The Gardener of Governance A Call to Action for Effective Internal Auditing

PREFACE. ABOUT THE AUTHORS. ACKNOWLEDGEMENTS. INTRODUCTION.  CHAPTER 1 - The 1^st P is about PEOPLE. CHAPTER 2 - The 2^nd  P is about the PUBLIC’s perceptions. CHAPTER 3 - The 3^rd P is about PERFORMANCE. CHAPTER 4 - The 4^th P is our PURPOSE. CHAPTER 5 - The 5^th P is our PLANET. EPILOGUE.

Biography

Dr. Rainer Lenz, Corporate Audit and Financial Expert, University Lecturer, and Mentor

LinkedIn: https://www.linkedin.com/in/rainerlenz/

Google Scholar: https://lnkd.in/euwxX5yZ

Positive, high energy and hands-on leader. Finance and corporate audit professional with 30+ years of international experience as Regional/Divisional CFO and Chief Audit Executive in global organizations. Since 2007, Chief Internal Auditor with 300+ assignments in 50+ countries. PhD in Economics and Management Science from the Louvain School of Management in Belgium. Teaching Governance and Internal Auditing at the Johannes Gutenberg University Mainz (Germany). Awardee (5) as Global Internal Audit Thought Leader (by Richard Chambers). Winner of the Global IIA’s 2023 Bradford Cadmus Memorial Award. Author of a series of articles in peer reviewed journals.

Barrie describes Rainer as “Passionate and energetic, freely sharing his knowledge of and insights into the internal audit profession - a wild thinker, provocative, and he continuously challenges the status quo, which is the hallmark of a true thought leader. He was the first internal auditor I encountered who has these qualities”.

Barrie Enslin, Founder, Managing Director – Pro Optima Audit Services (Pty) Ltd (Pro Optima)

Bachelor of Accounting Science (North-West University, Potchefstroom, South Africa) - 1984

Certified Internal Auditor (TheIIA) – 1993

https://www.linkedin.com/in/barrie-enslin-6934621b/

[email protected]

Barrie has five years of accounting and 35 years of internal audit experience, both in South Africa and internationally. He identified the need for operational audits in the mining industry and decided in 1997 to start Pro Optima. Five of the eight biggest mining companies in South Africa now count under Pro Optima’s clients. Services provided include internal audit outsourcing and co-sourcing, second line assurance services, business process analysis, and other consulting work. Pro Optima has contributed over 2.5 billion South African Rands (ZAR), i.e., ±USD 170 million (considering exchange rate fluctuations) in quantified value added to its clients, with approximately 40% of its projects showing significant quantified value adding, mostly recoupment and prevention of overpayments to vendors and institutions, reduced pricing, curbing of wasteful spending, and improved efficiencies.

Rainer describes Barrie as follows: “The Pro Optima success story is attributable to the team leveraging on the often-unexploited power of internal auditing. Barrie is pragmatic, does not stick to the script, and aspires to seek a fine and healthy balance between a systematic approach and the freedom to be creative. I believe Pro Optima’s unorthodox approach is key in providing the much-needed value adding services to its clients.”

Rainer and Barrie met first at the ECIIA 2019 conference in Luxemburg. Rainer was speaking about “WRAPS - How to make better decisions.” The duo soon realized their views on internal auditing were very similar and identified the need for practical guidelines to effective internal auditing, which they started with in January 2024. While writing this book it became even clearer how similar their thinking is. Although they did not agree beforehand about any of the specific content, their contributions dovetail superbly.

The Gardener of Governance by Rainer Lenz and Barrie Enslin offers a valuable guide for internal auditors aiming to go beyond traditional compliance. The book highlights interpersonal skills, collaboration, and governance innovation, helping auditors shape healthier workplace cultures and contribute strategically. Essential reading for audit and governance professionals seeking to make an impact.

- Hervé Gloaguen, Former Allianz Group CAE and CCO

 

 

This fascinating book could scarcely be appearing at a more opportune time. Internal auditing is at an inflection point. On the threshold of a perfect storm of threats to its future, it is under siege from increasingly fragmented patterns of institutional accountability; from ruthless pressures to divert internal auditing down pathways that serve commercial interests rather than the public good; and from a prevailing intellectual exhaustion characterized by algorithmic thinking and a checklist mindset that numbs creativity. Above all, it faces the existential dangers of a takeover by artificial intelligence and machine learning.

