This year will mark my 34th in the internal audit profession. During my career, I have had the privilege of leading internal audit teams and conducting quality assessments of internal audit functions in the public sector, not-for-profit sector, corporate sector, and even the Big Four. I am sure I could fill a book on the successful strategies I have seen deployed by high-performing chief audit executives (CAEs). By the same token, I have witnessed more than a few spectacular failures over the years. Failures are rarely career enhancing, and sometimes they can be downright fatal not only for the CAE’s career, but also for the internal audit function itself.
What are the most common reasons that CAEs fail? They can miss key risks in their annual risk assessments. They can deliver audit reports that lack impact or fail to demonstrate value. They can even fail by surrounding themselves with the wrong talent. However, from my experience, the most common strategic mistake that CAEs make is failing to maintain ongoing alignment with the needs and expectations of their key stakeholders (typically the audit committee, chief executive officer (CEO), and chief financial officer (CFO) in the corporate sector). Once a gap emerges, it is only a matter of time before the audit committee and senior management collaborate to change CAEs.
Isn’t it obvious when a gap is emerging? It certainly should be for the CAE. However, all too often they are clueless until it is too late. The first time I witnessed this phenomenon was almost 20 years ago. I completed an external quality assessment for a small internal audit function near Seattle. In those days, quality assessments were more of a checklist of performance against the International Standards for the Professional Practice of Internal Auditing (Standards). I concluded the review with the observation that it was “one of the best departments I had ever seen.” Within six months, the CAE was gone and the department eliminated. I went back and asked the CEO what happened. It was simple, he said: “They weren’t demonstrating any value. I had to implement significant budget reductions, and they were one of the few targets that everyone agreed should be eliminated.” While I did not agree with the decision, it was one of the most important lessons I’ve ever learned — the value proposition is critical to internal audit’s success.
If you are strongly aligned, why do you need to worry? The answer is simple. Stakeholder expectations for internal auditing can shift swiftly and dramatically. That was never more evident than in 2002. In the years leading up to the U.S. Sarbanes-Oxley Act of 2002, many corporate internal audit departments were focusing on operational risks and IT risks. Many of them were even becoming corporate “business partners” and donning consulting hats. With the swift stroke of the President’s pen, Sarbanes-Oxley became law, and corporate internal audit functions across the United States became a key source of insight on the effectiveness of financial controls. In short, the expectations of internal auditing’s stakeholders turned on a dime. In the months and years that followed, many CAEs who were not willing or able to pitch in and help with Sarbanes-Oxley compliance found themselves irrelevant or worse.
Are there circumstances that are likely to prompt swift changes in stakeholder expectations? In my experience, the factors that seem to accompany such changes are (1) the enterprise is experiencing swift expansion, (2) the enterprise is under significant revenue or cost pressures, or (3) new external risks have emerged for the enterprise. In each instance, internal audit stakeholders are likely to seek a new or different focus/value from internal auditing. Most successful CAEs are agile or flexible enough to adapt. The really successful CAEs are one step ahead and can anticipate expectations shifts before they occur. Unfortunately, many fail to recognize that expectations have moved on and become seriously misaligned. Of course, there is also the situation where old stakeholders depart and new ones take over, but that is the subject for another article.
What are the lessons that can be applied in 2009? At least two of the factors above are present for many companies in the current economic environment. Revenue and cost pressures abound. In addition, new external risks include brutal market forces, an unprecedented crisis in the capital markets, and a likely avalanche of new regulations and legislation that will emanate from Washington. If you are still banging away on financial controls, channeling a vast portion of your resources into Sarbanes-Oxley testing, or crafting audit plans loaded with cyclical audits of low-risk operating units, you may want to revisit priorities with key stakeholders. In many instances, they are desperately looking for assurance that cost and operating risks are being addressed. Many boards also are trying to figure out how they can gain objective assurance on the overall effectiveness of risk management. These are all areas where internal auditing can play a role. Be proactive, and have a dialogue on what their needs and expectations for internal auditing really are.
10 signs that potential trouble may be brewing for the CAE: