Whether you call it chutzpah, moxie, or just plain guts, internal auditors need to show more of it.
That’s the overarching message of the 2017 North American Pulse of Internal Audit report, Courageous Leadership: Instilling Confidence from Within, from the Institute of Internal Auditors (IIA).
“It takes courageous leadership to enhance and protect organizational value,” the report states. “Chief audit executives [CAEs] must have the courage to look both outward at the organization, and inward at the internal audit function. We must consider risks that likely have been given little attention, and make changes.”
So, with that gauntlet laid down, the IIA cited four often-overlooked risk areas that need more attention:
- Communications not traditionally subject to independent assurance, such as analyst presentations, sustainability reporting, and some operational reporting.
- Environmental, health, and safety (EHS) risks.
- Internal audit’s use of data analytics.
- Interpersonal dynamics between internal audit and others in the organization.
Here are the key takeaways regarding each risk category:
1. Communication risks. Everyone in the corporate chain – managers, investors, and other stakeholders – makes strategic decisions according to the information they receive outside of financial statements, the report states.
The majority (66 percent) of Pulse survey respondents who receive such information said inaccurate, incomplete, misleading, or confusing communication poses a significant concern about risk to their organization’s reputation.
“While external audit provides assurance over formal financial statements, this does not include all the communications important to the organization, nor the related processes and controls,” the report states. “Independent assurance can come from internal audit, external audit, or an independent third party.”
Here’s what internal auditors can do:
- Identify their organization’s communication processes and tools.
- Determine what information gets the most attention – either internally or externally.
- Determine the risks of information that is inaccurate, misleading, incomplete, or confusing.
- Include communication of the information that gets the most attention (i.e., is the most important to the internal audit process and planned audits).
- Assess and evaluate who is providing assurance about the communication.
2. Environmental risks. Internal audit should approach EHS risks the same way it does for IT and fraud, the report states. Yet, just under half of all CAEs surveyed said these risks (such as the release of toxic material, contaminated food, dangerous working conditions, and ergonomics that affect employee health or efficiency) are not part of internal audit’s risk assessment or audit plan.
“For many, this is unfamiliar territory and it will take courage to challenge existing beliefs as to internal audit’s role in EHS risks,” the report states. But a lack of assurance “could have a disastrous financial and reputational impact on an organization.”
While internal auditors can’t be expected to have the expertise of an environmental specialist, they should get up to speed on how to evaluate EHS risks. But collaboration between internal auditors and EHS auditors is unusual. Almost two-thirds of Pulse survey respondents whose organizations have an EHS audit function indicated that EHS and internal audit work separately. The two work together in about one-third of organizations, while EHS is part of internal audit in 6 percent of organizations.
Here’s what internal auditors can do:
- Learn the full scope of EHS risk impacts.
- Collaborate with other teams to determine how best to share knowledge.
- Determine whether the level of assurance, and who provides it, is commensurate with the level of risk.
3. Data analytics. While CAEs embrace data analytics, they may put them in play before the organization’s structures and processes are complete, the report states. Pulse survey results indicated that if CAEs were to audit their own data analytics processes, many wouldn’t have good results.
According to the report, the use of data analytics by internal audit is growing, with more than nine in 10 survey respondents saying they include it in their audits. More than four in 10 “always” or “frequently” use data analytics in their audits.
However, those who regularly use data analytics said poor data analytics design caused extra work, which could have been avoided by proper planning and resourcing.
Internal audit uses data analytics the most for direct testing of internal controls (37 percent), followed by risk assessment in planning a specific audit engagement (35 percent) and identifying potential errors in data, which are communicated to management for correction (33 percent).
Here’s what internal auditors can do:
- Determine all uses for data analytics.
- Figure out what processes, technology, people, and data are needed for a data analytics program.
- Assess how and where a data analytics program could derail before it’s in place.
- Get the opinions of all stakeholders and teams on how to develop a data analytics program.
- Document the data analytics approach in internal audit’s strategic plan.
4. Interpersonal dynamics. “Internal auditors’ effectiveness centers on the ability to navigate personal interactions and potentially contentious issues, while still fostering trust – no easy task,” the report states.
But most (59 percent) Pulse survey respondents said negative interpersonal exchanges rarely were attributed to their role as an internal auditor.
Still, the quality of interpersonal interactions between internal audit and the rest of the organization bears watching.
“After a negative exchange with internal audit, management may be less forthcoming with information and also less likely to implement audit recommendations,” the report states. “This weakens internal audit’s ability to carry out the audit and contribute to positive change in the organization.”
Half of the survey’s respondents said a negative exchange might or would detract from audit’s ability to conduct an audit.
And, as with most things corporate, “soft skills” play a big role in how well the medicine goes down.
“Most auditors have had experiences where a member of management tried to blame their own poor performance on the auditor or tried to challenge the auditor as a mechanism to divert attention away from their own failings,” the report states. “After a negative interpersonal exchange, it may be tempting for an internal auditor to blame the other person. However, some of these negative interactions may have been avoided through better use of soft skills.”
Try a little empathy, the report suggests. Look at how audit appears from managers’ perspectives. If internal audit helps management look good, management will help internal audit. This could be where that extra dose of moxie will help, too.
Here’s how to get this warm and fuzzy stuff done:
- Learn the soft skills. Get a mentor, trainer, whatever it takes.
- Assess how the corporate culture affects internal auditors’ interpersonal exchanges.
- Figure out how to improve corporate culture.
The Pulse survey results are based on data collected from 538 respondents, 86 percent of whom are CAEs.
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.