Aesop’s Fable, “The Miller, His Son, and Their Donkey,” recounts the trio’s perilous journey to the market where, along the way, the man and his son face various criticisms for each of their decisions. First, they are chided as foolish and wasteful for walking, and then lazy and cruel for riding. In a desperate attempt to quell the second criticism, they decide to carry the animal only to lose it in the river. The moral is that it is impossible to please everyone given the diversity of opinions, and that attempting to do so can be a fruitless endeavor.
This predicament also applies to internal audit functions. As the role of internal audit continues to expand, so does its stakeholder base and the level of expectations. But, like the onlookers from the fable, internal audit’s broadening stakeholder base may value a variety of conflicting qualities. For instance, an organization’s manufacturing department, which values efficiency and minimized downtime, may perceive internal audit’s U.S. Sarbanes-Oxley Act of 2002 controls testing as valueless and disruptive to its operations, while the chief executives and external auditors may view such testing as an invaluable barometer in their overall controls assessment.
In acknowledging that universal stakeholder approval is not always possible, an effective internal audit function also realizes that it can consistently act in the best interests of the organization and its core values, even if it leads to some dissatisfied stakeholders along the way. And while each organization’s values are unique and there is no one-size-fits-all approach to stakeholder management, chief audit executives (CAEs) and their staff members can consider specific actions throughout the engagement life cycle while navigating widespread stakeholder expectations.
Begin With the Risk Assessment
Regardless of the industry, organization, or department, all stakeholders face some form of risk and understand the need to manage it within acceptable levels. That said, disagreement on the nature and severity of risk is inevitable. While auditors are not expected to evaluate risk through the same lenses as their stakeholders, they can use the risk assessment process to engage stakeholders — such as through interviews and surveys — and as an opportunity to align future audits or projects with mutually agreed-upon risks. Further, to ensure stakeholders are on board with the risk ratings and evaluation criteria, auditors should use generally accepted risk assessment methodologies, such as The Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management–Integrating With Strategy and Performance. Wherever possible, they should quantify the likelihood and potential impacts of such risks in lieu of using highly subjective, and often contentious, heat maps with high, medium, and low categorizations.
Align Engagement Goals
Once the need for an engagement has been established by aligning it with mutually agreed-upon risks, internal auditors should set goals for the engagement and discuss them with impacted stakeholders before beginning fieldwork. Further, auditors can gain stakeholder interest by articulating the direct or indirect links between the proposed engagement and the accomplishment of departmental and organizationwide objectives. For example, an operational audit of an organization’s shipping function should begin by evaluating the department’s immediate and long-term goals, such as shipment of 100 percent of forecasted orders this month, quarter, and year, and the organizationwide objectives they support, such as greater customer satisfaction and improved profitability.
As a result, the engagement’s goals should include identifying the root causes of issues and providing recommendations that will enable the department to achieve its goals. When the department’s goals conflict with, or do not align with, enterprisewide objectives, further dialogue with departmental and executive leadership may be warranted before beginning fieldwork.
To promote a “no surprises” approach, internal auditors must proactively communicate engagement goals with their stakeholders and obtain consensus on scope and timing. While this practice seems obvious to many, its importance is sometimes overlooked. Auditors should use engagement proposals, scope documents, and kick-off meetings as a vehicle for engaging their stakeholders and establishing ground rules and expectations.
Furthermore, obtaining stakeholder buy-in requires not just discussing the engagement terms, but also communicating what’s in it for them. While this message can be challenging, especially on a mandatory compliance audit, stakeholders are far more inclined to act as a partner when they are aware of the incentives. For example, instead of warning sales department leaders about the penalties for their team’s noncompliance with company travel and expense policies, an internal auditor reviewing travel expenses can emphasize the benefits of cooperation during the audit, such as shorter audit duration, less disruption, and a reduction in audit findings. The auditor also can point out the advantages of implementing the subsequent recommendations, such as greater management and monitoring of expenses and budgetary adherence.
While a robust engagement plan can set the tone and ensure the efficient allocation of audit resources, an internal audit engagement’s — and department’s — success is contingent on the team’s ability to promptly adapt to change. According to The IIA’s 2018 North American Pulse of Internal Audit, two-thirds of CAEs significantly value future agility, yet only 45 percent consider their departments very or extremely agile today.
The process of becoming agile can begin by leaving flexibility in the engagement plan, which can range from budgeting hours for responding to ad hoc requests, to continuously refining the plan after major milestones. In addition, audit teams need to establish a scope change management protocol with stakeholders up front to ensure changes to the original plan and scope are handled consistently.
Use Accepted Methodologies and Best Practices
To avoid irreconcilable differences of opinion, auditors can base their approach, evaluation criteria, and, ultimately, their conclusions on generally accepted standards. For instance, while assessing a company’s IT password requirements, an auditor is likely to encounter stakeholder pushback and questioning by concluding that the password length requirements are weak or even noncompliant without attribution to a specific framework. On the other hand, if the auditor notes that the company’s current password length requirement of five characters does not align with the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 recommendation of at least eight characters, stakeholders are far less inclined to challenge the finding and more likely to accept the recommendation, especially if they also value the NIST framework and were apprised of the audit criteria earlier in the engagement.
