Skip to Content

From Critic to Collaborator

Articles Neil Hodge Apr 08, 2024

Entering any new environment can be strange, intimidating, and awkward — and even more so as an internal auditor sent to review that environment and report back to management. Auditors are well aware that their presence may be polarizing and met with suspicion, and their recommendations might be welcomed by some and rejected by others.

“Resistance is natural when habits are disrupted, so auditors need to address concerns compassionately,” says Ron Stefanski, founder of entrepreneur information website “Understanding office politics and having consultative influence over cultural elements like workplace relationships, communication styles, and change management are as critical as technical audit skills.”

It’s important, therefore, at the start of any engagement — and arguably before — to exercise political acumen, “read the room,” and enlist people’s cooperation quickly.

But how to do that? There are some universal strategies when it comes to smoothing the path in an audit engagement. These include acting collaboratively, thinking long-term, applying psychology, and working toward building a mutual understanding between internal audit and stakeholders.

Conveying a Message of Cooperation

Internal audit needs to set the right tone from the outset and clearly communicate why it is there. Auditors should be open to answering questions rather than just asking them, experts say.

Dan Samson, CAE at SRI International, a nonprofit scientific research institute in Menlo Park, Calif., says his opening line when engaging with key stakeholders is: “I’m here to make you successful.” He says it establishes a positive tone, gets peoples’ attention, allays fears, and shows that internal audit is on the same side.

“Internal audit should not be about impeding strategy but about how to make it succeed,” he says. “We need to communicate our recommendations and advice in a way that helps people understand that.” The message to stakeholders should be that if they make certain changes, they are more likely to achieve their goals, he adds.

Samson says another important approach is to follow the “Platinum Rule,” which is to treat others as they want to be treated (and not necessarily how you would like to be treated).

“No one likes being told what to do, especially by someone who does not work in their area of expertise on a day-to-day basis,” Samson says. “You are trying to build long-arc relationships with people because you will likely be working alongside them for years — not just for one audit review.”

Samson advises auditors to put themselves in the client’s shoes. “Gain a better appreciation of their responsibilities by finding ways to connect outside of an audit,” he explains. “Look for ways to add value, whether through sharing regulatory and industry developments, facilitating discussions on risk, or sharing process best practices.”

He adds that it is important to deliver audit observations in a way that is collaborative, not personal, and allows people to save face. 

“Audit opinions can often be regarded negatively by those who receive them,” Samson says. “It can be more productive to show clients the information you have put together and let them connect the dots about the conclusion.” Most times, he says, this leads to general agreement and provides people with the opportunity to give their input, making the process fairerand more collaborative.

Samson warns it can be easy for internal audit to blow its credibility quickly by “crying wolf” too readily. “Sometimes, internal auditors can over-blow concerns, but if you raise the alarm too early or needlessly, the organization can lose confidence in you,” he says. “Unless you have incidents of serious fraud or clear instances of criminal activity, audit findings can be collaboratively communicated and mitigated. By forcing the issue, you could lose trust.”

Taking the Long View

Shane Foley, enterprise risk and controls leader, Cyber Risk & Regulatory, at PwC in New York City, says he agrees that internal auditors should always pursue collaborative solutions. “If you uncover a problem and are going to make a recommendation to resolve it, find out who will have to make the fix and take responsibility for it,” he says. “Involve him or her in the process so they feel like they are part of the solution and can provide input.”

Foley explains that it is important to get the organization behind the recommendations that internal audit makes, rather than push people into making changes they don’t understand or feel are unnecessary. This protects internal audit’s reputation long-term. “Telling people ‘do this or else’ can work in some circumstances, but it’s not a sustainable approach over the long-term and it just makes everyone resent you,” he says.

Instead, Foley says, CAEs should try to link their recommendations back to strategy. “Everyone in the organization is committed to achieving the business strategy — and internal audit is no exception to this,” he explains. “Therefore, it’s important that CAEs frame the actions they want management to take or the risks they want to highlight in terms of the impact these could have on the strategy.”

For example, he asks, will these issues slow the strategy down or make it harder to achieve? Will it cause the organization to not realize some benefits? Will it increase costs or result in failure? “Internal audit will get more buy-in if the recommendations it wants the business to take on are in sync with what the organization is trying to do,” Foley says.

Executives and the audit committee want a partner who will help the organization deli­ver its strategy, Foley adds. “Constructive challenge is welcome, but they don’t want a CAE who is obstructive.”

Using a Little Psychology

Some say there is a subtle art to how internal audit should communicate its findings. To get respect and buy-in, “you have to show you’re in their world,” says Jonathan Chapman, an internal audit consultant in London and chair of two audit committees. “You have to show you understand the business, its drivers, the operations, the customers, and the key stakeholders as well as they do. Without that deep level of knowledge, internal audit has no credibility.”

