Having a sound relationship with the board is crucial if internal audit functions are to serve their organizations well and provide effective assurance. Whether chief audit executives (CAEs) report directly to the board or, more likely, to an audit committee, it is vital that the two sides share an informed understanding of internal audit and its role and purpose within the organization. That is why educating the board about the level and nature of assurance internal audit provides is an important part of any CAE’s role.
While that is an easy principle to grasp, achieving it in practice can be a difficult and prolonged journey for both sides. Explaining what internal audit can do and how the function should be positioned in the business is likely to be unhelpful, unless it is done in the context of the board’s real-life needs. “CAEs should be thinking about putting themselves in the shoes of the board members, and understanding what is on their agenda and why,” says Ninette Caruso, CAE at Discover Financial Services in Riverwoods, Ill. Boards are more likely to be concerned with business issues such as profitable growth, dealing with competitors, net profits, and complying with pressing regulatory issues. If internal audit is not engaged in those areas, trying to educate the board about assurance is likely to feel too abstract and disconnected from the business.
As internal audit begins to provide specific value and advice to the board in those parts of the business where it has genuine concerns, Caruso says it will be effectively educating the board about what true risk-based internal audit means to the organization by demonstrating the type and level of assurance it can provide. In doing so, internal audit will be greatly appreciated and recognized.
“Let’s try to understand where the board is coming from and not waste time trying to add value to, say, a compliance audit if the board is not really interested in that area,” Caruso says. “Instead, the internal audit function needs to focus on perhaps two main issues on the board’s agenda at that particular point in time and to put all of its efforts into those areas.”
Getting issues onto the board’s agenda that internal audit feels are important, but the board does not, can be more challenging. Caruso says it demands a level of storytelling that auditors are not often used to about what they have found and why that matters to the organization.
“Even if the board only wants internal audit to check the controls put in place by management and risk functions, internal audit can still play an educating role by standing back and looking at themes that emerge from the interaction between different parts of the business,” Caruso says. “Nobody may want that from internal audit until we bring it to them and they can see the value of it firsthand.”
A Clear Understanding
Louis Cooper, chief executive of the U.K.’s Non-Executive Directors’ Association, a professional training and education membership organization based in London, understands how CAEs and nonexecutives think about each other. He agrees with Caruso when she says that CAEs often dive in, providing services that they believe the board will want without stepping back and asking some simple questions first — and listening to the responses.
As Caruso says, boards generally want to know what the key issues are and what the organization needs to do to respond to them. But building a picture of what the board wants can take time. “Internal audit often has a disjointed view of the board because of the limited contact it has with its members through various committees and because of the brevity of that contact,” Cooper says. “Quite often, internal auditors only get pulled into the audit committee to present their report, so they often don’t have ongoing dialogue with key board members, especially the audit committee chair.”
In addition, internal auditors are busy people, he says, concerned with delivering their audit plans. That is why it is important for CAEs to schedule time within the audit plan itself for relationship building. Internal auditors can use those meetings to both strengthen their understanding of the board and explain how the function can serve the organization’s broader needs.
“Having a clear understanding of the corporate governance framework within the organization enables people to connect the dots on the risks that have been identified in the organization,” Cooper says. “Internal audit’s knowledge of the organization and its related feedback on the effectiveness of the corporate governance framework is an element often missing from such conversations.”
If the CAE can help the board come to grips with the control environment and help ensure management takes more ownership over some of the control processes, it can promote a better balance of activity based on management fulfilling its role in the Three Lines of Defense model. That helps move internal audit away from low-level controls testing and into more strategic risk-based auditing, the internal auditor’s “holy grail,” which can, in turn, free time in the audit plan for big-picture audits or consultancy-style projects.
Kristiina Lagerstedt, vice president, Audit and Assurance, at Sanoma in Helsinki, and a board member at Uutechnic Group, says internal audit departments can educate boards on the progress of big change projects. She has been working on information security and privacy readiness and maturity in preparation for the European Union’s stringent new General Data Privacy Regulation (GDPR), set to come into force this year. Because Sanoma is operating in the media and learning sector, getting the rules right is crucial.
“When GDPR was introduced, I noticed there wasn’t a common approach to privacy and information security within my company,” she said. She raised the issue, and the company decided to establish a steering group to oversee preparations for the changes with the CEO as chair.
“I took care of the agenda for the first year and a half, and we met twice a quarter,” she explains. Six months ago, when the steering committee agreed that the privacy and information security programs were up and running appropriately, it decided to meet quarterly and the agenda moved over to the chief information security officer. Lagerstedt is still involved, but with a smaller role.
“For a CAE, it is important to get involved in group-level change programs to ensure a common approach across businesses and countries,” she says. Lagerstedt’s main contribution was to keep the project moving and keep top management and the board up to speed on the progress made, the main risks faced and how they were being dealt with, and the maturity levels the business units had achieved on a quarterly basis.
