Change Is Hard
By Dennis McGuffie
After years of success with traditional audits, a chief audit executive considers overhauling his department's approach to include more progressive, consultative audit work.
Three years ago, Charlie Wilson was hired as the chief audit executive (CAE) of international telecommunications firm Ranger Communications. Charlie took a textbook approach to his new role and set out to gather the thoughts of Ranger’s key stakeholders to precisely assess their vision of an effective internal audit function. It became clear from these stakeholder sessions that the highest level concerns were around regulatory and policy compliance. Moreover, everyone wanted comfort that the basic control processes were operating effectively throughout the organization.
Meeting these expectations required some difficult organizational and process changes within the audit function. But after the first year the team members looked back and felt they had made progress. Internal audit had designed tools to capture audit performance and to compare and trend results so that areas requiring improvement could be highlighted, allowing management to implement training and development initiatives. By the end of the third year, trends in audit results had shown significant improvement, and internal audit’s key stakeholders felt that a good baseline for audit compliance had been established.
Now Charlie is faced with a new challenge. Having successfully contributed to a much improved control environment, should the group play it safe and continue with an audit plan that continues to focus heavily on compliance — an approach that is now familiar, and one with which the staff is comfortable? Or should internal audit consider changing its approach? Recent meetings with key stakeholders indicate that they see value in a plan that includes a mix of financial, compliance, and operational audit projects, as well as increased use of technology to support desk reviews that would minimize the disruptions that teams of auditors in the field can cause. They also expressed interest in seeing internal audit take a more consultative role that would provide insight on operational opportunities and not just recommendations for further tightening of controls. By contrast, the internal audit staff risk surveys indicate a clear preference for the status quo.
Charlie thinks back to the difficulties and challenges he faced when he changed the focus of the audit group three years ago, and he is not sure if he is up to the task again. Based on the staff surveys and follow-up discussions with members of the group, he’s certain that changes would lead to turnover — something he hasn’t had to contend with for the past 2 years. Change is hard, but his gut tells him if he doesn’t take the initiative and make the changes, someone else will.
What do you think? Isn’t internal audit’s primary responsibility to ensure that regulatory and policy compliance controls are tight? How can Charlie be sure that management isn’t just leading him in a direction that would bring back the old days of lax controls and ineffective audits? Maybe he should never have asked the stakeholders what they thought in the first place; after all, he does need to maintain his independence.
Share your comments below.
Change is Hard
"Isn’t internal audit’s primary responsibility to ensure that regulatory and policy compliance controls are tight?"
I disagree. The role of IA is to evaluate whether management has designed a system of control (governance, risk assessment, COSO type control framework) that propvides a reasonable comfort level that compliance occurs, and when it doesn't, that the deviations will surface and be corrected before they become persistant or pervasive.
"How can Charlie be sure that management isn’t just leading him in a direction that would bring back the old days of lax controls and ineffective audits?"
By (a) assuring a close working relationship with the audit committee chair; (b) adhering to the IPPF; (c) applying a strategic risk approach to audit department annual planning and a tactical risk approach to individuial projects; (d) using a recognized control framework such as COSO's as the criteria for assessing the state of strategic and tactical control.
"Maybe he should never have asked the stakeholders what they thought in the first place; after all, he does need to maintain his independence."
Nonsense. Independence is structural. If the CAE is accountable solely to the CEO and the audit committe chair, the requisite independence exists. If so, and thus assuming those being consulted aren't in a positon to "give orders" to the CAE, Objectivity is the key concern. The necessary objectivity (a state of mind)comes from knowing the industry, understanding the risks, following the IPPF, consulting multiple informed sources, etc.
I strongly disagree with other posters who have suggested the role of IA is to find fraud, waste, abuse. Those are are all the responsibilities of management. The philosophy of the practice of internal auditing is delineated clearly in the IPPF. IA has a corporate governance role - we are evaluators of how well management has exercised and been held accountable for minimizing the risks of fraud, waste, abuse. IN the event fraud is suspected, I would posit that most internal auditors are not trained to conduct investigations, which is why the IPPF focuses on internal auditors' awareness of the red flags of fraud. "Cost savings" are the result of effective management. To suggest that identification of cost savings is a primary IA responsibilty is, in my opinion, an egregious misrepresentation of our corporate governance role, responsiblity and accountability.
Posted By: Mark R. Simmons
2012-04-12 10:37 AM
A Balanced Approach
Internal Audit's enterprise-wide perspective operations, risks, and controls positions it to deliver incredible value to the company. IA would be doing the company a disservice if it did not use its comprehensive knowledge and talents to provide operational insights. Providing consultative services does not necessitate a decreased focused on assurance activities if the appropriate parameters are established. In fact, when a balanced approach is taken, the assurance role of IA is typically made more effective. There are plenty of case studies available that would prove this out but what seems to be most at work in your staff is what John Kotter referred to in his book "Good to Great". He specifically states that being satisfied with good is the biggest stumbling block to becoming great. The IA staff is proud of what has been accomplished and they have reason to be proud. Your challenge is to motivate them to want greatness. They seem to have a lot to lose and seemingly have little to gain. That picture has to change if they are going to really. They need to see what they are truly losing right now. They need to understand what their satisfaction with the status quo is costing the company. Only then can they start to envision what could be.
Posted By: Tiffany Crosby
2012-02-14 10:22 AM
I agree with what Liji has said. If your goal as an internal audit shop is to truly add value, then you must adapt to changes in the business. The most mature, effective audit shops align their goals with the goals of the business, while still performing necessary assurance functions. From a team perspective, in this situation, Charlie should, as the leader of the group, establish that as part of the department culture. If necessary change results in turnover, embrace it, and revamp the department with those that accept and welcome change/evolution.
Posted By: Robert Cozart
2011-12-02 11:46 AM
Consultative Roles = Organizational Change
I have found that the most change is effected when the auditor includes the consultative role in each audit. There is no reason why we cannot also offer business advice while enlightening our clients about the risks they are taking. It may be easiest to just report what the client is not doing in relation to policies & procedures, but real gain is acheived when we roll up our sleeves, sit next to our clients and brainstorm/coach them on potential improvements. The era of internal auditors as "police" has long passed it's relevance and usefulness.
Posted By: Ashley Terry-Rhodes
2011-12-01 12:40 PM
IA Must Evolve or Die
As with most institutions in a fast changing business environment, Internal Audit must evolve or increasingly become insignificant. While assurance on compliance and regulatory controls remains important, the best of Audit shops will also provide thought leadership to drive the organization forward. This thought leadership is made possible by Internal Audit's bird's eye view into a company and should be focused on operational efficiencies and cost savings. Such an approach will also enable Interal Auditors to be a great source of management talent to the rest of the organization. Evolution of Internal Audit is a win win on all fronts.
Posted By: Liji Thomas
2011-12-01 10:17 AM
Change is Hard
Dennis: There is a related article on this issue here under "Raising the Internal Audit's Potential" that answers this question. As the economy is nose diving internal audit ought to make a change by adding value to the organization they work for by suggesting ways to save costs on waste, fraud, abuse and operational inefficiency (They come under "Operations" Audit) and by acting as "Internal Consultants" without losing their independence. Just performing assurance services won't cut it any more. Every audit should reflect clearly the dollars saved or identified to the Audit Committee and seek opportunities for such audits.
Posted By: Sam Kulumani
2011-12-01 8:14 AM
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.
To make something bold:
<strong>Text to bold</strong>
To make something italic:
<em>Text to italicize</em>
To make a hyperlink:
<a href="URL">Text to link</a>