“Hi, I'm from Internal Audit. Can you spare a few minutes for humiliation over something really petty?”
“I do enjoy having those chaps come around and conduct some penetration testing.”
Commonly referred to as "infernal audit" or "for god’s sakes will you stop asking me stupid questions", Internal Audit is a vital piece of the governance arrangements in any business organisation. Well, if you like having a load of pompous, suit-wearing morons tell you that your procedures are not appropriate and you are at risk level 4 with respect to your management reporting.
No, they won't tell you what risk level 4 means. But you can be sure that it is not even slightly satisfactory.
The practice of internal audit was first formally described in 1938, with the foundation of the Institute of Internal Auditors (IIA); despite the looming threat of the Nazi jackboot crushing the freedom of the world, it was felt that many businesses did not have appropriate controls in place to permit full achievement of their strategic objectives. Obviously.
Initially, the IIA comprised only three failed accountants and a bad-tempered secretary. Early work proved surprisingly successful in convincing the Executive Board of IBM that they should spend vast amounts of money having some complete stranger tell them they needed to sign and date all reports to confirm they had been reviewed. Initial fees were in the order of $700 (worth $12bn at today’s prices). These funds were shrewdly invested, by means of a blind trust, to yield an income equivalent to that of a small (well-controlled) country.
In 1939, the Nazi Party were the first government to recognise the importance of having a well-controlled mechanism for running an evil, world-conquering regime. The IIA were contracted to undertake a series of efficiency reviews in the early weeks of World War II.
However, Heinrich Himmler failed to authorise a proper scope for the work, with the inevitable result that everything became subject to a series of "Value for Money" reviews. Even the Gestapo operated under the cloak of fear that, one day, a pleasant-but-determined auditor might demand to see a complete breakdown of the number of traitors who had been interrogated and, hence, reports on the number successfully converted to patriots.
During the next six years, the IIA became the most feared body in the world, consuming resources and eventually crushing fascism into the ground by demanding to see current authorised signatory lists relating to the Holocaust and undertaking regular stock takes at the Eastern Front.
Eventually, the ever-increasing need to comply with interim internal audit reports ensured that the war machine ground to a halt. The Allied Forces, apparently unconcerned with appropriate document retention strategies or enforcing segregation of duties amongst senior managers, swept across Europe and introduced democracy. They also introduced an interesting range of sexually transmitted diseases, but that's not important when freedom is at stake.
With the final report on World War II, a total of 6,395 management action points were raised to enhance controls in the remnants of Germany. The resulting emergence of Europe as a global economic power has since been touted as the greatest success of internal audit in terms of adding value.
During the dark years of the 1960s and 1970s, a number of rival organisations began to challenge the professional standards and objectivity of the IIA. These included such august organisations as:
- The Institute of Chartered Accountants in England and Wales;
- EDP Auditors Association (now known as the Information Systems Audit and Mind Control Association);
- Auditing Practices Board;
- The "Real" IIA (a radical splinter faction of the original IIA); and
- Audit Bureau of Circulation.
To this day, regular street rumbles take place as the various bodies try to establish their supremacy above the others as the de facto providers of high quality, accessible and professional management assurance. Common weapons include slide rules, adding machines and cocktail sticks.
Following a number of scandals in 1974, the first auditing standards were developed. These bland and rather non-specific statements aim to provide guidance to internal auditors on appropriate practices to observe whilst adding grit to the wheels of commerce (for example, accepted styles of cheap suit, appropriately patronising tones of voice and writing reports that manage to antagonise everyone equally).
These auditing standards have been unified and passed into the ownership of the IIA. The most important standards are:
- 1100 – Independence and Objectivity
- 1220 – Due Professional Care
- 1340 – Disclosure of Non-compliance
- 2010 – Planning
- 2330 – Recording Information
In an increasingly risk-conscious society, it is vitally important for an organisation to provide evidence to stakeholders that it is compliant with the requirements of legislation. Due to the fiscal influence of the IIA over a number of major national governments in the late 1940s, the recommendation of a Security and Exchange Commission Practice Note read "To satisfy all interested parties, you will undergo a series of internal audit assessments, oh yes, and I'm going to Jamaica".
However, during the early 1990s, a series of reports established common governance practices for publicly listed companies. The first and most important was the 1992 Cadbury Report, titled "Financial Aspects of Corporate Governance". The Executive Summary contained the take-home message, which was "The Committee is clear that action by boards of directors and auditors on the financial aspects of corporate governance is expected and necessary, oh yes, and I'm going to Thailand".
In the present day, internal audit has to address a much broader range of regulatory challenges.
A strict regime of testing to enable the directors of companies, listed on the New York Stock Exchange, to state categorically that they have paid an awful lot of money to auditors to make a series of (ultimately meaningless) statements about internal controls.
Accountancy Age magazine recently described Sarbanes-Oxley as "the most exciting money-making opportunity that we, as a profession, have ever had. Fill your boots!"
