Reading this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.

INTRODUCTION

As a general rule the people who succeed in organisations aren’t necessarily the most able or technically competent.  Rather, they are often the ones who are able to persuade and inspire.  We talk about such people as having charisma and an important part of this is the ability to build rapport and communicate in a way that touches their audience.  As the American poet, Maya Angelou famously said: “I've learned that people will forget what you said, people will forget what you did, but people will never forget how you made them feel.

For internal auditors, the ability to communicate well with our various stakeholders is vital.  We have a broad range of stakeholders: from members of the Board to almost anyone who provides us with information as part of an audit and inevitably, they have different needs and expectations regarding the work that we do.  Another thing that sets us apart from other functions in the organisation is that our job generally involves us spending time in other departments, looking at people’s systems and suggesting ways that they can be improved.  When you are auditing established processes, managed by long-serving members of staff it’s not unusual to get resistance, or even hostility.  It can sometimes seem like you are telling a mother that she has an ugly baby!

While giving such messages will never be easy, there are techniques Internal Auditors can use to try to ensure that what we say is heard in the most palatable and impactful way.

WHO ARE INTERNAL AUDIT’S STAKEHOLDERS?

Best practice internal audit departments spend time thinking about how they can add value to the organisation and what their different stakeholders are looking for them to provide.  As Richard Chambers, President and CEO of the IIA put it: “We should never lose sight of the fact that we do not define value.  It's our stakeholders who define what value is.  You must start with the stakeholders as you work through this process.”

Internal auditors typically have three broad groups of stakeholders within the organisation and (depending on the industry) two external groups who they need to communicate with.  In certain organisations in the public sector, it may also be useful to consider the views of “End users”, such as patients in the NHS, or tenants in Housing Associations.  Interaction with end users can be facilitated via bodies which represent them and generally their needs will be similar to the Non-Executive Directors in terms of good governance.  As illustrated below, the different groups may have quite different needs and expectations:

Internal Stakeholders

Board of Directors/Audit Committee

Possible primary needs: Assurance that key risks are being managed within the organisation’s stated risk appetite; a clear (unambiguous) message from the Head of Internal Audit.

Possible KPIs: Delivery of the approved Plan; audit coverage across the whole enterprise, over a set period; number or age of outstanding actions.

Other factors: May have particular areas of concern (e.g. based on their experience at other companies); will probably want concise, high level, thematic information; unlikely to have in-depth knowledge of the organisation’s processes; likely to be particularly sensitive to potential reputational issues (including frauds); may not want IA to perform (much/any) advisory work, at the expense of carrying out core assurance activities.

Executive Management

Possible primary needs: Audits of areas of concern to them; reports that support their personal ‘Agendas’.

Possible KPIs: Savings identified; perceived cost/benefit of the IA team; length of time to issue reports.

Other factors: May want IA support on major projects or other advisory work; will typically want concise information (though may want more detail for their own areas); unlikely to want Red-rated audit reports or large numbers of findings in their areas.

Line Management

Possible primary needs: A clean audit with few findings; pragmatic actions to improve the control environment.

Possible KPIs: Rating of reports; numbers of recommendations; time spent by IA in their department.

Other factors: May want IA to intercede with the Executives on their behalf; may want to use IA as a free resource (e.g. by ‘borrowing’ internal auditors to work for them on secondment).

External Stakeholders

External Auditors

Possible primary needs: Confirmation that Management takes control seriously and that risks are being managed; information regarding any locations they don’t visit themselves.

Possible KPIs: Spread of ratings across reports issued; numbers and age of outstanding actions.

Other factors: External auditors cannot generally place reliance on IA.  However, a professional and effective team can be a useful source of information. May request IA workpapers, for particular areas of interest.

Regulator

Possible primary needs: Confirmation that Management takes control seriously and that risks are being properly managed.

Possible KPIs: Spread of ratings across reports issued; numbers and age of outstanding actions.

Other factors: Likely to be interested in Audit Reports containing “trigger words”, e.g. “breach” or “non-compliance”. May request IA workpapers – particularly for any Audit Reports containing trigger words.

Preparing a Stakeholder Analysis of this type (for example, in a workshop as part of an internal audit team meeting), can be a useful way of making sure that all members of the department share a common understanding of stakeholders’ expectations. 

UNDERSTANDING EXPECTATIONS

Obviously, the best way to find out what your stakeholders want is to ask them.  It can be tempting to communicate with senior managers via questionnaires or regular update emails, where words can be carefully selected and polished.  This approach also enables auditors to stay in the “comfort zone” of their office or cubicle.  However, email is essentially a series of one-way communications and obviously relies on management actually reading the email and bothering to respond.  

Telephone or videoconference calls are a better option and allow a two-way conversation to take place.  Also, if you are dealing with stakeholders in other countries, this may be the most cost-effective option.  However, as a general rule, face-to-face is always best.  Ultimately, internal audit needs to be visible at the most senior level if it is to be effective.  Indeed, a Head of Internal Audit that I used to work with advised me that, particularly when dealing with senior management and Executives, you need to “see the whites of their eyes”!   

Holding face-to-face meetings with senior Executives can be a source of anxiety to some internal auditors (and indeed, some Executives exploit this fact!).  However, it’s possible to learn various techniques to help you stay calm in such circumstances, which will be valuable in your future career.  

In person meetings are a good opportunity to get to know stakeholders better and build rapport.  As well as enabling a proper dialogue and chance to draw out additional information, they also allow the internal auditor to pick up on what is not being said, by observing body language.  I recommend new internal auditors familiarise themselves with the basics of Neuro Linguistic Programming and also Myers Briggs Type Indicators (or one of the more recent derivatives of MBTI).  Some people challenge the science behind these techniques.  However, both do help auditors appreciate that when it comes to communication, there is no “one size fits all”.  We need to be flexible in the way we interact with others and always try to adapt to their communication preferences.  As we try to address their particular needs, it’s useful to think about the stakeholder’s “WIIFM” (i.e. the “What’s In It For Me?”).

Stakeholder Engagement Plan

A Stakeholder Engagement Plan (SEP), which records formal (and informal) meetings that members of the IA department have had with stakeholders can be a useful working document.  As well as being a good place to record what subjects were discussed, the SEP also helps to prompt auditors to have regular contact with their stakeholders.  Obviously, it’s important to strike a balance, so that you are engaging with your stakeholders with the right frequency.  Executives will not thank you for scheduling meetings if you don’t have much to talk about.  However, it can be even more dangerous to assume that their expectations are being met or have remained unchanged since you last spoke to them!  

As the late Steve Jobs said, in a quote which I think is particularly relevant for Internal Audit: “Get closer than ever to your customers.  So close that you tell them what they need well before they realize it themselves.

 

Greg Coleman - independent consultant

After 25 years of experience in governance, risk management and audit roles for various multinational organisations, Greg now works as an independent consultant.  He runs a variety of internal audit training courses and is an External Quality Assurance reviewer on behalf of both the Chartered Institute of Internal Auditors and their French opposite number, IFACI.