Difference class

Anyone who thinks internal audit is a desk job should chat to someone who works at the Department for International Development (DFID). Anthony Garnett took on the role of head of audit and of counter-fraud a mere 15 months ago and has already travelled to eight countries, including Jamaica, Ethiopia, Pakistan and Ghana, to see the department’s work in practice. 

This hands-on approach is not just for senior management – new recruits to the team are told to expect about five trips abroad of around a fortnight each a year. It’s part of what makes this job a unique challenge, but also what makes it so fascinating, Garnett points out. And he stresses that he never has trouble finding auditors to go to even the most intimidating destinations.

However, internal auditors at DFID need to be flexible about more than location. The international aid work that DFID supports – it has 22 policies listed on its website, each one sounding like a lifetime’s work in itself (from “Improving the lives of girls and women in the world’s poorest countries” to “working for peace and long-term stability in the Middle East and North Africa” and “Supporting international action on climate change”) – also calls for a flexible attitude and open approach to discussion, and sensitivity to the unique challenges and cultures of each location. Add to this the many partnerships that the department works with and through in different locations, from other UK government departments to international bodies such as the UN, and the breadth of the role seems daunting.

In contrast to the multifaceted demands on his department, Garnett’s own role within it is deceptively straightforward. “I’m responsible for giving crucial assurance to the permanent secretary over risk management, governance and controls as well as being responsible for overseeing and managing our counter-fraud work and fraud investigations,” he says. 

Much of this assurance is of course financial, given that DFID’s overseas operations are responsible for spending about £10.3bn each year. However, Garnett points out that one of the department’s greatest risks is really reputational – in terms of public opinion, its reputation with government ministers and the regard in which it is held internationally. It also takes its duty of care to its staff seriously, since it regularly sends them to conduct audits in countries that are both off the beaten track and, at times, dangerous.

“We are slightly different from many other departments in that our internal auditors actually go to the countries, get into jeeps and follow the money to where it’s spent,” Garnett explains. “We speak directly to our delivery partners and our suppliers because you can’t really understand our work and the difference it makes any other way.”

The complexity of the local environments plus the many aspects of the individual programmes and relationships between those involved mean that the delivery maps and assurance maps can be very complex, Garnett admits. Much of his team’s work can also involve assessing the levels of assurance given by various partners. This puts a lot of responsibility on Garnett’s team to come up with their own judgments and assessments of situations, rather than being able to rely on simple, hard and fast rules.

He stresses the role of discussion and debate in this process, both within internal auditing teams and DFID senior management and with those being audited.

“We are a world leader in international aid. We have to take risks and we have to go to places where others won’t go and do things others won’t do,” he says. “This is how we make a fundamental difference to real lives.”

He points out that his team works in the real world, which is messy, complex and human. “It’s not that we don’t have processes and systems, but in many areas we need scope for judgment and for dialogue about risks in individual situations. There can be no one-size-fits-all system,” he explains. “Old-school internal audit sees itself as a science with an objective view of right and wrong. We see it more as a social science. We try to understand the world and simplify it, but recognise that we can’t always take what works in one place and expect it to work in another. We need intelligent people who can assess risks on the ground and understand the cultural background.”

One thing that attracted Garnett to DFID from his previous position at Durham University was the sense that the department was not only world-leading in what it did, but also had the potential to be at the forefront of developing the role of internal audit. He sees the function as ideally placed to act as a consultant to the wider organisation with the added benefit that it will take responsibility for its opinions and suggestions when they’ve been tested.

DFID and its internal auditing team have to be more open to risk than many government departments. “Risk is not a bad thing,” Garnett points out. “We don’t necessarily want all audit reports to be labelled green – if we achieve this it might just show that we’re being too controlled and not taking enough risk to do what we need to do.”

Garnett came in with a remit to change the way the department works. One of his aims is to increase the integration between counter-fraud operations and the assurance team. While some fraud investigations naturally have to remain confidential, he believes that it would be useful to create teams that mix the skills and outlook of both groups of staff and to use some of the counter-fraud team on overseas audits. 

The department undertakes three types of fraud work. “The first is reactive – investigations when things have happened. The second is proactive – identifying places where it could happen. And the third is audit assurance work. The second of these can send work to the first or to the third so that we can investigate further or provide the controls and systems we need to manage the risks identified,” he explains.

“Our assurance and counter-fraud teams pass the results of their work to management for risk treatment, to avoid taking executive responsibility,” he says. We provide a counter-fraud, fraud assurance and investigation service that is independent of management. This is designed to ensure that fraud allegations and investigations are looked at objectively, distinct from the business. The assurance over our work on counter-fraud, whether proactive counter-fraud, fraud assurance or investigations, is independently reviewed as part of our overall departmental periodic assurance review,” Garnett adds.