Out of the bleak landscape of today’s internal auditing, The Gardener of Governance emerges like a thunderbolt, offering a startling and powerful means of reform for a profession on the threshold of crisis. As adumbrated in a briefer form in an influential 2022 article “The Future of Internal Auditing: Gardener of Governance” by Lenz and Jeppesen (EDPACS, 66:5), the internal audit profession is challenged to consider the ramifications of the authors’ 5 P’s model (People, Public, Performance, Purpose, and Planet). The authors’ pathway for an evolution of internal auditing might, if implemented, go far beyond merely rescuing the profession of internal auditing by shoring up its relevance – it offers a restoration of its grimly eroded mission of serving the public good. Each of the 5 P’s is rich in ideas and suggestions, from how to deal with a toxic work culture to reflections on the true significance of the term “assurance”.

This visionary, courageous, and prophetic book merits the attention of the internal auditing community. The gardening metaphor has already captured the hearts of many internal auditors: it implies a thoughtful nurturing and evolution of a profession that has lost its way. It liberates the internal auditor from outdated, hackneyed ways of thinking. Even the sanctity of the “three lines model” and the quasi-religious reverence for ESG concepts are placed under careful scrutiny. The authors are not shy about rocking the boat of received opinion.

What Lenz and Enslin are proposing in The Gardener of Governance seems to me to be possibly the last chance to reform internal auditing (or, perhaps more precisely, the Institute of Internal Auditors’ brand of internal auditing) from within, before society imposes major changes or insists on alternative governance mechanisms. Moreover, the book is a delight to read, with an engaging tone. Take your time to digest this book’s contents - it packs a lot of wisdom between its covers.

- David J. O'Regan, Auditor General at WHO/PAHO, Washington D.C

 

 

This book offers a huge amount of energy to internal auditors who suffer the struggles of their daily tasks.

Two seasoned internal auditors, who have been in this role for decades, not only share their own lessons learned and experiences of how internal auditors can become better in doing their job. But the authors go much further than that: they advise internal auditors to stretch their role. That there is more.

The authors invite internal auditors to reflect and come to action. To pioneer.

To my view, the main contribution of the book is however, that it sparks internal audit professionals to more fundamentally rethink their role and their contribution. By doing so, it is also stretching boundaries. Whether or not you agree with all the positions that are taken by the authors, `I am convinced that this helps critical reflections, discussion and growth of the profession. My appreciation as well as doubts can be best described as internal auditors that are part of the football game in their organization.

Internal auditors are traditionally seen as the goalkeepers (‘third line’) of their organizations, who are recognized for their important safes and appreciated when they rescue the team. Like goalkeepers do, internal auditors contribute to team success and can make the difference between winning and losing. In today’s turbulence, internal auditors and goalkeepers have much more to offer than being just a lock on the door for two or three times per game. They are part of the team, they can boost team performance and especially they interact with the other players. The good goalkeeper not only thinks defensively, but also thinks offensively and helps the team to build up from behind. The solid goalkeeper can make other players feel comfortable and be creative. Make the team perform best.

My interpretation of the book is that it provides many detailed ingredients that can spark internal auditors to get out of their comfort zone and encourage them to really help their team. I appreciate that the authors give so many examples of how internal auditors can do this. And indeed, some of them feel provocative and might be stretching far beyond the traditional role of the internal auditor. We all know of the goalkeepers who cross the whole field in the dying seconds of a match in order to help their team attacking. Leaving their own goal empty. The authors coin that internal auditors could have a central role in the organization and play an important role as strategic trusted advisors. I very much like such thought-provoking exercises. Not necessarily that all internal auditors should play such role, but as an invitation to think what competences it requires to play such role, and whether internal auditors can do all of this without leaving their own goal empty.

To my opinion the authors have shared a lot of detailed professional experience in the book and they very well provide food for discussion of how internal auditors could extend their role and contribution. Therefore, I would warmly encourage internal audit professionals to read it and even more: to discuss it.

- Prof. Arno Nuijten, Erasmus School of Accounting and Assurance, Erasmus University Rotterdam

 

 

This book is dedicated to all the 'crazy auditors' out there. I support all voices advocating for different perspectives and alternative narratives of what internal audit is or could be.

In these times of constant change and complexity, voices like Rainer Lenz and Barrie Enslin are essential.

-            Manja Knevelbaard, Partner ACS Insight, The Netherlands

 

 

“The Gardener of Governance" by Dr. Rainer Lenz and Barrie Enslin is a breath of fresh air in the world of internal auditing. More than a typical guide, it feels like a thoughtful conversation with seasoned experts who challenge the status quo and inspire auditors to become truly impactful. In the first chapter, Lenz and Enslin emphasize the human element, showing how internal auditors can foster healthy workplace cultures through strong interpersonal relationships and critical thinking. I found this focus on people is refreshing, reminding us that governance is not just about policies, but about creating environments where individuals and teams thrive. The authors introduce the "Think!" concept, a simple yet powerful tool that encourages auditors to reflect on their behaviors and interactions—immediately improving communication and collaboration. From the broader role of auditors as nurturers of workplace cultures (Chapter 1) to practical tasks that push them beyond compliance (Chapter 2), Lenz and Enslin map out a transformative journey for the profession.

