Effective internal auditing often involves going beyond the initial audit. Some practitioners may believe their obligations end after communicating findings in the audit report, but this approach generally proves insufficient. Internal audit recommendations have no value if management decides not to take action.
When audit findings are not acted upon, the most likely explanation is that management does not believe the risk justifies the cost or disruption the recommended actions would cause. It could also mean that management disagrees with the risk level expressed in the audit report or that it does not believe addressing the risk is a priority. Even worse, management’s inaction may be a sign that it does not understand the report.
Each of these problems represents a failure of internal audit. Management may contribute to the problems, but internal audit bears ultimate responsibility — the client’s failure to act reflects internal audit’s inability to sell its findings and persuade management to make timely changes. Internal auditors need to convince managers that action is necessary, appropriate, and in some cases, urgently required.
The effective internal audit department not only helps drive constructive change, but it has a reputation for ideas that will help the organization succeed. In that sense, internal auditors are evangelists for running the business better.
Audit practitioners can add considerable value to the business if they are willing to work with management to effect worthwhile change. Two examples from my own career illustrate how auditors can serve in this capacity and help evangelize for organizational improvement.
When I was the head of internal audit at a large U.S. domestic oil refining and marketing company, one of the firm’s local refineries consistently gave both the auditors and senior management headaches, even while we smiled at its earnings. The refinery’s operations were complex and difficult to manage. Even though management paid great attention to equipment maintenance, employee safety was a critical concern — the facility experienced occasional fires, as well as an explosion that cost several lives. Compliance with federal and state environmental laws and regulations also proved challenging.
Because of the high risk level, internal audit maintained a team resident within the refinery, led by an experienced audit director. The team issued several reports each year identifying significant issues relating to the quality and cost of maintenance, controls over compliance with environmental laws and regulations, and other areas.
Although the refinery manager and his direct reports always responded positively to our audit reports, we continued to find issues and noticed that corrective actions took excessive time to complete. Part of the problem lay with an ineffective management team. The refinery manager had a great deal of experience and technical competence, but he had not gained the trust of his team. Plus, there was conflict between the manager and some of the facility’s other key management personnel, as well as significant tension between the engineering and maintenance departments. Fortunately, the president of the company’s refining operations recognized that the first step to correcting the situation was to change refinery managers.
Shortly after the company announced it had selected a replacement for the position — a manager from one of its other refineries — I shared with the new manager my observations on the underlying organizational and teamwork issues. I also sent him a copy of the prior two years’ audit reports, as well as a schedule of the outstanding management action items. He later thanked me for the information, but then made a comment that amazed me. He said that he agreed with everything we had reported: the findings, the significance of the risk each represented, and the agreed action items. He then added that while he acknowledged our need to perform audits on risks at the refinery that mattered to the organization as a whole, every audit and every finding just added to his massive task list.
The manager asked that we find a way to help him effect change rather than simply adding to his team’s list of action items. I had to agree that he and his team had a formidable task in front of them and needed our help. His comment reinforced for me the tremendous difference between issuing a report, even if the corrective actions have been agreed on, and effecting change.
I spoke to my local audit team about what we could do. We thought we were already doing a great deal to “sell” our findings to management: We worked hard with them to agree on the overall audit assessment and the actions necessary and appropriate to correct any deficiencies. We also met with the refinery manager monthly to review the status of issues and to hear his thoughts on the challenges facing refinery management.
We agreed on three additional actions. First, we reviewed the audit plan and made sure engagements addressed only high-risk areas; the rest could wait because they were unlikely to identify issues that would rank high on the action-item list. Next, we reviewed and prioritized the list of outstanding management action items. The team prioritized it first and then met with refinery management to agree on both the priorities and, if necessary, revised due dates. Finally, we decided to use more facilitated self-assessment sessions to help management work through some of the more difficult areas. Sometimes called control (or risk and control) self-assessment workshops, these sessions involved bringing a cross-functional group of managers together to discuss an issue, identify the optimal solution, and agree on a plan to implement it.
