00:00:02 Speaker 1
The Institute of Internal Auditors presents all things internal audit. Hey, audit pros. We have a special episode for our listeners this week. Joining me is Christine Genesco, our senior editor for Internal Auditor magazine and author of the article Fortune favors The Wise, which just came out in our August issue.
00:00:21 Speaker 1
So for this podcast, we're going to hear snippets of those interviews that didn't quite make it into the.
00:00:26 Speaker 2
Article. Thank you so much for having me on the podcast. Katie, this is really fun. There is always so much good material and stories that don't make it into the article because you just can't include everything. So I'd like to share some of these excellent Nuggets.
00:00:41 Speaker 2
Of insight with our readers so that they can learn.
00:00:43 Speaker 1
From them as well. And I think for this first recording we hear from Don Cinco, who is a retired Chief Integrity officer for the Cleveland.
00:00:51 Speaker 2
Clinic's yes. Don was extremely knowledgeable about governance and had a great point to make about how at least working toward good.
00:00:58 Speaker 2
Governance can keep organizations from getting into trouble with regulators, even if they are facing legitimate issues.
00:01:05 Speaker 1
Alright, let's take a listen.
00:01:08 Speaker 3
We had 13 years that we got atmospheres, world's most ethical companies award. We got him for 13 years and part of it is because like for instance in in my years there and this is unusual in healthcare, but we had no federal fines or penalties, you know compliance fines or penalties or or or issues. And I think part of it is.
00:01:29 Speaker 3
And it's not because we didn't have any problems. We had lots of issues. I mean, we're a big, large, you know, organization, but what happens?
00:01:36 Speaker 3
There's.
00:01:38 Speaker 3
They see that you're, you know, you're doing, you know, one of the things that, you know, audit and I talk with audit and compliance because to me their missions are are almost identical. They want to see. Are you trying to find the problem? Well, first of all, are you structured properly? Do you have a good structure? They loved our structure. They love the fact that, I mean, law firms were telling the.
00:01:59 Speaker 3
The clinic structure is ideal the way they have compliance reporting, the board audit reporting the board. So your structure is good then are you trying to find problems? Law departments will tell you don't look for problems because once you find them now we gotta deal with them. Our job in audit and compliance is to find problem. If we have them to find them because I always use them the the medical. The medical analogy is.
00:02:20 Speaker 3
If you have cancer, don't you wanna find it as a stage 1 cancer instead of a stage 4 cancer? You know? So the longer something goes on, you know. So so you wanna be looking for it. So 1 you have to be structured properly. Two you you need to be looking for stuff and then three they look at well what do you do once.
00:02:36 Speaker 3
You find it.
00:02:37 Speaker 3
You try to cover it up. Do you try to make it somebody else's problem, you know? And So what happens is, you know, we have lots of issues, but when the government comes in to evaluate and they go like, well, you're structured better than than than than most you're actively. You'll the reason you know about this problem is because you found it, then you did all the right stuff. You you made.
00:02:57 Speaker 3
Appropriate actions, you know, whatever. Whatever. So then you don't get fined and penalized so that independents having the independence to to do those things that many in the organization would not want you to do.
00:03:10 Speaker 3
Allows you to do it.
00:03:11 Speaker 1
Honestly, that seems like a very valuable lesson for fending off regulators and fines.
00:03:16 Speaker 2
Yes. And going further, he also talks about how being independent allowed him to, let's say, encourage people to address problems more quickly. He has a funny story about that.
00:03:29 Speaker 3
So for internal audit we always you know we would find stuff, we'd write a report and to me.
00:03:35 Speaker 3
The the finding is important and the recommendation is important, but the most important thing is they fix the thing you find because what one of the problems that we have in internal audit is there's pressure to to have metrics. The one metric is you know, you know how fast you get reports out from when you do an audit, how fast you get reports out.
00:03:55 Speaker 3
And I always said I think that's a terrible metric because I can get reports out really fast. The most valuable thing that we do.