What makes this book stand out is its seamless transition from high-level principles, like fostering leadership and relational skills, to actionable steps that can elevate an auditor’s career. By encouraging critical thinking and self-awareness, the "Think!" concept helps auditors position themselves not only as compliance officers but as strategic partners and influencers in governance.

The book is packed with practical advice, guiding readers through innovative approaches like integrated assurance models and creative audit techniques, such as the dynamic in-and-out audits explored in Chapter 4. These strategies empower internal auditors to think beyond traditional frameworks and adopt more flexible, impactful methods that enhance their effectiveness and influence within organizations. Their approach is both visionary and practical, illustrated through compelling case studies that demonstrate how internal audit functions can truly reshape organizations. In Chapter 3, they show how auditors can elevate performance and efficiency, moving beyond routine tasks to make a measurable impact. By Chapter 5, the focus shifts to how auditors can play a pivotal role in promoting sustainable governance, especially in tackling ESG challenges.

In short, this book is a must-read for any internal auditor who aspires to not only survive but also thrive in their career. Lenz and Enslin offer both the inspiration, and the practical roadmap needed to turn auditors into key players in governance, capable of adding value and driving positive change in today’s complex business landscape.

- Dr. Suhaily Shahimi, Senior lecturer, Coordinator of Internal Audit Education Provider (IAEP) at University of Malaya, Associate Editor of Asian Journal of Accounting Perspectives

 

The authors will need little introduction to many, and both are very experienced internal auditors.

Many will also have heard a lot about the ‘Gardener’ concept over recent years, particularly if you are a regular on LinkedIn, or vaguely aware of what is being discussed at internal audit conferences, webinars and through associated publications.

The book develops the Gardener philosophy and is primarily structured around five P’s - People, Public, Performance (Prosperity), Purpose (Profession), and Planet. Together these form the core of the call to action.

Some may have other views on whether these P’s work (why not A’s, I love A’s?!) but if you do, put your pen to paper (or ask Chat GPT) and you too can write a book too, I guess! I’m certain that Dan Swanson and EDPACS would be delighted to hear from you as well.

The five chapters contain material from both authors, although there is a lot more content by one than the other. The style and nature of both are very different. You may prefer one to the other. Or one chapter more than another. You may vigorously nod with some of what is stated, or find yourself sighing, tutting or shaking your head.

Such is the nature of books structured in this way.

I like it.

There is some new and interesting thinking in here, for sure.

However, a lot of the subject material is not especially new and has been regularly discussed and debated in internal audit circles for many, many years. And not just by the authors. But it is certainly useful and helpful to see many of the topical issues of the (internal audit) day being discussed in one place.

Well done to the authors for creating the means to achieve this!

And it’s also good to see the Global Internal Audit Standards™ being name-checked throughout.

I’d have personally liked to have seen a bit more on artificial intelligence (et al.) and where it fits into the authors’ thinking, their views of internal audit, and the direction of the profession as a whole. It receives scant mention, and I was left wanting more.

I feel that artificial intelligence is arguably the biggest - and most challenging - subject for the internal audit profession today. It is critical that we get our collective heads around this and address. At pace.

 I’m sure both authors have got more they could contribute to the current internal audit debates in this space, and it would have been to have seen the Gardeners’ plough this furrow a little further.

Despite this observation, there is a lot of very good, topical content in here.

If you simply want a checklist or a bunch of dos and don’ts, then this book is probably not for you. There’s a bit of this, but not much. If you want something to read, ponder, read some more and think about what kind of internal auditor you want to be and want kind of internal audit service you want to deliver, then I’m sure this book will give you plenty of ideas to consider.

Some you may like, and some you won’t.

But it may make you think – something the authors care a lot about.

And I agree. Thinking is critical for an internal auditor, even with the increasing assistance of artificial intelligence!

In the Book Summary, the authors say: “We’re dropping the pebble in the pond. Let’s see how far the ripples spread and to what effect. Having read this book, I am sure that the ripples will spread far and why.

To what effect?

That depends - at least in part - on what anyone reading this then does. I hope you will be inspired to do SOMETHING after reading this.

And finally, in the Epilogue the authors state that “We started this book by saying, this is NOT just another book about internal audit…”

I agree that this is NOT just another book about internal audit.

