Two Steps Forward, One Step Back

Why internal audit practice always lags and GRC snakeoil salesmen are alive and well 

I turned 40 recently. And my work is making me feel old. 

You see I’ve become that guy who says things like “back in the mid-90’s when we were rolling out CSA, we used to produce these great assurance maps…” or “that way of dealing with strategic risk is so late-90’s, it’s okay in theory, but you’ll find that…”.

Sure, I was working at the vanguard of audit practice at the time, but with a little over 15 years in the game I find myself as “old man audit” – a source of institutional knowledge on assurance and risk practices. 

There is some wonderful knowledge that’s been lost – what works and doesn’t in CSA programs, how to use internal audit to drive re-engineering outcomes, why CoCo is easier to embed than COSO etc. 

And without this knowledge we’re not sophisticated buyers. The snake oil salesmen are alive and well and the old-rope is sounding pretty good with its new names and marketing narrative.

In part this stems from changes in sponsorship and restructuring in the organisations we serve, but a lot of it is also self-inflicted as a result of how we resource ourselves. 

Internal audit is a transitory game. It draws on people from all walks of life, many who haven’t dabbled in internal audit much before. For many it’s a stepping-stone of 2-4 years, moving onto something else before mastering their craft. The resulting loss of institutional knowledge, and difficulty in moving forward is enormous.

Indeed, in 2011 I see companies implementing 90’s ideas or discovering them for the first time. Worse still, I see some companies reinventing the wheel or going down the wrong paths with ideas that have been tested extensively in years gone by. The level of inherent atrophy and wasted investment is enormous.

While this is a great platform for a business like mine it does raise a big issue for the internal audit profession. We really should be a lot further ahead than where we are today. 

Until we find ways to capture and build on institutional knowledge the profession will continue to spin its wheels. Its aspirations will continue to be for a base level of consistency rather than excellence. And we will struggle to keep pace with the needs of our stakeholders. 

Until we become proficient in institutionalising this knowledge, we will keep on taking two steps forward, one step back.

This article first appeared in the May edition of Risk Management Magazine.