He uses the analogy of someone shining points of light at a painting. “It’s not enough to join up the dots to make a picture,” he says. “You need also to make an argument and narrative from the points that fully takes into account the complex risk environment.”

To do this, he argues, you need to use all the skills from across the teams. It is why different teams of auditors are brought together for each audit and why they also have a cooling-off period when they return from overseas to discuss their findings with colleagues who were not on the assignment and with a senior manager. Overseas audits are also interspersed with projects looking at thematic controls, such as the way the department engages with multilateral partners or uses IT, and top-down projects looking at how the function mitigates DFID’s main risks and supports its strategies. This way, all individuals learn to appreciate the framework within which the department operates.

Since joining DFID, Garnett says that every day has been an immense learning curve. “Why would anyone not want to be in internal audit?” he asks. “It’s the best place to get a grip on strategy, management, organisational controls and to make a real difference.”

But to do this, he believes, internal audit has to support management and challenge managers with useful insights and alternative viewpoints. This is why he is also passionate about diversity – “It would be awful if I recruited only people who thought like me,” he says. 

“You need people who can step away from the rules to see the world as it really is and to accept that there may not be an ideal answer and it may not be a question of right and wrong,” he explains. 

One change that Garnett has introduced is that reports now come up with “suggestions” rather than “recommendations”. This may be an intellectual nuance, he admits, but it encourages his team to follow up the risk rather than any “solution” that emerged from the report. “We ask how this risk has been monitored or whether it has been accepted, rather than whether our suggestions have been followed to the letter,” he says. “The situation may have evolved because the world moves on, so our suggestions may no longer be relevant.”

The kind of issues that internal audit raises in many cases are around large, complex problems – “if they were easy to solve they wouldn’t be an issue,” Garnett says. This means that it’s unreasonable to expect management to put together a complete solution in a month in an immediate response to an audit report, he explains. 

This kind of flexible, discussion-led focus supports his idea of internal audit as a consultant, but it also demands a lot of talent and confidence from the 32 internal auditors and fraud specialists who work at DFID – and an appreciative management.

Garnett believes he has all of these. 

“I have an holistic change agenda,” he says. “I have to identify what excellence looks like and how to introduce this. We need to attract the brightest and the best people into the department and really sell what internal audit does and what it’s evolving into. It’s not a pale shadow of other departments, such as risk management or finance, and it still has a huge amount of untapped potential. Internal audit has a deep understanding of the organisation that no other function can match, while remaining independent of it.”

In order to achieve this vision, Garnett is focusing on attracting diverse talented staff from outside and inside the business. He admits that at DFID he is starting from a strong position, but he is urging people in his team to use their own judgment and imagination. 

“I ask what happens if we remove the walls around them and they can go any way they want and we’ve seen some amazing results from new graduates who came up with great insights. And we are also taking in people from elsewhere in the department – we’ve just started a guest auditor scheme to draw on the expertise of those who know different parts of its work really well,” he says.

He is happy when people leave to go elsewhere in the organisation as well – “I don’t struggle to hold on to staff because what we do is so interesting,” he says.

On the management side, he reports to the audit committee as well as to the permanent secretary and the department is externally monitored by the International Development Committee, the Independent Commission for Aid Impact and the National Audit Office. Some of DFID’s projects also involve cross-departmental involvement with colleagues at, for example, the Department for Business, Innovation and Skills or the Ministry of Defence.

The internal audit agenda is set on a five-year plan and Garnett says that in DFID new development programmes are constantly starting. He aims to ensure that programmes at all stages from planning to fully operational are covered.

“This is a fascinating, intellectually stimulating job,” he says. “It’s not just invoice checking (although we do check invoices), so people are prepared to fit their lives around its demands. The countries we visit may be difficult, but they are amazing and that’s what’s so exciting about what we do. We help, as part of DFID, these places to become as amazing as they can be and realise their potential.”

Garnett in brief

• 1996 – BA in politics, Durham University.
• 1997 – Joined KPMG in Newcastle and qualified with ICAEW.  
• 2000 2006 – Headed KPMG’s North East public sector assurance practice. 
• 2006 – director of business assurance at Durham University.
• 2007-10 – Qualified as CMIIA.
• 2013 – Head of internal audit at DFID.
• 2013 – Awarded IIA Global’s certificate in risk management assurance (CRMA).

This article was first published in Audit & Risk July/August 2014.