Using this approach, we increased our ability to help the refinery management team effect the changes necessary to improve performance, safety, and compliance. Instead of ending our involvement by communicating our findings and recommendations, we worked actively with the management team to ensure a shared understanding of related risks, break through barriers to corrective action, and (without impairing our objectivity or independence) help the team effect desired change.
A few years later, I joined a large contract manufacturing organization as vice president of internal audit. I inherited an audit department that, according to the CEO and chief financial officer (CFO), was well-regarded by senior management. The company assembled electronic products for computer, telecommunications, and similar businesses in its more than 100 factories around the world.
As I reviewed the last year’s audit reports, I saw that my predecessor had developed an innovative way to present the results of each audit. He included a dashboard on the first page of the report with traffic lights for each risk area (red, yellow, or green to show whether or not risks were well-controlled). The dashboard also indicated whether there were any significant issues — and if so, how many.
Internal audit had performed reviews every year that focused on the more critical activities at each of the company’s larger plants. The auditors consistently discovered significant issues — often the same issues — and each time management agreed to take corrective actions. But according to internal audit’s schedule of outstanding management action items, many took far longer to complete than promised.
Shortly after joining the company, I met with its top executives, including the CEO, CFO, chief information officer, and heads of major business units. From our discussions, I learned that internal audit was well-regarded for two main reasons. First, my predecessor was charismatic, and he was effective with the audit committee and senior executives. Second, the executives only heard positive comments about internal audit from their line managers. When I asked whether they found the audit reports useful, they admitted that they seldom read them. The executives also told me they were not aware that action items discussed in the audit report were not being completed within agreed time frames.
My discussions highlighted a crucial disconnect. While senior managers received audit reports with significant issues and actions agreed on by line managers, they were not driving change effectively. The problem was especially glaring considering that many of the same issues were identified at multiple locations. Top management’s failure to pay attention, together with failures within internal audit, caused pervasive issues to remain unaddressed by corporate officers — not just those at the local level. When I contacted my predecessor — who had moved to a senior position in finance — he was surprised to learn that the executives were not reading the audit reports. He had assumed they were, as the feedback he received in his annual stakeholder satisfaction survey was always positive. Unfortunately, he hadn’t asked them directly whether they read the reports, agreed with the findings and recommendations, and monitored progress on related action items.
I made several adjustments that I believed would improve our ability to influence change. The first involved modifying our risk-based approach to identify risks at the corporate level rather than locally. One of the virtues of this change was that it helped us identify pervasive issues and shift our focus to the corporate team instead of local management. Only corporate managers would be able to assess the overall corporate risk, consider alternatives, and take the best actions for the organization as a whole.
We also implemented regular meetings with all the major business and department heads. A few such meetings had been held before, but they were infrequent and general in nature. The new meetings included discussions around the executives’ strategies and objectives, the risks to their achievement, and opportunities to improve the likelihood of success — including the need for, and status of, corrective actions.
Reporting to the audit committee continued to include schedules showing the status of agreed management action plans. But now the number and age of outstanding action items changed and became a point of satisfaction instead of one of concern. We were also able to change the audit plan to address issues discussed in executive and board meetings — issues that mattered to the success of the organization — rather than looking at the same business risks every year and only varying the location being audited.
As a young CAE, I attended management training classes on the topics of sales and marketing. They helped me recognize that manufacturing what a business considers a valuable product will not lead to success until customers know they want to buy it. By the same token, internal audit engagements cannot produce positive change unless clients understand the significance of audit findings and that implementing recommended actions will improve the ability of the organization to succeed.
As a profession, we need to change from simply reporting problems to working with management to help them address those problems, improve organizational processes and systems, and ultimately, succeed. We do that by becoming evangelists to the organization, encouraging through our actions and words effective behavioral change.