It’s also important to understand why the people being audited behave the way they do, Chapman adds. “These people may not necessarily be bad at their jobs, and it may be the case that they are as keen as you to improve how things work,” he explains. “Instead, they may be under-resourced, may be badly led, may be under pressure to prioritize certain tasks over others, and may feel they are being pulled in a different direction, which means other areas are neglected. Find out more before you give an opinion.”

Kathleen Harmeston, a business coach and nonexecutive director based in London, says it helps to cite the positives first and the problem areas afterward. And psychology goes both ways. “Understanding that the problems you’ve uncovered may not necessarily lie with the people in the team under review” can encourage auditors to remain nonjudgmental and nonprescriptive, she adds.

Building Mutual Understanding

Chapman says the best way to get people to view internal audit more positively is to demonstrate what it can do. He suggests CAEs invite stakeholders to temporarily join the team as guest auditors — and then use these opportunities to show the value audit can bring. He recommends CAEs be proactive in asking managers what operational and risk problems they face and suggesting ways internal audit can help. “Mitigating problems before they happen is a real benefit to any operational manager, and internal audit should be looking for these kinds of opportunities,” he says.

Having good timing is also key. “We operate in environments with several competing priorities, so knowing when it’s appropriate to raise your issue is important,” says Mel Nicholson, CAE at Conshohocken, Pa.-based pharma solutions company Cencora. “Meet leaders where they are, be empathetic, and over time, you build trust with your stakeholders, fostering a much more engaging and collaborative environment.”

To drive a deeper understanding of issues, Nicholson encourages audit executives to not only work with the business but to partner with second-line functions like compliance, legal, internal controls, and IT.

“I work closely with the second-line functions because it makes sense to have a coordinated response around risk mitigation or to highlight an emerging issue,” she explains. “Although internal audit is independent, working with other assurance functions ensures we each play our part in providing the right levels of assurance around risk mitigation strategies.”

Dealing with Pushback

Despite their best efforts, internal auditors can still encounter strong opposition from the business area they are auditing, or even from senior management — especially if they regard internal audit as obstructive or their findings as inaccurate.

Michael Doolin, CEO at human resources consultancy Clover HR, based in Birmingham, U.K., says it is part of the job for internal auditors to face some resistance, and they should accept it. “If internal auditors are there to challenge management, they can expect to face challenges in their own work,” he says.

There are several ways to diffuse the situation rather than add fuel to the fire. Hemant Nandrajog, managing executive for Talent, Development & Culture at business process outsourcing provider CCI Global in Durban, South Africa, says it is important to be respectful, even when dealing with difficult individuals. Rather than attempt to stonewall the opposition, he suggests auditors open a dialogue to try to understand the basis for any objections to audit findings or recommendations. He also advises internal auditors to be transparent about what the findings are and avoid judgment and personal criticism.

Similarly, when faced with pressure to “water down” negative findings raised in audit reports, Nicholson says auditors should check that leaders understand the context of audit’s findings or recommendations.

“Often the business isn’t pushing back on the finding, but it is pushing back on the context in which the finding may be viewed,” she says. “A report doesn’t exist in isolation — it is received in the culture and in the context of other initiatives and programs. It is therefore important to ensure that the full picture comes through in the report’s messaging and that the context is clear and apparent.”

In the rare event internal audit is sidelined, says Nicholson, the CAE needs to escalate his or her concerns to the highest levels of management and the chair of the audit committee — and have a frank conversation about the impacts open audit findings could have on the organization.

Daniel Wolken, a talent acquisition specialist at recruitment website DailyRemote, says internal auditors must understand organizational dynamics and how to present difficult truths sensitively.

Focusing reports on facts over personalities keeps discussions objective, he says, while communication should be tailored respectfully to each audience. “Providing clear, actionable solutions demonstrates auditors’ commitment to improving processes — not merely finding faults,” Wolken says.

“When facing potential pushback, auditors must stand firm on substantiated conclusions while leaving room for diplomacy. Escalating issues respectfully to senior management can gain them extra support in overcoming obstructions. As a last resort, auditors’ duty to ethical practice may require delicately removing themselves from untenable political pressures,” he says.

Ultimately, whatever degree office politics might be ingrained in an organization, internal audit needs to remain focused on achieving strategy, Nicholson says. She emphasizes staying “above the fray,” intent on enterprise objectives. “Work with leaders to provide context, connect the dots, and ultimately drive them to the right outcomes,” she says.

IIA Resources


Organizational Political Pressure

Neil Hodge

Neil Hodge is a freelance journalist based in Nottingham, U.K.