**Warning** The comments in this post do not reflect those of The IIA!
Having a "seat at the table" seems to be the goal of many internal auditors.
Do they deserve a seat alongside senior executives at the top management table? Or do they deserve a seat with other support personnel, at a table designated for leaders of a business unit, or one where middle management sits?
The goal seems to be to sit among people like the CEO, chief financial officer, chief operating officer, general counsel, and the executive vice presidents. In practice, that is rarely achieved. Why?
It's because title and position (such as reporting to the board or CEO) matter much less than what you can contribute to the discussion at the top table.
When board members and CEOs share the views of Drew Stein (a board member and former CEO in New Zealand), internal audit will sit somewhere closer to the kitchen than to the CEO. He considers internal audit today and asserts:
- Almost all of internal audit findings are mundane operational compliance issues, which management, when notified, can attend to and rectify in an immediate sense. While important to ensuring operational integrity, these issues are not earth-shattering.
- The majority of operational compliance issues and minor financial irregularities are in the first instance identified by management during their normal duties and not by the internal audit group.
If internal audit is to earn a place at the top table, they have to:
- Audit what matters, and
- Communicate assurance, advice, and insights that matter.
What they do has to matter to the people at the top table, so they are eager to listen to what internal audit has to say.
Why? Because it matters to the achievement of their personal and enterprise goals. It helps them run the organization successfully.
Auditing That Matters is my attempt to guide those seeking a seat at the top table by accomplishing these two objectives. It challenges CAEs to understand and address risks to enterprise objectives, then to tell those at the top table what they need to know instead of what we traditionally like to report: what they need to know to be successful.
I thought people were coming along with me in this direction, but then I saw a new Practice Guide from The IIA: Engagement Planning: Establishing Objectives and Scope. The underlying IIA Standards, the 2200 series, talk about identifying the risks "relevant to the activity under review." This should mean understanding where what happens at that location, department, or unit is a source of risk to an enterprise objective. In other words, the audit should still focus on enterprise risk, though limited to how it is affected by local operations, rather than risk to local objectives.
However, when the Practice Guide talks about performing a "preliminary engagement-level risk assessment" by mapping local business processes and brainstorming, I fear that the result will be audits of what matters to that location but not necessarily what matters to the enterprise as a whole.
It shouldn't be necessary to perform a detailed engagement-level risk assessment. The location, unit, or process should be on the audit plan because it has already been identified as a potential source of risk to one or more enterprise objectives.
An audit should not be put on the audit plan because it has a lot of revenue, assets, people, or even complex systems.
It should be there because it is seen as a source of risk to enterprise objectives.
All you need to do at the engagement level is focus a little (not a lot) deeper on those potential sources of risk and decide how to assess and audit related controls. Recommending detailed process and control mapping is more often than not unnecessary and a waste of our most valuable resource — time.
The goal should be to provide assurance, advice, and insights that matter to the board and top management because it will help them navigate risks to the achievement of the objectives that matter to them — enterprise objectives.
If what you have to say matters to the people at the top table, because it includes advice, assurance, and insights that are actionable and help leaders run the organization as a whole, you will be welcome! If what you have to say only really matters to middle management, that is where you will sit. If what you have to say is seen as a police report, you will sit by the kitchen.
Does your internal audit function assess, audit, and provide assurance, advice, and insight on what matters to the top table?
I welcome your comments.