How Compliance & Audit Can Add Value
This week I’m attending SuperStrategies, a conference for corporate audit executives run by the MIS Training Institute. MISTI likes to focus on leadership strategies for corporate audit, security, and risk management leaders, with a smattering of compliance officers hanging around, too.
So let’s talk about successful leadership in an audit, risk, or compliance function, since that was the order of business today and I picked up some great insights.
The insights came from Joe David, chief operating auditor (really, that’s his title) at General Motors. David has had a circuitous career, meandering from Big 4 audit minion in the 1990s, to SOX project manager in the early 2000s, to CFO and finance consultant in the early 2010s, to General Motors since 2015.
And once David landed at GM, he faced a question that probably feels familiar to many of you. How do you move audit (or compliance) from a push function, barging its way into a business unit; to a pull function, where the business units want to bring you in for help and counsel?
This is not an uncommon question. It’s really just another version of “How can audit or compliance add value?” which we’ve been asking ourselves for years. I’d even say most compliance and audit professionals now think about that issue quite a bit, and understand that the best answer lies somewhere in helping the business functions manage risk before it explodes into, ahem, an undesired outcome.
“It’s not just about getting a seat at the table,” David said. “It’s about staying at the table.” Exactly.
David framed the answer in terms of staffing and people. If your role is to lead the compliance or audit function as the team tries to provide advice and counsel about risks—that is, to get a seat at the table and be invited to stay there—then you need to pull together the right people to do that.
Those people don’t need to be auditors, he stressed. If you need engineering expertise, get an engineer; if you need product marketing savvy, get a product marketer. Then you, the internal audit leader, can train those people on auditing basics, or pair them with a professional auditor on your team.
Added Value Examples
That alliance of expertise is what transforms the value of internal audit. You can provide sharper advice; design better predictive analytics; tie risks more closely to strategic or business objectives, rather than just regulatory compliance. A team like that truly can add value, and that’s what transforms audit into a pull function. (And every word of this holds true for the compliance function, too.)
I’ve seen this idea in action before. For example, for many years Procter & Gamble had no dedicated chief ethics and compliance officer or “career” compliance employees. Instead, executives rotated into the ethics and compliance function for a few years, and then rotated back out. They brought business process expertise into the compliance function while they were there, and then could preach the gospel of ethics and compliance when they went on to their next assignment.
More often these days I see this approach for audit departments trying to develop better analytics. Chief audit executives can be well served finding a good business analyst and teaching that person audit, rather than training your audit staffers to master analytics. At a large organization you might have the budget to keep that analyst on your team; but even at smaller firms, you could find a business analyst working in another department and (with sufficient persuasive skill) lure that person to work with audit on a project-by-project basis.
Done correctly, that combination of business acumen and audit expertise lets you penetrate more deeply into questions of fraud risk, poor access control, or what I call “shadow process”—the risk that employees will set up some way to process transactions totally outside your normal systems.
For example, imagine some far-flung group in the real estate department, arranging leases without recording those transactions in a centralized database. The finance team doesn’t discover that until three days before quarter close, and all those lease costs need to be reported in the 10-Q. (I give that example because the SEC’s chief accountant chided companies about the new lease accounting standard just today.)
That’s a big mess, and it’s not hard to imagine as a concept—but how would the real estate team do that? What controls would need to be ineffective? Having real estate or finance expertise on your audit function, or at least within the audit function’s reach, gives you the answers much more quickly.
Once you understand those answers, and can present them to the CFO or the head of real estate before the big mess happens—then you’re saving the day. Then they like you. Then they pull you into the conversation, before you have to push your way into it. And then you’re adding value, like we all want.