It’s a jolly good - and thought-provoking - book about internal audit. And the profession. And more than a little bit more.

Enjoy!

I certainly did.

Well done indeed to the authors on helping the garden to flourish that bit more!

- John Chesshire CFIIA. Owner, JC Audit Training Ltd/Internal Auditor/Audit Committee Member (et al.)

 

Rainer and Barry’s book titled The Gardener of Governance brilliantly encapsulates how Internal Auditing is akin to Gardening for Governance (be it a large plot of land or be it a large organization).

Just like Gardening which involves the laying out and care of a plot of ground devoted to the growing of plants such as flowers, herbs, or vegetables, Internal Auditing is a refined and evolved profession, practice, process, art and science for effective Governance. 

An organization / garden in its ornamental sense needs a certain level of civilization before it can flourish. Wherever that level has been attained, in all parts of the world and at all periods, people have made efforts to shape their environment into an attractive display. Similar to the Gardening processes of tending plants through timely and necessary attention to the seasonal changes, and to the myriad small “events” in any shrubbery or herbaceous border, improves their understanding and appreciation of gardens in general. Large areas of gardening development and mastery have concentrated on persuading plants to achieve what they would not have done if left in the wild and therefore “natural” state. Gardens at all times have been created through a good deal of control and what might be called interference. The gardener attends to a number of basic processes: combating weeds and pests; using space to allay the competition between plants; attending to feeding, watering, and pruning; and conditioning the soil. Above this fundamental level, the gardener assesses and accommodates the unique complex of temperature, wind, rainfall, sunlight, and shade found within his own garden boundaries. A major part of the fascination of gardening is that in problems and potential no one garden is quite like another; and it is in finding the most imaginative solutions to challenges that the gardener demonstrates artistry and finds the subtler levels of satisfaction. 

In the book, R & B have superbly captured the vital role played by IA (with several examples) in the areas of five Ps which are the very foundation of organizations. 

An amazing perspective and a must read for all Internal auditing evangelists !  Superbly written , extremely rich perspectives and examples! Am sure that all the crazy internal auditors are going to love this ❤️ 

- Bhaskar Subramanian. Board Member, Past President IIA India, Trustee -Global Internal Audit Foundation, Seasoned Management Professional, Ex-Tata Capital Ltd., Ex-Hindustan Unilever Ltd.

The Gardener of Governance is an inspiration not only for seasoned Auditors but also for Board Members and Executives who value governance, compliance, and performance - and who appreciate an engaging and thought-provoking read that leads to meaningful introspection. It invites, and at times provokes, a rethinking and redefinition of responsible and effective leadership.

Corporate failures or underperformance manifest in many forms, but they often stem from deficiencies in governance, experience, ethical common sense, personal integrity, or even sanity - compounded by external challenges of our times (or any time). Achieving better results requires us to act differently. The Gardener of Governance offers more than just “food for thought”:

A. The book is profoundly theoretical yet highly practical, presenting a balanced relationship between the two. It echoes Kappler’s 1988 insight: “Only practice contains all theory.”

B. Its exploration of “human Authentic Intelligence” (hAI) alongside “robotic Artificial Intelligence” (rAI) provides a timely reflection on the evolving relationship between humans and technology - especially in leadership and auditing.

C. The 5P framework - people, public, performance, purpose, and planet - offers a holistic guide to navigating leadership and governance with confidence and purpose.

D. Questioning and critical thinking are foundational to auditing (and leadership), rooted in the Latin audire - “to hear.” Though this may seem obvious, the art of questioning, active listening, and deep thinking is increasingly underutilized.

E. “Authenticity” stands as a central anchor, alongside “logic” and “empathy.” This approach introduces the self into the reflective auditing (and leadership) process, transforming it from an aseptic, tick-the-box exercise into a deeply personal and meaningful engagement.

F. The book’s practicality is further grounded in real-life phenomena, such as “Lana’s purge journal.” Curious about what that entails? You’ll have to read the book to find out!

The Gardener of Governance is a call to action for those committed to better governance and leadership.

- Richard Gerstenberg, Board Member and Audit Chair at Weleda AG, Switzerland

LinkedIn: https://www.linkedin.com/in/richardgerstenberg/

Not Just Another Book on Internal Audit!

I wholeheartedly recommend The Gardener of Governance by Rainer Lenz and Barrie Enslin to every professional in internal auditing and corporate governance. This book doesn’t just revisit well-trodden paths—it boldly redefines the internal audit profession as a strategic enabler of trust, integrity, and cultural transformation.

