A lean government needs strategic internal audit

In the short period of 1999 to 2003, the Belgian federal government was making some real progress, at least conceptually, in improving its functioning. The Copernicus reform, which eventually failed, had some essential ideas on how to turn the Belgian federal public sector into a (reasonably) lean organisation.

Come the 2008-2009 financial crisis, and we find a federal public sector that no longer wants reforms after what it suffered through under the past reform. But what it wants is not relevant, as it is forced into significant restructuring of operations, because the money is no longer there to support what many stakeholders (the population) believe to be bloated institutions. But rather than a concerted, structured effort to optimize and make the government organisations lean, cuts were being imposed across the board, with little consideration for efficiency and optimizing service performance. Many inside of government believed we no longer had the time to critically assess and optimize, we just needed to reduce expenditure. No one believed there were change agents in place to guide government services through this optimization process.

The notion there were no instruments of change available to ministers in 2009 is incorrect. Even more, these agents of change reside inside of the administrations and can assist in making the required analyses to optimize the cuts. Those resources are called internal auditors. But right now, they are not used to the maximum extent possible.

Why are the current crop of internal auditors not ready nor used? Because, not always by their own will, they have been limited in scope to just their role in internal controls assurance. This is a traditional internal audit role from the early 1980’s and modern internal audit departments have moved far beyond that role.

Let’s examine what internal audit could offer to a public sector that has all but forgotten about it.

Assessing the effectiveness

Once certain “new” public sector tools are structurally put in place, such as management agreements – tools currently already being used by many state owned companies – internal audit can provide reasonable assurance on the effectiveness of the government entity in reaching the strategic and operational objectives as defined in the management agreements. Effectiveness is about doing the right things. Internal audit can provide the key stakeholders of the federal government service, usually the minister and his cabinet, a reasonable assurance on whether the government service’s management team is actually doing what it is supposed to be doing.

In addition, this work allows the management team to communicate, through internal audit, about the incompleteness of such management agreements. If a government service is doing a lot of work which is essential but not adequately represented in a management agreement, perhaps the agreement is incomplete. Or perhaps the federal government service is doing work that is no longer deemed relevant.

Providing key stakeholders with information about what the auditees are actually doing as compared to what they are supposed to be doing is a core competence of an internal audit department.

Efficiency

If effectiveness is about doing the right things, efficiency is about doing things right, in the correct and ideally in the most economical manner. This is important for government administrations as they need to provide the same or better services to their stakeholders in a reality of reduced budgets. Internal audit can assess the efficiency of government operations as well, by benchmarking activities. We’re actually missing a wonderful opportunity to cross benchmark administrative services which are comparable across different government services, and looking for good practices.

But what I have described thus far is a quite traditional internal audit, in both public and private sectors. While these assessments bring true added value, they are but the top of the iceberg when considering what internal audit can bring to the table. Which is why it is quite surprising that some of the assessments described above are not executed by internal auditors, but by external consultants, whose added value in process improvement if not adequately immersed in the organization’s culture is limited at best.

Internal audit’s tactical added value

Internal audit has a role to play in risk management. Attempts have been made to implement the concepts of risk management in many organisations, among which some of the federal public sector organisations. I co-authored one of the methodologies which was en is still used in several public sector entities. The problem is that risk management has not reached the level of maturity which sees it taking its place among other management tools, such as balanced scorecards and key performance indicators. There is a lot of talk about risk management, but only limited action.

Internal audit, however, has traditionally used risk analyses to plan its short, medium and long term audit activities. Risk analyses scan for risks within and around the organisation by using a combination of questionnaires, self assessments, historical data and, most important of all, common sense.

Risk management assumes an organisation is a car, not a train. It needs frequent tugs at the steering wheel, and if a corner presents itself in the road to the objectives, action needs to be taken.

Internal audit is allowed to take on certain roles in assisting the organisation in implementing risk management as a true management tool. It’ll no longer be internal audit in the crow’s nest, without binoculars, screaming ‘iceberg’ just a minute too late … rather, the entire organisation will be aware of the fact that no matter how well designed your internal controls, there are problems out there that may not be resolved by putting in yet another internal control.

Internal audit’s future: a strategic added value

But creating awareness and teaching people to look around before engaging as an organisation is not where internal audit’s responsibility should end. After all, knowing something big and bad is heading our way is not enough to avoid it. I believe internal audit has a responsibility to assess the adequacy of an organisation’s governance structures to evaluate it’s respons readiness to the evolving situation on the road to achieving its objectives.

For a long time, we believed that governance, the foundation of the organisation, should be cast in stone. But recent experience has shown that the only certainty is uncertainty. No one structure is capable of dealing with all eventualities.

Internal audit, with its deep knowledge of the organisation has a responsibility to provide its stakeholders with insight in the adequacy of the current structures in responding to risks as well as providing recommendations on how these governance structures would best be adapted to most adequately respond to these risks.

By providing these insights to stakeholders and management team alike, internal audit will really live to the fullest its strategic role.

It also shows why internal audit should never be too far removed from the organisation it’s auditing. The auditors are (currently still) there. Why are we not using them?