The middle of the summer may mean time at the beach for some, hikes in the mountains for others, and registering for your favorite internal audit conference for all.
For many chief audit executives, the middle of summer may also mean spending time with their team members providing feedback on past performance, and development ideas to improve future performance through on-the-job training and formal learning opportunities.
Planning for these discussions, having the discussions, and documenting the agreed on learning and action plans takes a lot of time away from internal audit's primary role as an assurance provider, so it is easy for many CAEs to not go through the mid-year performance review for themselves.
If this rings true for you, take a moment to consider how you are doing to position your internal audit department for success. The following seven CAE best practices may help you both better position your team to improve the performance during each of their projects, and more importantly for you, better position internal audit as a go-to resource for business leaders to provide insight and assurance on their business processes.
1. Build relationships to identify key organizational risks
Can a CAE propose an audit plan without meeting different executives and other employees to better understand their organization? Sure. But that CAE also runs the risk of having a proposed audit plan that does not address the real risks of the organization.
To better understand the organization and more closely align the annual audit plan to key organizational strategies and risks, the CAE has to have a relentless focus on building and maintaining relationships with all levels of employees and stakeholders.
To start building relationships, the CAE should consider a bottoms-up approach to networking. Start with frontline managers to understand what they do, and why it's important. Then, as they network up the department's ladder, the CAE has not only established relationships but is also providing value to their new contacts by giving feedback already obtained from their team and others across the organization.
When the CAE finally meets with the department's executive, they won't have to ask questions such as "What keeps you up at night?" They can ask informed, clarifying questions such as "Your team believes that (risk example) is important. Is it important to you? Why or why not?" These questions prove the CAE has done their homework and increase the chances that an executive will share relevant information with them.
2. Describe the risk, not the process
When reporting to the audit committee, some CAEs spend most of their small amount of time addressing how the risk assessment was performed, and less about the risks to be evaluated by the proposed audit plan. This may include sharing who the CAE interviewed or surveyed, the criteria used to assess risk event likelihood or impact scores, and the resources used to benchmark the proposed audit plan.
Chief audit executives can benefit by spending more time sharing insight on the applicable risks for each proposed audit during the year. Any additional time left over could be spent discussing risks not addressed in the proposed annual audit plan, and how those risks may be addressed in the coming year.
While there is a time (the one-on-one meeting with your audit committee Chair) or place (appendix of the audit committee presentation) to share how internal audit's risk assessment was performed, discussing it during your time-crunched audit committee meeting is not one of them.
3. Incentivize Internal Audit team members to network
Like adding vegetables to a diet, the benefits of making networking a part of all Internal Auditor's responsibilities are easily understood, yet rarely acted on.
So why don't internal auditors network more? Perhaps it has less to do with the age-old brand of auditors being introverted bean counters and more to do with a lack of being incentivized to network.
To get internal auditors to network more, CAEs should consider including networking goals in staff performance evaluations, providing a small budget for networking lunches or coffees, discuss past networking results during team meetings, strategize together on future networking efforts, and provide spot awards for team members exceeding networking goals or identifying a new risk to the company.
The CAE with the well-networked internal audit department will be ready to educate other managers and executives (opposed to asking questions) and should be more likely to propose an annual audit plan that directly aligns with the organization's largest risks.
4. Take time to explain the audit process to your customers
How many times has an audit team completed an audit on time, with total customer buy-in, only to have the audit go awry when issues are moved from the status updates to a draft version of the audit report? I'm guessing more than once.
This is a great example of the audit team not taking the time needed to fully explain the audit process. Had the lead auditor mentioned that part of the audit process is agreeing on the wording of the audit report, the audit could have finished timely and exceeded expectations. It is easy to anticipate what could go wrong when an internal auditor assumes their customers understand what they are doing and why, after being told about it only once.
