A hot topic in boardrooms and C-suites across the world for the past few years has been risk culture, and with good reason. A poor risk culture can have devastating consequences on an organization.
Aside from those attention-grabbing headlines about fraud and theft that may keep board members and executives awake at night, a poor risk culture can also lead to inefficiency, waste, eroded margins, and loss of business. Businesses don’t just have to answer to regulatory agencies —they also must answer to ownership, customers, and society. No matter if the entity is a Fortune Global 500 or a small business just getting started, a strong risk culture is essential.
With that said, professionals in the audit and controls space have a responsibility to educate, guide, and enforce standards. Let’s dive into best practices:
Set a strong tone from the top in partnership with leaders
The most effective way to positively affect risk culture is by gaining the buy-in of leadership. You need to have the trust of leaders so that when you do, inevitably, come across a confrontational client, resistance, or flat-out conduct violations, that you have their support no matter what action is needed. Some critical factors to evaluate for tone-setting by leadership include:
- Involvement of risk or controls in business meetings
- Positive or negative consequences of findings
The first item (involvement of risk /controls) depends on your position. I always recommend that audit / controls leaders are involved in regular CFO staff meetings. This can serve a few purposes: First, it gives you valuable insight into the organization’s stressors and pain points. Maybe there is a strong pressure to meet a deadline, a revenue target, or the company is in a cash crunch. That knowledge should be a consideration in your audit plans or controls focus, as it may put stress on revenue recognition controls, for example.
The second reason this is important is that it de-stigmatizes your function. You are now part of the “us” in the “us vs. them” mentality. I like to choose a topic and present it to the CFO staff —whether it is the second line of defense, emerging risks, or recent findings — it keeps you fresh in mind. People know what you are doing and how it impacts the business. This doesn’t need to be limited to Finance. Get yourself into other leaders’ meetings from time to time.
In terms of positive or negative consequences of findings, the goal here is to keep focus on the facts wherever possible. Let’s say you are auditing procurement and you find that the department is not getting multiple quotations as required by the established policy which has resulted in paying inflated prices for goods or services. If the tone at the top is that one audit finding equals a 25% reduction in the process owner’s bonus, you will be met with war every time you try to confirm or agree upon a finding. People still need to be held accountable to execute strong controls, but an organization that simply ties pay or performance reviews directly to an audit result is setting the wrong tone.
Think about it this way: Do you want to be arguing over a score on an audit report, or reviewing the new proposed controls to address the findings?
You catch more flies with honey than with vinegar
This phrase sounds cliché, but I have personally found this to be very true when it comes to audit and controls work. I’ve been called “the friendly face of audit” yet still managed to influence and drive improvement at all levels of organizations. There is no reason that internal auditors or risk/controls professionals need to be feared or viewed as a policing function. You have the same company name on your ID badge as your process owners and everyone else in the company. Everybody in the company has the same overarching goal: Success of the entity.
While individuals may have varied incentives (sales goals, production goals, cost savings, etc.), the complex web of compensation and KPIs should be designed to operate as one ecosystem to achieve that overarching objective. We can use this to our advantage. Too many auditors stress “findings” and “exceptions.” What we need to focus on is, “how do we help our company achieve its goals?”
The simple answer is this: Put yourself in the shoes of your audit clients. Let them know that you are there as an internal resource. Even though you may be an independent internal auditor, it is still far better to find those issues, exposures, and even failures (big or small) NOW and deal with them proactively, than not identify them or even cover them up and have them be discovered later by external auditors or regulatory authorities.
Help your clients find and solve issues
When you move on to the next process or project, clients are the people left executing the process and running the business.
Strong relationships will break down walls and have people telling you where failures happen rather than hiding things from you. We evolve our organization by considering circumstances behind transactions —being human! In the case of a new manager, we could approach them as an auditor or controls professional in two ways:
- “Hi Tom, I am the internal audit director here, and we need to audit your XYZ process next month as part of our audit plan. Please provide us with all the below initial data requests and make yourself and your team available for an audit kickoff meeting on (date).
- “Hi Tom, I lead the Internal Audit function and I understand you recently took over management of the XYZ process. We have this process in our annual audit plan that we have reviewed and agreed with both the Board of Directors and the CFO at the beginning of the year. This will serve as a great opportunity for us to work together to perform a deep dive on your process and give you assurance that things are operating well. We’ll also share similar issues and findings we may have seen in this process in the past or in other geographies to help you out. If you’ve identified any inefficiencies or gaps in control so far, please share them with us so that we can get them documented and help review your improvement plans.
In both messages, the point is clear. However, in the second message, you are not only introducing the project but offering support and understanding. Independence does not have to mean indifference.
Even in a case where a manager has overseen a process for 10+ years, we can (and need to) collaborate. Yes, we still own the testing and methods. We need to decide how we perform our audit. However, we can include the client. I’ve had long-tenured process owners help in brainstorming sessions. Some of my most productive audits and most impactful findings have come through collaboration.
For example, if you are auditing a warranty redemption process – who would know better the data fields, the ways to “game” the system by customers, and the exposures than the actual process owner? Let them help you — “Tom, if I want to find transactions that may have had multiple claims for the same part number, or get the serial numbers that have had the most parts issued against, how would I go about doing that?”
You’ll find that by walking through planning and testing controls this way, you’ll take less time, target more usable data, and provide better insight.
Build strong relationships in audit/controls by demonstrating value
In conclusion, you build strong relationships in audit/controls by demonstrating value. How will your audit help them? It may be a requirement by the board, but why should the process owner spend any more than the bare minimum time and effort to get your project wrapped up?
- Build a strong relationship with an organizational leader, you will have the ear of everybody in their organization.
- Demonstrate a desire to add value and back it up, you will get buy-in.
- Treat each audit client like a human, you will have conversations with candor.
- Involve process owners in your audit/review, you will leverage their experience.
All these things will then result in meaningful change. Once you have the ears and trust of the company, your impact will grow exponentially.
If you have questions about your finance & accounting team’s audits and goals, contact Versique’s Finance & Accounting experts today. We look forward to hearing from you!
If you have questions about your Audit organization and its’ goals, contact Versique’s Finance & Accounting experts today. We look forward to hearing from you!