Throughout my 20 years as a student and practitioner of internal auditing, I have seen the profession make strides toward achieving its full potential. However, there is still more to do. If the full scope of internal audit’s work today is seen as ensuring the accuracy and reliability of information, opportunities to make a bigger difference and reach our potential are being squandered. Contemporary internal auditors must contribute to advancing the strategies and business practices of their organizations. Today’s internal auditors also must be an example of integrity and a force that drives the kind of good, sound culture that is the foundation of successful enterprises (see “The Right Path”). In short, to operate at the highest levels of the business, internal audit must “Step Forward” — my theme for my year as chair of The IIA’s North American Board.
Three areas of opportunity for internal auditors to step forward fall under the headings of culture, courage, and conflict. There are still those practitioners who do not fully understand what the role of an internal auditor entails — or, if they do, they are unwilling or unable to take the necessary steps toward fulfilling that role. First, setting the right tone by conducting oneself with professionalism and competence is key — own the role unapologetically and without reservations. Second, some internal auditors lack the courage to make disruptive and strategic recommendations for improvement to management and the board. And, finally, some auditors are simply uncomfortable with conflict. They fail to understand that embracing conflict can help them produce better, more robust work.
I urge internal auditors who struggle in these areas at any level of the profession and in any type of organization to step forward and begin making a bigger difference for themselves, those they serve, and the profession.
Culture: Do What’s Right
My Year As Chair
During my year as IIA North American Board chair, my focus will be encouraging a renewed emphasis on helping internal auditors realize and appreciate that they are part of an indispensable profession. That entails providing IIA members with the tools they need to step forward in their organizations — to help them balance their often deep technical proficiency with the ability to instill confidence in their stakeholders that internal audit can make a difference at a strategic level and provide leadership.
In addition, in North America and globally, The IIA is striving to achieve concrete results from its advocacy work. We have been advocating, for example, for the U.S. Securities and Exchange Commission to require publicly traded companies to disclose whether they have an internal audit function. This is the first of many steps required to provide The IIA with the impetus to go further and begin a public discussion about what it means to be a professional internal auditor who follows the International Standards for the Professional Practice of Internal Auditing and the criticality of holding a Certified Internal Auditor designation.
I am also chairing an IIA group that is reviewing the committees of the North American Board to ensure our professional body is streamlined and fit-for-purpose. We are assessing whether each committee is still adding the value that we initially envisaged. The review most likely will lead to restructuring, change, and spirited discussions. When people are passionate about what they do, it is crucial that those involved can see the bigger picture and bring their considerable skills and talents to bear on the most relevant and strategic issues. So, we are looking at the North American committees as well as the relationships between that body and global committees under the One IIA initiative, which is aimed at achieving better uniformity of internal audit quality globally.
It is part of internal audit’s job to help drive a prevailing culture within the organization that is fair, healthy, effective, and focused on serving customers — an organization that one can trust. Securing a position of trust is not easy. When I accepted my current role as chief audit and compliance officer at the Texas Department for Transportation (TxDOT) in 2011, I was called on to improve the profile of the audit department and the organization. Immediately, my defense mechanism kicked in: Yes, I was responsible for how the audit department was perceived; no, I couldn’t own responsibility for the organization’s profile. In the end, I took on the challenge and, in partnership with my commission (board), initiated a program to elevate the focus on holding ourselves accountable, being transparent, and examining how and with whom the organization conducted its work.
One of the first steps, an external audit, identified noncompliance as well as some impropriety at an entity that did business with TxDOT. It would have been easy to call out the noncompliance, issue a report with recommendations, and be done with it. However, it was an opportunity to demonstrate that TxDOT was serious about its stewardship role. I positioned this to my audit committee chair as a chance for the organization to demonstrate that it was focused on driving honesty, integrity, and trust in its business relationships. Internal audit aligned with the board and executive leadership in formulating a strategy to anticipate and get ahead of any pushback from the entity’s officials. In addition to meeting with the entity’s leaders, I met with local officials and equipped TxDOT’s board and executives with information to share with our state officials. It was uncharted territory, but we knew it was the right thing to do, and we did it. It was the beginning of improving the profile of the audit department and the organization.
To set course on such initiatives, internal auditors must be able to work strategically and operationally at all levels of the organization. That entails evaluating the business to understand how it could do things differently to better serve customers — how it can achieve goals at the same time as building trust and a more sustainable culture. Recommendations must be relevant and practical. Internal audit’s oversight role puts it in a unique position to help the business in these ways.
Chief audit executives (CAEs) must engage their boards and advocate for internal audit by explaining its value to the organization. It is not always understood, for example, that internal audit is here to make things better. Even where a good relationship exists, there may be opportunities to extend internal audit’s reach. For example, recently numerous accounts of harassment in the workplace have been brought to light. Few would instinctively think of internal audit as ideally positioned to help address such an important, culturally explosive issue. Instead, they would reach out to human resources or the legal department. But internal audit can act as the eyes and ears of the board on such sensitive issues and help gauge the culture in different parts of the enterprise. Every audit opens the door to understanding how business is conducted, but it also is an opportunity to understand the culture of those performing the work. Internal audit needs to step forward and ask questions to ensure it feels good about the organization’s health.
