— CHAPTER 16 —
Internal Audit Needs a Seat at the Table Whenever I travel, I meet CAEs who long for an opportunity to secure the trust of key players within their organizations. The exact words vary, but the question they put to me amounts to this: “How can internal auditors get a seat at the table?” CAEs frequently seek my advice on the best way to secure and retain this seemingly elusive seat. Although there is no magic formula, I often share my thoughts on this professional quest. When I arrived at TVA in the summer of 2000 as the newly appointed inspector general, I was mindful of the rocky relationship my predecessor had with the board of directors in the years leading up to his retirement. As I contemplated a strategic approach for improving the Office of the Inspector General’s relationship with TVA’s board and executive management, I was struck by the current relationship, which was very much an us versus them arrangement — at least from management’s point of view. For example, I knew that the board and management met regularly to review the giant electric utility’s business strategy and its execution. I also knew that, as the inspector general, I was not invited to these meetings. I genuinely believed that getting a “seat at the table” was essential to better understanding the business and how its strategies and decisions were formulated. In early 2001, I approached TVA’s chairman and said I wished to attend the meetings as a non-decision-making participant. Not unexpectedly, he was very apprehensive. No previous inspector general had attended management’s meetings (though no previous IG had a background in auditing). He said he was concerned my presence would have a chilling effect on the candid discussion of business issues and exchange of ideas. He also worried that management would view my presence as an attempt to gather audit leads that the OIG would then use to cherry pick areas of weakness in TVA’s operations for targeting in our annual audit plan. I assured him I would not take advantage of such opportunities. In the end, we agreed that I would attend these meetings on a regular basis, but I would not attend every meeting. I recall the tension in the room the first time I showed up for a meeting. Several executives made no secret of their mistrust of the OIG, even if they didn’t know me. I took the opportunity early on to address the “elephant in the room” when I delivered a brief presentation on the OIG’s newly formulated strategic plan and informed the executives that our vision was to be successful in “illuminating today’s challenges and tomorrow’s solutions” for TVA. I also noted that one of our strategic objectives was to “enhance communications with stakeholders and deliver services that meet their needs.” TVA executives remained skeptical, but I followed up on my pledge to work more collaboratively by “walking the talk”— particularly during these important meetings. Over time, I came to earn the trust of several key officials. When I retired from TVA in early 2002, more than one of the board members and executives who had initially been skeptical of my intentions indicated they had been proven wrong. They thought my seat at the table had helped improve relationships between the OIG and TVA’s management. Why a Seat at the Table? For internal audit departments to deliver optimum value, the CAE and the department’s staff need a keen understanding of the organization. Such an understanding must include how the business strategy is formulated and how risks are assessed and managed. A “seat at the table” is simply a label for the CAE’s attendance at and participation in meetings and discussions with senior management and the board. In seeking a seat at the table, it’s most important that you first examine why you want to be there. Too often, internal auditors treat a seat at the table merely as a sign of success, which is a mistake. You must be at the table for the right reasons, not because you hope that being with senior executives will make others view you as a senior executive. Securing a seat at the table is a means to an end—not an end in itself. Not preparing for it in advance may damage, rather than enhance, your chances of delivering added value to the organization.
LIFE LESSON #34
“The process of earning a seat at the table begins long before you can pull up your chair. It starts with you building a trusting relationship with the organization’s board and management.” It’s also a mistake to view a seat at the table as a source of audit leads. If you leave your first management meeting with plans for an immediate audit of the operating unit discussed that day, you may not be invited to the next one. You need to add value, not prevent others from talking freely. And I mean add value — management will benefit from our being at the table only if we are prepared to share, not just listen. Think of guests at a dinner party: we want our hosts to invite us back. In the case of board and management meetings, it helps if we bring something fresh, interesting, and important to the discussion. Focus on making operations better in the future, not on past mistakes, and provide insight instead of hindsight. I understood that I would be more welcome at executive meetings of TVA if I was willing to share insights as the authority’s inspector general on matters related to risk and control. The table is not a training ground. We must be able to discuss critical strategies and business risks facing our organizations, and we must understand the organizations’ core business and be aware of both internal risks and external factors affecting our industry. If we don’t bring our own perspectives, we won’t add value, but we must be able to defend our views by ensuring we fully understand the discussion. Most internal auditors are prepared to offer such valuable insights long before they are invited to the table, because the invitation is usually the result of the relationships they have built throughout the organization. It’s not what we write in an audit report that gets us to the table — it’s what we do and say with management every day. Senior executives will want us there if they respect us and see us as knowledgeable, trusted advisers. By the time most internal auditors reach the table, they no longer see management meetings primarily as sources of audit leads because they are already fully informed on the subjects likely to be discussed. Adding value at the table requires a different perspective from the one we use as internal control advisers. Most internal auditors can discuss internal controls for a new strategic initiative, but when management discusses the feasibility of such an initiative, controls may be just one facet. To act as senior management, we must add value to other parts of the discussion as well. An important part of IIA Global’s strategic plan in recent years has