By Tom O'Reilly
24 April 2017
The Apprentice, Top Chef, and Project Runway are three of the most successful reality TV competition shows in the United States. Each show highlights a cast of competitors trying to prove themselves to a panel of judges on how well they do their job. The end of each show features the judges’ assessment and feedback of each competitor, which then ultimately decides their fate, or reward.
From a CAE’s perspective, it is easy to see some similarities between the shows’ and Internal Audit’s responsibilities. A major goal of an internal audit is to work with audit customers to determine if their assigned risks are managed to an acceptable level. Then, similar to Donald Trump, Tom Colicchio, and Heidi Klum (the shows judges), the CAE provides feedback on the audit customer’s management of those risks.
When a contestant does a great job, they can be rewarded with new job opportunities, industry acknowledgment, major publicity, cash rewards, or some combination of each.
Audit customers receiving a “no issues” or positive audit rating can be rewarded similarly to TV show contestants, however, doing so should involve serious consideration by the CAE. Improperly rewarding audit customers can affect the efficiency of future audits, cooperation from future customers, and even question Internal Audit’s objectivity and independence. With this in mind, several reward methods and parties are analyzed to help determine how, or if, our customers should be rewarded for positive audit results.
Recognition in the Internal Audit Report
The first, and perhaps most obvious way a CAE can reward an audit customer for a satisfactory audit rating is by acknowledging the individuals by name in the audit report. The audit report is used to communicate whether a process or department’s risks are managed acceptably. Simply stating the names and titles of all who have responsibilities in the area well managed can be positively viewed by individuals who do their job correctly and can also help establish Internal Audit’s reputation as fair and balanced.
But, can Internal Audit objectively conclude through their audit procedures that the process has been managed with no exceptions? It is easy to conclude when a control is not operating effectively. The percentage of issues identified from the sample is then applied to the population to extrapolate an assessment of the total times the control did not operate as expected. And assurance that the control, and process, needs improvement is obtained because evidence of non-compliant transactions actually exists.
But can testing a sample of transactions that identifies no issues provide the same level of assurance thatalltransactions comply with process procedures? Even if data analytics are used to identify transactions more indicative of non-compliance, it would be difficult for most CAEs to attest that the process has no problems unless the full population of transactions were tested. Providing this positive assurance to the audit committee that the process could hurt internal audit’s credibility if issues were to arise in the future.
If the CAE decides to highlight individuals within the audit report, they should consider further articulating exactly why the individuals are being recognized. For example, “John Doe and Jane Doe oversee customer complaints in the call center. For the 100 customer complaints tested, all were handled in compliance with call center policies”.
Publicizing Internal Audit Reports to the Company
Another channel for CAEs to promote satisfactory audits is by publishing positive audit results on the company’s intranet site, through a company newsletter, or at a town-hall meeting. Obviously, certain executive management approvals may need to be obtained. But doing so may help promote risk management and control awareness and prove that internal audit is not always out to report bad news. However, making audit results public also comes with its own set of risks.
For example, if audit customers are aware that positive audit reports will be published to the company, their focus may turn to doing everything possible, including arguing, to earn a positive audit rating. This type of interaction could incentivize audit customers not to share all information relevant to make a conclusion and hinder the spirit of “continuous improvement”, which should be a part of every audit.
Whether through the audit report or a more public channel, a CAE should also consider if it is appropriate for them to be providing positive recognition at all. By publicly acknowledging employees for positive audit results, Internal Audit could be perceived as grading people, which could cause divisiveness between Internal Audit and those with not-so-perfect audit results. This could further damage Internal Audit’s perception of being a change agent within the organization.
Also, positively recognizing employees is one way to manage employees. And if Internal Audit is seen as managing employees, could their independence be questioned? This question then leads us to…
Senior Management and Audit Committee Acknowledgement
If Internal Audit is not the most appropriate party to recognize positive audit results, perhaps business unit managers, executive management, or the Audit Committee are. In addition to managing their employees as mentioned above, positive words from a company senior manager can reinforce the “tone at the top” and further motivate employees to do their job to the best of their ability.
Although the CAE will not be rewarding anyone, it doesn’t mean they don’t have a have a part to play. During one-on-one meetings with business unit, executive managers, or the Audit Committee, the CAE can provide some perspective on the job well done. Then, at the suggestion of the CAE and after the audit report has been emailed, the Business Unit or Executive Manager can follow up with some words of their own recognizing the individuals or team.
To get the Audit Committee involved, a little more work such as drafting an email or note, may be needed. But the effort will be well worth it! This proactive CAE just gave their Audit Committee member an opportunity to be more involved in the organization. If Audit Committee person sits on another board, chances are s/he is not getting these opportunities from their other CAEs.
Cash or other Performance Rewards
Similar to other measures of positive performance, audits with no issues could be rewarded by an on-the-spot or small cash reward. Normally, these types of rewards can range from $100 – $2,000 and need to be approved by at least a few managers. These rewards could be given because of the positive audit rating, but could also be given for spending all of the time necessary to help internal audit, in addition to maintaining their current workload.
Regardless of the reason, CAEs should keep in mind that any type of financial incentives may increase the chances of non-compliant behavior from the customer. Similar to publicly acknowledging positive audit results, audit customers could hide audit issues, retain information, or lie to auditors to increase their chances of receiving more money.
Recognition in Performance Reviews
If management does feel strongly about financially rewarding employees, perhaps the employee’s performance review can reflect the satisfactory audit rating their process earned. A satisfactory audit rating can at least support the employee is carrying out their control responsibilities at an expected level and can be one arrow in the quiver of their overall job performance. Including control efforts when assessing compensation can further align the “tone in the middle” with the “tone at the top”.
Congratulations, You’re Top Chef
As you reflect on the different ways audit customers can be rewarded for positive audit results, it would be wise to keep these TV shows in mind. The winners of the Apprentice, Top Chef, and Project Runway have proven many times over and over that beyond a reasonable doubt, they are the best at what they do.
Chief Audit Executives should think about whether audit customers should be rewarded and congratulated for doing their job, or if they have proven they are responsible for a best practice or significantly improving a previously area that was performing poorly. If objective evidence exists for the former, perhaps sharing this perspective with their managers is sufficient. If objective evidence exists for the latter, perhaps more accolades can be awarded. If objective evidence doesn’t exist? Then perhaps neither should the reward.
 Hopefully the phrases “Your Fired!”, “Please Pack Your Knives”, and “Alveterzane” are never mentioned in your audit reports.
 Need some more motivation to prompt an Audit Committee letter? Think about the impact a “great job” note given by a Board of Director to an overworked and underpaid middle manager. The conversation at the middle manager’s dinner table that night may be extremely different because of your actions. I hope one day we all have the opportunity to spread this type of good karma.
Tom O'Reilly is Vice President and General Manager of Internal Audit and Seminars at MISTI.