One of the features that makes internal auditing so valuable to modern enterprises is that we serve multiple stakeholders, including the board, various levels of management, and even external auditors and regulators. Conventional wisdom is that internal auditors should align their coverage with stakeholder expectations. But the fact is that the various stakeholder groups rarely agree on where internal should be focused to add value.
Differences of opinions among internal audit stakeholders are sometimes subtle, but trying to satisfy everyone can become particularly problematic if the disagreement is between the audit committee and management. In such cases, the chief audit executive (CAE) can feel caught between two very powerful forces.
I have heard CAEs taking sides in these debates, based not on the particular issue at hand but on whose opinion should take precedence. The stance, for example, may be: “We need to work with management. Management knows the company best, so we will just have to discreetly ignore the audit committee’s requests.”
I’ve also encountered CAEs whose view is that the audit committee, rather than management, should prevail when internal audit is determining its priorities. “Management doesn’t approve our annual plan; the audit committee does. We will just have to explain to management why we need to follow direction from the audit committee rather than to undertake a special audit request from the chief financial officer (CFO).”
From my experience, neither of the foregoing approaches is healthy. If you elect to follow the direction of a single stakeholder group without making every effort to find common ground, you are missing an opportunity. What’s worse is that you are often engaged in a dangerous game of corporate politics. Hitch your wagon exclusively to the wrong stakeholder group, and the results could prove disastrous for internal audit and even fatal to your career.
It is true that the audit committee generally has responsibility for final approval of the annual audit plan and, by extension, levels of resources. The real issue is not whose opinion should take precedence. Instead, we must operate with a shared vision regarding risks and controls. With that in mind, the issue becomes how to bring management, the audit committee, and the CAE to a consensus.
When the audit committee and management disagree about audit priorities, I believe the first step should be for the CAE to have a candid dialogue about all potential options. For example, the audit committee may believe internal audit’s primary focus should be to provide assurance on the effectiveness of financial reporting controls, and management may believe that internal audit should focus on operational effectiveness or compliance. At this point, the CAE generally should avoid creating any tension about what each stakeholder groups wants, and instead try to understand each point of view. It also may be helpful to ensure that both the audit committee and management have an appreciation for the full range of internal audit’s capabilities.
If these initial discussions have not cleared up differences of opinion, it may be time to discuss the other party’s views with each stakeholder group. For example, you might need to tell the audit committee that management wants internal audit to focus on cost containment and reduction opportunities and moderate some of the focus on financial controls in the coming year. These discussions must be handled with care. The situation can get difficult if management officials believe you are putting them on the spot with the audit committee by pointing out that they take a different view.
In most cases, agreement will be reached at this point. However, if there is still disagreement, my advice is to hold a three-way conversation involving the CEO or CFO, the audit committee chair, and the CAE. The CAE should facilitate a candid conversation about the different expectations and try to foster a consensus among these important stakeholders on internal audit’s priorities.
Of course, senior management and audit committees are not our only stakeholders. Take, for example, regulators, who in some industries (such as financial services) are starting to outline specific expectations regarding audit plans and schedules. I once had an official with a U.S. regulator refer to internal audit as their “boots on the ground” when describing a bank’s internal audit function. It’s likely that neither management nor the audit committee would agree with that view. Moreover, it is unlikely that you will get regulators to sit down and discuss the alternatives with your leadership team. But even if we can’t bring all parties together to discuss the issues, we can clearly articulate to management and the audit committee the risk of developing internal audit plans that are not aligned with regulator expectations.
We all want what’s best for our organizations, but it’s only natural for people to see things differently. Things would certainly be easier if we didn’t need to worry about keeping all of our stakeholders happy. But without our stakeholders, internal audit has no mission. The best audit schedules are built through consultation with all our stakeholders. By actively working to establish consensus, we are helping to ensure the audit schedule addresses risks appropriately. If we consistently assess and reassess stakeholder needs and expectations, and if we align the delivery of our services to meet these evolving demands, we are more likely to deliver the value they are seeking.
What are your thoughts and insights for aligning stakeholder expectations? Feel free to share your comments with me at blogs.richardchambers.com.