00:04:03 Speaker 3
An audit above the finding and a recommendation is did it get fixed? So if I'm getting stuff I find stuff and here's my recommendation and I'm sending this stuff out and all this boy look at all this stuff. We're more we're so productive if nobody's.
00:04:15 Speaker 3
Addressing the problems right, it doesn't.
00:04:17 Speaker 3
Matter people. So they issue all these reports, they get thrown in a desk drawer so.
00:04:22 Speaker 2
Yeah. No, I'm doing a good job.
00:04:23 Speaker 3
How valuable. Yeah. So so oh, boy, look at. Oh, it's so good. Look, how many. How.
00:04:27 Speaker 3
Faster.
00:04:28 Speaker 3
I'm going like that. What was important is every everything that we did.
00:04:33 Speaker 3
From a recommendation standpoint, what we reported to the board was did management address it once a year, we presented to the board all items, all recommendations that we had that were that have not been addressed and it was not a very long list because nobody wanted to be on.
00:04:37
Mm-hmm.
00:04:51 Speaker 3
That.
00:04:51 Speaker 3
List no.
00:04:53 Speaker 3
No department wanted to be on a list selling the board. You didn't do what you said you were gonna do, so I was able to do that because I referred to the board and and because no one wanted to be on that list.
00:04:53
That's fine.
00:04:58 Speaker 2
Mm-hmm.
00:05:05 Speaker 3
Stuff got done.
00:05:06 Speaker 1
Yeah, that's definitely some great motivation to get people to keep the To Do List short. I wonder what other hidden gems you'd like to share.
00:05:10
Sure.
00:05:14 Speaker 2
Well, I also talked to Carolyn Chalmers, who is the CEO of the Good Governance Academy in Johannesburg, South Africa, and she is chair of the South African Bureau of Standards Technical Committee for the governance of Organizations.
00:05:27 Speaker 2
Well, she actually teaches board members about good governance. She talked about why internal audit and the CAE are so crucial in reporting governance problems and in protecting governance.
00:05:42 Speaker 4
I've found myself in audit committees far more than I found myself on board. I love that audit committee role and the Chief audit executive and the internal audit teams. It's the most underrated function. Some of it is to do with poor leadership by the chief audit executive.
00:06:00 Speaker 4
If if the CAE is not of the right frame of mind or frame of reference or mindset, there could be subservient. That's actually the the chief audit executive is the board's best weapon, is the board's best.
00:06:12
Mm-hmm.
00:06:19
Mm-hmm.
00:06:21 Speaker 4
2.
00:06:23 Speaker 4
Because the ball doesn't have any insight into the organization.
00:06:28 Speaker 4
The executive members, the the executive directors do. Mm-hmm. But the non executive directors don't. And in a good governance setup you have more non executives than you have executives. So on balance you you don't have a good understanding of the deep insights into the organization and rightly so. You need to get this level of independence.
00:06:51
M.
00:06:51 Speaker 4
Now you can trust management and so many governance failures are on over trust of chief executive officers that are very charismatic and you've only trusted the chief executive.
00:07:07 Speaker 4
That what you haven't relied on is your right hand person actually is your assurance provider and it's not your chief risk officer. Your Chief risk officer is a clear assurance provider in in unpacking. So what are the risks? And yes, we need controls for that, but really the rubber hits the road in.
00:07:27 Speaker 4
Are those controls actually working to reduce the risk to the level of acceptable risk? And that's the right hand person.
00:07:36 Speaker 4
Is management says it doing this? We understand the risks and these are all the controls actually working because if management is charismatic and gets and runs away, we do have controls around charismatic. You know we've got limits of authority and various other things that we do have committees of oversight committees.
00:07:56 Speaker 4
But if those controls aren't working, that's the chief audit executive needs to be the first one to call it.
00:08:03 Speaker 1
Yeah, that certainly shows how important internal audit is when it comes to governance. I think the article also talks about how to measure governance maturity and that comes from your interview with Chalmers.
00:08:13 Speaker 2
Right. Yes, that's correct. Carolyn goes into detail about the governance maturity model, which internal auditors can use to assess how mature.