The authors masterfully argue that internal auditing transcends processes, risks, and controls; it’s about cultivating relationships and fostering a thriving organizational culture. As they put it, “The gardener of governance doesn’t just inspect the soil; they nurture the roots of trust and transparency to help organizations flourish.”

The innovative 5 P’s model—People, Public, Performance, Purpose, and Planet—provides a holistic framework for elevating the internal audit function. In an age of artificial intelligence and automation, we don’t need humans who behave like robots. Strong human skills—such as authenticity, awareness, honesty, consistency, sincerity, and curiosity—are more crucial than ever. The authors emphasize that these qualities are the cornerstone of effective auditing, enabling auditors to build trust and drive meaningful change.

If your internal audit function isn’t helping your organization thrive, maybe it’s time to ask: Are you nurturing the roots—or just pruning the weeds? This book will guide you toward finding the answer.

- Paulina A. Pietrasik, Risk Management & Internal Audit professional, CIA, CRMA

Enterprise Risk Management and Internal Controls Director at Polpharma

The concept of the “Gardener in Auditing” fits perfectly into the efforts we are undertaking in the public sector to raise the quality of internal auditing. It aligns with the concept of Internal Audit 2.0, with tools like Quality@w, the Competency Model for Internal Auditors, and the Assurance Mapping Tool. It also supports the Knowledge and Skills = Competencies program, which allows us to develop the competencies of our colleagues in public finance in the areas of internal control and internal audit.
The Lenz-Enslin 2025 book is both a catalyst and a complement to our efforts and initiatives. It offers a fresh, modern, and practical perspective on the internal audit profession — an inspiring journey into mindful auditing grounded in empathy, trust, and added value. It’s a much-needed break from technical and procedural manuals. It’s the “fertilizer” that can help us lift Polish auditors out of stagnation and routine. We really need this — as auditors, as coordinators, and as a country. We need strong, effective, and efficient internal control — and we can only achieve that with effective internal audit.

- Dr. Joanna Przybylska, Assistant Professor at the Poznań University of Economics and Business, Department of Public Finance and Wojciech Ogiela, Expert in Public Sector Internal Audit & Control in Poland

Every function in an organisation, and especially the support functions, need to
prove their added value; their contribution to the future of the organisation. A function
that doesn’t provide significant value has no reason to exist anymore, especially in a
fast-changing business environment. In quite some organisations, the internal
auditing function has long been in the ‘danger’ zone when it comes to added value.
In this book, Lenz and Enslin provide a unique and refreshing framework to make
sure your internal auditing function adds significant value to your organisation. I am
very glad to see that my former PhD student Rainer Lenz continues to contribute to
the development of the profession. I am proud that he became a real thought leader
in his field.

25 August 2025
Gerrit Sarens, Founder & Co-CEO at Ambits, www.ambits.eu 

 

I have finally found time to do this book review. I promise I will do more in the next weeks. I had to start with this one! In a time when internal auditing faces existential challenges, from AI disruption to diminishing stakeholder trust, The Gardener of Governance arrives as a bold, timely, and transformative manifesto. Dr. Rainer Lenz and Barrie Enslin reimagine the
internal auditor not as a passive “third line” but as a proactive, strategic “gardener” of governance, nurturing ethical cultures, strengthening controls, and preventing organizational decay.
What sets this book apart is its blend of visionary thinking and practical wisdom. The authors introduce the 5 Ps, People, Public, Performance, Purpose, and Planet, as a framework for redefining internal audit’s value proposition. They challenge legacy models, advocate for behavioral insight, and offer actionable tools like the SWIM methodology, Risk Materialization Testing, and the “Think!” model.
With over 50 years of combined experience and a global footprint, Lenz and Enslin bring credibility and candor to every page. Their call to move beyond checklist auditing toward creativity, empathy, and strategic influence is both urgent and inspiring. Whether you're a CAE, audit committee member, or aspiring auditor, this book is a must-read. It’s not just about auditing better—it’s about auditing with purpose.

01 August 2025, Winnipeg, Manitoba, Kanada
Yves Genest, Senior Executive and Experienced Internal and Performance Auditor

 

If Internal Audit Vision 2035 is the destination, then The Gardener of Governance is a fantastic map to follow.

Bhavani Jois
Executive & Leadership Coach | Speaker | Power skills trainer | Mental Fitness
Coach | Blogger | Previously Internal Audit head/co-head of Infosys

This book is more than a guide—it’s a manifesto for change. Drawing on decades of global experience, the authors blend thought leadership with hands-on techniques that redefine what effective internal auditing looks like. From advocating creative audit methodologies like SWIM (Start With Intuition Method) to emphasizing human skills such as empathy and authenticity, The Gardener of Governance inspires auditors to think beyond checklists and embrace innovation.
The timing couldn’t be better. With new Global Internal Audit Standards and increasing stakeholder expectations, auditors need fresh approaches to remain relevant. Lenz and Enslin deliver exactly that, encouraging professionals to move beyond procedural thinking and become catalysts for governance excellence. It’s a refreshing, engaging read that will resonate with auditors, executives, and governance leaders alike.

