
December 2019

THE ART OF UNDERSTANDING & MANAGING STAKEHOLDER EXPECTATIONS – AN INTERNAL AUDITOR’S PERSPECTIVE

By Jyotin Mehta
Chartered Accountant

Internal Audit (IA) must recognise that it
exists to serve the needs of diverse stakeholder groups, that their
expectations are constantly evolving and that these expectations may not necessarily be aligned.
Internal auditors, whether in-house or outsourced – irrespective of the size of
the organisation – who invest in managing the expectations of their various
stakeholders are more likely to create an IA function that remains successful
and relevant in the long term. Those who lose sight of this are at greater risk
of long-term failure.

 

THE STAKEHOLDERS

For IA, the stakeholders comprise:

(i)     The Audit Committee (AC) and the Board of
Directors (Board), to whom IA is supposed to report directly and functionally;

(ii)     The CEO (or head of the enterprise), to
whom IA usually reports administratively;

(iii)    The CFO, who is primarily responsible for the
internal control environment and who, therefore, may be IA’s perpetual ally;

(iv)    Other business heads of the organisation
(auditees);

(v)    Internal audit team (whether forming part of
the in-house team or members of professional services firms engaged on a
co-sourced basis);

(vi)    Statutory auditors and regulators;

(vii)   Other board committees and heads of support
functions, especially administration and HR; and

(viii) Professional network.

 

In well-established organisations, there
will also be potential collaborators such as the CIO (Chief Information
Officer), the CRO (Chief Risk Officer) and the Compliance Head who can jointly
drive the common governance agenda with the AC / Board and within the
organisation. Incidentally, the CIO can be the best catalyst and support for IA
as technology initiatives gain momentum to increase the effectiveness of IA.

 

IA needs to identify the key stakeholders
and categorise them in terms of influence and needs, craft engagement
strategies for each and build and maintain an effective working relationship
with them.

 

UNDERSTANDING STAKEHOLDER EXPECTATIONS

IA provides value to the organisation and
its stakeholders when it delivers objective and relevant assurance, and
contributes to the effectiveness and efficiency of governance, risk management
and control processes. To achieve this, the IA plan should reflect the issues
that are important to the stakeholders; it should address the challenges and
risks that stand in the way of the strategic and other key objectives of the
organisation. IA must invest sufficient time in talking to stakeholders to
identify and assess priorities. It should involve them in drafting the IA plan
and solicit inputs. Knowing what’s important to stakeholders is the
cornerstone of managing their expectations.

 

Keep your ear to the ground to ensure that
IA is in tune with current concerns and has a flexible plan. If need be, it
should review and update the plan at the half-year point or even quarterly if
circumstances so dictate. Design a process that brings information together;
share it within the IA team to ensure that the team is aware of the main
business drivers and risks; analyse it and make planning decisions
based on key risks and issues.

 

One of the most important aspects to think
about is the approach, frequency and content of communications for each
stakeholder so that it is easy and encourages them to get involved. Besides,
consider the balance and benefits of formal and informal protocol. Ensure that
the stakeholders understand your needs, relevance and the value of IA to the
organisation.

 

There are several key areas of IA work that
require good stakeholder understanding:

(a) The IA Charter, which defines its mission, role
and scope, should be a living document that helps to sustain IA’s value to the
organisation. The Charter must be up to date, clear, easily understood and
reflect the focus of IA. Stakeholders need to be aware of it and it could, for
example, be a key document on the IA intranet.

(b)        More and more internal auditors are
providing ratings at an engagement and overall level. IA should work with the
AC Chair and senior managers to devise a way of expressing ratings that help
them to understand where the business stands in relation to achieving its
objectives. Some ACs prefer narrative statements, others ‘traffic light’
systems or gradings. There is no right or wrong way of doing this. It does mean
talking through options, agreeing to a suitable format and applying it on a
consistent basis.

(c) Stakeholder feedback on individual engagements
and at the overall service level is an important component of continuously
assessing the effectiveness of the service and how well it is providing value
to the organisation.