00:08:23 Speaker 2
The organization is in various aspects of governance. It's really fascinating. So let's hear.
00:08:29 Speaker 2
More about that.
00:08:31 Speaker 4
I was the sole editor of the Governance maturity model.
00:08:36 Speaker 4
Which is answer 37,000 and four answer 37,000 and four says when you're assessing governance it's all very well to go in and you know give a number to it in a point in time and say oh.
00:08:49 Speaker 4
You're.
00:08:49 Speaker 4
- You're well governed, or you're underperforming, or you're whatever, but that doesn't given that.
00:08:56 Speaker 4
You know, governing bodies only meet four times a year.
00:08:59 Speaker 4
And things change very slowly when you, if you think about steering an oil tanker, it's very slow to shift. So a number in a point in time doesn't tell you a lot. We are busy developing indicators. So that would be a point in time. So it's not like they're not useful, but really we started from a premise of of.
00:09:19 Speaker 4
The levels of maturity to say we are here and this is where we're wanting to go to and what is appropriate for the organization is what we're trying to aim towards. So although the the scale goes from zero to five, so for six point scale.
00:09:37 Speaker 4
We don't expect a maturity model. That doesn't mean that everything needs to be a level 5 because a level 5 when it comes to certain things might not be appropriate for your company. So it's up to the governing body to decide what levels are appropriate and it gives us a starting point, but it also gives stakeholders.
00:09:57 Speaker 4
And ability to assess the relative between organisations, the relative maturity of different organisations.
00:10:05 Speaker 4
And it gives the.
00:10:05 Speaker 2
OK.
00:10:06 Speaker 4
Tool to the governing body to actually assess where they are today and where they're needing to go to.
00:10:12 Speaker 4
That's if we can measure, we can improve.
00:10:15 Speaker 1
So we've already heard some excellent insights into how internal audit and good governance go hand in hand. But you also spoke with an internal audit leader about finding that right governance balance. I think his name was.
00:10:27 Speaker 2
Lawrence, yes, that was Lawrence learning. He's a senior director of corporate internal audit.
00:10:33 Speaker 2
Adidas in Herzogenaurach, Germany, I hope I said that correct.
00:10:37 Speaker 2
Actually in the interview, he explained how important it is to find that sweet spot when it comes to governance and it should be based on the needs of the organization. So let's hear what he has to say.
00:10:49 Speaker 5
I think governance it's a good thing until it becomes too much. Take policies. For example, you can have a three page policy. You can have a 50 page policy and and those still are elements of governance or certain controls or activity due to managed risk and and reporting. For example, you can be overwhelmed by 1000.
00:11:11 Speaker 5
They just are reporting and that's, you know, whilst the nature is good.
00:11:16 Speaker 5
But that is going to at some point slow down, slow down the organization, slow down your business activities and in fact there is what we often say assurance fatigue. And I would equally apply that to governance fatigue too much of it is never a good thing or too much of anything is never a good thing. So at some point we have to find the right balance and that's why I think.
00:11:38 Speaker 5
In some situations, the governance may be perceived as impediment when there's too much of it. So it it boils down to how do we as in the company in the in organization find and strike that right balance and and it's really dependent on the organization what it.
00:11:53 Speaker 5
Starts to achieve.
00:11:54 Speaker 5
The maturity, the, the complexity in which it operates, you know you can think about it from a geographical standpoint for international company that's more complex because it also involves people. At the end. I think governance is very much linked to the people within it, not necessarily the business goals or the products.
00:12:14 Speaker 5
Themselves, but it's people who are living in the organization, working in it. And when you have to cross cultures cross boundaries across so many dimensions, then governance is it's, it becomes even more essential.
00:12:29 Speaker 1
And that's a great reminder that balance is.
00:12:32 Speaker 1
Essential Speaking of balance and the need for agility, you also had a great interview with Tom Sanglier, who's the CEO at Science, Technology and engineering company Leidos in Reston, VA and I believe he was the I's former North American board chair.
