Someone told me early on in my career that internal auditors need to develop a thick skin. While I found it amusing back then, over the years, I have realized there was truth in that statement. One of the essential attributes for an auditor is the ability to remain unmoved by criticism. That also means auditors should not expect any appreciation for a job well done.
The nature of the profession is such that we are expected to flag risks and propose actions to manage the risk effectively and efficiently. If carried out in the right spirit, this helps the organization avoid or reduce losses from events before they occur — and sometimes help prevent the risk, itself.
However, in the course of this work, internal auditors sometimes face resistance from audit clients. We often hear statements such as, "Internal audit doesn't understand the business," "Internal audit is flagging a risk that can never occur," and "It's a waste of management's time." The criticism may be justified at times, and auditors should have an open mind to listen to our clients.
On the flip side, when the client does accept audit recommendations, the fact that the business was protected from the impact of a potential risk by following those recommendations is rarely acknowledged. Let me explain with an example.
In late 2019, one of our audit teams performed an audit of the crisis management process in one of the company's regions. The audit client's management initially questioned the need for an audit of this nature, something it saw as nonessential. The audit team prevailed and completed the audit, providing recommendations to strengthen the crisis management and emergency response procedures, which were found to be inconsistent or lacking across entities in the region.
A couple of months after the audit, the COVID-19 pandemic was spreading like wildfire across the globe. Businesses had to make quick crisis-response decisions and take steps to ensure business continuity. Guess which region in the company was ready to immediately tackle the crisis and took steps to secure employees, assets, and operations? Yes, the one that internal audit had recently audited.
Did the client's management acknowledge and appreciate internal audit? No. However, we learned from a second-line compliance partner that the crisis management response and procedures had worked smoothly when this crisis broke out, unlike earlier years, and the partner felt the audit was timely and helpful.
Surely, I don't mean to claim that the audit team had a premonition of the upcoming crisis. The points I wish to make here are:
- It is important for auditors to stand our ground if we have done our homework and assessed the risks adequately. In this case, the audit team was convinced that this was an area to be reviewed and was not swayed by the resistance from the audit clients.
- Unlike the above example, in most cases, auditors might not have an opportunity to demonstrate the visible impact of our work. If the business implements our recommendations and the risk is successfully averted, then how do auditors prove the risk would have occurred in the first place?
That is the beauty and the bane of our profession. The most effective auditors are the ones who help the organization successfully manage risks before they could adversely impact the organization. However, that also means people might never acknowledge or realize the good work of the auditor because they actually do not see a loss.
Hence, it is important for auditors to be open and listen to what the business stakeholders have to say, yet maintain a healthy professional skepticism and do our own homework and due diligence on risks. Also, do not expect any reward for a job well done.
It helps to develop a thick skin in such cases, where there is no acknowledgment of the auditors' contributions. After all, our work itself is a reward, isn't it?
Parikshith Acharya, CIA, CA, CISA, is a director of Internal Audit at Hewlett Packard Enterprise in Bangalore, India.
Want to be a part of Your Voices? Click here to learn how to contribute a blog post.