Disrupting the Markets - and the Internal Audit Standards

I’ve served over seven years as a chief audit executive and am heading into my 8th year still building and shaping yet another department, even as I transition to a more general finance role. All told, 10 years in the Silicon Valley - one of the most formative leadership experiences of my life and yet the one that challenges my personal view of our professional standards more each day.

Don’t get me wrong - I’m all for rules and standards and pride myself on navigating well within the lines. And let me state for the record that my views on the underlying ethics and integrity of a profession like this are even more concrete - there is very little room for grey when it come to integrity, even when the rules may give you a little extra wiggle room.

I’m onto building and growing my second internal audit function at one of a number of the most interesting and exciting crop of 2019 “unicorn” companies we’ve ever seen - in an industry that has changed the rules for how we move. Having just finished a crash course in doing it at one of our other notable “unicorns” (the one that established the company name as a verb in our modern lexicon), and having spent years benchmarking with other peers in the Bay Area and Silicon Valley, I’m finding my views on how the professional standards work in different stages of a company’s life cycle have really changed. I’m learning that technology disruptors are not only disrupting the markets they serve - they are disrupting my traditional views of the IIA standards.

Starting out at HP in 2009, it was very easy to apply standards in their highest, purest and best form of the written word - and internal audit department was completely independent, totally objective, and never crossed the line of helping management design or implement controls. Easy to say when you work for a $120B company, you have 240 people at your disposal, a separate reporting line to a mature audit committee, and 300,000 other people to design, implement and operate risk management, processes and controls who probably have on average over 10 years of experience in the company. In fact, it would be ridiculous to think it would work any other way - how could my 240 people be “better” at designing and implementing than the other 300,000 people who lived and breathed this stuff every day?

Fast forward 10 years and I’m staring at an amazing company with less than 5,000 people, $2B in revenue and an average age of the population that’s probably easily south of 30. Not only do we not have the sheer volume of people as many mature companies, but when you consider volume, age, experience and the sheer newness of our industry or how fast it changes, does an internal audit function bring value by standing on the sidelines independently evaluating and recommending, or do the true value come from standing side by side with management on some days and being part of the solution?

Having seen internal audit work through the eyes of my peers and now in my own experiences from the last two years, I have a new view of how independence and objectivity is expected to work, and can successfully work, in an emerging industry or rapid-scale growth company. My conclusion? Independence has flexibility that shifts as the organization matures. Objectivity? Non-negotiable.

Why independence can be flexible

There are many situations where I think independence is just as non-negotiable as objectivity:

• Mature organizations, particularly large ones, need to rely on that outside viewpoint from someone not deeply entrenched in the process. Familiarity breeds complacency.
• Regulated industries have specific expectations from an internal audit perspective. Lack of independence may erode the confidence of regulators and may not be worth the business risk it poses.
• Businesses where internal audit is being relied upon by other third parties (e.g., your external auditors) will benefit in cost and effort when internal audit is independent.

But for your typical company in an emerging industry or rapid-scale growth company, senior management and the board value getting the company to maturity in its governance, risk management and processes as quickly as possible in order to stabilize or scale the company. Having been on the inside now for almost two years and in two different companies in a similar phase, I have a better appreciate how this function can play a critical role in that maturity journey when its willing to blur the lines of independence just a bit. I have seen first-hand how valuable smart, intellectually curious and process-oriented people can design and create structures and maturity models and processes that help management plot a course for success.

Why objectivity is not optional

A function without objectivity, however, runs the risk of creating a “me-too” environment without constructive tension, something critical to create the right frameworks for strong governance, risk management and processes that are scalable and sustainable. In fast-paced, high-growth companies, moving quickly, “teamwork” and “collaboration” are valued. To some, the pressure to conform to these modes of operation can be in conflict with the fundamental goal of audit to provide an objective lens for the risks and opportunities the company faces. Internal audit needs to find a path to be flexible with independence, yet has no room to compromise objectivity.

How to protect objectivity while being flexible with independence

The premise of independence and objectivity as a unified element of the standards is a valuable premise - independence helps create a safe space where an objective viewpoint (especially one that sometimes creates constructive tension or opposition to the status quo) is practically protected through the independence of the organizational reporting line and the need to stay separate from the decision-making or implementation of recommendations. But in a roll-up-your-sleeves environment where resources are scarce and the business moves quickly, just like in a small finance department where segregation of duties is sometimes imperfect, independence may be hard or even impractical to achieve. However, there are things an organization and the department can do to protect objectivity, even as they ask their internal audit departments to sometimes blur the line of independence.

How can senior management help?

The administrative reporting line of a function (CEO, CFO, or other C-suite function) can:

• Make smart hiring decisions - consider pairing a junior team with a more experienced chief audit executive, or surround less experienced but high potential chief audit executives with at least one or two experienced functional leaders who can provide that constructive tension within the department and may not be as swayed by trying to win management’s approval.
• Actively message support of internal audit processes and viewpoints (such as remediation recommendations) and hold management accountable.
• Document success factors and competencies up front to make performance reviews more objective - and given equal, if not more weight, to objective measures vs. stakeholder feedback. Using stakeholder feedback in performance reviews that focuses on how (are recommendations actionable and tied to business objectives, are rating criteria consistent and somewhat objective, are communications timely) vs. the what (absolute ratings, recommendations, risks assessments) is critical.
• Agree on areas where management needs help vs. objective assessments up front. Be open to the impact of using audit as arms and legs vs. an independent viewpoint.
• Be open to using consultants or co-source provides to add a layer of objectivity when evaluating areas where internal audit has been involved in design and implementation of new processes.

How can the audit committee help?

• Establish a frequent cadence with internal audit leadership and ask deliberate questions or agree up front on areas where internal audit will be more hands on.
• For areas where internal audit will be more engaged initially, create a maturity journey timeline with internal audit leadership and management that defines how internal audit disengages over time and re-establishes independence.
• Be willing to support additional budget for independent risk assessments or evaluations when management asks internal audit to play a role in design or implementation.
• Be hands on in the performance evaluation for your chief audit executive to make sure management is placing equal value on constructive challenge and collaboration.

How can the chief audit executive help?

• Establish risk rating criteria, prioritization criteria, and maturity scales in advance of any assessments and correlate with other metrics around the company (external audit materiality, regulatory and compliance guidelines, business metrics)
• Socialize risk rating criteria and the audit plan frequently and make the audit plan transparent
• Focus outcomes on successful and timely remediation to reduce the tension related to rating; create incentives for management to welcome risk identification and be evaluated an actioning and mitigating risk quickly, vs. over-rotating to absolute risk ratings (which feels like a report card
• Create reporting structures to highlight management success as well as risk
• Focus on maturity assessments that give management the opportunity to self-assess and decide where they want to be on the maturity spectrum over time. Measure management against that measuring stick vs. a theoretical or textbook set of controls.
• Benchmark, benchmark, benchmark. When you’re out of your comfort zone relative to what your peers are doing, share it with your administrative reporting line and your audit committee chair. Use others to sanity check yourself.

I have a unique opportunity ahead me - where I can help management make the most of the experience an internal audit function can bring in helping us design and implement a set of meaningful but practical governance, risk management and other processes, while helping the internal audit team navigate their independence journey. 

Our North Star? Objectivity.