Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​Diversity and Internal Audit

Comments Views

​A year or so ago, I was the closing speaker for a chapter's annual conference. Even when I'm not speaking until the end of a conference, I like to see as much as I can. Of course, listening to what others have to say about the profession is how we all grow and learn. But the main reason I show up early is to get a feel for the ebb, flow, and content.

Partway through the opening speaker's presentation I noticed a sobering fact. The speaker was African-American. I looked around the crowd of 200–250 internal auditors and saw only one other African-American. Now, the crowd was not homogeneous — it was not a vast palette of white, male faces. Nonetheless, there is no way that one African-American was representative of the chapter's community. And that meant a significant disparity existed between the makeup of the conference attendees and reality.

At this point, I'm going to interrupt with a little background about what you are going to find written here, as well as an update about the journey many of you have been taking with me. First, the journey. As readers of my blog know, I've been doing a series of posts on significant issues from the prior decade — issues where internal audit missed the opportunity to embrace those issues and, in so doing, allow the profession to have a significant impact on our organizations. However, it is also my contention that the issues still exist, along with the opportunities. I've talked about reputation risk, disruption, whistleblowers, the gig economy, and bots.

When I started working on this series back in January, there were two topics I felt were most important. In fact, thinking about them back then is what led me to the broader idea of multiple lessons to be learned. One of those two topics will be my next post in this series. But the topic I planned on posting on this date — the one I've been working on for quite a while — is the topic of diversity.

Which leads to a short discussion about the piece you hold in your virtual hands. As noted, I've been working on this for quite a while. In fact, I have had rough drafts of those first two paragraphs, as well as some of the following materials, in the works for a while. I had been struggling with how best to say what I wanted to say, so I gave myself today's date as a deadline and started writing.

And then events came up and smacked us all in the face.

I am not here to provide solutions to the significant issues that have recently arisen. To be honest, even I wouldn't listen to an old white guy — one who is probably enmeshed in privilege he doesn't even recognize — who purports to have any kind of answers. Instead, I want to speak to what the profession of internal audit can be doing related to diversity. And, just like the other topics I've covered in this series, the basic message is wake up, recognize the missed opportunities, and figure out how to do things better.

To provide value, internal audit needs to determine what the organization is doing to ensure diversity and provide assurance that these efforts are successful. Over the last few years, organizations have made varying efforts in this regard, actions such as establishing diversity officers (or similar titles); providing training on such topics as hiring, internal relationships, respect, and sensitivity; and inundating employees with emails, flyers, posters, and communications reminding everyone of the importance of and need to embrace diversity. All nice, all well-intentioned, all a wonderful thing to behold. And there is evidence that some of these organizations are taking real, sincere, and effective action.

But how many organizations are taking these steps with unclear direction, mismatched goals, and a primary emphasis on optics rather than results? And, what is internal audit doing to ensure that the programs are well-intentioned and successful — that lack of diversity is not an issue for the organization?

These can be hard questions. But It can still be easy for internal audit to effectively impact the organization's efforts (or lack thereof). Note that it also requires the department, in some instances, to be willing to take a stand. Here's an example of how easy it is and how hard it can be.

I was talking with a friend (an internal auditor) about diversity — specifically equal position and pay. Knowing his company had a lot of information about their employees — information relevant to the discussion, as well as very specific and regimented salary grades — I asked if internal audit should analyze the data. I suggested determining if there were disparities in how salary grades were distributed and if there were disparities in salaries within those grades. In other words, determine if the data indicated a potential problem.

His series of responses were interesting/baffling/saddening. First, he said there was no need to run the data because he did not think there was a problem. He went on to say the results might be unreliable. He then went on to say he was not sure what might be done with the information if a problem was found.

Then he came to his final excuse, one that was as damning to the organization and the internal audit department as anything he had previously said. He explained that, if a problem was found and no action was taken, then the fact that a problem was found but no action was taken could be a liability to the organization. Therefore, the analysis should not be completed.

Well, yeah! That's kind of the point. One relatively simple piece of data analytics and internal audit knows everything it needs to know about diversity within the organization, knows what it needs to report to the board, and knows if the board cares.

Of course, you don't even have to work that hard to understand where the organization really stands on diversity. Just look at pictures of the C-suite, the board, and the executives. If you see a bunch of old, white-hairs like me, then you have a problem. In fact, if half that board, half the C-suite, or half the executives are old (or middle-age, or even young) white-hairs, then there is a systemic problem. And internal audit should take a role in helping the organization recognize the problem and do something about it.

But there is another aspect of all this where internal audit can provide value — the existence of hidden or unrecognized prejudice and racism within the organization.

One of the great things about our profession is our ability to wander around hearing the everyday, common conversations that people are having. That means we hear unvarnished commentary where the filters have been removed. We gain an incredible insight into what people really think. (And, yes, this is tougher in this newly virtual world. But we still have opportunities to hear the seemingly inconsequential conversations that reveal volumes.)

What is happening in those conversations? Are there jokes that probably shouldn't be told? Are there remarks that are questionable? Is there evidence in the side comments, quick asides, and mutterings under people's breath that prejudice and racism are hiding in the halls?

In these moments you are hearing the real heart of the organization. And while comments may seem innocent and innocuous, they are an indicator. There may not be overt prejudice, but tolerance of such activities can grow into a cancer that cannot be cured.

So far, this has all been wonderful. Yes, internal audit should provide assurance that the organization is taking positive, effective steps to ensure diversity and to root out the potential for racism. But what about the beam in our own eye? It is probably more important to first shine that spotlight of inspection on ourselves.

Which brings us back to that conference I was talking about way back at the beginning of this piece.

What does your department look like? Is it representative of the organization? Is it representative of the community? Look at your local IIA chapter. Is it representative? Why not? What has your department/your chapter done to reach out? What have you done to make everyone feel welcome?

I can't quote you any statistics. But I get around some and, while I see some diversity within audit departments, I am hard-pressed to believe most match the diversity within their communities. And I've seen similar, if not worse, representation in some of the chapters I've visited.

Now, if you believe — if you truly believe within your heart of hearts — that the profession has found the very best of the best, and that the current mix — female, Asian, Black, Hispanic, etc. — while not matching the population at large, is a true result of the very best people becoming part of the profession, then you need to take a deeper look. Because, if you believe that, then there is a problem.

Is it prejudice? Is it racism? I'm not sure what title to attach to it. But there is an underlying problem. And it is these underlying problems that currently permeate our profession and our organizations.

Internal audit is a great profession. But if we fall into the trap of accepting the lack of diversity within the profession and within our departments, then we will never achieve the greatness we know is within us. And we will have become part of the current problem, not a solution.

I've tried to do my best with the words at my disposal. I can only hope I've given you something to think about. And, in those thoughts, given you the impetus to take action.

Do something. Do something for the profession, do something for your organization, and, perhaps most importantly, do something for your fellow human beings.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • IIA Quality_July 2020_Blog 1
  • IIA Online Testing_July 2020_Blog 2
  • IIA Training_July 2020_Blog 3