6 Ways a Career in Internal Audit Prepared Me to Be a CEO
April 24, 2023Did Banking Regulators Just Throw Internal Audit Under the Bus?
May 8, 2023If it’s May, it must be Internal Audit Awareness Month. This is when internal audit leaders and advocates around the world turn up the collective volume for the profession and build greater awareness of the value we bring.
Throughout the month, The IIA, its chapters and affiliates, and many others will gather proclamations from government officials, reach out to the community and, conduct myriad other activities to promote recognition and support for internal audit. It is also a time to create awareness among those who might be considering a future in the profession.
In short, Internal Audit Awareness Month is an inspiring time each year to be an internal auditor, and I support the tremendous efforts. But before we slice the celebratory cake and sign off on the month, I want to express a few thoughts.
First, by setting aside only one month each year to champion internal audit, I believe we lose an important opportunity to continue building awareness by not making this a year-round endeavor. I addressed this in a blog last year during awareness month. Grab the spotlight this month, but don’t go dim the rest of the year.
Another issue is in who we are targeting. Certainly, it is important to build awareness across the broader community. Many legislators, regulators, standard setters, investors and even the general public don’t fully grasp what we do or the value we bring. So, reaching out to them in an awareness campaign makes perfect sense. But awareness begins at home. Are we taking for granted what those within our own organizations – particularly in the C-suite and boardrooms – know about us?
There is a natural assumption that these key stakeholders understand our capabilities and the value that internal audit can deliver. But do they really? And if they don’t, whose fault is that?
While it is beneficial that everyone appreciates who we are and what we do, it’s essential that our key stakeholders do. Sadly, too many do not, or they have a superficial understanding of internal audit’s role and contributions to the organization. Ironically, this is particularly true of some audit committees.
Based on my experience, I have found that, too often, audit committee and other board members join an organization with preconceived ideas about internal audit. If they have been around internal audit functions steeped in talent and possessing a deep understanding of strategic business risks, they will expect the internal audit function in their new organization to perform at the same level. However, if they have been around weak and ineffective internal audit functions (or, if this is their first association with internal audit), their expectations may be limited. These are the stakeholders to target. We should never make the fatal mistake of meeting low expectations.
Management and the audit committee also may not fully appreciate your potential. Do you advocate their use of internal audit to protect and enhance/realize value? Do they understand the role internal audit can play in addressing a spectrum of critical and emerging risks, or do they think of you as the traditional financial control assurance function?
As we mark the beginning of awareness month, I encourage you to ask yourself these questions:
- Does management seek us out for advice and insight on a new or emerging risk?
- Does management understand our processes for assessing risks and do they fully engage with us in assessing and monitoring critical risks in the organization?
- Does management invite us to “the table” when business/strategic risks are being discussed?
- Does management and the audit committee understand that we follow a code of ethics and standards set by The IIA when undertaking our work? Are they aware of the results of our last external quality assessment, and when the next one is scheduled?
- Is the audit committee and the board aware of the additional obligations the IIA’s proposed Global Internal Audit Standards would place on them in their oversight of internal audit?
- Does management and the audit committee look to us for assurance related to cybersecurity, ESG, and organizational culture?
- Does management and the audit committee know which risks we are not addressing due to resource limitations or lack of expertise?
If you answered “no” to one or more of those questions, then I believe you should dedicate some time this month to create awareness at home.
Don’t let this opportunity pass without advocating the importance of internal auditing to your key stakeholders. The better they understand your capabilities, the more likely they are to leverage internal audit in their oversight roles and in creating value for the organization.
How are you spreading the good word? Let me know by commenting on this post or via email at: blogs@richardchambers.com.
I welcome your comments via LinkedIn or Twitter (@rfchambers).