Regardless of the organization, interdepartmental conflicts or turf wars are inevitable, and by virtue of their authority, internal auditors often are petitioned by stakeholders to support a particular side. IIA Standard 1120: Individual Objectivity states, “Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.” While maintaining an objective mindset is critical, it can be far more challenging for internal auditors to appear neutral in the eyes of their stakeholders. In addition to abiding by the explicit requirements of neutrality, which include refusal of gifts and avoidance of workplace fraternization, internal auditors should refrain from being overly complimentary or critical of a particular stakeholder group in their interactions and in their reports. For example, internal auditors should avoid using words with strong connotations such as failure, weakness, or gap and replace them with more constructive terms such as opportunity.
In the unfortunate situation where a dispute arises between internal audit and a stakeholder, such as disagreements over regulatory interpretations, audit findings, or recommendations, CAEs should consult a mutually regarded third party as a mediator, whether it is another department, such as legal or human resources, or outside consultants. For instance, if internal audit and accounting have a disagreement about the interpretation of the new Financial Accounting Standards Board Lease Accounting Standard, the CAE can consult the external audit firm to provide its independent, objective interpretation of the standard to both parties in hopes of achieving greater alignment.
While a thorough risk assessment and well-articulated plan can help stakeholders understand the need for, or even appreciate, the engagement, they are less likely to embrace the fieldwork process itself. For example, a retail operations manager concerned about shrink may welcome the idea of a loss-prevention audit, but may be less enthusiastic about the auditor’s requirement to conduct time-consuming inventories after hours. While auditors should avoid the temptation to eliminate or modify key audit procedures to appease stakeholders, they should try to reduce the audit burden by compiling their own documentation, such as running reports and queries, scheduling observations at mutually agreed-upon times, and being fully prepared at the onset of fieldwork to limit the audit duration.
Issue Vetted, Quantifiable, and Actionable Reports
The audit report can be the most valuable product of an engagement, but it also can be the most controversial. According to Deloitte’s 2018 Global CAE Research Survey, 24 percent of participants listed helping the business respond to prior internal audit recommendations as a key strategic priority. As audit reports can have a widespread audience, including executive leadership and the board, stakeholders can be highly sensitive to negative feedback and how it is presented. While some stakeholder defensiveness is inevitable, internal auditors can make the audit report less controversial by preparing it under a highly collaborative and iterative process. While stakeholders should not author, redact, or edit an audit report, they should be given the opportunity to review drafts and ask questions until consensus is achieved before publishing it to a larger audience.
Additionally, audit recommendations should not come in the form of mandates, but rather as value propositions supported by tangible, quantifiable benefits. For instance, an auditor completing a Lean Six Sigma assessment can advise stakeholders that implementation of the proposed recommendations could potentially drive productivity up X percent and reduce operating costs by Y percent. If such data is not available in house, the auditor can at least point to successful case studies, such as General Electric’s savings of $12 billion in the first five years after implementing Six Sigma. Lastly, to the extent that supporting management in its implementation of audit recommendations does not impair independence, auditors should offer to lend support throughout the process to ensure the recommendations are addressed in a timely and satisfactory manner.
Convert Solicited Feedback Into Action
While soliciting real-time, informal feedback throughout the engagement life cycle is valuable, internal auditors should not underestimate the importance of formal, recurring feedback mechanisms such as stakeholder surveys and quality assessment interviews. According to KPMG’s 2018 Benchmarking Survey, three-quarters of respondents use a formal stakeholder satisfaction questionnaire. While effective surveys can take several different forms, internal audit surveys should be anonymous to ensure candid feedback, and leave the respondents with the opportunity to provide free-form responses — in lieu of pure multiple choice or numerical rating scales — to expound upon improvement opportunities with examples and recommendations.
While administering a survey can be seen as a gesture of good faith to the stakeholder, it can be perceived as mere lip service without being converted into visible actions. To ensure stakeholders realize their feedback is not in vain, CAEs should consider summarizing the survey results, including the improvement opportunities and subsequent action plans, and communicating them to impacted stakeholders via reporting or debrief meetings.
Perform Quality Assessments
The most valuable feedback an internal audit function can receive is directly from its stakeholders. Nonetheless, the performance of periodic quality assessments, as mandated by The IIA’s International Standards for the Professional Practice of Internal Auditing, can help identify additional opportunities to align with generally accepted best practices. While a quality self-assessment using IIA-provided tools is generally sufficient, CAEs must adhere to The IIA’s guidance to engage an independent party at least once every five years to complete the assessment, and ensure stakeholders are apprised of this practice to avoid the perception of a conflict of interest. Similar to the audit feedback surveys, CAEs should consider reporting the results of their quality assessments, including any subsequent action plans, to impacted stakeholders to demonstrate the audit function’s commitment to continuous improvement.
A Customized Approach
Internal audit functions face constant challenges juggling diverse and occasionally conflicting expectations from their stakeholders, including business-unit leads, executives, board members, external auditors, and regulators. Unfortunately, these challenges cannot be alleviated by a single action or even a one-size-fits-all approach. However, an effective internal audit function can navigate widespread stakeholder expectations through a multifaceted approach that engages stakeholders in every aspect of the engagement life cycle. By differentiating effective stakeholder management from constantly trying to please everyone, internal auditors can avoid the fate of Aesop’s Miller and His Son.