 

MANAGING STAKEHOLDER EXPECTATIONS – OVERVIEW

Having understood
the stakeholder expectations:

1.   Assess key stakeholder expectations, identify
gaps and implement a comprehensive strategy for improvement;

2.   Deploy quality resources for planning and
execution;

3.   Leverage technology to the full;

4.   Deploy a strategy for business knowledge
acquisition;

5.   Streamline IA processes and operations to
enhance value;

6.   Coordinate and collaborate with other risk,
control and compliance functions. In many organisations, some of these roles
are with IA or there may be an overlap. It is not unusual to find board members
looking at IA when issues of risk, control and compliance come up for review.

 

KEYS TO SUCCESS – HIGH-LEVEL INTER-PERSONAL SKILLS

Good oral and written
communication and presentation skills, topped with soft skills, will hold you
and your team in good stead.

 

Strong
collaboration with stakeholders calls for highly capable communicators who are
good not only at oral and written communications, but also good listeners who
are highly perceptive of body language and unspoken words. My experience over
the years is that there is scope for improvement for IA in effective
communication with stakeholders.

 

IA needs to
remember to communicate what is and what is not being audited and why. ACs need
clarity on this point. Further, following the sequence of observation, root
cause, risk and suggested mitigation, presented objectively and with clarity,
will reinforce your effectiveness.

 

And if you see a problem beyond your scope, either do something to fix
it, or bring it to the attention of those who can fix it. You will then be
perceived as a valuable partner to your stakeholders. Do not hesitate to
solicit feedback from stakeholders; ask them to identify areas for you to
improve.

 

To stay
relevant, always

*    Know your stakeholders’ expectations;

*    Set the right tone and culture for your team
– never stop short of demanding quality, agility and integrity;

*    Build
exceptional teams that deliver high-value assurance and advisory services to
the organisation / client.

 

STRIKING A BALANCE

To achieve the
right balance, IA may employ some of these approaches:

(i)   Engage stakeholders as a business leader, not
a technical auditor –

Assess the IA
team’s level of business acumen and, if necessary, develop a plan to spend time
and effort with those in the organisation who can help you think more like a
business leader and understand the risks related to its strategies and
businesses and the internal and external inter-dependencies. And align these
with functional knowledge of IA.

(ii) Coordinate with the second line of defence –

Understand clearly
the work done by functions in the second line of defence. Collaborate as much
as possible with these functions, work towards common views of risks and
compliance where possible. Once the rigour of their work is tested, IA may rely
on assurance work done by these functions.

(iii)        Balance competing demands –

Develop strong
relationships with stakeholders, including auditees at all levels. However,
stay grounded in your professional obligations and be firm when the situation
demands.

 

IA may also involve
itself in conducting proactive fraud audits to identify potentially fraudulent
acts; participating in fraud investigations under the direction of fraud
investigation professionals; and conducting post-investigation fraud audits to
identify control breakdowns and establish financial loss. Above all, just
watch for complacency!

    

Recent stakeholder
surveys suggest that whilst IA is keeping up with changes in business and is
communicating well with management and the Board by focussing on critical
areas, IA needs to demonstrate its capability for value-add. This is
best done by moving beyond its comfort zone to help organisations bring an IA
perspective to strategic initiatives and changes – digitalisation,
cyber-security, Internet-of-things and more. It needs to proactively flag
the new and emerging risks that organisations need to understand and
manage.

    

To successfully
manage auditees’ expectations, IA should become familiar with the most common
issues relating to their expectations. To understand them, find some time to
have one-on-one casual and unscripted conversations as often as possible. You
need to realise that stakeholders are not IA subject matter experts. They may
not understand the IA jargon or theory as well as you do. Take some time to
understand them and educate them when you know for sure that there are gaps in
their knowledge that should be filled. Keep it simple when communicating
with auditee stakeholders; in fact, use their language in your conversations
and you will instantly strike a chord!

    

Working with
stakeholders is a two-way process. Talking to and working with them is
fundamental to IA. It enables internal auditors to explain the value of IA
while getting to know stakeholder expectations. Regular face-to-face
meetings enable internal auditors to highlight the function’s role in good
governance and explain the value of the independent and objective assurance.

Stakeholders, on the other hand, have an opportunity to talk about IA
performance and flag risks or issues they would like to see in the IA plan.

