When I entered the internal audit profession, my manager taught me a foundational principle that stuck with me for 30-plus years. She said, “As audit manager I have one job — keep the regional manager out of trouble.” Over time I changed the titles to match my various situations, and it has morphed into an important truism: Internal audit’s No. 1 job is to keep the organization’s leaders out of trouble.
Through the years, many people have disagreed with me about this simple statement. (In fact, I’ll bet more than a couple of you rankled upon reading it.) Those disagreements seem to fall into three camps.
The first is the most common and comes from internal auditors who fall back on basic internal audit principles, arguing that our job is to help ensure risks are identified, controls effectively mitigate those risks, and objectives are achieved. No doubt these principles are key to our success. However, isn’t this just a long-winded way of saying that we help keep everyone out of trouble? And when we not only identify potential risks but also potential opportunities, aren’t we helping leaders stay out of trouble by enhancing their ability to succeed?
The second argument originates from leadership and represents a shortsighted view of what we can do. As an example, the chief claims officer at an organization where I previously worked asked members of the audit function what we thought he wanted from internal audit. I raised his hackles by responding that our job was to keep him out of trouble — he vehemently disagreed.
He then said something many of us have heard from other executives: “I want you to tell me something I don’t know.” I wanted to respond, “If you don’t know something and I tell you about it, isn’t that helping you keep out of trouble?” However, retirement was still several years away, so I kept quiet. But to limit expectations to “something I don’t know” is to pigeonhole internal audit as no more than another source of information, not a partner in the business.
The third argument can be generally expressed in the question, “What if leadership deserves to get in trouble?” When leaders are no longer acting in the best interests of the organization, and are involved in unethical behaviors such as fraud, falsifications, discrimination, or even lying and bullying — when leaders are driven by self-interest over the organization’s needs — then they deserve all the trouble that follows. But when leaders fail the organization, we have a responsibility to ensure organizational structures around controls, governance, and ethics are strengthened, helping keep everyone else out of trouble.
We have a litany of responsibilities that ensure we are successfully accomplishing our missions, visions, and objectives. But they should all work together to achieve one thing — keep everyone out of trouble. When our work keeps everyone safe, that is a value that can’t be matched.