In response to that post, Dariusz Stolarski noted that not all needs can be met. “Sometimes my job is to tell the client that he is wrong.”
Nailed that one, Dariusz.
In our battle to get the eyes and ears of executive management, get a seat at the table, and get in a position where we become trusted advisors, it is easy to be so focused on building those relationships that turning down any attentions feels like a step in the wrong direction. “They like us; they really like us!” becomes more important than ensuring the right work is being completed.
Yes, we must understand and be ready to respond to what our stakeholders believe they need, but that is only part of the equation. There is something more important than our stakeholders’ “needs”. That is the success of the organization. And sometimes stakeholders are so knee-deep in strategies and decisions that they miss how best to ensure that success.
That may well be the greatest value internal audit can provide — to use our independence and objectivity to step outside the quagmire of execution where most executives reside, providing new and different perspectives on potential risks and responses.
Here’s an example you may well be experiencing. You walk into a board meeting and ask “What can internal audit do to help?” Instantly, you are buried in an avalanche of cybersecurity risk accompanied by the request…nay, demand…to throw every resource at internal audit’s disposal into this end-of-times situation.
No doubt, cybersecurity is a worthy foe. It is number one with a bullet on the risk hit parade; what all the cool organizations are worrying about; the talk of the town; the cocktail party conversation of choice; and the go-to word for countless headlines, clickbait, magazine articles, conference topics, and watercooler talk. It is the bee’s knees, the cat’s pajamas, a corker, crackerjack, far out, groovy, rad, tubular, kewl, sick, and tight. It is what every board fears and every board wants to know about.
But, worthy foe or not, that doesn’t mean cybersecurity is the single most important thing internal audit should be doing. Internal audit has to have the bravery to say “No” or, at the very least, “Let’s hang on a minute.” No matter how important, popular, or flamboyant the risk, internal audit’s role is to look at all risks — not just the latest flavor-of-the-month — and determine how resources can best be used.
If cybersecurity is the biggest risk, then there is the potential (note, only potential) that it represents where a good hunk of resources should be allocated. But if there are other risks as important, or important enough to also warrant the department’s time, then internal audit has to go to its stakeholders and have a serious conversation that will include the word “no”.
The stakeholder may not like it. But it is the right thing to do.
I’m just using cybersecurity as an example because it seems to be everywhere. But it could be anything from blockchain to reputation to brand to financial statements to petty cash. Just because the customer/stakeholder asks for it doesn’t mean we have to deliver.
As Dariusz noted, an important part of our job is sometimes telling our client when they are wrong. And that is where an audit department can exhibit true professionalism and bravery. Just saying no.