EDUCATING STAKEHOLDERS ON THE STRATEGIC VALUE OF INTERNAL AUDITING
The Mission of Internal Auditing, as published by The Institute of Internal Auditors (IIA) in 2015, is to “enhance and protect organisational value”. The IIA explained that it introduced this Mission to “articulate what internal audit aspires to accomplish within an organisation”.
So, it is clear that internal audit exists for a reason – to help organisations create, preserve and sustain strategic value. However, is this clear to all the organisational stakeholders who are supposed to benefit from internal audit’s assurance and consulting services? I believe the simple answer to this question is a disappointing, resounding NO! Sadly, this is because internal auditors have not taken time out of their busy schedules to educate their stakeholders about what a well-supported and effective internal audit function can do to help optimise operations; positively influence decision-making; prevent penalties that result from non-compliance with laws and regulations; grow the market share; improve customer service delivery; enhance public relations; and even to propose innovative solutions that can help sustain competitive advantage in the market.
WHICH STAKEHOLDERS SHOULD INTERNAL AUDIT EDUCATE ABOUT ITS VALUE AND IMPACT?
This is the question that most chief audit executives ask themselves, and the only correct response to this is: educate all your stakeholders, across all levels within your organisation. No single position or structure is too important or unimportant to either advance or hinder internal audit success. A brief look at a couple of stakeholders below will help make this point clearer.
- The Governing Body (The Board of Directors, Council or Executive Authority)
As part of its governance responsibilities, the governing body is expected to steer and set strategic direction; approve policy and other strategy execution instruments; monitor performance; and report on the organisation’s performance. All these responsibilities require efficient and effective governance, risk management and internal control processes. For instance, the governing body needs to be certain that the integrated annual reports they sign-off on and publish contain credible and reliable information.
The chief audit executive can educate the governing body on the work performed by the internal audit function to assess whether key strategic programmes are achieving pre-set objectives; whether well-performing projects have the desired impact on targeted beneficiaries; whether operational and financial information reported by management is plausible and can be relied upon; and whether ethical standards set by the governing body have been consistently upheld by all stakeholders within the organisation.
Without full knowledge of what internal audit can do, most governing bodies wrongfully believe that the internal audit function exists to help the organisation obtain a positive external audit report, and as such fail to leverage this function’s expertise on the organisation’s core business. This results in governing bodies giving more attention and financial resources to external auditors, while short-changing internal audit. This situation quite often leads to clean external audit reports but failure to meet operational, financial and strategic targets and goals.
Nokia did not obtain a negative external audit opinion for losing the market to the likes of Samsung due to lack of innovation; Ford did not get a qualified audit opinion due to the Kuga’s costly explosions; and closer to home, tyres are still burning in municipalities that are given a clean bill of health by the Auditor General. The reason behind all these examples is to show that none of these organisations have preparation of financial reports as a core business. So, even if financial statements look good, the business activities on the basis of which financial reports are being prepared may actually be failing to live up to strategic expectations. Governing bodies must be educated more on these matters so they can derive full benefits from the costs they incur on assurance and consulting.
- Management and Process Owners
Members of the management team are mostly worried about achieving performance targets set out in the balanced scorecards for the areas they are responsible for, e.g. operations, human capital or finance. Promised incentives for good performance and fear of loss of lucrative jobs may lead to executives and process owners being hostile to the internal audit function, instead of making it a vital part of their business processes.
All this depends mainly on the extent to which management understands what internal audit is about. If they misconstrue internal auditors as corporate police officers, then they will try to hide as much information as possible from internal audit or ensure that internal audit does not get sufficient support (in the form of resources or collaboration) to efficiently and effectively discharge its mandate. There are other factors, apart from lack understanding of internal audit, which may lead to the unfortunate behaviour by management as described above. This may include incompetence and/or fraud (but that’s a topic for another day).
If internal audit can educate management on the significance of understanding deficiencies in governance, risk management and internal control processes, and on the value of preventing or detecting and correcting such deficiencies before they erode organisational value, then management may react differently to an internal audit report loaded with findings. Further, if internal audit educates management about how it can utilise its technical skills, through consulting services, to help process owners resolve critical process, risk and control problems, this may improve relations between the two parties (hopefully not at the expense of internal audit’s objectivity).
- Audit Committees
Unfortunately, most audit committees are dominated by members who have extensive external audit background and little, if any, knowledge of internal auditing. However, the problem is that while almost every external auditor claims to know internal auditing, in reality, they have very little understanding of what this profession is about. These are the people that most chief audit executives have to present their reports to; who have to approve internal audit plans and budgets; and most importantly, who are tasked with protecting the independence of the internal audit function.
The challenge is that these very people more often than not want to see less coverage of core business processes in internal audit plans, and more on reconciliations, ledgers and journals. If internal audit does not take the initiative to educate these professionals that business is more than a balance sheet, then the chief audit executive must forget about realising the Mission of Internal Auditing. Further, educating governing bodies that audit committees must have a balance of skills (to include internal audit and risk management experts, in addition to the accounting professionals), may go a long way to resolving this problem.
So, internal auditors must educate the governing bodies, audit committees and management, amongst others, that if business processes are not properly designed and carried out, the business may, in fact, disappear from the face of the earth before there is time to prepare the financial statements. Further, chief audit executives must teach these stakeholders that internal audit exists to ensure that organisations deliver on their strategies, achieve their objectives, manage their risks and capitalise on meaningful opportunities. Internal audit functions can achieve this by making educational presentations in monthly and quarterly stakeholder meetings, leveraging social media and also sharing thought leadership information that may help improve performance in specific processes, such as leading practices in supply chain processes.