Five Red Flags That Your Internal Audit Department May Be Losing Stakeholder Support

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 

 
 
Stakeholder support is vital to internal auditing’s ability to add value and contribute to the organizations we serve. When chief audit executives and their staff are not meeting stakeholder expectations, there are typically signs or early indications that the support we might have enjoyed in the past is starting to slip.
 
I saw this scenario play out many times during my years leading internal audit for the U.S. Army. I have likewise seen it occur in the corporate sector. Like many of my colleagues, I’ve also taken over internal audit functions where my predecessor had lost that connection with stakeholders. So I’ve seen the signs. I know what they look like, and I thought I’d share some with you:
 

1. Lackluster response. If you’re having trouble getting stakeholders to complete your annual risk assessment, that’s a problem. Executives and board members all have things that keep them up at night. If they won’t share their concerns with you, it could mean that they believe that you will not act on them, or that you don’t have the ability within your team to address them.

2. The phone never rings. Delivering value is key to the long-term success of any internal audit function. If executives and business unit leaders do not feel internal audit adds value, they will rarely seek you out whenever a problem arises, or whenever they believe internal audit input or insight is needed. If your phone isn’t ringing, there may be a disconnect.

3. Breakaway republics. Internal audit is increasingly being referred to as the third line of defense, not a dotted line of defense. A strong internal audit function speaks with one voice. When business units start creating their own audit teams (or their own elements that duplicate the capabilities of internal audit), chances are that they’re not getting what they want from you.

4. Resource reduction. Companies invest in what they value. If an organization is cutting back across the board, that’s one thing. But if your budget is slashed disproportionate to other departments, that’s a pretty clear indicator that you do not enjoy the level of stakeholder support that you need.

5. The external quality assessment isn’t your idea. Standard 1312 of The IIA’s International Professional Practices Framework requires external quality assessments of internal audit departments at least once every five years. Internal audit should never be in a position in which they’re not the ones proactively pushing for that assessment. If your stakeholders independently initiate a quality assessment, it is likely they’ve got concerns and are looking for validation.

 
So those are some of the signs I watch for. The question now becomes: What can you do to get back on track? Anyone who knows me won’t be surprised by my answer. I think the best way to start is to acknowledge the elephant in the room; to say, “I understand that we may not be meeting your needs and expectations, and we are re-committing ourselves to doing a better job.”
 
Seek clarity. Get honest feedback on your strengths and weaknesses and enlist help from stakeholders in making the internal audit function more effective. Vest them in your positive outcome. It’s not enough to simply declare that you are going to do better. You need to engage your stakeholders in the process.
 
The rehabilitation process can be difficult. But recognizing that you’ve got a problem is half the battle.
 
What do you think? I’m sure some of you have had to deal with a crisis of confidence, or observed one at another organization. How did it play out? I’d love to hear your ideas on how an internal audit team that has fallen out of favor can reconnect with its stakeholders.

Posted on Jul 1, 2013 by Richard Chambers

Share This Article:    

  1. In case of Barings Bank scandal, the management ignored internal audit recommendations. 100 year old bank was brought down by a rogue trader. Finally, a well known bank was acquired by a Dutch bank ING. Management failed to understand internal audit issues, let alone, derivatives risk posed in Singapore. On the contrary, specialists in derivatives felt that either they were too busy or too independent to get bogged down for details required in audit risk assessment, planning and execution. Peer review standards in derivatives came under industry guidelines viz., DPG - Derivatives Product Guidelines. Each domain professionals have to look at this guideline to see if audit objective and control objective standards were met also. The financial market products and risks have moved in leaps and bounds similar to information technology, risk and control standards. Quality aspect in having the auditing standard is one thing but quality standards among peers in the industry group is one area considerable progress was made with best practice. The fact is market dynamics change constantly, however, audit piece had to align with best practice standards and rules rather than one isolated legal entity's problem unique to begin with auditing. Bridging of this gap is costly and it does not meet business alignment for stake holders. Salary and executive compensation required to have a dialogue and communication for risk that is either suitable or not suitable becomes a status quo is not good. That is the beginning of the problem for internal audit also under risk focused auditing standards, let alone, stake holders expectation. The best way to readjust and realign is to have internal audit seminars and international experienced professionals in specialized business domain to promote international auditing standard consistently also in these seminars and workshops.
  1. Richard, I completely agree.  The first step is to know there is a problem.  The next step is to understand the specifics, as you stated with seeking feedback on strengths and weaknesses.  About vesting them in your positive outcome, I would suggest giving the stakeholders specific metrics on which you want to be evaluated.  By setting your own metrics, you have a better chance of meeting and exceeding expectations.

