Should internal auditors be making recommendations?
ACCA’s Internal Audit Network Panel was recently discussing the outcomes of a series of consultative meetings held earlier this year. One point in particular was a recurring theme – ‘should internal auditors be making recommendations?’.
Unanimously, the panel believes that internal auditors should be making recommendations. Here, I will explain why.
As an internal auditor with 20 years’ experience, who works to high professional standards and is an experienced chair of audit committees, I started to examine the argument of raising recommendations in my own mind. Some key points were screaming out to me:
Why would we just point out the problems? The image of internal audit has suffered enough over the years; thankfully I believe we have made great strides in abolishing the old ‘policeman of the organisation’ type image - let us not now become the grumbling pot of negativity which springs into action, tries to point fault at management and generally casts doom and gloom wherever we go.
The IIA definition: ‘internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes’; the key words here for me are ‘help’, ‘improve’ and ‘add value’. Surely, recommendations are a key element of the process to achieve this.
As an audit committee chair, I look to my internal auditors to add value, which must come from their wider experience, fresh eyes and independence. I know from my personal experience this is a view shared by my fellow board members and our executive team; flip to my professional career as an internal auditor and I believe my clients rightly expect this of me and my teams when delivering services.
Do we not have the skills, experience or confidence in our own ability to assist? Is it the fear of getting it wrong? No one expects us to know everything! I think this is the pivotal point. It’s not the making of recommendations, but individuals having reservations about whether the recommendation is right, therefore whether they should be making it and whether if they do their independence is impaired?
My conclusion at this point is that internal audit must not just point out problems; we must be seen as a critical friend and force for improvement.
I believe it is the way in which we reach those recommendations which is important and that I’d now like to explore.
I believe that as a profession internal audit has moved on considerably over the years and many of us are doing our very best to dispel the old image of the policeman of the organisation and bayoneting the wounded. However, the terminology we use is not doing us any favours. I do not personally like to use the term ‘recommendation’; it creates a somewhat imposing state for management: ‘internal audit is saying we should do this’. Can you hear those police sirens howling away in the background?
I hope we all recognise that the internal auditor who plods around an organisation just pointing out problems, thinking they know it all or taking credit for management actions is likely to be met with short shrift.
Over recent years I have placed preference on the term ‘agreed solutions’; ultimately one can argue that an agreed solution is simply a recommendation, by another name, but importantly I believe the subtle difference lies in how you arrive at it.
We just need to remember two very important life lessons that I’m sure almost everyone’s parents will have shared with them; however, for which they cannot take credit.
The first I believe is credited to Epictetus – a Greek Stoic philosopher who lived approximately 50-150 AD – or is at least inspired by his words ‘we have two ears and one mouth so that we can listen twice as much as we speak’.
The second has its origins in the Bible, Ecclesiastes, 4:9: ‘Therefore two are better than one, because they have a good return for their labour’; translated to the modern proverb ‘two heads are better than one’.
For the purpose of illustration I’m skipping the fieldwork; as the internal auditor, we have identified an issue within the control environment which leaves the system exposed to a level of risk which is beyond that of the organisation’s risk appetite.
We have discussed this with management, the finding is factually correct and valid, so what’s important now? a) Communicating the issue succinctly to management and audit committee, but more importantly b) the solution: how are we going to help our client reduce risk to an acceptable position?
I refer you back to point 4 above; no one expects us to know everything. It is how we use our tool bag of skills that enables us to do this; think of yourself as an enabler or catalyst for action.
This is where we put the ‘two ears and one mouth’ proverb into practice; if we speak less, listen more and engage better with our clients it benefits our relationship exponentially.
This approach rests on the premise that management should know their organisation and systems much better than you; use this to your advantage.
When presenting your finding, discuss the risk exposure it presents to the organisation and then move to openly discussing methods by which the risk could be reduced.
This is the time to introduce and volunteer your own thoughts in respect of potential solutions based upon understanding of the client’s policies and procedures, regulatory requirements, professional experience or good practice that you have gained from auditing elsewhere and that which you have harvested from your fellow audit colleagues; but do not attempt to enforce your ideas - open the discussion up and invite the auditee to volunteer their thoughts.
Talk the issue through, listen to their ideas and steer the conversation towards reaching a consensus or rather the ‘agreed solution’ which draws on the respective experience of both parties and therefore reflects the ‘two heads are better than one’ proverb.
Don’t be afraid to openly admit that as management they will know systems and processes better than you do; recognition and indeed a little professional flattery will pay dividends. You are there for a short defined period to deliver the audit assignment; they on the other hand are likely to live and breathe it daily. Remember, no one expects us to know everything.
This approach enables internal audit to present the full story in its audit report to senior management and audit committee; we have identified the finding, risk exposure and arrived at an agreed solution through an engaging and consultative process to address the exposure. Management replies are simplified to acceptance, allocation of responsibility and the target timeframe for implementation.
It is this process of acceptance that ensures management recognises it is their responsibility to implement the agreed solution and protects our independence – ultimately it is their decision.
An engaging approach where management views are heard, respected and included to deliver the right outcomes for the business will strengthen relationships, embed internal audit and create a culture of co-operation and working together for the same aim.
Likewise, it improves the relationship upwards within the business and importantly with audit committee; what they really want to see is solutions not problems, agreement not disagreement, acceptance not conflict. Implementing an agreed solutions approach can help achieve this.
In a world characterised by swift, electronic and impersonal communication it does the internal audit process good to recognise these old proverbs and revert to old fashioned methods; many will remember the old British Telecom advert ‘it’s good to talk’ - most definitely it is, but remember to add a splash of Epictetus’ wisdom here and listen twice as hard.
As internal auditors, our most valuable tool is the ability to converse successfully with our clients.
Lee Glover FCCA – director of internal audit, Haines Watts