 

Regular contact is
therefore beneficial to everyone, but it can be difficult to organise. Plan
ahead, especially as other assurance providers may be competing for your
stakeholders’ attention.

 

MANAGING STAKEHOLDER EXPECTATIONS

Let us now look at
how IA can manage its key stakeholders:

 

AC / Board, CEO

  •     With the AC Chair as well
    as with the CEO, agree on the audit plan after presenting your draft and
    soliciting guidance to modify it. That establishes an agreement that
    captures the stakeholder expectations. Thereafter, remain proactive; seek
    periodic meetings where you can share progress as well as any challenges that could
    impede audit execution. Avoid surprises with all stakeholders, especially the
    AC Chair and the CEO. Reset expectations if necessary or seek support that may
    mitigate challenges.
  •     Talk to your stakeholders, particularly your
    AC Chair and CEO, perhaps also the CFO, and find out what they expect from IA.
    This not only includes the focus of the IA plan but also IA processes, such as
    expressing opinions, reporting styles, performance monitoring and quality
    assessment.
  •     Set up separate ‘audit
    planning days’ with the AC Chair / members outside the formal meeting schedule.
    Prepare monthly / quarterly activity reports or regular briefings for AC
    members requesting feedback. This might include a balanced scorecard or
    dashboard to show progress on a number of important activities. Meet informally
    or call your AC Chair between meetings. Meet the AC Chair before each meeting.
  •     AC Chair and CEOs often use
    IA as an informal sounding board with whom they can discuss risks and explore
    practical responses.

    

Auditees

  •     Organise formal, one-to-one
    internal audit planning discussions with business heads and heads of support
    functions.
  •     Find time for follow-up
    reviews with managers to understand changing risk profiles.
  •     Schedule informal, short
    ‘catch-up’ meetings or phone calls with managers to keep up with changes and
    developments in the organisation.

 

Your collaborators

  •     Establish regular meetings
    with the CFO and risk management teams to maintain awareness of risk events and
    issues.
  •     Keep in touch with other
    assurance providers to share information.
  •     Collaborate with the
    compliance head and the IT head – both of them can be valuable supporters in
    your initiatives. IA can also work on creating a common resource pool with this
    set of collaborators.

 

Your team

  •     Arrange monthly team
    meetings for sharing experience during execution.
  •     Organise training for
    functional and soft skills. Hold ‘audit workshops’, for example, where the CEO,
    CFO or a business head may meet with a section of the audit team to discuss
    significant risks and issues.
  •     Recognise good performers.
    Ensure variety for the team and focus on their development and rotation.
    Demonstrate how IA can be a pipeline for talent that is already groomed in
    process discipline.
  •     An annual two-day offsite for
    the IA team is ideal for brainstorming, introspection, assimilation of feedback
    and team-building. Try and get an external expert to address the team. The IA
    team is more often in the field and less often in office – life can be tough,
    so be sensitive to their hectic schedules and extend support to them.

 

External stakeholders

  •     Schedule planning and
    update meetings with external stakeholders, e.g., external audit. It is
    necessary to share the audit plan and solicit inputs from the statutory
    auditors. Have at least quarterly meetings to exchange notes with them.
  •     Periodically engage with a
    professional network, which is a good forum for sharing new initiatives and
    knowledge and also for trying joint initiatives.
  •     Be a part of professional
    networking groups and occasionally host such meetings in your office. That also
    helps your team to get external exposure.

 

Over the years,
there has been a reluctant acceptance that IA does not enjoy as much influence as it
could have enjoyed. There is a feeling that IA is not positioned properly
within the organisation to have the maximum possible impact. And often, IA is
reduced to a compliance function, unable to focus on the opportunities and
risks.

 

Often, IA teams do not have the right skills and capabilities to
undertake the kinds of activities needed to be relevant and impactful within the
organisation. In response to this challenge, more CAEs (Chief Audit Executives) plan to use alternative
resourcing models in the coming three to five years to gain the kinds of skills
they need. Co-sourcing, for instance, is a popular option that helps access
specialised skills. Additional alternative resourcing models such as guest
auditor programmes and rotation programmes are also gaining acceptance.

