Examples of governance breakdowns in public- and private-sector organizations are plentiful, from avoidable cyber breaches to scandals fed by toxic or misaligned cultures. Whatever the causes, problems in governance and risk management are invariably at the heart of many organizational failures. With such potentially dire circumstances, one would imagine that supporting and nurturing good governance would be the first priority of every member of the organization. However, there are plenty of examples where ignorance of sound governance practices — whether actual or willful — are to blame.
One of the root causes of Wells Fargo’s fake account scandal was a decentralized governance structure that allowed its community bank leadership to shield the board from understanding the scope and significance of the problem. According to a report from the bank’s board, the decentralized structure and the bank’s culture also handicapped efforts to identify and address the problem.
At Equifax, whose 2017 cyber breaches exposed the personal data of nearly half of the U.S. population, the governance breakdown appears to be tied to poor oversight of IT controls. A June 2018 settlement between Equifax and eight states that brought suit against the credit-rating agency focused corrective action on a strict audit regimen of IT controls by internal audit and aggressive oversight by the board. The unstated message is that a lack of such assurance and oversight contributed to Equifax’s epic breach.
Preventing what at times seems like an epidemic of high-profile governance failures would appear overwhelming. After all, what can one person or group of people do to stop it? The easy answer is to hope executive leadership and the board have developed strategies to strengthen governance practices and put in place sufficient internal controls to successfully identify and mitigate risks.
Ultimately, internal auditors must do their part. They must have an innate understanding of their vital role in good governance and embrace that it is part of their job to zealously promote that role and the value internal audit provides the organization. Internal audit cannot afford to sit back and let others dictate its role based on a skewed or myopic view or, worse yet, on an agenda that doesn’t put the organization’s success first.
Internal auditors, especially chief audit executives (CAEs), must make it a priority to educate executive management, audit committees, or other governing bodies on the conditions where internal audit can thrive and provide high-quality assurance, advice, and insight. Heads of audit must invest in developing relationships with the CEO, chief financial officer (CFO), and board to become trusted advisors. The relationship the CAE has with the CEO/board must be the same as the CEO/CFO or CEO/general counsel relationship — one that is mutually trusting and mutually respectful, especially where each needs to do what is necessary in their respective roles. Lastly, the CAE needs to be in meetings with the CEO, CFO, and executive vice president to hear what’s going on.
Control the Message
Getting the Message to Stakeholders
Successful communication is key for chief audit executives (CAEs) to build strong and mutually beneficial relationships with their audit committees. That partnership can be achieved with a few simple guidelines.
Communicate the value. Ultimately, internal audit’s product deliverable is not the work done on engagements. It is what is communicated to stakeholders about what those engagements found. Internal audit must make clear to stakeholders why its recommendations matter to the organization and how it will help protect it from risks or leverage risks to help it reach its goals.
Learn to listen. Listen to learn. Most people listen to respond. Internal auditors must listen to learn. Often, internal audit’s best work can come from understanding what is said, but also from what is not being said.
Keep it short. Keep it simple. Executive management and boards/audit committees are constantly being pulled in multiple directions. Internal audit must respect this and provide concise and precise information to stakeholders.
Invest in building relationships. The challenge in building relationships is that work gets in the way. Heavy workloads for CAEs and frontline auditors can make it easy to put relationship building on a back burner. Make the time. Frontline auditors can schedule two or three hours a week to get to know department or division managers and the work they do. CAEs should meet regularly with audit committee chairs. Investing a few hours can pay dividends in the long run.
Commit to excellence. Convincing stakeholders of internal audit’s value is tied to providing the highest quality service possible.
The principal challenge in getting internal audit’s complex message to stakeholders is controlling the message, itself. Internal audit cannot allow others to define what it does. When control of the message is lost, misconceptions and misperceptions about internal audit creep in. Internal audit can best control the message through articulation and demonstration — what is said to stakeholders and what is done to earn their trust.
The message articulated to stakeholders must be clear and convincing. IIA President and CEO Richard Chambers provides a great example of that in his February 2018 blog post,
“Internal Audit Advocacy: Actions Speak Louder Than Words.” In the post, Chambers hones in on three key messages that internal auditors should promote to stakeholders:
- When the internal audit function is effective, the organization is made stronger.
- The IIA’s
International Standards for the Professional Practice of Internal Auditing provides the foundation for high-quality audits that help ensure complete, accurate, and reliable information is reported to the board.
