Today, whenever corporate fraud or scandal hits the headlines, no player is held harmless. Along with everyone else involved, internal auditors will be asked, "What did you know, and when did you know it?" Internal audit departments must continue to ask themselves how they can better help the organization maintain a healthy, ethical culture.
Several years ago, Farmers Insurance Internal Audit addressed that question by putting in place its Relationship Management process. This four-step cycle has enabled us to keep our fingers on the pulse of the company's culture by sitting down at regular intervals with the top leaders to review their visions, values, and strategies. The process has afforded the means of reassessing company risk and adjusting our audit plan to cover those risks timely.
Our relationship management cycle has played a big role in conforming to IIA Standard 2010: Planning, which states: "The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization's goals."
As the diagram below shows, the relationship management cycle consists of:
- Conducting periodic meetings with the top 150 leaders.
- Reassessing risks based on those meetings.
- Adjusting the audit sched-ule to meet the changing risk environment.
- Updating the audit universe to ensure adequate coverage in all key areas.
Step one of the cycle — the relationship management meetings — is the engine that drives the other three steps in the process and is the focus of this article. The benefits of the meetings are multifold, as they enable us to:
- Promote a relationship of trust, mutual respect, and partnering between company leaders and internal audit.
- Systematically identify business strategies, objectives, initiatives, risks, and controls.
- Update our audit universe and schedules to reflect emerging risks and business needs.
- Grow our talent by having audit managers, and often auditors, participate in the meetings.
- Provide value and insight to our customers through these meetings and the projects that result from them.
For this process to work, relationship management owners must be adroit and capable. The owners are audit staff who are matched to company leaders based on their expertise, areas of specialty, and interests. Take, for example, an audit manager who specializes in underwriting. It makes sense to assign him as relationship management owner to the Underwriting head. The commonalities between staff and leader can go a long way toward creating mutual relationships of trust, rapport, and respect. Without that, the cycle will fall short.
Relationship management owners are responsible for all aspects of the meetings. Planning and scheduling the meetings may require tenacity and persistence in tracking down leaders who are often on the road. Conducting the meetings requires the use of effective soft skills to draw the leaders out so they are forthcoming and frank. They should feel comfortable enough not only to share their strategies, but also to reveal the obstacles and threats to achieving them. Relationship management owners' notes of the meetings must be accurate and complete, as they will often provide the springboard for discussions with senior audit leadership on what was learned.
The relationship management owner sets the agenda for the meeting. Agendas will cover strategy, objectives, and business plans and the risks that threaten them. If warranted, past audit results also will be covered. The audit schedule will be reviewed to verify content and timing of planned audits. If the leader is new or unfamiliar with the audit process, we will add our charter to the agenda so we can cover our principles.
The frequency with which relationship management owners meet with company leaders depends on several factors, including: leader experience, size and complexity of the operation, ongoing changes or initiatives, and past audit results. For example, Claims is Farmer's largest department and the pace of change within it may warrant meeting with its leaders three or four times a year. Meeting once a year may be sufficient for smaller departments or those with a slower pace of change. Relationship management owners confirm the meeting frequency with senior audit leadership.
Before the meetings, relationship management owners will email the agenda to the leaders, inviting their input on areas to discuss. The email will often include the ongoing and planned audit schedule for the leaders to review. Whenever possible, the relationship management meetings will be held on site. Relationship management owners will often include other auditors who have an interest or are specializing in that area of the company. This provides an opportunity to grow our talent, as these auditors observe and learn from participating. One of those auditors will usually be the scribe, and after the meeting send the notes to the relationship management owner for review and distribution. Meetings usually run about one hour. All meeting records are stored in a database.
Each quarter, our senior audit leadership team meets to review and adjust the audit plan. This is when our relationship management meetings pay off. The relationship management owners will share results of those meetings, and, in particular, focus on changes that have occurred to the risk landscape of the department in question. Reassessing risks, the leadership team will adjust the audit plan, moving up some audits, pushing back others, and, in some cases, setting up new audits. This is also the time when the leadership team will consider requests made by leaders during relationship management meetings for us to provide consulting services.
While we may attribute organizational failures to things like fraud and poor leadership decisions, culture is really at the crux. Bad decisions stem from an unhealthy culture. Our relationship management cycle puts us in a unique position to help ensure our company's culture remains healthy.