Gary Craven, P.Ag., FCMC, ITCP, Partner, Paradigm Consulting Group

The “Gardener of Governance – A Call to Action for Effective Internal Auditing” by Rainer Lenz and Barrie Enslin is both an inspiring perspective on the future of internal auditing and a practical handbook on how to conduct effective audits. I am not an auditor, but I have worked closely with internal audit teams across different industries—as Chief Compliance Officer, Member of the Executive Committee, and now Supervisory Board Member. Throughout this time, I have observed not only the high value that internal audit brings but also the challenges the function faces, as it is sometimes still perceived as a mere control body. I therefore greatly appreciate Lenz and Enslin’s advocacy for a more versatile and agile approach to internal auditing within the overall assurance structure of corporations. In redefining the paradigm of the “Three Lines Model,” it is crucial to have strong voices, visionary perspectives from all parties involved, and an open dialogue on the future of good governance and the roles of the board, management, and various assurance providers. The “Gardener of Governance” is an impactful contribution from two thought leaders that will leave a lasting mark on the audit profession and beyond.

Dr. Klaus Moosmayer

Board Member, Ethics Risk and Compliance Executive, Governance and Integrated Assurance, Strategic Advisor, Author and Lecturer

Book Review: Lenz, R. and Enslin, B. (2025), THE GARDENER OF GOVERNANCE – A Call to Action for Effective Internal Auditing, CRC Press, Taylor & Francis Group, ISBN 978-1-032-85816-6.

By André Ludwig (2025)

Introduction

I got stuck in the introduction part of the book because of so many incredible thoughts that immediately triggered further thinking – and even laughing because of the comment that this book for IA practitioners “may be a stretch for the [IA] purist, insisting on adherence to traditional rules.“

What stuck with me the most was the clarity and uniformity of Prof. Mervyn King („Godfather of Corporate Governance“), Kato Plant and David J. O’Regan joining the President and CEO of the IIA Anthony Pugliese’s wake-up call for an urgent transformation of the Internal Audit profession. Here, a clear „paradigm shift“ of the profession itself is demanded – from the „box-ticking mode with adding limited vale“ to „tangible-value-adding services“; a „profession of foresight“ that helps to identify whether the organization’s „strategy can be controlled successfully“ (Strategic Advisor as suggested by IIA’s Vision 2035). Exactly, what the GIAS 2024 want: more pragmatism and a holistic approach.

The metaphor “Gardener of Governance” contributes to this overall transformation process because it “symbolizes the nurturing role of Internal Audit on the corporate governance ecosystem”. The short but very essential sections “There is more” (referring to IA) and “knowledge is power” are crucial in the argumentation for the IA being the strategic advisor. Through auditing the whole organization and “having seen it all”, the internal auditor would be the greatest and (hopefully) objective advisor for the organization and therefore the executives. The prerequisites for the “new” internal auditor should be “[k]knowledge, combined with talent, original thinking, excellence and interpersonal skills”.

The introduction part ends with an unexpected “tackle” of the “Three lines Model”, pointing out its lack of “addressing the complexities of our hyperconnected, fast-changing world” and suggesting to view “internal auditing no longer as the third line”. The internal audit as “a connector” that “champion the GRC agenda, the governance, risk and compliance activity.”

Chapter 1 “The 1st P is about People”

“Business is about working with people” – an ostensibly simple statement, yet at the same time an appropriate bridge to Internal Audit (IA). IA is a “people business”, which makes interpersonal competencies a key success factor. In this context, “effective” communication and, in particular, “listening” are placed at the forefront – a notion that is entirely plausible given that the term “audit” derives from the Latin word “audire” (i.e., to listen). However, it is essential to emphasize: “listen to hear, not to respond”. Auditors should always be well prepared, yet enter an internal audit engagement without preconceived opinions and with the “right questions”, as a “judgemental attitude” conflicts with the standards’ requirement for objectivity. Internal auditing must remain flexible, adapt to an uncertain and evolving future, and engage in continuous learning.

