Organizations are, by definition, political. They’re composed of people who have different goals, value systems, sources of motivation, and approaches to meeting objectives. Internal audit, with its broad mission and unrestricted scope, is subjected to many of these often-conflicting factors. This reality, combined with the potential for audit results to reflect badly on some individuals — or bring attention to issues that some would prefer not be shared — creates a potentially substantial risk of political pressure for the CAE.
How much of an issue is political pressure? According to a recent survey of CAEs conducted by the authors — as presented in The Politics of Internal Auditing, published by The IIA Research Foundation (IIARF) — 55 percent of the nearly 500 participants say they were directed to omit or modify an important audit finding at least one time, with 17 percent indicating it happened three or more times. Nearly half say they were directed not to perform audit work in an area that the CAE viewed as high risk, and 32 percent were told to perform work in a low-risk area so that an executive could investigate or retaliate against another individual.
Political pressure may be overt or subtle. Some CAEs from the IIARF study say they were asked to take early retirement, or lateral transfers in the organization, and some were even fired. Other, more subtle actions included changing the scope of internal audit and decreasing budgets or head counts. Nearly every CAE interviewed had at least one experience he or she attributed to political pressure, often speaking of it as a “defining moment.” Most CAEs, in fact, will experience political pressure in the organization at some point in their career. Fortunately, numerous key practices and skills can help avoid, mitigate, or deal with these pressures.
Courage, Credibility, Trust
|Weak Governance Spells Trouble for Internal Audit|
A new CAE was hired at a governmental agency following the previous CAE’s departure over conflicts with management. The agency granted various types of licenses to other organizations and maintained a zero-tolerance policy for bribery.
Shortly after taking the helm, the new CAE became aware of a significant and likely ongoing bribery situation involving a key agency employee. The CAE knew the issue was important and determined that it should be reported to both management and the board, consistent with legal requirements and agency policy.
A strong-willed CEO led the agency and dominated the board. There was no audit committee. When the CAE indicated the need to report the bribery to the board, the CEO and the chief legal counsel rejected the idea. Their rationale included:
Nonetheless, the CAE continued to insist on issuing a report. Negative consequences ensued, including the threat of a personal investigation from the human resources director and exclusion from organizational meetings and functions. These actions had a personal impact on the CAE, who had trouble sleeping and suffered family stress because of the long working hours and pressure of trying to meet professional obligations.
- It’s not a big deal — paying these bribes is no different than providing a tip at a restaurant.
- The board would not be interested in this situation, nor would it understand the context.
- The board would not know enough to judge risks, and reporting the events would create confusion.
- Everyone would look bad if the situation became known.
After seven months, the CEO agreed to formally report the problem to external authorities. A prosecutor was presented with the evidence, and the employee was indicted for accepting bribes. Neither the CAE nor the CEO reported the incident to the board directly, although the board became aware of it due to the legal action.
Excerpted from The Politics of Internal Auditing.
To be effective and credible, CAEs must be willing to identify and explore difficult issues, collect sufficient evidence to support conclusions, discuss the conclusions — even in conflict — and maintain an unwavering stance when others apply pressure. If CAEs do not adhere to their principles, they lose credibility and most likely will experience the same political pressures repeatedly. Practitioners need to define the line and criteria whereby they resolve to stand their ground. “Weak Governance Spells Trouble for Internal Audit,” at right, provides an example of a public sector CAE’s courage and firm stance in the face of significant political pressure.
CAE participants in the IIARF study offered several suggestions for maintaining credibility, respect, and trust:
- Raise the right issues. CAEs must understand the organization; strategies, objectives, and priorities; and associated risks and mitigation activities to effectively judge the significance of issues identified.
- Listen fairly and objectively, but remember your ethical compass. While remaining independent, CAEs must be open to hearing the other side and considering the views and rationale of those who disagree with internal audit.
- Build and maintain a strong team. A strong, professional team understands The IIA’s International Standards for the Professional Practice of Internal Auditing; knows how to plan, execute, and document audits; demonstrates professional skepticism; collects sufficient evidence; takes pride in the quality of its analyses; and remains calm and poised under fire.
- Provide fact-based conclusions with clear business implications. Internal audit must clearly establish the factual audit results — they should not be subject to disagreement. However, management may disagree with the impact of those results and the CAE’s subjective conclusion. When presenting results, internal audit needs to be effective at identifying and communicating the impact of its findings and focus on business implications.
- Play on the same team as management. Several CAEs noted that it is never a bad idea to remind a manager who adamantly disagrees with an audit observation that both parties are on the same team. Demonstrating how audit findings relate to organizational objectives helps defuse challenging situations and earns long-term credibility.