00:12:48 Speaker 2
That's exactly right, Katie. Tom talked about the give and take between governance, risk tolerance and innovation, and how organizations always have to be ready to adjust either their risk tolerance or the speed of governance. And here's more on that.
00:13:03 Speaker 6
There is one interesting thing on the scene and I'll share it with you around governance and it it is the speed of governance. So I'll give you an example. I my own personal views with emerging technology coming out faster and faster. Now let's talk about artificial intelligence.
00:13:07 Speaker 1
Mm-hmm.
00:13:23 Speaker 6
Just the broad term, artificial intelligence, because there's many different flavors of that. It's coming fast and furious. So there are new tools popping up every single day. You know, Jenny, I agentic I you know you name it and.
00:13:38 Speaker 6
There are risks associated with those tools, but they're also benefits associated with those tools and.
00:13:45 Speaker 6
If you don't change your risk tolerance, you better change the speed at which you govern those tools, because if people do not get to adopt tools that they know will make their jobs better, easier, more effective, they're going to go around, they're going to bypass.
00:14:04
Yeah.
00:14:05 Speaker 6
Governance, right?
00:14:07 Speaker 6
And now the risks are now you've just exceeded your list. How much, in all likelihood, right? So you got two options. You either raise your, raise your risk tolerance for you, speed up the governance process, which means decisions need to be made faster, right, and risks need to be surfaced quicker.
00:14:19
Hmm.
00:14:27 Speaker 6
And addressed and discussions about risk acceptance.
00:14:34 Speaker 6
Need to happen faster. This is because it's not just one, there's going to be multiple, and if you're not addressing that, you're going to have shadow AI, and that's a bad thing, right? If you don't want people to put sensitive information into ChatGPT.
00:14:46 Speaker 2
Mm-hmm.
00:14:51 Speaker 2
Mm-hmm.
00:14:52 Speaker 6
Then you better give them a tool that they can put sensitive information into, because otherwise they're going to put it into ChatGPT, right?
00:14:56
Yeah.
00:15:00 Speaker 2
Right, right.
00:15:01 Speaker 6
So so that I think just the speed of business nowadays, I mean just look at the 1st 100 days of Trump and the speed with which things have been.
00:15:11 Speaker 6
Happening, look at the volatility AI. The speed with which those tools are coming out every single day. It's just a faster, more volatile role and the governance is.
00:15:12
Yeah.
00:15:25 Speaker 6
Going to need.
00:15:25 Speaker 6
To change to do, to deal with that.
00:15:27 Speaker 2
One of the guys I talked to, I don't know if I'm putting it the right way, but he said governance can be if it's too much like it can be kind of like what you're saying. If it's too tight or too restricting, it can restrict people from innovation.
00:15:41 Speaker 6
It will inhibit in this world. It will inhibit the ability to achieve.
00:15:45 Speaker 6
Objectives you will fall behind your competition, but at the same time you can't. It's Goldilocks, right?
00:15:52 Speaker 2
Yeah.
00:15:53 Speaker 6
Too much is is governance is going to slow the business down and make it perhaps negatively impact competitiveness. Too little is going to cause risks to appear.
00:16:01 Speaker 4
Oh.
00:16:06 Speaker 6
Well, it's it's a you know what's just right and what's just right is never going to be the same, you know, over the years it's going to change.
00:16:17 Speaker 6
And right now the change I'm seeing is speed.
00:16:20 Speaker 1
Such a strong future focused way to wrap up this segment, Christine and I can't thank you enough for sharing these clips with us.
00:16:27 Speaker 2
Thank you so much for having me on the podcast, Katie. It has really been fun.
00:16:33 Speaker 1
To find the internal auditors digital issue for this month, you can visit the IAA's website or you can find the link below in our show note.
00:16:42 Speaker 1
Want fresh ideas and real takeaways for your GRC role? Join the 2025 GRC conference from August 18th to the 20th in New York, or virtually packed with informative sessions and useful tools. The conference offers up to 24 CPE's snag your spot now with theia.org.
00:17:02 Speaker 1
If you like this podcast, please subscribe and rate US. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at the iaa.org that's theia.org.