Another critical success factor identified is “healthy collaboration”, whereby friendliness must not be mistaken for “softness”: “weich im Miteinander und hart in der Sache”. Internal auditors should be approachable and less “over-controlling”, “over picky”, or “too task-oriented”. The objective of an internal audit—which typically represents a snapshot in time—is to apply realistic standards while simultaneously considering the organization’s level of maturity. The author further suggests—perhaps not without merit—that a considerable number of internal auditors derive their sense of self-worth from identifying findings. In this context, common criticisms of internal auditors are also highlighted, including self-righteousness, a “one fits all”-mentality, and “living in a perfect world”.

Equally noteworthy is not only the referenced “trust triangle” (as part of the “pyramid of competences [2025]”), consisting of authenticity, logic, and empathy, but also the call for holistic thinking—positioning IA as an “enabler of learning and change”. This establishes a clear linkage to Richard Chambers’ concept of the “trusted advisor” as well as The Institute of Internal Auditors Inc.’s Vision 2025 [tech-savvy] “strategic advisor”: IA as an indispensable (independent) value-adding partner to executive management. IA should act as a constant companion, monitoring the organization’s progress and supporting decision-making—the “Gardener of Governance”.

Finally, the authors aptly remind us that the quality of governance determines an organization’s success and cite Pav Gill: “Not investing in corporate governance will eventually lead to your downfall.”

Chapter 2 “The 2nd P is about the Public’s perception”

This chapter begins with many thought-provoking ideas and insights worth "expanding" or challenging. How can IA be promoted, or how can its acceptance, relevance, and influence be improved? How can awareness and appreciation for the “value creation” of IA be increased? And how can it be shown that IA is more than just “qualifications and experience,” but also requires a certain talent?

Very important is the clear call to all stakeholders to understand that Internal Audit and External Audit are not "the same” but rather differ from each other. IA needs to move away from the [rigid, one-dimensional] methods of external audit, which were adopted, for example, during ICoFR and SOX. Of course, in my opinion, the willingness to change within IA as well as across the entire organization (especially within management) is essential – and should therefore be demanded.

While IA internally aims to be more than just “the police”, it is generally – as Lenz noted back in 2013 – still searching for “an identity and a unique selling proposition (USP)” in order to play a more important role in the broader governance debate in the future. It is important not only to play “defense” and protect values (value protection), but also, above all, to proactively generate added value (value creation). For this reason, the authors believe that the Three Lines Model (3LM), in relation to the needs and demands of the current "permacrisis," is no longer sufficiently adequate. Since auditors have "invaluable insights across the organization," IA must also be considered at multiple levels and not just as a “parallel line” in the 3LM: proactive, visible, contributing, dynamic.

However, successful "value creation" by IA can only work if there are shared goals, shared knowledge, mutual respect, and effective communication within the entire organization (especially in collaboration with the 2nd-line functions) and with external auditors. The authors suggest an “Aligned Assurance Program” or “combined or integrated assurance,” with IA taking on the role of the “key coordinator” [connector] in the Corporate Governance Ecosystem. It is "uniquely and best positioned" to help prevent "Corporate Governance failure" and support decision-making processes.

But to establish IA as a “strong(er) pillar in the overarching Governance system”, Internal Auditors themselves must first change their mentality, ways of thinking, and attitudes, because according to “The Vision 2035 report” (2024) only 9% of Internal Auditors are “proactive”. 37% of auditors are still “purists” (or “by-standers”), and 54% are categorized as “practicalists”. Therefore, the path to becoming a “Strategic Advisor” might still be a long one.

Chapter 3 “The 3rd P is about Performance”
 
This chapter starts right away with a kind of unambiguous demand that should – in my opinion – be part of every internal audit charter: “Internal auditing must find ways to contribute to the overall value proposition of its clients. Internal Audit and good controls are not ends themselves but the means to an end, i.e. to improve an organization’s governance. Auditing what truly matters in the private sector, governance, strategy, operations, and the business model are vital.” Thereby, the authors are creating a link to the IIAs Vision 2035 (Hashtag#StayingRelevant) and call at the same time the internal auditors to break the mental block caused by procedural thinking and to reconsider the term assurance. An Internal Audit function could potentially malfunction despite passing an external quality assessment with flying colours.

Very stimulating are the impulses regarding a possible (new) House of Governance with performance at the top floor, ABC (attitude, behaviour, and culture) at the bottom, and risk management in between (see Lenz & John Chesshire, 2023). Performance, risks and controls should be thought of as intertwined, and risks and controls should be embedded in the pursuit of performance. Likewise refreshing and perfectly reasonable is the demand for internal auditors to me more critical of themselves and about their work and value add, referring to a survey of The Internal Audit Foundation (2024) where Internal Audit is internally still perceived as “police”.