Anticipating Pressure and Understanding Motives
Effective CAEs from the IIARF study say they consider how they will handle political pressures before they actually occur. Some suggest having a discussion with the audit committee and the CEO about potential pressures and developing an understanding of the role of the audit committee in such situations.
CAEs who say they successfully navigate political risk also often have a decision framework for stressful situations. They think ahead to identify decision criteria that are relevant and important. One CAE respondent shared criteria for determining when to quickly escalate a finding:
- Any time lives may be in danger.
- Any time there is a significant reputational risk to the organization.
- Any time it is financially material to the organization.
When an important business issue is identified, members of the internal audit team should also determine who is involved and what would concern them if they were in that role. Understanding other perspectives can help identify approaches to mitigate political risk.
The personal relationship among the CAE, the audit committee chair, and the CAE’s administrative report is a critical factor in dealing with political pressure. A solid relationship built on quality work, demonstrated business acumen, shared objectives, reasoned judgment, and impeccable integrity means executives are much less likely to distrust or dismiss a CAE who raises valid concerns. Organizational knowledge that the board and CEO support internal audit may preempt pressure from occurring.
When meeting with executives and the board, CAEs should go beyond routine interactions. Respondents to the IIARF study shared several suggestions,
ranging from quick and informative reporting to developing programs that help the board or audit committee members better understand new risks — or even leading educational programs on emerging topics such as the impact of implementing a new internal control framework.
Culture and Tone at the Top
|CEO Expenses: Personal or Business?|
The CEO at a major U.S. manufacturer had adopted a lifestyle that he felt was commensurate with his role as a company executive. During an audit of customer-related expenses, internal audit found that nearly US$1 million of the CEO’s personal spending was billed to the company inappropriately. The expenses included vacation trips for the CEO and his spouse and parties at his home.
The organization’s CAE reported functionally to the audit committee and administratively to the chief financial officer (CFO). The CEO was a strong figure who had placed like-minded individuals in officer roles, ultimately leading to a team of “yes men” who believed their first job was to protect the CEO. Moreover, the company had recently experienced a major change in governance with considerable turnover on the board, including the loss of a very supportive audit committee chair who was replaced with one who had less interest in internal audit.
The CAE shared the expense-audit findings with the CFO, who in turn discussed them with the CEO. The CEO subsequently offered to pay back the expenses, but estimated the amount due to be a small fraction of internal audit’s finding. The CFO wanted to accept this payment, close out the audit, and inform the audit committee — without a special report. But the CAE continued to push for full repayment, based on the team’s detailed analysis of the data.
Eventually, full repayment was made. Less than a year later, however, the CAE was asked to move to a different position and was subsequently “eased into retirement” after more than 20 years at the company. The CAE believes these actions were taken in retaliation for the expense audit.
When sharing this story, the CAE expressed amazement at how quickly corporate culture can change with a shift in senior leadership. For many years, the CAE said, the organization had a positive culture with strong values. But the tone at the top deteriorated rapidly, and management began focusing on protecting individuals instead of the company and its stakeholders. The CAE emphasized the need for preparedness in anticipation of such change. Despite having a passion for the organization, the CAE considered changing jobs after the shift in tone at the top, but ultimately took the early retirement offer instead.
Excerpted from The Politics of Internal Auditing.
A weak ethical culture, generally due to poor tone at the top, significantly increases the risk of political pressure. Ethical weaknesses could stem from a narrow focus on growth, market share, or earnings, and a willingness to bend the rules to achieve metrics. Or it could simply be the result of a senior executive who cannot accept looking bad.
A strong ethical culture can change rapidly — especially when a new leader joins the organization. The CAE must be alert to this possibility, as the rest of the organization will often mimic new leadership, and formerly unacceptable behavior may become acceptable. Concerns about leadership changes should be discussed with the chair of the audit committee or similar function. “CEO Expenses: Personal or Business?”, at right, illustrates how significant cultural change can lead to political pressure.
In some instances, organizational culture’s influence on political pressure may be much less overt. An “invisible hand” of pressure may guide employees’ behavior — whether they realize it or not. For example, the culture may subtly discourage challenges to authority or even open inquiry. CAEs need to consider whether such acculturation could be affecting them personally, or their staff, and explicitly communicate with staff their expectations for independence, objectivity, and integrity.
The CAE also needs to understand, in advance, whether the organizational culture is a good match for his or her personal values. Participants from the IIARF study encouraged discussion with board members and executives regarding their values and their expectations for the audit function. This is best done when interviewing for a CAE position, to ensure compatible expectations.
