I have written frequently over the years about the enduring reputational challenges that internal auditors face. A quarter of the way through the 21st century, I would have hoped to see us finally recognized for all the value we add and the contributions we make toward our organizations’ success.
Sadly, a recent report from The Internal Audit Foundation, Internal Audit: Vision 2035 – Creating our Future Together, presents a reminder that we have much to do when it comes to how we are perceived. The report is the culmination of a mammoth undertaking by The Foundation during which more than 6,000 internal auditors and stakeholders from around the world were surveyed. While the report offers some great advice on the future of the profession, it was the response to a question about current perceptions of internal audit that most attracted my attention. Survey participants were asked a simple question: “In general, how do you think internal audit is viewed?” Here were the top 10 responses:
- Compliance-focused: 54%
- Independent: 51%
- As “police”: 48%
- Objective: 43%
- Trusted advisors: 40%
- Internal consultants: 40%
- Respected: 36%
- Collaborative: 34%
- Problem solvers: 34%
- Valued: 28%
While responses such as “trusted advisors,” “respected,” “collaborative,” and “valued” were positive terms, the percentage who report those perceptions was abysmal in my opinion. Based on the responses, internal audit is 71% more likely to be thought of as “police” than “valued.” It is 59% more likely to be thought of as “compliance-focused” than “problem solvers.”
Over the past two decades, we have shed many of the classic stereotypes that weighed us down for so much of our profession’s storied history. We have been called upon by our boards and executive management stakeholders to help our organizations navigate the risks of cyber breaches, toxic cultures, even ineffective risk management itself. But despite our progress, as the Foundation’s report reveals, there are still some stigmas that we must work collectively to discard. Perhaps the one that struck me the most was that 48% believe we are still thought of as their organizations’ “police.”
As a young internal auditor, I was indoctrinated early on the need to catch those who might be doing “bad things.” Looking back, I realize how ridiculous the approach could be at times. As a civilian auditor for the military, I was called on to do regular audits of the officers’ clubs. One of our audit steps involved inventorying the unused bottles of alcoholic spirits to ensure that bartenders had not been guilty of generous pours (or worse). We were referred to by some as the “liquor police.”
Over the years, we were successful at convincing our stakeholders that such audits added little value in the big scheme of things. But there were still many audits and audit steps designed to detect fraud, waste, and mismanagement. As I look around the profession and hear regularly from internal auditors in the 21st century (including participants in the Foundation’s survey), I am saddened by the amount of policing that internal audit still undertakes. It’s one of the reasons we are still disparagingly referred to as the “corporate police” inside many organizations.
I would like to think we are saddled with these policing duties because our stakeholders demand it. Unfortunately, some of us still act like police because we enjoy it. There is a sense of power that comes from picking up a “radar gun” to identify speeders. Good internal auditors resist that temptation and focus on a range of ways to achieve outcomes. Catching speeders isn’t the only way to achieve traffic safety, just as findings of compliance violations aren’t the only way to reduce compliance risks.
To be clear, I am not suggesting that compliance audits have no place in an internal audit plan. There will always be compliance risks that warrant internal audit coverage – particularly in regulated industries. However, we must reassess the extent to which we deploy compliance testing – particularly in non-compliance audits such as operational, financial and IT areas.
There is no one-size-fits-all solution to this challenge, but there is a guiding principle that serves us well in all that we do: “follow the risks.” In other words, we must assess where the risks are the greatest in deciding what and how to audit. In assessing your approach/dependence on compliance testing methodologies in your audits, I suggest you challenge yourself by exploring the reason for the audit and the appropriate methodologies to achieve the objectives. In deciding the extent to which compliance testing will be appropriate, you might ask:
- Why was this area/process/business unit chosen for audit?
- What was the risk that resulted in its addition to the plan?
- Was there a compliance aspect to the risk?
- Have we crafted audit objectives that align with the risks?
- Do the methodology and objectives truly necessitate compliance testing?
- Is there a better way to mitigate the risk and enhance outcomes than testing for compliance?
In the end, you may well decide that compliance testing will be an important part of the engagement. If so, you should communicate with the client and design the testing so as to minimize the sense that you are in a policing role. Make sure the client and operating staff understand why the testing will be necessary – how it will minimize risks and ensure the success of the business unit and enterprise in the future.
All of this may sound somewhat elementary and even superficial. Yet, from my experience, our relationships with the client and the ultimate success of the engagement are dependent on how they perceive our motives and whether they feel respected. As I noted in a blog in 2022, we would do well to consider our reaction to a traffic policeman with a radar gun aimed at us, and contrast that with the appreciation we feel for the traffic officer who guides us around an accident or construction site.
As the Foundation’s report clearly spells out, internal auditors have a lot of work to do to turn the unflattering perceptions about internal audit around. We can start the process by examining our own behavior and how it contributes to the negative perceptions.
I welcome your comments via LinkedIn or Twitter (@rfchambers).