David Smart, the audit committee chairman at MEK Corp., called a meeting with the company’s CAE, Michael Smith. “Michael, please highlight for me internal audit’s accomplishments during the year,” Smart requested. “And describe how you and your team have reached out to gain the respect of executive and line management. Do your team members understand the corporate strategy, the way the company is governed, and the most significant risks the company faces? Does your audit plan align with this understanding? Do you believe our executive leadership understands how internal audit can add value?”
Smith’s blank stare suggested he was not prepared to answer these questions. The following month, Smith learned that MEK would be outsourcing its internal audit function. Internal audit had been caught up in measuring its performance based on the standard metrics such as the number of audits completed, the number of findings, and basic compliance activities. The audit committee’s position was that this basic type of audit work did not address the company’s compliance, operational, and strategic risks, and could be outsourced cost-effectively. It didn’t perceive that internal audit was engaged with the business in a way that would merit its inclusion in management meetings and strategy discussions.
In this fictional scenario, Smith could have seen a different outcome if his internal audit function were considered a trusted adviser by all of its stakeholders. Many internal audit departments aspire to be trusted advisers and encapsulate similar aspirational language in the department’s vision and mission statements or audit charter, but fail to achieve or sustain that status.
David Maister, Charles Green, and Robert Galford introduced the concept in their 2000 book, The Trusted Advisor, to enhance client relationships. The fundamental principles of the Trust Equation they developed can be applied to improving internal audit’s understanding of its relationship with its stakeholders and potentially enhance the audit function’s performance. But this requires thinking about internal audit in a different way.
Shaping the Perception of Internal Audit
The ease or difficulty of the trusted adviser journey is influenced by an important determinant that is outside of internal audit’s control — how the department fits within the organization’s governance structure. Does internal audit truly operate as the third line of defense in the organization’s response to risk? From where does internal audit receive the broad delegation of authority that defines its role and accountabilities — to whom does it report? Is it the audit committee, the CEO, the chief financial officer (CFO), the chief operating officer — or is it some combination of reporting lines that compromise both independence and the wider understanding of its role?
The current recommendations for internal audit to report administratively to the CEO or CFO and functionally to the audit committee establish the ideal environment for the audit function to achieve trusted adviser status. Internal audit needs to establish such trust to ensure that the first and second lines of defense understand and support its independent, third-line role.
On the journey to becoming a trusted adviser, the internal audit department must create a brand identity that all stakeholders, including the audit team members, buy into and understand. This may require discussions to expand the remit of the function, which may need to come from the top down. But before embarking on such a journey, a level of self-awareness and honesty about the current state of the function is required. The Trust Equation can facilitate this self-realization.
The Trust Equation
The Trust Equation has four components that define the level of trustworthiness of an individual or entity (see formula below). Focusing on each component in the context of what internal audit does can identify strengths and weaknesses that define the level of trust that stakeholders have in internal audit.
Credibility is established in the realm of words. Are the audit department and individual auditors considered believable and trustworthy? Internal audit might expect to hear comments such as, “I can trust what this auditor says about …”
Reliability is established in the realm of actions. Do the audit department and its staff present themselves as dependable, honest, and consistent? Internal audit might expect to hear comments such as, “I can trust this auditor to do …”
Relationship strength is established in the realm of emotions. Is the internal audit department building strong relationships with the business? Internal audit might expect to hear comments such as, “I feel comfortable discussing this issue with the auditor because he or she understands my business dilemmas.”
Self-interest is established when the department’s or individual internal auditor’s actions and behaviors are self-promoting, rather than in the best interest of stakeholders and the organization as a whole. If internal audit’s stakeholders sense a high level of self-interest, it will quickly undermine its trustworthiness. When self-interest is low, internal audit might expect to hear comments such as, “I can trust that this auditor cares about how well my control environment is operating and that the outcome of audit work aligns with, and supports, the success of my business.”
By looking at the Trust Equation through the lens of behaviors associated with internal auditors, it is easy to see how these behaviors can support or detract from becoming a trusted adviser.
Being credible is not simply about having the right technical expertise, which can easily be measured by certificates and diplomas, but it also relates to experience and personal attributes such as presence or gravitas. Outstanding technical competence is necessary but not sufficient.
