As internal auditors, we frequently hear our profession labeled as the organization’s police. The comment is made in a critical tone, often accompanied by descriptions of internal audit as a “gotcha” function that seeks to identify and highlight obvious issues. Many of us respond by offering examples of how auditors provide value-added services, form partnerships with the business, and provide recommendations that can improve and strengthen the overall control environment. And while citing this information can help educate clients about our wide variety of roles and responsibilities, I have begun to wonder whether disputing their characterization of the profession is truly effective, appropriate, and even accurate.
When confronted with the police comparison, should we seek to understand where this perception comes from? Auditors are trained to ask thoughtful, open-ended questions as part of our standard walk-throughs. Can we implement the same skills in conversations about the nature of our work? A client’s opinion about the profession may stem from an experience he or she had with an audit team in the past. By identifying what could have been executed differently, we can implement strategies in the current audit to help avoid such an experience from recurring. Or perhaps the client’s impression is based on internal audit’s portrayal in the media. By discussing what is happening at other companies, internal audit can facilitate dialogue about risk areas of concern that ultimately could be leveraged to improve audit planning and execution.
Simply disagreeing with clients’ perceptions of internal audit sets an adversarial atmosphere for the engagement. Is it necessary to disagree, or can we acknowledge their perspective? Then, rather than highlighting our consulting projects, special management requests, and continuous monitoring activities, perhaps we could explain the purpose of our work nondefensively.
Maybe audit clients are not that off base when characterizing internal audit as a policing activity. Similar to police who protect the communities they serve, internal audit aims to protect the organization by performing risk-based audits that cover financial, operational, and regulatory activities. Internal auditors are trained to identify red flags of fraudulent activity that could harm the organization, similar to a police officer who identifies criminal activity that could harm the community. Internal audit develops rapport with business units to build a foundation for strategic discussions, similar to police who forge positive relationships with schools and neighborhoods to strengthen the bonds of the community.
Although the profession has made considerable strides with its image among stakeholders, comparisons between internal audit and the police are still common. But such opinions do not have to be interpreted as negative or invalidating. Instead, they can be embraced and leveraged to facilitate candid discussions about audit objectives and organizational risk