? Do I have the confidence of the team?
He may know some of the answers to these and other critical questions. For the others, he will rely on his direct reports and the organization they manage — the people, the systems, and the processes.
Let's say the captain accepts the commission. He will continue to rely upon himself, his people, the ship's systems and processes to make the decisions necessary to complete the voyage successfully.
How does internal audit fit in, assuming that there is an internal audit activity?
In my ideal world, internal audit provides the captain with assurance that the people, processes, and systems he relies on to provide him with reliable information and to make decisions in their areas of responsibility will perform as desired.
In an ideal world, internal audit is focused on the people, processes, and systems that provide information and enable the decisions that matter: the level of fuel, the proximity of other vessels, the precise location of the ship, the depth of the ocean, and so on. While you might consider information about theft of prescription pain killers to be important, that is clearly less important than knowing whether you are about to hit an iceberg.
The value is that the captain can make decisions with confidence: that the information he uses in making decisions are reliable, and that the ship and its crew will respond to his commands in the way he needs.
Internal audit provides assurance when it tells the captain that the design and operation of the ship's organization, systems, and process can be relied upon. They cannot provide perfect assurance. They cannot say with 100% confidence that everything is OK and remains OK throughout the voyage; that would take immense resources. Instead they provide reasonable assurance and they focus on the areas most important to the vessel's success. Internal audit takes reasonable steps, using a risk-based approach, to assess the design and operation of these areas. They then use their professional judgment to make their assessment, based on the evidence they have obtained.
The risk-based approach is all about understanding what the captain needs, which is assurance on the more significant risks to the success of the voyage: risks to his decision-making, risks to the quality and reliability of the information he relies on (such as the ship's position and speed, the state of the engines, the likely weather conditions, the presence of other vessels, changes in requirements from the port authorities in Rio and Singapore, etc.), risks to the ability of the ship to respond as he needs to his command (due to, for example, the health of key personnel, the availability of fuel, etc.)
Now let's go back to the definition of internal auditing:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
I have been talking about internal audit providing assurance "on the people, processes, and systems that provide information and enable the decisions that matter." Where do those lie? Governance is far broader than most mention, as it encompasses organizational design as well as the selection and monitoring of executive management. It includes setting objectives as well as performance management, monitoring, and reporting — and, frankly, it includes the management of risk. Controls provide reasonable assurance that the processes and activities will be performed as intended, and that risk to the achievement of objectives is at acceptable levels.
Perhaps "governance, the management of risk, and internal controls" is too much like a set of code words rather than a clear description of what we should be auditing, and we should be talking more about how the enterprise is directed and managed to create value.
What do you think?