I wrote some time ago – and it is my most popular blog post – about Why internal audit is important. In this post I stated that organisations are simply not able to control and govern themselves with what Erica Schoenberger calls ‘strong objectivity’. This is the ability to be ultimately independent of one’s self in the corporate interest. In it I said ‘the executive turkeys are not willing, ultimately, to vote for Christmas, no matter how objective, strong or compelling are the reasons to do so.’
This was prescient. As we hear today about two scandals, first the peoples’ car – Volkswagen, appears not to be so people-oriented after all. BBC News – Volkswagen Second we hear about BBC News – Charities Regulation where even nice ‘fluffy’ charities cannot be trusted to behave as corporate entities, responsibly.
Now I am going to ask the usual question we auditors do – where was internal audit in Volkswagen? I ask this not to say that such a small bit of coding, in a chip in one car engine, could not be missed by internal audit – of course it could. I ask this because did internal audit not pick up the cultural controls that allowed such actions to be deemed acceptable? For let’s be clear, such actions would not be the actions of one rogue individual, they would not be signed off by one local manager in one small business unit, they are intentional fraud. So how far up the organisation, or from the top of the organisation, was the approval to commit, knowingly, fraud, approved? This says something much more about organisational governance, culture and control. Surely internal audit would pick this up across the business?
For charities, for the ones that are implicated in the UK review published today, fundraising is not a minor, marginal, activity. It is a major, business related, activity. It is core. So should internal audit have some understanding of the right or wrong ways to do fundraising and should it have reviewed the ethics of doing so? In my view, yes.
What does this tell us about internal audit as a profession more widely? First I think it reaffirms the importance of internal audit. Organisations cannot self govern. They need strong independent governance, audit and regulatory structures to ensure that they do not act in their own personal or even organisational interest. Of course we do not know the details or extent of the Volkswagen’s wrong doing – simply that there was wrong doing and that it could be very, very big – £4.6bn big according to today’s news. This could, of course, not just be Volkswagen, it could be other car manufacturers as well.
Second I think it reconfirms my view that internal audit is not some small rarefied bubble in the organisation, testing the controls theory of organisations. It is a needed and core part of most organisations. It needs to see more, do more, interfere and intervene more. I have been having a debate on this blog with James Paterson and others who think my view of internal audit risks taking internal audit beyond its third line of defence position and, being more expansive and pervasive in an organisation, inherently weaken the second line of management control. I disagree and consider internal audit’s third line position does not mean it has to be small, weak, and review the theory of organisations. I see the third line position as one of objectivity and independence, not a prescription of reviewing just systems in theory or necessarily being small, marginalised and organisationally weak.
If Volkswagen had a well resourced internal audit, and had a stronger third line, with an interventionist position, then I think it could have spotted the £4.7bn disaster. That would pay for many years of very good internal audit even in an expanded third line form in my view.
I know those who hold to the established internal audit wisdom that organisations are run by first and second line management controls, by rational and organised organisational machines, and that internal audit’s role is to validate the correct and appropriate working of that machine, from a organisationally moral Mount Olympus will disagree with me. For me, however, organisations are not run like machines. People are not all rational. They are selfish, complex, self oriented and prone to moral relativism (I should say they can be amazing, honourable, giving and special too).
I believe internal audit’s unique proposition is objectivity, independence and its organisational position (between management and governance elements of the organisation). These can, and should, be applied at greater scale in most organisations. Why? because organisations cannot self govern. Layers of management are not independent of each other, they are one command chain. We learn time and time again that the lines of defence model, whilst a helpful typology, is not real – management cannot control or help themselves, even where it is organisationally rationale to do so – otherwise someone would have calculated the fines per vehicle and decided whether to risk it in Volkswagen and decided no.
So I come back to my core point. Internal audit matters. Internal audit must be bigger, better, braver, and be seen as a normal functioning part of any organisation that is serious about wanting to be run properly. It must look deeper and more into its clients, this takes money and resource, but the payback (if only in fines avoided) must surely justify this leap of faith? Are you ready to leap?