As boards and audit committees are being charged with more risk management and internal control oversight within their businesses, they have increasingly turned to internal audit for help. In addition to providing assurance on organizations’ core functions, auditors have been involved in advising boards on key strategic initiatives — with some enjoying the status of trusted adviser. That is both a recognition that traditional audit work is not enough on its own to help the business execute its strategy in the face of emerging risks, and a realization that internal auditors can do more. In fact, just 16 percent of CAEs, senior management, and board members surveyed in PricewaterhouseCoopers’ 2016 State of the Internal Audit Profession study say internal audit is currently providing trusted adviser services.
Trusted adviser can mean different things to different auditors, so some clarity is needed on what the role entails. But demand for a different level of service is evident. Not all auditors are comfortable with this shift, and many board members have either not experienced this level of service or are unaware that it exists.
“Checklists and audit plans often dominate the time and focus of internal audit teams,” says Olivia Kirtley, president of the International Federation of Accountants and audit committee chair for Papa John’s International, ResCare Inc., and US Bancorp. Moving away from that approach involves investment by the board and the audit department to free up some time from everyday audit work. “Internal auditors must be encouraged and have permission to devote time to innovation, gaining understanding of evolving challenges, and initiating conversations with people throughout the business regularly about their issues and challenges. Importantly, this applies equally to business areas not under a current audit,” she says.
Shift in Thinking
Mark Carawan, chief auditor for Citigroup in New York, and current president of the Chartered Institute of Internal Auditors, says taking on the trusted adviser role entails a large shift in the working relationship between the CAE and the board. “Being the trusted adviser to the board means that the internal auditor needs to be in a position where she or he can, at any point, initiate contact with the designated board member to raise something.”
Instead of contact being confined to communicating audit findings during formal meetings, the CAE should be free to talk about emerging issues that the board should be aware of as soon as those issues arise. “The internal auditor is helping inform the board member about current and emerging risk, candidly giving information on how the independent internal auditor is proceeding, how management is addressing that risk,” he says. “Also, within the trusted part comes the ability to benchmark and give a qualitative view of positioning within the marketplace,” he explains.
Carawan says auditors build trust when their advice demonstrates external awareness of what competitors, regulators, and others are doing. “That’s really valuable to board members and, if you can provide that, they’re ready to pick up the phone the next time because they say ‘OK, last time I spoke to him, I got a really good heads up about something coming down the pipeline.’”
That trust, when in place, cuts both ways. Carawan says when the audit committee chair has trust in the CAE, he or she is more likely to share information confidentially that will help the function match its work with the organization’s strategic goals. That communication is essential for audit planning and business intelligence because it forewarns the CAE about product launches, withdrawals, downsizing, outsourcing, and other strategic decisions that have a major impact on the business and the relevance of internal audit’s work.
Part of the Team
Mark Salamasick, executive director of audit at the University of Texas System (UT System) Austin, has been promoting what he calls a consulting approach to internal auditing since the 1980s. He was pleased when The IIA revised the definition of internal auditing to include the term consulting in 1999 and less than thrilled when the U.S. Sarbanes-Oxley Act of 2002 gave audit a hugely onerous compliance role. “That basically set us back 13 to 14 years,” he says.
For him, being a trusted adviser means being accepted as part of the management team. In the UT System, which comprises 14 bodies, the organization’s chief internal auditor, J. Michael Peppers, is part of the chancellor’s executive management team that sets the strategic direction of the organization. Salamasick says internal audit can often be forgotten if it is not part of the core team, because it is less visible than those functions that meet and talk regularly about strategy and upcoming projects. Part of the problem, he says, is that more auditors are working remotely, using IT as an efficiency measure, but sacrificing the face time that builds up rapport and trust. Other internal auditors just do not see themselves in that role and stick more to traditional compliance work. Salamasick says they are mistaken.
“As soon as you have relationships built with management and you are integrated into the team, your decisions help improve every level of the three lines of defense,” he says. It helps internal audit have a presence on major initiatives and projects and begin to move from historical auditing to looking forward and advising the organization on its strategic goals. It helps internal auditors become change agents in the business.
Kirtley also sees relationship building as critical. “Initiating conversations with business lines to truly understand the business and their current challenge is an area that can bring great value,” she says. “These conversations help align internal audit as a valued business partner that will not only call failures and successes on the current control and risk environment, but will also help business lines better anticipate and prepare for any troubled waters that might lie ahead.”