been to support internal auditors worldwide in their quest to obtain a place at the table. While The IIA can advocate granting auditors a seat at the table, ultimately decisions about the scope of the auditors’ role will be made by boards and executives in the organizations where internal audit resides. Each CAE, therefore, must demonstrate the insight and ability to participate in the senior management team. Knowing what we want to accomplish and preparing diligently to accomplish it greatly increase our chances of getting to the table. Are You a “Trusted Adviser”? Many CAEs and internal auditors also long to be “trusted advisers” within their organizations. They want management and the board to seek them out for advice on matters involving risk, control, and governance based on their understanding of the business and an assured level of trust that they have fostered over time. But aside from possibly making us feel good about ourselves, what does it really mean to be a trusted adviser? If becoming a trusted adviser were easy, we could simply prepare a sign or add a line to our business cards—surely management would then seek us out at the first signs of trouble, right? Not really. The term “trusted adviser” contains the two essential qualifications for achieving such status: we must be trusted and we must possess sufficient expertise to offer advice. I often use a two-by-two matrix to illustrate the essential qualifications of a trusted adviser: As the graphic indicates, being a trusted adviser is a function of at least two broadly framed capabilities that CAEs must possess: risk, control, and governance expertise and strong relationship acumen. First, CAEs must be able to leverage their expertise; they must have a keen understanding of the business and the industry’s strategies and risks. They must also have a firm grasp of how effective internal controls mitigate risks and the board’s and audit committee’s roles in oversight. As discussed earlier in this chapter, without this kind of expertise, it is difficult for someone to provide meaningful insights, and a seat at the table will prove elusive. A trusted adviser must also possess the relationship skills to build and sustain effective relationships throughout the organization. As we explored in chapter 5, relationship acumen is an essential attribute for successful internal auditors and CAEs. It is also an essential ingredient for building and sustaining trust. If you want to be a trusted adviser, there had better be a credible level of trust between you and your clients. Possessing one of these attributes without the other will limit your potential as a CAE and typically leave you on the outside looking in when other executives are pulling their chairs up to the table. If you are competent but haven’t built effective relationships, you will likely remain a well-kept secret—not seen as the go-to resource when management has concerns or questions. Your audit reports will likely be seen as clinical inventories of findings and recommendations, and management will probably not call you with requests to take on sensitive issues on their behalf. On the other hand, if you and your team are seen as relationship experts but not very competent, you will likely be seen as little more than a great lunch partner. Management may find you and your team likeable but not much of a resource when they need answers to complex or difficult questions involving risk, control, and governance. The phone may ring—but only for rounds of golf. Of course, the worst scenario is to be viewed as both incompetent and lacking in sold relationships with management. If that is the case, you are likely just taking up space and overseeing a weak compliance function. And you are not likely to remain in that role for very long. Ultimately, the trusted adviser must be seen as having extraordinary expertise and someone with whom management has a strong and trusting relationship. These CAEs and internal audit staff are the ones that I invariably find in the high-performing internal audit functions around the world. From Backroom to Boardroom I would characterize internal audit’s journey during the past decade as having taken it from “the backroom to the boardroom.” Following those spectacular corporate failures in 2001–2002— and the subsequent regulatory and legislative response—internal auditing found itself front and center with the audit committee and other members of the board at companies around the world. The profession’s rapid rise in stature is reflected in statistical studies. In 2002, for instance, The IIA found that only 55 percent of U.S. CAEs reported functionally to their audit committees, but by 2007, PwC found that the number had jumped to more than 80 percent. In recent years, internal audit’s emphasis on assessing the effectiveness of financial controls has abated significantly. Given the shift in emphasis, I think there is a real threat that some audit committees may lose their newfound interest in internal auditing. I suspect my view is one not shared by many. After all, it will be argued, corporate audit committees have much broader missions than mere oversight of financial performance and controls. But is that really true? From my experience during the past decade conducting quality assurance assessments of Fortune 500 companies, I was struck by how narrowly written audit committees’ charters often were. In many instances, they were lifted directly from the sample audit committee charter promulgated by the New York Stock Exchange, which is heavily tilted toward oversight of the independent auditors as well as financial statement and disclosure matters. In fact, in the entire five pages of the sample audit committee charter, only two paragraphs are exclusively dedicated to oversight of the internal auditors. I have often found the emphasis in the audit committee charter was a reflection of the focus of its members, many of whom were primarily interested in receiving assurance from internal audit on the effectiveness of their company’s financial controls. Given the foregoing, I believe many CAEs face a significant challenge as they continue to rebalance their internal audit coverage to include greater emphasis on operational, compliance, and strategic and business risks. Their challenge will be to ensure the audit committee drives or embraces this direction and perceives the strong value that a comprehensive risk-based approach to internal audit coverage will bring. Otherwise, I fear some audit committees will grow bored with internal audit’s coverage of nonfinancial risks. As a profession, we have worked too long and hard to gain the stature we have enjoyed recently. Let’s stay in the boardroom and retain the seat at the table with management, because it is there where we can share insight and foresight, which is valuable to those who lead the enterprise.