A Strong Foundation
To position internal audit for success, CAEs need a strong, approved charter with a clear mission and mandate, appropriate authorities, unrestricted scope, sufficient resources, and an independent reporting line. The charter should be reviewed with management and the audit committee, and should document internal audit’s unique and valued role, authority, scope, and reporting relationships, as well as executive and board expectations.
The CAE’s status also plays an important role in minimizing political pressure and establishing a foundation of support for the audit function. The right level of organizational clout is necessary to stave off political risks and lend authority to audit findings. It is hard to imagine a CAE standing up to an executive vice president on an issue when the CAE reports administratively to a mid-level manager and rarely has access to the audit committee or the executive suite.
Sound business judgment builds respect for the internal audit function. The CAE must decide which battles to fight and be able to determine the difference between major and minor issues. Raising minor points or overlooking significant but controversial issues — or choosing not to report them — opens the door to future pressure. “Executive Witch Hunt,” below, describes how one CAE used sound judgment to help withstand pressure from the organization’s CEO.
Internal audit must also demonstrate effective judgment to determine the level of evidence needed to support conclusions. More substantive testing on large issues may be necessary to ensure auditors have sufficient facts and persuasive information. Issues need to be compelling, clear about implications and risks, and based on solid data.
Board and Audit Committee Effectiveness
Independent and effective boards and audit committees are crucial to managing political pressure. In some situations, however, board members empathize with managers whose backgrounds are similar to their own, deferring extensively to management while too readily dismissing the CAE’s concerns. CAEs need to have a frank discussion with the board/audit committee and management, in advance, regarding approaches to responding to political pressure.
When a politically charged situation arises, the board/audit committee needs to be objective and knowledgeable about the risks to the organization. It also needs to understand the challenging role of internal audit and have sufficient experience and judgment to exercise its fiduciary role. The IIARF study found several examples of nonexistent or ineffective audit committees, particularly in areas such as governmental units or smaller businesses.
The CAE and audit team must be sensitive and effective communicators when dealing with a politically charged situation. Awareness of who is, or may be, affected by the audit findings and an understanding of their viewpoints are essential to handling political pressure. Learning how to communicate well in negative situations can be the difference between success and failure.
The tone for an audit is set with the first communication management receives about the role and objectives of internal audit. Proactive CAEs explain why the audit will be performed and the advantages to everyone concerned. They lay the right groundwork so that management understands the risks that will be assessed, and that internal audit is working to find mutual areas of interest — such as managing risks to achieve objectives. As issues are identified, CAEs need to communicate timely, at the right level, and in the right way.
An Organizational Constant
Due to the nature of organizations — and our basic human desire to succeed and be respected — political pressure will always exist. The good news is that a proactive approach can be implemented in most situations to mitigate political pressure effectively. The mitigating factors all start with a strong corporate culture that embraces clearly defined organizational governance and values, competence, and objective, fact-based discussions and decisions.
But the onus lies not just with the organization — internal audit must assess itself and determine whether its value proposition is understood by, and aligned with, that of its clients. Moreover, the CAE must build and staff a strong function that provides that value. The CAE needs to possess integrity and gain credibility and respect by understanding the business, building relationships, demonstrating objectivity and good judgment, and communicating tough issues fairly and thoughtfully.
Addressing political risk is not an easy task. But it is essential to the success — and even survival — of the internal audit function, and the organization it serves.
|Executive Witch Hunt|
At a major retailer, the CEO asked the CAE to audit an executive’s travel and entertainment expenses. Upon asking what prompted suspicion of policy violations, the CAE was told there were no known or suspected breaches. Instead, the CEO said the executive was ineffectual and hoped internal audit would find evidence to support termination.
After examining the situation, the CAE determined that an audit was not warranted. The motives for the audit seemed unethical and would divert audit resources from risk-based work. The CAE declined the CEO’s request and advised that it conflicted with internal audit’s overall purpose to provide independent assurance that governance, risk management, and internal control processes are operating effectively. The CAE also recommended addressing the performance issue through the company’s established performance improvement protocols.
When relating this account, the CAE pointed out that buckling under political pressure invariably undermines the internal audit function’s ability to live up to The IIA’s definition of internal auditing and to its International Standards for the Professional Practice of Internal Auditing. It would also undermine internal audit’s credibility and its ability to stand up to future pressures that may be exerted. The CAE added that this type of pressure directly conflicts with the concepts of independence and objectivity; internal audit’s commitment to taking a systematic, disciplined approach to gather and analyze evidence; and its ability to address key risks and help the organization achieve its objectives.
Excerpted from The Politics of Internal Auditing.