The Guardians of Trust

Cultivating trust can enhance business performance, but it runs counter to the instincts of organizations and internal auditors.

Trust is key in every business and personal relationship — it is essential for cooperation and motivation. Trust should be high on the agenda of internal auditors, too. IIA President and CEO Richard Chambers emphasized the importance of trust for internal audit in his address to a 2013 IIA–Netherlands conference: "We see ourselves as the guardians of trust in our organizations." As guardians, auditors should know what they are trying to protect, which is difficult when it isn't defined, measured, or frequently discussed or monitored.

The essence of trust is being comfortable with a person's behavior, particularly in situations when he or she has to make tough decisions. By trust, we mean informed trust — a situation in which a fair amount of trust is given and in which the given trust is periodically verified and mutually reconfirmed.

For internal auditors, trust involves both 1) their interactions with their organization's leadership and audit clients and 2) their need to assess the trust levels within their organizations. As such, trust is fundamental to the effectiveness of internal audit and should be considered within audits and within the professional development of practitioners.

The Economic Value of Trust

Trust is perhaps our most important human, social, and economic capital, yet people often do not handle it with sufficient care. Too often, managers start governing, organizing, or controlling merely from distrust. Dogmas such as "trust is good, though control is better" influence the way in which organizations are structured, managed, and audited. Checks and balances are everywhere, even where trust might be a much better approach to seize opportunities and manage risks. Where distrust reigns, organizations suffocate in rules, procedures, and controls. Internal auditors often aggravate this situation by recommending even more rules.

Trust and The Standards

The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) refers to trust in terms of the auditor's own role and position. Standard 1120: Individual Objectivity states that the internal auditor is "in a position of trust." Moreover, the Code of Ethics says, "The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment." In its definition of fraud, the Standards glossary describes organizational fraud as a "violation of trust."

Moreover, too much distrust is unhealthy. It convulses relationships, sours creativity, and hampers motivation and cooperation. These are key drivers of quality, competitiveness, and innovation, which are all crucial for sustainable economic performance.

A group of people will never form an effective team without sufficient trust. Trust drives openness, camaraderie, and initiative, which are essential ingredients for successful innovation and renewal. On a continuum, small steps from unhealthy distrust to informed trust could bring significant economic advantages. In his book The Speed of Trust, management expert Stephen Covey describes the impact of trust on costs and the speed of decision-making: more trust → lower costs and higher speed → greater profit.

Although informed trust is built and reconfirmed over time through social interaction, this does not mean abolishing all procedures, rules, checks, and balances. On the contrary, an appropriate level of internal control is required to facilitate the process of trust building and reconfirmation.

The Need for Change

Most current thinking on organizational performance dates back to the 1960s through the 1980s — a period in which stability and predictability were abundant, and the biggest management concern was with efficiency. This, combined with almost undisputed and negative assumptions about human behavior, brought forth modern management theories and associated instruments.

The resulting practices included corporate governance structures in which people within the organization are not trusted and must be monitored and tightly controlled. Many organizations implemented management instruments such as management scorecards, remuneration instruments, "Plan-Do-Check-Act" cycles, and quarterly reviews of figures. However, these measures may inhibit an organization's innovative capacity, as they assume outcomes are predictable and controllable.

Recently, stability and predictability have been replaced by rapid change and uncertainty. Efficiency is no longer the sole concern of managers. Dealing with turbulent business environments requires organizational creativity, agility, speed, collaboration, and engagement.

A more positive perspective on human behavior could redefine the current management paradigm by adding three other parameters to the business case for more organizational trust: motivation, innovation and change capacity, and risk. The model clearly shows the dividends that trust can generate: more trust → more motivation, lower costs, higher speed, greater innovation and change capacity, and higher or lower risk → greater enterprise value.

