Mariette Cutler, Managing Director of The Risk Navigation Group, discusses how relative inexperience in the audit profession can be a real asset – salve to the souls of those still gaining a footing in the GRC space.
Early morning paired with the brisk fall air to set the tone for a third-quarter audit committee meeting. Most of us have been there: dry commentary interspersed with the occasional cold remark and a generous sprinkling of buzzwords.
Audit committee meetings can be stressful. The pressure is on to have all your ducks in a row, all possible questions anticipated and the corresponding answers prepared. During the meeting, a “Mr. Smith” (real name withheld) was introduced as a recent addition to the team. After [whatever Mr. Smith did… call, report, etc.], the audit committee discussed what he could bring to the table. The tentative, optimistic consensus was that Mr. Smith was very professional and came across as experienced and knowledgeable. Since I had recently met Mr. Smith in person, I was asked what my first impression was. I immediately responded, “I really like his shoes!”
The initial reaction I received was one of those moments that’s funny in hindsight, but not fun at all in the moment. There was open surprise, a little hint of disbelief, but mostly it was blank confusion. When the faces wearing those expressions are your boss’s boss’s boss and all the bosses in between, it’s not a comfortable feeling. Generally, internal audit engagements are quite clear-cut and dry. The job is to analyze risk and improve control structures. The concept seems very simple, and “shoes” are not usually considered relevant.
Most internal audit departments rely on straightforward, tried and tested, “expected” processes. As a result, many internal control structures do not take into account the individual nuances between departments or divisions. Effective controls are rigid and difficult to manipulate, especially if they are programmed correctly. Other controls can be easier to implement, but are often based on assumptions that may not reflect the ever-changing business environment. Whether they are good or bad, all controls rely on people doing the right thing at the right time in the right way.
Understanding people’s motivators and their disposition to their day-to-day job responsibilities can give you some insights into the likelihood of control failures. However, in a setting that’s all about the numbers, it can be easy to miss this. On the other side of it, people are the first line of defense. People are not robots; they are unique and all bring a different skill set to the workplace. Relying solely on a control structure stifles innovation and will take away the opportunity to take full advantage of people’s capabilities. This is not an exact science, of course, but it can help identify people in the organization that are more or less likely to help the internal controls functions.
To be a truly effective auditor, you need to identify the people who have the company’s best interests at heart. These people may not like the hassle of an audit, but they are not afraid of it. They welcome another set of eyes to look at the current status of the business for objective opinions. Being asked multiple times for help bringing issues forward and on investigating why certain solutions don’t seem to work quite right, or being asked the question, “what’s industry best practice?,” these are best case scenarios for auditors, because it shows that the local team trusts you enough to point out existing problems with the trust that the audit will help improve the business. You want to think like a business partner, not the police.
The other side of the coin: people who actively avoid audits, offering irrational excuses and behaving erratically. I’m sure we’ve all experienced pushback on an audit – for example, document requests that are delayed for three weeks when the audit engagement is two weeks long and scheduled six weeks in advance; being told to only speak to certain employees in a department; or an audit finding that is met with hostility and defensiveness instead of open discussion for the best solution. These are all pretty clear signs that those individuals aren’t on board with the audit. It’s very important to have employees’ “buy-in” if you’re going to make lasting changes. Putting aside expectations and looking past people’s job titles to see them as individuals can provide valuable insight. This brings us back to Mr. Smith and his shoes.
Mr. Smith is a white-collar employee in the finance department, but he wears steel-toed shoes every day. So why did “I really like his shoes”? It comes down to a common thread I found on a previous audit concerning people’s PPE and their attitude toward the job. Employees in the procurement department who had eye and hearing protection on their desks were the ones going out to actively troubleshoot problems at the receiving dock.
Mr. Smith wearing steel-toed shoes to work every day signaled to me that he is prepared to review inventory levels in person to make sure things make sense on the books. A supply chain employee who performs due diligence on current suppliers to ensure compliance with laws and regulations is protecting the company as well as themselves. This attribute is an indicator that the team member cares about the internal controls in place, because they go out of their office to investigate problems as they occur in real time. Mr. Smith and employees like him are assets to the company, but the reasons why aren’t always recognized, because they don’t show up in the numbers.
I think being open to others and what they bring to the table is one of those things that doesn’t come with time and experience. Being willing to learn is a choice we make, and it’s one that gets harder the more personal knowledge and experience we have. In the end, being new and without expectations proved to be useful; there are no preconceived notions, and people’s uniqueness can be appreciated as a strength. Maybe “I like your shoes!” is not that strange of a comment when you want a finance employee who focuses on more operational processes. Take note of who you interact with; those observations can give some indication of what type of person they are.