Nearly every internal auditor has a few stories to tell about audits that have gone off the rails. Most have encountered audit clients that can run the gamut from guarded, to uncooperative, to out-right hostile. Breaking through these difficult working environments and putting audit clients at ease is never easy, but with some strategies, internal auditors can foster better working relationships and break down barriers that can make for difficult audits.
Most internal audit functions define the audit environment with a clause in their internal audit charter. Indeed, the Institute of Internal Auditors (IIA) defines internal audit environment as: “An organization environment where internal audit aligns its activities with business activities and risks.” Further, it adds that, “action plans emanating from audits are facilitated by internal audit, but agreed, owned, and implemented by management.”
In endeavoring this, audit functions in the course of their work often encounter resistance that can create friction with business units and other entities in the organization. Hostility towards internal audit can be as a result of many factors, ranging from prior poor experiences, to lack of understanding of internal audit’s goals, and even fear on the side of the audit clients.
Modern internal audit functions are working hard to circumvent these conflicts and build valued relationships which are vital to influencing fair perceptions within the organization. There is a significant benefit when internal audit establishes itself as an advisor and consultant that other staff and process owners can relate with.
IIA defines internal audit as: “An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” This forms the foundation of the internal audit environment. The question is asked how an independent department encounters hostility. The independence of internal audit is defined by IIA as: “The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.” It says further that, "to achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels."
There are various forms of antagonism that internal audit shops may encounter in the corporate world. They include, but are not limited to:
- Inadequate staffing
- Resource and budget constraints
- Lack of support or commitment from top management
- Failure to implement recommendations of prior audit findings
- Low grading of internal audit leadership in the organizational hierarchy
- Negative perceptions by auditees and lack of cooperation during audits
- Lack of cooperation from the external auditors
Many internal audit functions will encounter these difficulties in the course of their work, and, in the worst scenarios, it will encounter them all. But each of these situations also has devastating consequences. Amidst all these, the auditor has to align himself or herself with the objectives of the organization and deliver value.
Nonetheless, there are strategies that internal auditors can employ to ease the friction with audit clients. The keys to eliminating hostilities can be found in the people, processes, communication, and relationships with audit clients. Internal audit functions that seek to foster a friendly and professional environment should endeavor to do the following:
1. Initiate an open dialogue with audit clients
Auditing activity creates anxiety on the part of audit clients. The head of internal audit should initiate a dialogue with the auditee to ease that anxiety. Before presenting audit reports to the board, for example, it is crucial that internal audit share its findings with the management first. Top management does not want to be caught off guard when the auditor presents a report to the audit committee.
When conducting reviews, audit staff should also build relationships that make the auditee feel comfortable when sharing information or discussing potential concerns about controls. Sending emails and memos during audits only promotes anxiety and discord. Instead, pursuing regular dialogue with audit clients, collecting feedback, and listening helps to align with the findings and recommendations of internal audit.
2. Audit, don’t investigate
Auditing differs greatly from conducting investigations. While the objective of internal audit is to provide assurance to the stakeholders of the entity and assist them in discharging their responsibilities; investigations are skewed towards detecting and monitoring fraud and wrongdoing. Auditing is meant to improve systems and procedures, while investigation is usually undertaken in response to reports of misconduct and focus upon people. The auditor shouldn’t be viewed as an investigator or a cop on the beat.
When audit clients feel like the focus has turned from systems to personalities, they will either become defensive, or will strike back with inappropriate behavior against the auditor. The auditor has a bigger role to play in strengthening the internal control systems of an organization than conducting investigations. International Standards of Auditing (ISA) 240 gives responsibility for investigating fraud to management and those charged with governance of the organization, rather than to internal auditors. The auditor should consider investigations only when it is absolutely necessary, and often only when it is agreed upon by the board or senior management.
3. Be independent and don't take sides
Internal audit functions are sometimes used by the top management and the board to settle scores. In my 15 years of auditing, my office has been approached by both sides of the divide with such motives. When internal audit becomes weaponized to fight colleagues, serious aggression is imminent and the auditor becomes stuck in the crossfire. The independence of an auditor requires him or her to remain professional and unbiased. When internal auditor loses its independence, it becomes exposed and vulnerable and the situation will often end with the termination of top auditors.
4. Uphold the code of ethics
The IIA code of ethics requires internal auditors to uphold integrity, objectivity, confidentiality, and competency. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. Auditors should be objective in gathering, evaluating, and communicating information about the activity or process being examined. They are required to make a balanced assessment of all the relevant circumstances and should not be unduly influenced by their self-interests or by others in forming judgments.
Further, internal auditors should respect the value and ownership of information they receive and never disclose information without appropriate authority, unless there is a legal or professional obligation to do so. They should apply the knowledge, skills, and experience needed in the performance of internal audit services.
5. Simplify the truth through audit reports
The audit report is the end product of every audit project. The auditor can win the hearts of the auditees and the board of directors through the report. The form and content of an internal audit report are of utmost importance since it is through it that the auditee comes to know the opinion of the auditor.
The auditee will appreciate a brief, precise, simple and intelligible report free from untrue and unfair opinion. The auditor should honestly identify weaknesses in the controls, give balanced criticism and make logical recommendations. The auditor’s report should demonstrate his impartial attitude toward the auditee or processes. When the report covers the interest of both the board and the auditee, negativity will be contained at the joy of the audit team.
6. Be open to criticism
Internal auditors should open the door for honest feedback on their strengths and weaknesses. Equally, he or she should pursue input from stakeholders, a process that makes the internal audit function more effective. It's not enough to simply declare that you are going to do better. The therapy process can be difficult, but recognizing that even the auditor can have a problem halves the battle.
7. Build relationships with board members and other key stakeholders
The internal auditor is ultimately responsible to the board. He or she needs to understand where to direct their energy to remain relevant, to know which choice works to his or her advantage and to understand who will be helpful when all hell breaks loose. In a perfect situation, internal audit functions reports to the topmost organ of the organization through the audit committee.
Any chief audit executive who does not cultivate a good relationship with the board, is missing the trick of the game. The advisory role to the management should go hand in hand with the assurance role to the board of directors on the status of the organization. Close professional relationships with those on the board will win the auditor some much-needed peace when top management becomes hostile. The easiest way to achieve this is by obtaining the blessings of the board on your annual audit plan. Share a copy of your internal audit program with the chairperson of the audit committee. Foster relationships outside of the office where appropriate.
It’s all about relationships
It is worth observing that internal auditors are part of the organization’s workforce. Therefore, the responsibility to collaborate with other staff should be nurtured to maturity. A good internal auditor audits along with the auditees, not over them.
One thing that should not escape internal auditors minds is the role of collaboration in their duties. Internal audit’s success depends as much on the work and cooperation of other staff as it does on its own work. To enjoy a peaceful environment and achieve objectives, the audit function must engage effectively and widely. Affiliations should exist within the internal audit team, across the business, and to the board, particularly with the audit committee.
Kennedy Njoroge, CPA is a Director, Internal Audit, Assurance & Risk Management