Motivation Drives Performance

In recent years, we asked about 1,000 managers, controllers, and internal and external auditors to describe a period in their careers when they were very engaged, full of energy, and highly motivated. Most participants recall such a period, but many consider it to have been too brief. Nearly all participants admitted that during the time in which they gave their best, they had to comply with fewer rules, procedures, and other internal controls. There were no detailed forms or extensive checklists to be completed, nor were there long authorization and approval procedures. The absence of these formal controls did not result in less motivation or distraction from the organization's goals — participants' enhanced personal engagement was their response to the level of trust they received.

Participants said trust, purpose, respect, openness, and camaraderie among group members were the crucial ingredients to their openness, cooperation, and hard work. Because of the high level of trust among the group members, control did not need to come from costly, time-consuming, and often demotivating formal management systems. Instead, the group relied on cheaper, faster, and more learning-oriented interactive controls. The group organized and controlled themselves via direct interaction, personal coaching, encouragement, and, if needed, clear, face-to-face correction.

Innovation and Change Require Trust

Many internal auditors believe that more hard controls automatically lead to less risk. But this is not necessarily true, particularly not in the case of innovation, which requires:

  • Initiative to challenge existing paradigms and beliefs.
  • Courage to propose and accept new ideas.
  • Openness to discuss and challenge different perspectives.
  • Cooperation to share and support.
  • Camaraderie to stick together as a team when times get tough.
  • Perseverance to stick to the vision and plans when things get rough.
  • Flexibility to adapt plans if needed.

All of these dimensions of successful innovation presuppose a sufficient level of trust among participants within the organization.

The Impact of Trust

The impact of more trust on an organization's risk profile depends on the starting point. Adding more trust to an organization that already has a high level of trust would probably increase risks by creating too much opportunity for self-interested or fraudulent behavior and lowering the probability of timely detection.

On the other end of the spectrum, adding more distrust to an organization that already has a low-trust culture also may increase risks. More distrust results in more controls, more costs, less speed, and less motivation that would increase business risks. However, adding some trust to a low-trust organization can increase motivation, openness, cooperation, and the willingness to show initiative, resulting in a decrease of the risk profile. These factors are not only important drivers of competitiveness and innovation, but also are crucial ingredients for effective risk management, fraud prevention, and compliance.

"The Relationship Between the Level of Trust and Risk Profile," at right, depicts the continuum from a very low to a very high trust level. Along this continuum, there is a "tipping zone" (between level A and level B) in which the risk profile does not change with an increase or decrease in the trust level. However, increasing the trust level beyond level B or further decreasing it below level A would raise the risk profile. An organization with a low trust level could earn an economic dividend from an increase in trust as well as decrease its risk profile and its costs of control.

Stakeholder Interactions

A growing emphasis on trust has implications for internal audit's approach to assessing the effectiveness of an organization's risk management, control, and governance processes. The first dimension of trust — interaction with principals and audit clients — relates to the auditor's own impact. Creating impact is about the quality of internal audit's work, the acceptance of its recommendations, and management's commitment to take action. Basically, trust is built around two dimensions: professional trust (relating to the auditor's perceived professional capabilities) and personal trust (relating to his or her perceived intentions and motives). Although not exactly the same, professional trust relates much more to IQ, while personal trust relates to emotional intelligence.

To create more impact, auditors should address the question of whether management and audit clients put sufficient trust in them or the internal audit function. If people do not trust auditors' good intentions, the acceptance of their recommendations — regardless of their intrinsic value — may drop. Such trust is based on others' perceptions of the auditor's intentions, rather than the auditor's actual intentions.

Building a high-trust organization starts with recognizing that trust is established between people through social interaction. Developing and maintaining informed trust requires both time and a mutual continuous investment in the relationship. Only when there is sufficient trust among individual team members can it grow to the group level, such as a project team or department, and extend from group to group throughout the organization. By setting an example, internal audit can act as a catalyst for this organizationwide process.