So when should the audit process be explained? As much as possible, and all throughout the audit. While re-stating every detail from the entrance meeting may be overkill, audit teams that take additional time to provide context about the desired outcome of each meeting, and how it fits into the bigger picture of the audit, should benefit. Internal auditors should also be encouraged to routinely ask for, and address, customer's open questions.
Additional context about the audit process, and what our customers can expect, should be summarized during all formal and informal audit status updates. The CAE who is consistently transparent and provides context in all of their communications is more likely to have an audit team that treats their customers the same way.
5. Leverage Subject Matter Experts
Imagine you are the head of a procurement department. You were just audited by your organization's audit department. The audit team found five issues and have provided five recommendations to change your process in order to correct the issues. Would you, as the department head, be more open to agreeing and implementing the recommendations of the lead internal audit manager, or an industry expert who was engaged by the audit department to participate in the project? I think we both know this answer.
If CAEs plan audits that truly relate to key organizational risks, obtaining funds to use subject matter experts (SMEs) should not be that difficult. If the budget cannot be obtained to engage SMEs full-time, consideration should be given to at least hire the SME for 10 – 15 hours during audit planning, have available on-call as –needed during fieldwork, and most importantly, as needed during reporting to help create and vet recommendations to correct identified control breakdowns.
If used correctly, the value of having an SME on the audit team should prove itself quickly to audit customers, executive management, and the audit committee. And when these audit stakeholders can appreciate internal audit's value, the CAE usually benefits.
6. Create a Guest Auditor Program
If you ask any CAE in the country, chances are, she is looking for a senior internal auditor with three to five years' experience at a Big 4 firm with a CPA, CIA, CISA, and likes to clean up their work papers on the weekend (ok, one of these may not be completely true). Unfortunately for most CAEs, they've been looking for that person for the past six months, and are slowly realizing they need to be more flexible with who they hire.
While CAEs continue to struggle with an emerging internal audit talent shortage, they may be able to find help with their workload by creating a Guest Auditor Program. Successful guest auditors normally have 3 – 8 years of experience, are considered high-potential employees in the company and can allot, with their manager's approval, 2 – 4 weeks to complete an audit. The more time the guest auditor can give to the project, the more beneficial it will be to both them and the audit team.
Creating and maintaining a guest auditor program also offers indirect benefits to the CAE. First, a Guest Auditor Program provides human resources another opportunity to both challenge the organization's top talent by participating as a guest auditor. Guest auditor alumni can also be a great resource for a CAE to gain information about their area of expertise in the organization.
Finally, if the CAE gathers all of the guest auditor cohorts together throughout the year to discuss past and future audits, it is a great opportunity for the CAE to seek out a c-suite executive to speak to the organization's top talent. While senior executives at Fortune 200 sized companies may routinely speak to leadership and development programs, this not a common practice at smaller organizations. The CAE should benefit by providing a forum for the executive to speak at.
7. Host a BBQ
David Vincent, IBM's Governance, Risk, and Compliance Executive, once told a story about his past experience with a newly appointed CAE at a large oil and gas company. After the CAE's first week on the job meeting different executives, it was apparent that Internal Audit was not seen positively, and had done nothing more than highlight issues that were not important to the organization.
The CAE knew that for internal audit to be successful, he needed to break down the negative barriers between internal audit and the rest of the organization. To open the lines of communication, the CAE hosted, and paid for, a monthly BBQ for all of the company's executives and their management teams. Business was not discussed, and the only agenda item for internal audit was to establish a new relationship that was not built on past work experiences.
This unique action not only positively re-branded Internal Audit within two months, it was such a hit that the CEO of the organization adopted the same philosophy and took over the BBQ to meet with different employees.
While a BBQ may not be in-line for all CAEs, finding creative ways to solve problems should be. It can be easy for others to pigeon-hole internal audit to a negative stereotype. It should be the CAE's job to re-define and over-communicate how Internal Audit can add value to their organization. And a CAE can't always do that without being creative.