 

Though many IA
teams are embracing analytics to drive deeper insight and provide greater
foresight, others are barely scratching the surface. CAEs are now attempting to
deploy the advanced analytics and predictive tools that leading internal audit departments
are using to provide greater value, deeper insight and foresight
to their stakeholders. Use of workflow-based audit planning and
execution software is helping IA to enhance delivery.

 

STAKEHOLDER ENGAGEMENT PLAN

Here are some
simple ideas that might form part of a Stakeholder Engagement Plan or a
component part of IA strategy:

(a) Develop an induction programme for new AC
members and business leaders / senior managers.

(b)        Organise separate management meetings and
earmark sessions during AC meetings to provide updates and relevant
information. This could include changes in legislation, regulation, risk
management and IA profession and how this might impact the organisation and
audit execution.

(c) Develop an intranet site that contains useful
and relevant information and ensure that it is kept up to date.

(d)        Prepare and circulate a brief note
containing information about IA activities. Use this channel to introduce your
team to a larger audience. Update this periodically to include highlights of
the achievements of IA during the year.

(e) Prepare short guides relating to the IA
process, IA involvement in projects such as systems implementation or new
business set-up, IA role with regard to risk management, etc. Auditees love to
see documented audit processes and terms of engagement with IA, including
service level agreements for flow of information, responses and action-taken
reports.

(f) Schedule periodic meetings with key
stakeholders, even when there is no direct engagement activity in their area,
to stay alive to business changes and the potential for new and emerging risks
that might call for a revision of the engagement plan.

(g)        Offer to second team
members for support or, better still, introduce the concept of guest auditor
for operational audits.

 

With support from
management, IA must help the organisation realise that there is one goal with
one common interest and that there is one team, not two, and each performs its
role in a different way – that would contribute significantly to harmonising
work performance, increasing the effectiveness of IA and achieving stakeholders’
satisfaction.

 

DO STAKEHOLDERS MEET THE EXPECTATIONS OF INTERNAL AUDIT?

The question of how
IA can meet the expectations of stakeholders has often been discussed and
debated. Various questionnaires are used to measure the satisfaction of
stakeholders with the performance of IA and its role in achieving the
objectives of the organisation, improving its operations and enhancing the
control and risk management practices.

 

There is also a
need to address the subject from the other party’s perspective with the same
degree of interest – how can stakeholders meet the expectations of IA and be
supportive of IA? While it is the responsibility of the management to ensure
that IA is well accepted in the organisation, IA is well advised to take a
proactive approach and build bridges with various stakeholders through fair and
effective communication and finding opportunities to demonstrate the
contribution of IA on a regular, ongoing basis.

 

CONCLUSION

The frequent discussions about how IA meets the expectations of
stakeholders may perhaps give a wrong impression about internal audit in
comparison with other functions within the organisation. In some organisations,
IA is criticised for impacting the morale of business teams by raising
objections and concerns. In others, particularly those experiencing
cost-control measures, IA is often called upon to justify the reasons for its
existence and the importance of its work. These misconceptions can best be
erased by sustained investment in managing stakeholder expectations and
focusing on value-addition across the various areas addressed by Internal Auditors.

 

Though IA may not
be the most glamorous corporate activity, without it, many organisations would
fall foul of their numerous regulatory and compliance obligations. Indeed, IA
helps companies to establish and maintain solid cultures of compliance up and
down the corporate structure. Historically, IA has focused primarily on just
financial and compliance areas. More and more organisations are beginning to
see the strategic and operational benefits of utilising IA from an enterprise
risk angle. Compliance with ever-increasing regulations obviously remains a
core focus for IA teams; however, increases in social media usage as well as
the recent explosion in cybercrime and developments in the technological space
are posing more issues for internal auditors to address.

 

As IA encapsulates
a variety of business areas, boards, senior executives and auditors are
becoming increasingly aware of how companies can leverage IA as a strategic
business adviser, but it is up to companies to find the right balance. Happy
stakeholders will support IA adequately to ensure that the right resources are
available and influence the organisation culture to look at IA as a
collaborator.

 

Good business leaders should anticipate what their customers will
want in the days to come. Good IAs need to be alert to what their stakeholders
will expect from them, especially when there is so much turbulence in the
corporate world. Are you ready? 

 
