We all know the importance of best practices and doing the right things the right way. In addition to understanding what we should do and why, it sometimes helps to look at what we should not do and why not.
During the 2010 MIS SuperStrategies conference, I led a session entitled, “The 50 Worst Practices for Marketing and Selling Internal Audit.” The look at 50 worst practices was a fun and fresh way to explain why some practices are better than others, and why some should be avoided at all costs. When it comes to the marketing and selling of internal audit, there are many potential mistakes. Perhaps the biggest is the failure to understand the need for marketing and selling.
Internal auditing has become a competitive business. To keep the function’s role as assurance providers, risk consultants, and process improvement specialists, internal auditors must be seen as adding value to an organization. To do this, internal auditors need to market and sell their services.
Unfortunately, we sometimes encounter people – even within internal audit departments – who do not believe that internal audit adds value, or that there is a need to promote the value it can add throughout the organization.
When we speak of marketing and selling internal audit, we are talking about educating stakeholders on the services we can provide, giving them examples of how these services recently have helped the organization, and then persuading, encouraging or inducing them to use our services.
A common theme in business these days is “doing more with less.” Internal audit can help organizations do this in any number of ways, including improving internal controls where needed, reducing or eliminating controls where risks have lessened or no longer exist, and improving operational efficiencies. But people in the organization need to know, and too many internal audit departments fail to spread the word.
However, to be effective salespeople and marketers, the department must first really understand the business – what the organization does, its significant risks and emerging risks, its business plans and goals, and how it accomplishes them. The department also must understand the needs of key stakeholders within the organization. Are they compliance-related? Operational-related? The list of potential needs could be long. Know the business plan, goals and objectives. Explain how internal audit can address those needs: providing assurance and validation, partnering on development projects, advising and consulting on control issues, helping build controls by knowing where risks are, auditing third-party relationships, etc. Talking up internal audit without having this knowledge and plans to address needs is a big mistake because the work likely will not meet the promise, thus doing harm to the department’s credibility.
Another big mistake can be biting off more than the department can chew. It is good practice to start by biting off the low-hanging fruit – engagements that can quickly add value and give a clear win. Once that happens and credibility is established, the department can reach for more difficult engagements or ones with longer-term payoffs.
As we conduct engagements, we should also be validating and looking for more opportunities and letting people know what we have done, and what we are doing. Be as concrete as possible. Let them know what money we have brought back to the company, what controls have been improved, and where there are no longer risks, etc. Success begets success.
Department size does not matter. Corporate culture, relationships with key stakeholders, and other factors that shape the way internal audit and organizations work together are what really matter.
I am sure I will long remember the seminar I led last year for internal auditors. I laid out the importance of marketing and selling audit services. Then an audit director interrupted to declare, “They have to accept us,” speaking of the rest of the organization. Talk about corporate culture! That dictatorial attitude is a surefire fail strategy.
The challenges internal audit departments face as they set out to do internal marketing and selling can be described in two words: customer ignorance.
Unfortunately, there are still people in internal audit who do not believe in the need to market and sell. They do not believe they are an extension of the credibility of the organization, and externally there are many preconceived negative notions of how internal audit can contribute. These notions are wrong but have not disappeared.
That is why we need to market and sell internally – to make sure people in our own department buy in – and externally to key stakeholders in the organization so they understand how we can help them in ways that add value.
With this in mind, here are the 50 worst practices. Many are self-explanatory:
- 1. Employing staff that does not believe in internal audit’s value.
- 2. Not letting Executive Management and the Audit Committee know how you add value.
- 3. Doing SALY and JELLY audits. This means audits that are “same as last year” or “just exactly like last year.” Audits need to change with the business.
- 4. Issuing non-timely reports.
- 5. Issuing “snoozer” reports. Such reports are too long and too detailed, forcing recipients to wade through too much information.
- 6. Using “fuzzy” math to validate quantified findings. Do not guess. Be as precise as possible.
- 7. Issuing factually incorrect reports is a real credibility killer.
- 8. “Nit-picking.” Do not dwell on insignificant problems. Stress what is important.
- 9. Surprising people. Communicate during the engagement process. It is bad to catch people completely unaware.
- 10. Not knowing the business is another credibility killer that can also result in missed opportunities for internal audit to shine.
- 11. Re-auditing after external auditors and regulators. No need to redo work that has been done by others.
- 12. Having dictatorial opening conferences. This often leads to internal audit failing to learn of clients’ key issues.
- 13. Improper socializing. Inappropriate fraternization can cause many problems, including clouded judgment of the auditor or perceptions of impropriety by third parties who might doubt the credibility of even a good audit.
- 14. Improper professionalism – hours, dress, etc. Be on time. Dress appropriately. Show professional respect to others.
- 15. Not following up. This means not caring what happens after an engagement is completed.
- 16. Never conducting client training – ACL, anti-fraud, etc.
- 17. Not respecting time constraints. We need to take into account audit subjects’ schedules, including the need to complete quarter-end reports or year-end reports, accommodate staff members’ vacations, etc.
- 18. Not being available or responsive.
- 19. Never lending staff out for value-added projects. Respond positively to requests for help whenever possible.
- 20. Not being technically current. Must know industry issues, regulatory issues, etc.
- 21. Never doing special projects.
- 22. Never sharing audit tools, flow charts, walk-through documentation, key performance indicators, etc.
- 23. Having reports that are negative by definition. This is like setting up someone for failure.
- 24. Not addressing 2010 risks. We must adjust as business, industry, regulatory and other risks change.
- 25. Having outdated mission/vision statements.
- 26. Never attending business strategy meetings.
- 27. Always blaming others for your mistakes.
- 28. Not being part of value-added user groups.
- 29. Never having interns.
- 30. Never in-sourcing. Never using people from within who might have language, technical or other skills that could be helpful.
- 31. Having an inflexible annual plan.
- 32. Finishing every audit. Sometimes audits do not need to be finished, such as when you have already determined key controls are working.
- 33. Having no turnover. No new blood – or thinking.
- 34. Having too much turnover. Too little experience or continuity.
- 35. Not recognizing the role of the facilitator, negotiator and not listening.
- 36. Not recognizing all stakeholders.
- 37. Not recognizing best practices.
- 38. Not embedding in ALL staff that they are marketers. Staff must see themselves as an extension of the department’s credibility.
- 39. Hiding behind independence and not adding value.
- 40. Monitoring the wrong KPIs (key performance indicators).
- 41. Not continually educating Senior Management and the Audit Committee about the top inherent and residual risks.
- 42. Being a data provider, not a knowledge provider. Internal audit adds value by what can be gleaned from data.
- 43. Not using SMEs to educate the department and the business units.
- 44. Not spreading “the word” at internal conferences, webcasts, etc.
- 45. Having no non-audit contact. Must reach across the organization.
- 46. Not educating about controls relevant to the organization’s risk appetite.
- 47. Believing internal audit resides on sacred budgetary ground. Budgets need to be adjusted when new needs arise or other needs are no longer relevant.
- 48. Being a recluse. Talk, talk, talk to key stakeholders.
- 49. Not buying your last audit. If you had been a client, would you have paid for your last audit?
- 50. Not having a roll-forward annual plan that continually reconfigures to the current state of enterprise risk management.