If you want the internal audit team to address the risks that matter to the success of the organization, they have to know what they are.
I addressed this in detail in Auditing that matters.
In the section on Being Present, I said:
Some internal audit departments live in an ivory tower, part of a corporate organization that is at the center of the enterprise. While there are advantages in being at the center, with information flowing in and with access to corporate officers and executives, the disadvantage is that you may not know what is really happening in the business – where the front lines extend across the globe and the men and women in the trenches feel disconnected with the corporate bureaucracy.
I like to have my office in the headquarters area, but I put my staff where the action is. When business units are headquartered in other areas of the country or the globe, those are where I position my direct reports.
For example, at Tosco we had multiple refineries. Each was a major operation in itself, so I had staff located there. But my director for the Tosco Refining Company was based at that division’s headquarters in New Jersey and the director for the Marketing Company was at their HQ in Tempe, Arizona. At Business Objects, we had a regional structure; I was at the California office, co-located with the CEO and CFO. But I also had staff in the Vancouver, Paris and Singapore offices, co-located with the Americas, Europe, and Asia/Pacific executives.
I require my direct reports to build a strong relationship with the management of the areas they are responsible for. They attend those executives’ staff meetings and have periodic one-on-one meetings with them. They are part of the local management team in some ways, dedicated to helping that part of the business succeed, although they retain their organizational independence and objectivity.
When they are present, when they are seen, they are able to listen.
My experience is that people will think of coming to you, whether to provide information or to seek advice, if they see you. If they don’t see you, the likelihood they will call on you is significantly diminished.
At Solectron, my team was scattered across the organization – again, to remain in touch with the pulse of the organization.
One of my team, Jeff Mullis, was based in Charlotte, North Carolina. On one of my visits to Charlotte, I arrived outside Jeff’s office a few minutes early for a scheduled meeting with him. As I neared his office, I heard voices inside. I waited outside while he finished the meeting he was having with two members of local management; it was clear that they had come to him for advice on an operational issue (he had been in local operating management prior to joining the audit team).
When they left and I entered his office, Jeff apologized for keeping me waiting. He asked if I had a problem that he spent time talking to local management like this rather than spending all his time on assigned audit engagements. My reply was to congratulate him!
I was very pleased that he had retained his connections with operating management and made himself available when they needed his advice and insight (that ‘magic’ word, again). He knew what was going on in the business, had his finger on the pulse, and as a result could not only be a more effective auditor but help the entire internal audit team understand the risks and opportunities across the organization.
If you want to address the risks that matter to the success of the organization, you have to do more than listen to the members of the board and executive management team.
You have to, using the words of Tom Peters, “talk to the janitor”.
The members of the audit team have to be where the action is, where the risks are being taken, and where the front lines are in manufacturing, sales, procurement, and so on.
How can we expect an occasional visit to help us understand what is really happening? Is it sufficient for the CAE or an audit manager to fly in once a quarter to talk to local management?
Let’s face it: most internal audit “findings” are where they find that what is happening in real life is different from what those in the ivory tower believe is happening.
I do not believe it is advisable to base the audit plan on input and advice from the top and then go audit to find out the risks are different, or at least managed differently.
The audit plan should reflect reality, not ivory tower beliefs.
How confident are you that your audit plan addresses the risks as they appear in the front lines?
Is that acceptable? If not, what are you doing about it?
I welcome your comments.