- Certified internal auditors demonstrate proficiency in the profession and are better equipped to deliver high-quality audits in accordance with the
Demonstrating what internal audit does and how it brings value to the organization is up to the CAE, internal auditors, and audit committee. Striving to provide the best service possible means understanding the business, continually honing and expanding skills, examining efficiency and effectiveness, and conforming to the
But how do all these pieces come together for the benefit of the organization? Each has a part to play in communicating to stakeholders the importance of internal audit in supporting good governance practices.
The CAE’s Role
The CAE is the face of internal audit for executive management and the board/audit committee. This individual serves as liaison, ambassador, and advocate for both the function and the profession. It is imperative, therefore, for CAEs to develop stakeholder relationships built on trust and a deep understanding of internal audit’s value to the organization.
This requires that internal audit deliver on its promises. CAEs must build teams that:
- Understand the business.
- Understand the company’s strategy and value of key initiatives.
- Are versed in the variety of risk areas, including cybersecurity and IT.
- Embrace technology.
- Constantly work to expand their knowledge and skills.
The CAE’s integrity must be beyond reproach, and that integrity must carry through to each member of the team. Building trust requires an unwavering commitment to independent and unbiased assessments of the organization’s governance policies and internal controls.
CAEs also must be willing to speak truth to power. One of the core services that internal audit should provide is asking the hard questions and exposing faults others within the organization may be reluctant to address. With this as a foundation, the CAE can convince stakeholders of internal audit’s value and educate them on what internal audit needs to operate at the highest levels.
The Practitioner’s Role
For individual auditors who make up the team, the role is relatively simple: They should deliver their best possible work with the highest levels of integrity, objectivity, and independent thinking, and invest in growing their skills. I often ask audit staff to put the pen down and tell me three key or strategic insights they have right now in the work that’s in front of them. This is an easy question to answer for staff members who invest in their talent development. CAEs must be able to trust that team members will deliver on the promises they make to stakeholders.
The Audit Committee’s Role
The audit committee, in many ways, holds the keys to internal audit’s success. As the principal contact between internal audit and the board, the audit committee must be converted into internal audit’s ally and defend it with the same zeal as the CAE. This must be real and true support. The audit committee that stands with its CAE is 100 times better than the audit committee that stands behind its CAE.
Obtaining support requires educating the audit committee about its obligations. The minimum requirements for the audit committee that CAEs must articulate at every opportunity include:
- Understanding that its obligation to internal audit is as important as its obligation to external audit.
- Remaining involved in the hiring, firing, review, and remuneration of the CAE. Turning over all but final approval of these steps to management creates the risk of demoting or diluting internal audit’s role as a truly independent assurance provider.
- Being open to communicating with the CAE without executive management present.
- Demanding the highest quality internal audit function and being willing to resource the function and guarantee its independence to get it.
These steps are crucial to getting the best internal audit function possible. As the relationship matures, the audit committee can become more than just internal audit’s ally. It can become its partner. Success comes when the CAE and audit committee stand together.
The biggest challenge, by far, is to make the case for internal audit to busy board and audit committee members. The IIA provides many tools to help educate and convert stakeholders to internal audit’s cause (see “Help Stakeholders Understand and Value Internal Audit” below).
Internal audit practitioners face a wide variety of challenges to provide consistent and high-quality assurance and advisory service to their stakeholders. Laws, regulations, inadequate resources, competition from accounting firms, and lack of educational support resources can make getting the job done a Herculean task.
But as growing demands on stakeholders translate to growing demands on internal audit, it is imperative that the relationship between them be effective. This must begin with educating stakeholders on internal audit’s needs, its value to the organization, and the necessity for all the players in the governance process to see the benefits of a symbiotic relationship.
Help Stakeholders Understand and Value Internal Audit
The IIA provides numerous tools to support chief audit executive communication with executive management, the audit committee, and the board. These tools explore pressing issues facing organizations and provide foundational support for understanding internal audit and its role in good governance.
Tone at the Top This bimonthly newsletter provides boards, audit committees, and executives with information on issues such as risk, control, and governance. Each edition features a Quick Poll that offers insights on how others approach issues addressed in the previous edition.
Global Position Papers These articulate The IIA’s positions and perspectives on vital governance and control issues, from the value of conformance to the
International Standards for the Professional Practice of Internal Auditing to internal audit’s role in good governance. Their Key Takeaways and 5 Questions features are designed to quickly provide information and insights to busy executives and board members.
Global Advocacy Platform and Toolkit The Global Advocacy Platform offers practitioners and affiliate leaders several tools to advance their advocacy efforts, including an advocacy planning tool, stakeholder analysis tool, templates, presentations, fliers, brochures, and videos.
Global Perspectives and Insights This periodic publication offers insight and direction on key issues, with perspectives that resonate globally.