Credibility results from being recognized by stakeholders as reasonable, understanding, and committed to beneficial outcomes for the organization. The audit organization must be staffed with the right balance of individuals who have experience working in the business and understand its objectives and the dynamics that come with reaching them, and those with a strong audit pedigree.
Credibility increases when a CAE has built strong relationships with senior executives and communicates powerfully about internal audit’s role within the organization’s governance framework (third line of defense). Auditors need to be able to communicate this purpose, as well. The audit department should not second-guess the decisions line management makes that affect business outcomes. Instead, it should see its primary role as ensuring that business is performed within the boundaries of the risk appetite set by the board and CEO. To do this, internal audit must use its understanding of the organization’s enterprise risk management model to shape the audit plan and be responsive to new risks as they emerge.
Internal audit should continue to bring fresh perspectives to the business and transfer leading practices across the organization. Some examples include adding an engineer who is an expert in Lean process management to the team on a rotational basis, hiring an auditor with technical experience to help optimize technology controls, and adding a human resources professional.
Once credibility is established, the internal audit department may be seen as a source of future talent for the organization. It may also become part of the career path for candidates for top executive positions.
Reliability requires auditors to do things in a consistent way that fosters stakeholder confidence that their findings and recommendations for improvement are fact-based. Internal audit can build its perceived reliability by consistently providing an objective perspective and focusing the audit plan on the organization’s strategic, material, impactful, and emerging risks. Like the rest of the organization, the audit department must set and deliver against realistic expectations, defined by relevant metrics, and communicate these expectations to all levels of management. Additionally, auditors must be able to advise business leaders and communicate with stakeholders on a real-time basis to inform them of significant opportunities for improvement.
Some internal auditors are good at fostering relationships across the organization. Over time, these individuals can use that ability to facilitate and expedite all aspects of audit design and delivery, including conveying difficult messages in a nonthreatening way.
Auditors can improve the strength of their relationships by understanding situations and dilemmas facing stakeholders, acting like a real person — rather than someone playing a role — not sugar-coating or steering away from delivering difficult messages, and providing sound reasoning for all recommendations. Moreover, internal audit can improve relationships with the business by changing some aspects of how it reports the results of its work, such as removing inflammatory terms, developing innovative solutions, clearly explaining the residual risk of each finding, and ensuring that target completion dates for management actions are reasonable, given the level of residual risk, and are agreed to quickly.
The denominator of the Trust Equation has only one element, self-interest. Auditors want stakeholders’ perception of self-interest to be low because it is the area where trust can be most easily eroded. That is especially true when stakeholders see auditors adopting the old corporate cop mentality or acting in a way that is viewed as in the auditors’ own interest or advantage. Examples include giving in to stakeholder positions simply to make audit delivery targets, showing more concern for the image of audit than the robustness of findings, and refusing to have a stake in outcomes.
Acting out of self-interest will erode stakeholder trust quickly. Trusted advisers must be seen as “servant leaders” who focus on the needs of the organization and the business units with whom they interact, acknowledge their perspectives, and provide the support they need to meet their goals.
Internal audit can achieve a desired level of low self-interest when audit staff members are more motivated by an internal drive to do the right thing than by their own personal reward or any organizational dynamic. One way internal audit can demonstrate this is by positioning the audit report as a collaborative effort to drive significant value for those who are running the business, highlighting unnecessary or unacceptable risk that the business faces. The audit report should not be merely a historical capture of what has gone wrong, which could make it difficult to reach agreement with audit clients about the findings and management’s responses to them.
Moreover, internal auditors need to consider the best interests of all of their stakeholders and demonstrate that they are helping management achieve its strategies and objectives. They should work closely with the risk-focused departments in the second line of defense, while maintaining independence, to enable the organization to benefit from a truly integrated set of assurance activities.
A Different Conversation
To achieve trusted adviser status, the audit team needs to take an objective look at where it is on the continuum between corporate cop and trusted adviser. The team should then develop a road map that addresses the components of the Trust Equation that are required to move toward trusted adviser status.
Each step closer to trusted adviser status can enable the internal audit department to contribute more to the organization’s long-term success, attract and develop top talent, and provide a more rewarding experience for those who remain in internal audit long term. That can change the conversation between the audit committee chairman and CAE to one in which internal audit is respected by the board and management, responds to emerging and strategic risks, adds value to the organization, and realizes untapped potential.