Chief audit executives and directors are building teams that are out to change the perception of internal audit
By Karen Kroll
17 April 2017
NOTE: This is part four of a four-part series on treating auditees as customers. See part one, The Customer Service Oriented Internal Audit Department, part two, Tell Us How We Did: More Internal Audit Departments Surveying Auditees, and part three, Turning Front-Line Internal Auditors into Customer Service Envoys.
Adopting a customer service mindset for internal audit starts at the top. Chief audit executives and other internal audit leaders who want to change the perception of internal audit must create a culture of treating auditees as customers that includes changes to internal audit processes, communication of what is expected of rank-and-file internal auditors, and examples of taking a customer service approach through actions.
Once established, a customer service approach can help internal audit break down barriers and win the trust of business units and the other functions it audits. "It all starts with viewing those we audit as customers," says Ziad Lajnef, audit director of the Americas at General Motors. "When people ask what internal audit does, I tell them: 'We are in the customer service business, and you are my customer.' " Lajnef knows a thing or two about serving customers. Before becoming an internal auditor, he worked as a professional chef.
So what does taking a customer service approach really mean? It includes treating auditees with care, empathizing with them, making their jobs easier by being flexible on schedules and plans, keeping them well informed of the process, and going the extra mile to provide solutions whenever possible. "It also means listening more," says Lajnef.
Several attributes can help internal audit leaders deploy a customer service approach when interacting with others in the organization. The "Golden Rule"—treat others as you would want to be treated—is a decent way to approach relationships on and off the job. The "Platinum Rule" is even better, says Dan Samson, chief audit executive with SRI. That is, "treat others as they wish to be treated." Gain an understanding of customers' needs and preferences for working together, and accommodate as possible.
"To me, taking a customer service approach starts with understanding what's top of mind and relevant for the business," says John Hand, vice president, global internal audit at Samsonite. "Then it requires reflecting on how and where we can provide greater value to the business."
Hand notes that when he's working on an audit, his team looks for ways to provide insight and ideas that often go beyond the scope of the audit itself. For instance, an important strategy at Samsonite is expanding the company's direct-to-consumer e-commerce presence. He observes how different areas are working to execute this strategy and then shares ideas and best practices with stakeholders. "We're one of the few teams that looks across our global organization, while also having a deep lens into our operations," he says. "We try to connect the dots as we visit each of the subsidiaries."
Establishing Trust and Building Credibility
Credibility is critical to initiating a customer service approach. To gain it, internal audit leaders need to understand the business, says Ruby Opara, senior director and chief audit executive, global internal audit at Haemonetics. Venture into the business units and meet with the individuals who can demonstrate and help you navigate the operations, she advises.
Closely related to credibility is trust. "Be fair in how you deal with auditees," says Marius Bosman, director of information technology audit with Ball Corporation. He provides an example: His team had reviewed potential risks with one department. Managers of the unit agreed with the risks Bosman's group had identified, but mentioned another risk they believed was more significant. They felt the audit plan should be changed to cover it. They also asked Bosman to let leadership know the department had come forward to identify the risk. That type of honesty requires trust. "They know we won't throw them under the bus to make ourselves look good, and that we'll get the budgets to the right projects and risks."
Another way to build trust is to ask for input from others. Phil Benvenuti, senior director of internal audit at Pegasystems Inc., meets with the company's executives and direct reports twice each year. "I have always looked at our role as auditors as protecting the organization we are auditing, from the mailroom to the boardroom," he says. While internal audit can (and should) continue the "bread and butter audits of AP and Payroll," it also needs to understand the management's view of true risks the organization faces, he adds.
Straight talk and building relationships throughout the organization are also critical to winning the trust of customers. "I have to show that I mean what I say," says Molly Ruddock, senior manager, internal audit with Hologic Inc. Ruddock notes that as a relative newcomer to Hologic, she's made a point of meeting with leaders of different departments. "I let them know that my goal is to work prospectively with their departments, and not just come in and tell them what they're doing right or wrong," she says.