It Takes Courage
During my career, I’ve conducted many external quality assessments. Invariably, I request time with each member of the board to understand his or her knowledge of the CAE’s role. Their feedback often includes: CAEs do not communicate effectively; CAEs do not focus on matters that are important enough to rise to the board level; and the time CAEs have with the audit committee and their reporting executive manager is insufficient. These are indications CAEs are not stepping forward to make their value known, and their work is not perceived to be informing or advancing the success of the organization. Perhaps they do not understand their organizations as well as they should, or they are not fully engaged with how their organization’s leadership plans aim to achieve its strategic goals — issues that come up time and again in IIA research and surveys.
The North American Board has asked The IIA to focus on advocating for the internal audit/board relationship through the creation of tools and content that will help CAEs have the courage to step forward. In the meantime, CAEs can take it upon themselves to get to know individual board members and executives. CAEs need to understand the priorities of the entire board, not just the audit committee. It takes courage to ask for time with the board, but the context and perspective obtained from those conversations help make internal audit’s work meaningful.
More junior staff can step forward by spending constructive time with senior auditors. It can take courage to speak to CAEs for those just beginning their careers, but it will be worth the effort. Junior staff also should get involved with their professional organizations — The IIA has many local chapters and special interest groups. If these auditors are only learning from their companies, they are missing out on great ideas they can bring back to their teams.
While it may sound counterintuitive, internal auditors should treat every engagement as an opportunity to deal with potential conflict. At TxDOT, for example, we deliberately include conflict in our audit processes and find it to be a powerful tool. For instance, when our audit teams explain their recommendations regarding an audit’s scope of work, or what testing they are planning, the internal audit management team is charged with challenging it. That puts the teams through a level of conflict that helps them support the work they want to do and the reasons they want to do it; and it can identify gaps and weaknesses to help make the audit work stronger. It also pushes the management team to put itself in the business owners’ shoes, which requires deep knowledge of the business and its leaders to be effective. My role is to challenge the management team by bringing a board and executive management perspective to the forefront. I ensure that the message we are delivering will matter, and that we account for potential organizational and political considerations.
We have such meetings at the planning, fieldwork, and reporting phases of each audit. This process prepares staff members to sell their ideas and value to our business partners — it helps everyone in the organization. It can be tough going through this process, but we remind our team that it is a safe environment, and it is orchestrated to help them deal with the conflict they will sometimes face out in the field. It would be a disservice to my team not to do so.
I accept that a year is not a long time to effect all of the changes mentioned herein. At a minimum, I would like to hear more stories about internal auditors stepping forward and adding value to their organizations. I want to continue to push for a shift in the way publicly traded companies view and talk about the profession. But, most of all, I want auditors to understand that internal auditing is a noble and indispensable profession, and I urge them to have the courage to act accordingly.
From Then to Now
After graduating from the University of Texas in 1993, I expected to pursue a career in law. Instead, I decided to take a break from school and accepted a job collecting student loan payments at the Texas Guaranteed Student Loan Corp. I worked my way up to investigator and, eventually, to internal auditor. The investigator job reported to the internal auditor, who allowed me to work on an audit. I really loved that, especially interviewing people and learning about things that were considered confidential. It was so interesting to me being in that environment.
In 2006, I joined the technology solutions business Dell Inc., which had been focusing on improving its culture by “Winning With Integrity.” Dell was using the internal audit department to drive change across the business. I was assigned to assist with the organization’s first external quality assessment, including working on its first internal audit charter. It was a great learning experience to understand how a Fortune 50 company could rally around an internal audit initiative. Dell really did implement a world-class audit function, and I learned so much from that organization. I’d be remiss if I didn’t mention Mike DeCaro, vice president of Corporate Audit at the time, who challenged me and everyone to be more than technically adequate, and to step forward and strive for excellence.
Joining the Texas Department of Transportation (TxDOT) in 2011 was an opportunity for me to help modernize an audit department and help it drive change in the business. Today, I oversee TxDOT’s internal audit and compliance divisions, which are aimed at improving stewardship, risk management, accountability, and governance through value-driven audits, evaluations, investigations, and advisory services engagements.
During my more than 20-year career, I have served in various positions with the IIA–Austin Chapter, including as the 2006 president. I have been a member of The IIA’s Professional Issues Committee, Publications Advisory Committee, and Public Sector Advisory Committee. I’ve served as vice chair of both content and professional development and as senior vice chair on the North American Board. Now, as chair of the North American Board, I also have a seat on The IIA’s Global Board. I am a member of the American Center for Government Auditing, American Association of State Highway and Transportation Officials, and several other professional organizations. I am past chair of the Texas State Agency Internal Audit Forum. I have earned the Certified Internal Auditor, Certified Information Systems Auditor, Certified Fraud Examiner, and Certified Compliance and Ethics Professional designations.