An absolute highlight is the discourse “Challenge legacy terminology” and the authors clear statement to challenge “assurance” (a word mentioned 141 times in the GIAS 2024; while “versatile” and “agile” are not mentioned at all); while citing Dr. David J. O'Regan (2024) where assurance “is one of the most slippery of terms in the auditing lexicon”. I agree that internal audit is neither an “opinion maker” nor a “verificator of the accuracy of accounting records”. The authors also challenges “objectivity” as a core component of the internal audit value proposition. Is there really a one hundred percent “objective truth”? Hard to believe. “Can the internal audit function get it so wrong that they provide false assurance?” The author’s explicit answer is Yes – and he might be right since unsuitable and ineffective audit methodologies and lack of business insight may not provide an (useful) level of assurance. The GIAS define assurance as a “Statement intended to increase the level of stakeholder’s confidence about an organization’s governance, risk management, and control processes over an issue, condition, subject matter, of activity under review when compared to established criteria”.

Chapter 4 “The 4th P is our Purpose”
 
The article synopsis delivers the uncomfortable truth right away: “The profession lacks its commonly shared core and is therefore constantly at risk of overpromising and underdelivering […]. If Internal auditing seeks professional recognition, it will need a knowledge base that can link the profession to the work it does.” Here, the authors are again aligning with the IIA’s Vision2035 (“We must transform now or risk becoming irrelevant by 2035”). However, they are bringing one aspect into play that is crucial and massively underestimated as a central roadblock in this transformation process: “Internal auditing must focus on what differentiates it from external audits, such as engaging with an organization’s governance processes” [“and must differentiate its knowledge base from financial auditing”]. But therefore, “[i]nternal auditing can and should break out of monotonous procedural ways of performing audits” in order to “become a stronger force in the governance mosaic”.
 
The next thought nugget is also aptly described: “Unchecked power and inadequate accountability cause governance failures”. That is why “the effective internal auditor as THE GARDENER OF GOVERNANCE “ has to complete the “directors and senior executives as GUARDIANS OF GOVERNANCE (concept of Prof.Mervyn King,SC). “[I]nternal auditors need to be good at addressing ‘WHAT IS?’(Assure), ‘SO WHAT?’(Consult) and ‘WHAT IF?’(Build) type of questions”, so that they help preventing governance failure. Hence, Internal Auditors must function as “coordinators in the corporate governance ecosystem” (see respective figure attached to the images of this post) and champion for “the Governance-Risk-Compliance (GRC) agenda in the organization” – a link to the new GIAS2024 where IA should assess Governance, Risk Management and Control Processes.
 
While Domain I (GIAS2024) defines IA’s purpose as “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight”, the authors are raising the bar for our profession by suggestion a much simpler but more overarching purpose statement (metaphor): “Preventing Governance Failure as the purpose of internal auditing”. They garnish their thought with a “sticky idea”: “The Gardener of Governance: Our Nature is Nurture” – also, applying the SUCCESs-model (Heath&Heath, 2008) “Simple, Unexpected, Concrete, Credible, Emotional and/or tell stories”. Regardless of the specific definition of the purpose statement, Internal Audit has to play an “instrumental role in building and strengthening an organizations journey” towards “Aligned Assurance”. Starting NOW!

Chapter 5 “The 5th P is our Planet”:

To conclude their book, the authors do not want to lose sight of a topic that, in recent years, has not only stirred public debate but also caused considerable agitation within companies and organizations – ESG. Then came the EU with its Omnibus Regulation, which “softened” the originally very “strict” requirements for companies. Nonetheless, this chapter remains highly relevant – not because the authors describe ESG as “not [only] a nice to have,” but as a matter of “do or die”; for society, for companies, and for Internal Audit alike. What makes their perspective particularly interesting is already reflected in the way they write it: esG. Governance „as overarching concept“, serving as the “prerequisite for effecting many E and S dimensions.”

Here, the authors ask the very same question that audit executives face: “How best can Internal Auditing contribute and support the mitigation of […] global challenges” (and thus also with respect to esG)? They answer this by expanding the scope of Internal Audit’s “traditional” role of “Assure + Consult” into an ABC: Assure + Build + Consult. Once again, they call for a more active role for Internal Audit – one that leans more toward “doing” and does not hide behind “objectivity.”

And this finally closes the loop to the beginning of the book, where once more the authors refer to Anthony Pugliese, President and CEO of the IIA, and his statement on the future of Internal Auditing (IIA Vision 2035): “We must transform now or risk becoming irrelevant by 2035.” So, let’s get to it – more Builder, less Observer.

André Ludwig

Associate Director | Certified Internal Auditor (CIA), Prüfer für Interne Revisionssysteme (EQA-Auditor) und Compliance Officer (univ.) |