A strict regime of testing to enable the directors of companies, with computers, to state categorically that they have paid an awful lot of money to auditors to make a series of (ultimately meaningless) statements about IT controls.
Computer Weekly magazine recently described SAS 70 as "the most exciting revenue-generating opportunity that we, as a profession, have ever had. Line your wallets!"
A strict regime of testing to enable the directors of companies, operating in financial services, to state categorically that they have paid an awful lot of money to auditors to make a series of (ultimately meaningless) statements about compliance controls.
What Risk? magazine recently described the FSA Arrow II assessment as "the most exciting cash-raising opportunity that we, as a profession, have ever had. Raise your invoices!"
Benefits of Modern Audit Practices
Of course, the only people who ever really do well from these audits are the Big 4 accountancy firms - KPMG (Killing Paper Machine Goblins), E&Y (Evil&Yams), Deloitte. and PwC (Pricks with Calculators). Oh, and any company that offers affordable rates on storing the huge volumes of paper that have to be retained after an internal audit review (for a minimum of seven years).
Ideally, an internal audit should be conducted by an individual who has been fully trained in the mysterious art of auditing. There are a number of qualifications available, most of which can be obtained on successful completion of a series of formal examinations, supported by evidence of professional work experience. The others (for instance, anything offered by the Institute of Brown Paper Envelopes) require only that an auditor show how willing they are to be an auditor. Advanced qualifications are available to those who document a reconciliation of their willingness to audit against the amount of money they go on to leave in Cubicle No. 6, Gentlemen's Toilets, London Bridge Train Station.
As hinted above, an Internal Auditor should be fully trained. However, for those who just can't be bothered with all that tricky reading and sitting exams, there is the fall-back of using a rule book - a common practice amongst those individuals with no real intelligence. However, professional guidance also means that, if anyone calls you on an audit, you can quote some obscure rules at them and insist that it proves you were right to refer to the Chief Executive as an asshole. If you don't believe it, perhaps you should check paragraph 49 of subsection 28.
Good examples of professional guidance are:
Now established as a genuine international benchmark, the full set of International Standards on Auditing were largely developed from the UK Statements of Auditing Standards. This means that, globally speaking, all Auditors can unswervingly follow the same dogmatic rules without thinking about what might be happening around them.
The Generally Accepted Asshole Practice rulebook is actually blank, so you can create any old rules you like. It's usually better to do this in pencil - although it looks slightly less professional, it does mean you can change things if someone demands it.
Face it, pretty much everything is in there. If you look for long enough, you might find it. Alternatively, you could write it yourself, since everyone believes that Wikipedia is true. Especially since that guy told the truth about all those qualifications and experience that he didn't like to talk about.
Poor examples of professional guidance are:
The Story of "O"
A variant of the "...for Dummies" series, but hasn't actually been written yet, hence not very helpful.
Harry Potter and the Internal Audit of Doom
A thrilling story for the 8-12 age group, about a boy Auditor and how he overcomes his tragic origins to detect a hidden fraud in Hogwarts School of Accountancy. Unfortunately, this is still pretty useless as it's completely made up by J.K. Rowling.
How to be Audited
An internal audit is going to happen to you, whether you like it or not. It's just a matter of time.
Common procedures are: initial meeting to discuss your current practices; a walkthrough of your system; detailed testing over key controls; prolonged buggery; immediate remediation of control weaknesses; draft reporting; bitch slapping; and issue of the final report to senior management.
For the auditee, the best approach is to just lie back, relax and let them take you through it. The pain will end eventually...until the final report comes through with a comment something like "staff appeared to be disinterested in the appropriate application of controls; we recommend that an appropriate training regime should be established to remind staff of their responsibilities".
Alternative Audit Practices
Auditing is not just confined to prolonged buggery and demands to show a consistent trail of approval for journals. As business practices have evolved and expanded, so have the types of auditing required to provide management with an excuse to hire consultants.
A detailed review of computer security, password configuration, software changes and exactly how much horse porn can be downloaded before the network collapses. The field often covers ethical hacking, up to and including the much-feared penetration test.
Regarded by many as being the most boring field - largely consists of working through long lists, before being told that your website isn't up-to-date.
Not even really a form of auditing, more about counting magazines and making up numbers. Furthermore, it's never the kind of magazines you really want to count.
Essentially a penetration test, to determine the worst-case scenario. You really don't want to try this.
Perceived as being auditing for pessimists, requiring only that you think of the worst thing that could happen to someone or something, then you tell them all about it.
- Many of these instances are recorded in the Spike Milligan novel “Adolf Hitler: My Part in His Risk Assessment”
- Yes, the full stop is important. It's also green.
- Between 3pm and 3.15pm on the second Tuesday of every month.
- It is pretty good though - loads of kinky shagging and that, so buy yourself a copy anyway.
- There are quite deliberate reasons for leaving the description of this wide open.