“When you are pushing things forward and operating as a change agent (or consultant), it is sometimes confusing for people in the business to understand what the role of internal audit is and should be,” she says. While internal audit took a front-line role in the GDPR project in some respects, she aims to involve the business’ external auditors in the next audit to help reassert internal audit’s independence.
“Be brave in the tasks you take on,” she says. “Think about the company doing the right thing, but also keep in mind your and your team’s limitations to successfully manage expectations and not give promises you cannot keep.” She says continual education about what internal audit does and can do is key to success. “Remember to keep top management and the audit committee informed about where you are, and what the next steps and most critical risks are,” she advises.
Explain the Standards
Although The IIA’s International Standards for the Professional Practice of Internal Auditing does not explicitly say that the internal audit function should educate the board, it can be inferred from the many ways in which auditors communicate and work with directors and management across the business. While there is obvious value in providing education as to the effectiveness of the governance processes within the organization, and the type of major risks change projects can bring about, does it make sense to try to educate the board about the Standards? After all, the Standards are meant to be the benchmark of audit quality.
“Effective communications enable the audit committee to work with internal audit leaders to better understand the internal audit process,” Jim DeLoach and Charlotta Hjelm wrote in their 2016 CBOK Stakeholder Report, Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference. “To this end, directors should become more familiar with The IIA’s International Standards.”
Given the time constraints that both internal auditors and board members experience, is such a suggestion realistic or even desirable? According to evidence included in the report, the answer is yes. The quality and frequency of communication between CAEs and board members is greater among stakeholders familiar with the Standards, according to the report. Specifically, two out of three board members are familiar with the Standards to some degree and almost all — 98 percent — see value in internal audit conformance.
“If audit committee members do not have adequate knowledge of the Standards, they should ask the CAE for more information about them and how internal audit is ensuring their conformance,” DeLoach and Hjelm conclude.
For David MacCabe, a longtime CAE and an internal audit consultant based in Austin, Texas, informing the board that the internal audit function is conducting engagements in line with the International Standards for the Professional Practice of Internal Auditing is on his list of the critical assurances the CAE should provide to the board.
“Some members of the board may have minimal experience in business operations, such as those in nonprofit organizations, and they may just be interested in the programs and the people they serve,” he says. “But even in corporate America, there are some members of the board who may not be sure what their full duties and responsibilities are — and what the appropriate questions to ask as a responsible board member are.”
Internal audit can help educate them about those duties and, in doing so, underline its own credibility and integrity by explicitly saying it adheres to these international standards, he says. “Even for experienced boards, it can be useful to demonstrate that you are committed to external quality reviews by independent practitioners so they will know you are a step above what they may have experienced elsewhere,” he adds.
Effective communication and other interpersonal skills are crucial to achieving that goal and, while MacCabe says today’s auditors are generally more personable than in the past, there is room for improvement. In addition, The IIA’s many useful tools and publications can help CAEs inform and educate the board about leading practices for internal audit teams and audit committees.
He agrees with other CAEs that progress can be slow, and trust and respect need to be earned both by word and deed. Being proactive and available to management and staff in formal and informal settings can be a winning approach, MacCabe says. “It makes a world of difference to be open-minded, available, accessible, and approachable in the hallway, in the cafeteria, and wherever in the organization,” he says. People are much more likely to share their concerns when you are friendly and they get to know you.
He recalls one time when he brought a story he had heard through conversations with staff to a line manager. “The manager was worried I’d pass it on to his section head, but I gave him the option to act on it or not, and emphasized that it was not a complaint or concern, but an observation about something that may or may not be true,” he says. Situations like this can help form great relationships because the auditor is then viewed as being available to discuss issues and provide informal advice for control improvements or remedial actions.
“Building those relationships throughout the organization from the board to the frontline of the business is crucial,” MacCabe says. “Management often asked me to pass things onto the board, and that can be done either in confidence, or openly as they choose. Everyone benefits.”
Commit to Improvement
MacCabe says internal audit also must be committed to continuous improvement through internal and external quality assessments (refer to Standard 1300 series) and by continually updating its knowledge of leading internal audit and management practices, as well as business and industry trends. For that, quality assurance reviews are particularly important — especially because they form a key part of conforming with professional standards. He says he worries that only 39 percent of survey respondents worldwide said they had such an external review, according to the Common Body of Knowledge (CBOK) 2015 Global Internal Audit Practitioner Survey.
“It’s no use saying that we are professionals and then only being partly in conformance with our own Standards — that erodes our credibility,” he says. He urges CAEs and all internal auditors to be committed to achieving and demonstrating the highest professional standards. In striving to do so, auditors will become a more respected and vital source of knowledge and education on assurance for everyone in the business — especially the board.