By Richard Chambers | May 12, 2019
It is often said that great leaders also possess the capacity to follow. As I have gotten older, I have begun to fully appreciate how true that is. I find there are many fields and areas of expertise where I am totally lacking. For that reason, I find myself looking more and more to others for advice and insight. In short, I have come to realize that, to be an effective leader, I must also follow.
Internal auditors need to be seen as leaders within their organization. In my 2017 book, Trusted Advisors: Key Attributes of Outstanding Internal Auditors, I identified “inspirational leadership” as one of the attributes that great internal auditors share. In the book, I reflected on inspirational leaders in the field of internal auditing:
Their unique positions in their enterprises enable them to connect with management and employees throughout the organization. These leaders seize the opportunities to impart insights and advice in a way that motivates change. But there’s another quality that sets these leaders apart: They have the capacity to inspire. They are inspirational change agents!
Internal audit leaders also demonstrate the capacity to follow: They follow the lead of others, and they often model the values and behaviors of those they admire and respect. But to be an internal audit leader, we must follow more than other leaders. In fact, I often advise internal auditors who seek my advice to do three fundamental things:
OK, I realize this advice may seem pretty obvious. There is a natural assumption that we are all followers of risks, the International Standards for the Professional Practice of Internal Auditing, and our conscience. But the reality is there is work to be done in all three of these areas by today’s internal audit professionals. Let me elaborate.
Follow the Risks. This is one of my most consistent mantras for our profession. For, if we fail to follow the risks, we are not serving our organizations well, and will almost certainly end up being asked, “Where were the internal auditors?” when a high-risk area damages our organization’s value or reputation. There are obvious warning signs showing that internal auditors may not be following some of the key risks facing organizations in 2019. For example, cybersecurity is at or near the top of most CEOs’ and boards’ lists of key risks. Yet The IIA’s most recent Pulse of Internal Audit report revealed that only about 7% of internal audit resources are being dedicated to cybersecurity risks. I have often been quoted as saying, “Internal auditors can audit anything, but not everything.” But if we miss the high-risk areas, it won’t matter what we could have audited. Leaders in our field understand the importance of risk-based auditing. They follow the risks!
Follow theStandards.No real profession can exist without standards to which its members are held accountable. It is in large part because of The IIA’s Standards that internal auditing is now widely viewed around the world as a profession. Yet despite the accessibility of professional internal audit standards, there is plenty of evidence that internal auditors are following those Standards at a disappointing rate. The Internal Audit Foundation’s 2015 Common Body of Knowledge (CBOK) study found that less than 35% of chief audit executives (CAEs) fully comply with The IIA’s Quality Assurance and Improvement Program standards alone. Even more troubling, the CBOK report noted that many CAEs who do not follow the Standards do not disclose their nonconformance to their audit committees or other governing bodies. While conformance with other standards was often much higher, we must recognize that we are only as strong as our weakest link.
So why don’t we follow the Standards more faithfully? The excuses are endless: “I don’t have the resources”; “I don’t have the time”; “My audit committee doesn’t care.” These are not the words of true leaders. Leaders in the internal audit profession would see professional standards as an essential resource to guide them in serving their organizations. They follow the Standards!
Follow Your Conscience.This one is a bit different. After all, risks can be assessed and documented. The Standards are documented for the whole world to see. But an internal auditor’s conscience is known only to him or her. Others may point fingers at us for not following the risks or following the Standards, but no one is likely to challenge whether we followed our conscience. This one is self-graded.
I am often approached by internal audit professionals who are struggling with an ethical dilemma. Sometimes they are being pressured by executives in their organization to conceal bad news or look the other way. Sometimes they are blocked from looking at areas of high risks or where there might be suspected fraud or ineffectiveness. They are seeking my advice on a course of action. I will listen to their plight and point out some options. In the end, however, my advice is usually very simple: Follow your conscience. The mere fact that they are raising the dilemma with me is evidence that it is bearing on their conscience.
I can tell them what I would do in a similar circumstance, but their circumstances might be completely different. For example, faced with their circumstances, I might quit and find another job, but they may be employed in a constrained job market and have a young family at home. In the end, only they can decide the best course of action for themselves.
If there was ever a time in my career when I didn’t initially follow my conscience, I found that I ultimately had no choice. Our conscience will often serve as a persistent and persuasive voice inside of us. And it will keep raising its voice until we do the right thing.
The thoughts I share in this blog are ones that would rarely be linked together. However, they have one thing in common: Following the risks, following the Standards, and following one’s conscience are among the hallmarks of good internal audit leaders. And we are never too successful or important to be followers.
I welcome your thoughts.
I welcome your comments via LinkedIn or Twitter (@rfchambers).