To be sure, audit leaders need to walk a fine line when their departments become involved in initiatives outside actual audits. "You want to make sure it doesn't come across like you're doing an audit," Ruddock says. Much of internal audit's time should be spent listening and learning the businesses' needs and objectives, she adds.
When offering input on projects, it helps to remember that internal audit's role is to provide another perspective, Ruddock says. One way is by asking questions. When Ruddock was a member of a software implementation team, she asked questions such as: Do you have a project plan? Are you following it? Have you documented any failures, so you can create a report of lessons learned?
Encouraging a Customer-Focused Internal Audit Team
For an entire audit department to truly be customer-service oriented, all employees and consultants, and not just executive leadership, need to be on board. Bosman says he lets new auditors and outside consultants know, "our approach is a softer approach. We're not here to catch anyone and prove ourselves."
Barbara Gai, senior internal audit consultant at the Louisiana Workers Compensation Corp., will have new internal auditors attend meetings with her, largely for observation. "They learn how we would like them to interact with management. They learn how to ask questions, listen, and be observant," she says. "The auditees are the subject matter experts, and it's important that we as auditors understand their processes and account for them accordingly," she says.
As new internal auditors take on a greater role in conducting field work, Gai continues her oversight. If she sees the information exchange between auditor and auditee isn't as productive as it needs to be, she'll intervene and get involved a little longer, often by continuing to sit in on meetings and coach internal auditors.
Treating auditees like customers can also mean taking into account practical considerations when deciding how to evaluate issues uncovered in an audit. "Guard against a pure textbook approach," Bosman says. For example, he was on a team that learned one setting in an IT system should have been different, according to the manual. When he talked with the IT department, he learned that changing the setting to align with the instructions would indeed make the system more secure. It also would block communication, however, and hamper business. To avoid that, the IT department had left the setting and established compensating controls.
"Obtaining this insight requires sitting with customers and saying, 'help us understand why this not in place,'" Bosman says. Once it understands the rationale, internal audit can advise management on the risk, so they can decide if they're comfortable with it.
After the audit, discuss the findings and actively listen to and consider the auditees' concern before finalizing the audit report, Opara says. When there's a disagreement, jointly evaluate the findings from the perspective of the potential risk to the company. "It's not about who wins, ensuring the viewpoint on risk is highlighted, and the related impact effectively articulated," she says.
In the end, of course, the audit report has to provide an independent, objective, and factual review of an area. Some auditees won't be happy with some of the findings. However, they're more likely to accept them if they feel they were treated fairly and had an opportunity to provide input, Bosman notes.
After an audit is wrapped up, Adda Power, director, SOX and internal audit with TripAdvisor, asks for feedback from the business contacts who interacted with the audit team. "This helps continue to develop the relationship with the business," she says. They see internal audit takes its job and interaction with the business units seriously.
When an audit leader receives feedback, he or she needs to seriously consider it. "Customers have to understand we heard them," Opara says. Moreover, the feedback can drive and guide constructive action, such as the reworking of a procedure. The client should be notified of the change, so they know their input received and used.
Celebrate the Good
Another way internal audit leaders can take a customer service approach is by "celebrating the good," Samson says. "Use success stories to reinforce behavior." For instance, he emails the head of each business division, along with the CEO and president, with the names of employees who had 100 percent compliance in completing daily timekeeping records.
In fact, SRI's internal audit department created a dashboard that employees receive, reminding them to complete their time sheet. It shows their compliance rate, their department's rate, and the company's rate. Highlighting positive information demonstrates that internal audit is there to help employees succeed, Samson says.
When audit leaders take a customer service approach to their roles, they, their teams, and their companies benefit. Audits become more efficient and focused on the significant risks. And other departments begin to consider the impact of their plans on risks and controls—before they implement them. "They'll say, 'We're thinking about making this change,'" Ruddock says. "Do you see any impact on controls?" It's a question a customer-focused internal audit department will be more than happy to answer.
Karen Kroll is a writer and editor based inMinneapolis, Minnesota.
Dr. Hernan Murdock is an instructor at MIS Training Institute and author of the book, Operational Auditing: Principles and Techniques for a Changing World.