In discussions of organizational trust, the "norm to be applied" will arise. Which norm should auditors use for their judgment regarding organizational trust? How exactly do they define trust? What baseline can auditors use to indicate whether the level of organizational trust is too high or too low? These difficult questions apply equally to hard controls. Examples include:

  • Defining and measuring risks or risk appetite.
  • Assessing the appropriate level of risk exposure or control ambition.
  • Establishing the effectiveness of internal control measures.
  • Applying and quantifying "reasonable assurance" in practice and translating this into audit planning.
  • Defining, measuring, applying, and explaining the scores regarding the maturity of internal control systems.
  • Weighting audit findings on a scientifically solid basis.

Auditors sometimes apply ingenious definitions, methodologies, checklists, and scorecards to assess hard controls, but these, too, are seldom without a great amount of "professional judgment."

Discussions of soft controls, such as trust, leadership, and culture, often are met with serious skepticism fueled by the perceived subjectivity of these matters. This attitude is largely grounded in a lack of familiarity with the topics and the accompanying terminologies and methodologies. Although measuring soft controls can be subjective, the same level of subjectivity is already an inherent part of auditors' work. Internal audit could develop standards and required capabilities through learning and cooperation within the profession by building a certain level of consistency in definitions, approaches, and measures. And as long as internal audit's intentions and motives are perceived as good, top management and audit clients should not have a problem with a fair level of subjectivity.

Assessing Trust Levels

Ensuring that trust is on management's agenda is the primary responsibility of senior executives. Spending time on trust during internal audits and reminding executives of their responsibility will be a valuable contribution to the organization.

There are several methodologies available for assessing and visualizing organizational trust and its underlying components and drivers (see "Ranked Outcomes of a Trust Assessment Questionnaire" at right). An assessment — tailored to the specifics of the organization — will provide insights for improving trust among employees and management. It could be the starting point of a fundamental governance discussion about how top management would like the organization to be managed and how the organization is actually managed, linking strategy with execution. Moreover, it could lead to a conversation about the role trust plays or could play in improving the organization's resilience and agility, employee motivation, and creativity. It also could initiate a discussion about assumed human behavior, perceived risks, the quality of risk management, and the corresponding appropriate level of trust.

Trust should be addressed not only within operational audits that focus on organizational improvement, but also during compliance audits, due diligence reviews, and audits of the effectiveness of the risk management system. According to COSO's Enterprise Risk Management–Integrated Framework, open communication is a key building block of any effective risk management system. Open communication cannot be achieved in an organization in which distrust reigns. Having different perspectives and subcultures can be positive and add value to the organization, as long as leadership is able to reconcile them. Such reconciliation of subcultures is only possible when there is a sufficient level of trust. Internal auditors can play a key role in identifying, measuring, and analyzing the level of trust, or distrust, as they have access to all different parts and levels of the organization. The outcomes of their surveys provide ample room for discussions with audit clients and management.

Balancing Trust and Control

Is there a business demand for making trust an enabler of the smooth operation of the organization? Many entrepreneurs and managers have referred to the need to bring down the burden of control and compliance. As competition intensifies, operational margins erode, and available budgets decline, many organizations can no longer afford the current direct and indirect costs of control. Instead, organizations need to redefine the balance between trust and control.

Although a shift toward informed trust could benefit cost models, quality, competitiveness, and innovation, internal auditors, controllers, and regulators often are the biggest barriers to undertaking such a voyage. Internal auditors can start to change that perception by acknowledging that openness, motivation, initiative, and cooperation are fundamental to effective internal control.

Tjeu Blommaert, PHD, is the owner of Blommaert Enterprise in Maastricht, Netherlands.

Stephan van den Broek, RA, RC, is partner at Blommaert Business Academy & Consulting in Maastricht, Netherlands.

Marinus de Pooter, RA, CIA, CMA, GRCP, is the owner of MdP Management, Consulting, and Training in Deurne, Netherlands.
