A few years ago, I was privileged to be a member of the Institute of Internal Auditors’ Relook Task Force.
It had a couple of objectives, including reviewing the Definition of Internal Audit (which it decided did not require updating, although we did decide to add a Mission of Internal Audit), and answering the question of whether the IIA’s International Standards for the Professional Practice of Internal Auditing should be principle or rules based. We quickly agreed they should be principle based, but what are the principles? That led to the development of the Core Principles of Internal Auditing, which were published after approval by the IIA’s board.
One of the points that was made by one of the other members was that while there is value in formal communications by internal audit, such as the audit report, in many cases management and the board obtain immense value when internal audit shares their less formal insights. That sharing is often not included in formal audit reports. These insights may not be backed up by “evidence” that would stand up in a court of law, but are instead the professional opinions and observations of the internal auditors.
We are Entitled to Professional Opinions!
The Task Force was unanimously of the opinion that insight was not only of great value but sharing it should be included in the Core Principles. Most of us were experienced chief audit executives (CAEs) and knew that the audit committee’s questions usually asked for insights that went beyond the content of any audit reports, beyond what we could prove with evidence.
One of the members of the IIA staff has said that the IIA’s Standards Board doesn’t see a difference between advice and insight. Which takes me to my point: What is the difference between advice and insight?
I asked Google’s new artificial intelligence engine, Bard, this very question, and it had a very good answer:
“Advice is a suggestion or recommendation on what to do in a particular situation. Insight is a deep understanding of a situation or problem.
Advice is typically based on the advisor’s experience, knowledge, or expertise. It can be helpful in providing a new perspective or a solution that the advisor has seen work in other situations. However, advice should always be considered carefully, as it may not be the best solution for everyone.
Insight is often gained through experience, but it can also be gained through research, reflection, or simply being open to new ideas. Insight can help you to understand the root cause of a problem, identify your options, and make a decision that is right for you.”
An audit recommendation is advice. We have been doing it forever, and we even talk about consulting or advisory services. Our assessments and any advice we provide should be based on our insights, our understanding of the operation, its objectives, its risks, its organization, its people, its processes, its systems, and its controls.
Practitioners often shy away, however, from sharing their insights beyond what they are prepared to put in their audit reports. Maybe they are afraid of being wrong. Maybe they don’t know how to address challenges by management, because they don’t have sufficient evidence to prove they are right. Maybe they don’t see it as their job! Maybe they don’t see the value of a discussion, open and constructive.
The members of the Task Force would disagree. We all believed that: (a) as experienced professionals we have insights that management values, and (b) we have a professional obligation to share them with management.
Examples of Sharing Insight
We could all tell stories of insights we have shared outside the formal audit report. Let me tell you some stories of my own.
At Tosco, early in my time with that company as CAE, I saw that several direct reports to the refinery manager disliked each other and did not work well together. I shared that in a confidential discussion with the refinery manager. I told him that I thought this was a problem, but I didn’t give him a specific recommendation. He appreciated the insight and worked to address it.
Years later, also at Tosco, my team and I found that the root cause of several accounting issues was a manager who didn’t trust his staff. He refused to delegate any decisions, instead taking them on himself. As a result, he burned the candle at both ends and made serious tired mistakes. We talked to his staff and found them to be experienced and competent—contrary to what the manager believed. I shared that insight with management. They told me they suspected something like that, but didn’t have the insight we did, and they appreciated it. We didn’t make a specific recommendation; we let them figure out (with HR) the best course of action.
At Maxtor Corporation, I was very impressed by the accounting team in Singapore, especially the Controller and Assistant Controller. I shared this insight with management and also with the audit committee. It was information of value to them.
At Solectron Corporation, my team audited procurement practices at several of our global locations. Penang was clearly the best and was obtaining the same materials at better prices than anybody else. They should have been a role model for the other locations. We shared that insight with management, and they appreciated it.
At Business Objects, I noticed that members of the audit committee were grilling the CFO more than I had seen before. I shared that insight with one of the members who confirmed that they weren’t totally confident in the CFO. I also observed that other executives were including the CFO’s #2 in meetings rather than inviting the CFO himself. I shared these insights with the CEO, who said he was aware of the problem. However, my noticing it and telling him what I saw was valuable information to him. He had confidence in the CFO and needed to make sure others did as well.
Also at Business Objects, when I visited our shared service center in Ireland, I found morale to be low, the staff were young and inexperienced, and the managers overwhelmed and of doubtful competency. I discussed these insights with the regional controller in Paris, who was not fully aware of the problem. Changes were made.
See It, Say It
Sometimes, we can see things that management cannot. Our perspective is objective and free from bias (I hope). People will tell us things that they won’t tell their own management. When we share our professional insights with management, we get their respect. They listen to us and may grant us a seat at the table.
Recently, I was in London and traveling on the Underground. There are frequent announcements asking people to be alert to something possibly wrong: “See it; Say it; We will sort it!” If an internal auditor sees something that management should know, “say it” so they can sort it. Good or bad, they will value the insight.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
Note: This article was republished with permission from Norman Marks on Governance, Risk Management, and Audit.