    Keep up the excellent work!

    Steve 

  1. Richard: Great post. Far too many IA departments are not critically and objectively evaluating their contribution to their organizations. Your point "Lacklustre response" is key, particularly with respect to the board. Boards need to see IA as a key resource - one that provides them with an opinion (at least annually) whether they are getting reliable consolidated information on the current state of residual/retained risk, including the processes that generate it. If the board doesn't see IA as being even remotely capable of doing that task this should be seen by every internal audit function as a major problem. Unfortunately, the Canadian CICA risk oversight guidance for boards largely took the position that few if any IA departments today are capable of assisting boards with this task in any significant way. A February 2013 audit of risk governance in countries around the world lays out key recommendations for financial regulators around the world. One of those recommendations is to make it mandatory that internal audit provide an independent and professional opinion on risk management governance for the board. The title of the report, available with a simple Google search, is "Thematic Review on Risk Governance". This report is directed to financial regulators around the world but most of the key findings are relevant to security regulators as well.
  1. Richard: You have asked '...how an internal audit team that has fallen out of favor can reconnect with its stakeholders.' I think one important factor is to engage all stakeholders in the audit process. This means an initial meeting to 'sell' the audit - why the audit was chosen, what it will involve, how it will report, how the stakeholders will be involved at all stages and the benefits they will derive from the audit. Regular meetings (as necessary) during the audit to discuss issues found so there are no nasty surprises during the closedown meeting. Finally, the completion of a feedback form, not sent but done in person by the CAE or senior IA manager, is vital, as it provides stakeholders to give an opinion on the audit. (Section K of my audit manual page 144 gives an example. It can be found at http://internalaudit.biz/webresources/ribaauditmanual.html). Confidence in the audit team by the stakeholders is vital if IA is to maintain its reputation.
  1. Richard:  I agree with the above statements and/or concerns.  We, as internal auditors, are faced wtih this reality each day.  The Internal Audit activity is currently evolving and we have to do more wtih less,  When we start to lose that connectivity with management, we have to take proactive action to find the cause and address it timely.  We do not want the disconnect to be too wide beyond repair.  In our shop, we are always looking and experimenting with ways to address the problems encountered.  One initiative that we took was to expand assistance wtih process reviews and new product development in order to be viewed not just as an auditor but as part of management.  We also participate in conducting trainings relating to risks and controls to new and existing employees.  Marketing the audit function is another initiative that we are constantly working on.  Providing insight to the stakeholders on new developments and emerging risks is another initiative that we have implemented.  We strongly believe that internal audit needs to move forward from the third line of defense and be proactive without hindering independence and objectivity.

  1. In order to avoid this situation, IA shops should embrace the basics:  No surprises at Exit Meetings; no ticky-tacky findings in the written Audit Report; making Recommendations that the Process Owner and Subject Matter Experts (those who know the business of that particular department or function) agree would in fact be an improvement; and acknowledging the burden being audited places on organizations.  By that last comment:  Do not schedule 8 audits in a single department during a single year unless there is a truly compelling reason.  Remember the saying "That's why people hate auditors."  Remind your audit staff -- including young overly enthusiastic auditors even at the risk of quashing their enthusiasm -- that they are not paid by the Finding; that if a Finding and Recommendation don't add value, they are putting the department at risk of losing stakehold support.  It all goes back to basics. 

  1.  Good to see some nice articles which are talking about the internal audit department.

Leave a Reply