
A world-class internal audit function that would not comply with the IIA’s Global Internal Audit Standards (as drafted)

As the CAE of multiple internal audit departments[1] that were considered world class by members of the board[2], top executives[3], consultants[4], and team members, I would deliberately not comply with the IIA’s Global Internal Audit Standards (as drafted).

Several draft standards are involved, especially:

  1. We would not perform an assessment of risks to the auditable entity that will be audited. We try to focus our scope on the controls at the entity relied upon to address the more significant risks to the objectives of the enterprise (i.e., we often do not address risks to the objectives that are only important to the entity).
  2. We do not include recommendations for each risk and control issue in our audit reports. Instead, we work with management to determine and then report agreed action items. Management believes these are necessary for their own success as well as that of the enterprise, so they get done.
  3. Because the risk is low that the agreed actions will not be completed, we do not formally follow up on and report the status of every action item, and rarely if ever perform a follow-up audit. We discuss significant issues with management in our periodic meetings with them, and that is almost always sufficient.

I posted a video on why I don’t report audit recommendations and some of the viewers found the idea challenging.

I like this comment:

What did you do to foster a collaborative and productive relationship between internal audit and other functions and how fast did you achieve that goal? More often than not audit and other control functions are perceived by the business as the “necessary evil” and this perception may be very deeply ingrained.

There are several keys to building that positive and constructive relationship, including:

  • Believing and living that belief that IA exists to help management and the organization succeed, not to make points at their expense.
  • Valuing our contribution based on our ability to provide the assurance, advice, and insight management and the board need, when they need it, in an easily consumed and actionable fashion. In other words, recommendations have no value. Only action has value.
  • Listening to management and treating them, at all levels, with respect. Not being arrogant but instead being humble because they know their business better (I hope) than we do – while retaining our independence and objectivity and standing up for our position when warranted (and after listening). Taking that extra time, letting them get to know us, and getting to know them.
  • Wanting to work with them instead of appearing to work against them.
  • Not surprising them, especially in front of their boss.
  • Going out of our way to praise when appropriate, and not just criticize. Issue balanced and fair reports.
  • Going out of our way so they don’t look bad when that is neither necessary nor fair.

Another viewer wrote “Don’t the IIA standards require recommendations?”, and my reply was that this was another defect in the GIAS draft!

On LinkedIn, there were another couple of interesting comments.

One expressed disbelief that I never included recommendations because sometimes it is hard to get management to provide an action plan. He said that sometimes “expedience” required the audit report to go out without the action plan. My response was that expedience is not part of my name. I prefer to take the time to sit down and work things out with management – for all the reasons I share in the video.

Another pointed out that some 2/3 of the reports she sees (as a consultant training people in report writing) include recommendations rather than agreed action plans. She said it would require courage to make the change. I disagreed, pointing out that management and the board would both be highly receptive to internal audit taking the time to make sure management owns and takes the right corrective actions.

The one I liked the best said that he had moved to including agreed action items with great success. Another said:

I fully agree with you Norman. It is possible to add value with collaboration. Both auditors and management are valuable assets of the company and they will find the best way to fix the issues if they collaborate, and it is important to add the agreed actions in the executive summary with the findings. Because the real value is in the agreed actions.

So, am I wrong to deliberately fail to comply with GIAS (as drafted)? Does that make me the CAE of a less than world-class internal audit function?

I welcome your thoughts.

====================================================================

[1] Notably at Tosco, Maxtor, and Business Objects

[2] “You help us sleep at night”; “you are a model of an effective internal auditor”

[3] “Internal audit gives us a competitive advantage”; “internal audit makes sure we stay efficient”; “keep it up or you’re fired”

[4] The first internal audit function included by Protiviti in the best practices database

  1. August 30, 2023 at 9:31 AM

    If there is a reportable condition, I would include in the report what management said was their action plan and not have a recommendation. If the action plan were deemed acceptable (time to complete and addressed the issue), of course. Internal audit can make recommendations verbally, but it is management that has to come up with, own, and implement the plan to address the issue. Recommendations not included in an audit report should be normal practice, but management’s plan to address the reportable matter should be there, IMO. If that means “non-conformance” in any future iteration of the IIA’s Standards, then so be it.

  2. Anonymous
    August 30, 2023 at 9:32 AM

    Sorry to bellyache with you, Norman, but the term is ‘conform’ not ‘comply’. Best, Hugh.
