We are living in a golden age of internal audit:
- Membership in The Institute of Internal Auditors (The IIA) is at an all-time high (200,000 members)
- Conferences and programs are filled near capacity around the globe
- We are part of the conversation in board rooms and in management circles
- Career surveys are placing us among the top ten professions to enter into
While these are all great things occurring in our profession, there’s a terrific quote from Andy Grove, the legendary former Intel CEO, that resonates with me. He said, “Success breeds complacency; complacency breeds failure; only the paranoid survive.” So, while we are all excited about where we are today, we should not forget to ask ourselves, “What do we need to do to remain relevant?” The answer is simple, but not necessarily easy: We need to understand the expectations of each of our unique stakeholders.
Those expectations were expressed clearly in The IIA Research Foundation’s 2016 CBOK Stakeholder Report: Voice of the Customer. I recently had the pleasure of revisiting those findings, along with Pam Jenkins, Vice President of Global Audit Services at Fossil Group Inc., in a presentation at ISACA’s GRC Conference 2017, in Dallas, Texas. Without dwelling too much on the findings themselves, I wanted to share some of the highlights of our presentation, and some action items for chief audit executives (CAEs) to help ensure that their internal audit departments meet and exceed their stakeholders’ expectations.
From the CBOK Stakeholder Survey, we know that the top five areas where stakeholders are looking for advisory assistance from internal audit include:
- Consulting on business process improvements (73 percent)
- Facilitating and monitoring effective risk management (71 percent)
- Alerting management to emerging issues and changing scenarios (66 percent)
- Identifying known and emerging risk areas (65 percent)
- Identifying risk management frameworks and practices (64 percent)
Not all stakeholders want the same things from internal audit. Demand for advisory work varied across organizations according to the maturity of the organization and its location, as well as the perceived competence of the internal audit function. There was a general consensus that advisory work should not detract from or diminish the quality of assurance work, which is why we advise CAEs to pursue advisory work only to the extent that it is supported by the competence and capacity of the internal audit function.
CAEs bear the brunt of responsibility of engaging with frontline management and the second line, as well as executives and audit committee members, to develop, socialize and validate written expectations for value that can be measured and reported on with a balanced scorecard.
Here are some specific action items we recommend for CAEs seeking to strike a balance between traditional assurance and ever-changing advisory roles:
- Engage your stakeholders as a business leader, not a technical auditor. Assess your level of business acumen and, if necessary, develop a plan to spend time and effort with those in your organization who can help you think more like a business leader. Become familiar with how your organization defines success – internally and externally, and the risks related to its strategies and businesses.
- Coordinate with the second line of defense. Understand clearly the work done by function in the second line of defense. Coordinate as much as possible with these functions, working toward common views of risks and compliance where possible. Rely on assurance work done by these functions only when the objectivity and rigor of their work has been tested and verified.
- Balance competing demands. Develop strong relationships with stakeholders of all types and levels. Do not hesitate to take positions when they are needed. Stay grounded in your professional obligations.
- Build excellent interpersonal skills and be ready to use them. Perform a self-assessment of your relationships and communications. Be candid with yourself. Solicit input from stakeholders; ask them to identify areas for you to improve.
Communication is a common thread across all of these recommendations. In the CBOK Stakeholder Study, 21 percent of respondents indicated that internal audit does not communicate effectively. CAEs need to remember to communicate what is and what is not being audited and why. Audit committees need clarity on this point.
Finally, if you see a problem, even if it’s not in your scope, do something to fix it, or at least call attention to it. It is part of being a valuable partner to your stakeholders.
If I had to boil down the advice on how to stay relevant to three things, they would be: 1) Know your stakeholders’ unique expectations, 2) Set the right tone and culture, and 3) Build exceptional teams to help ensure you are delivering high-value assurance and advisory services to your organization. If this seems like common sense, good. Just watch for complacency.