Critics would argue that having too close a relationship with management threatens the internal audit department’s independence. Maintaining independence entails ensuring the board knows that internal audit is serving the best interests of the organization — something that is increasingly difficult in a heavily regulated world. “As demands from regulators increase, internal audit needs to balance independence, being a trusted adviser to audit committees and executive management, and being an extension of the regulator where they can rely on the function,” says Paulette Mullings Bradnock, CAE at The Bank of New York Mellon Corp. in New York. “Balancing the activities required to be an assurance function while being a trusted adviser is walking a fine line.”
She says auditors need to show they are team players, while retaining their independence. That can involve saying no to myriad stakeholder requests while demonstrating that the function is focused on areas critical to the business strategy.
Having the right team is crucial. “To be a trusted adviser, an internal audit function must have the right complement of talent to address the full spectrum of complex risks within an organization,” she says. That means all auditors on the team need to be conversant with the business, as well as the emerging risks associated with the products and services. “Having the right talent is necessary to deliver on client expectations,” she says. “The full complement of individuals with business acumen, industry knowledge, analytical thinking, and strong communication skills are necessary to achieve trusted adviser status.”
Salamasick says those starting out on the route to creating a team capable of providing trusted adviser levels of service are likely to face some stiff challenges. First, he says, try to leverage the technology in the organization so data can be centralized more easily and made more readily available to the audit team. That can take time and money. Second, train the existing team to understand that audit is not just about compliance and assurance, but it can embrace a wider range of services. That can be hard to achieve, too, but training can help them think differently. Finally, he says, consider moving people out of internal audit who find it too difficult to make the change to a consulting role. One option would be to move them — along with some of the compliance and regulatory work — into the second line of defense, allowing internal audit to focus more in an advisory capacity, he says. “Determining who can make the change, and dealing with those who won’t be able to, can make a difference in successfully creating an audit group that becomes known as a trusted adviser.”
A Unique Position
Philip Ratcliffe, former president of the Chartered Institute of Internal Auditors and now a consultant who has sat on the audit board of the Biotechnology and Biological Sciences Research Council, sees the role of trusted adviser as providing insights to the board that largely fall outside the normal recommendations that come out of the audit program. That can involve sitting down with the audit committee chair or chief executive and discussing the possible options. “The auditor has to be free to say when something has not worked and to suggest alternative ideas,” he says. “It’s up to management to evaluate that advice and to decide whether to accept it and act on it.”
Auditors may worry that their suggestions don’t work, but Ratcliffe says that may depend on the way management implements their ideas, or some other unforeseen reason. “Auditors are there to make organizations better — it is a key part of the way they can add value,” he says. “Not commenting when they see a better way to do something could show a certain lack of moral courage.”
Having worked both as a CAE and a nonexecutive director, Ratcliffe says internal audit occupies a unique position within organizations. Because auditors understand the business, know the key people within the organization, and have a firm grasp of where the pressure points are, they are closer in their understanding of how it works than even the CEO. Because the CEO is likely to be more involved with strategic decision-making, that leaves internal audit with an opportunity to give an impartial view to the board on sensitive issues.
“I’m not sure enough internal auditors understand they are in this unique position,” he says. But to take advantage of it, they need to make sure the advice they give is based on facts and arrived at independently. That means undertaking their own risk identification and prioritization exercises and developing views on the culture, morals, and effectiveness of different people in the business.
Ratcliffe stresses that “trusted adviser” implies an informal dimension to the internal audit role that is not covered by the usual range of audit activity. It can, he says, require a lot of tact. If management is incapable of taking remedial action to put controls in place, for example, it may not be something to include in the audit report, but it shouldn’t be ignored.
Trusted advisers need tact, then diplomacy and political awareness, so they understand how people are likely to react when advice is given. Communication skills are key, but so is what Ratcliffe calls communication awareness. That means knowing not just how to say things clearly and effectively, but to whom you say it and when. He also warns that auditors who do have the ear of the CEO potentially face jealousy or resentment from other managers. He advises them to ensure that their advice is objective and based on facts rather than gut feelings, and to be aware that anything that is said by the auditor in confidence is still likely to become known. “Put a real premium on your modesty and self-restraint,” he says.
Nobody says that trusted adviser is an easy role to play. Nor is it one where the scope and range of activities can be set in stone. “I spend a lot of time talking with CAEs about these issues,” Kirtley says. “I do think they are fully aligned with my views on how to be a trusted adviser for the audit committee, but it takes diligent attention to detail and constant effort.” And it is a critical one if internal auditors are to be able to provide advice on what keeps their board members awake at night.