IT security and risk represents a declining priority among internal audit functions—at a time when IT security has never been more important.
Larry Harrington, vice president of internal audit for Raytheon Company, has one of the best internal audit success metrics I’ve ever come across: telephone calls.
“If you’ve developed a brand as a great audit function, your phone is going to ring off the hook from people in the business who want your help,” Harrington explains. “At the end of the day, we’re not paid by the audit report or by the audit finding. We’re paid by how we can make the company better.”
In other words: If you make the company better, the phone calls will come.
Harrington, whose internal audit team works with more than 68,000 employees worldwide, shared that piece of “Field of Dreams”-esque advice with Richard Chambers, president and CEO of The Institute of Internal Auditors (IIA), and Paul McDonald, senior executive director at Robert Half International in a paper that Chambers and McDonald co-authored.
More internal audit executives ought to manage to a similar metric, judging from the results of a new “state of internal audit” survey conducted by Thomson Reuters. The survey of more than 1,110 internal audit professionals in Europe, the Americas, Asia, Africa and the Middle East features several troubling findings, including the following:
• Information technology (IT) security and risk represents a declining priority, or concern, among internal audit functions—at a time when IT security has never been more important;
• Strategic risk management was identified as a top-three concern by only 9 percent of respondents despite the fact that more than one-third (36 percent) of respondents said strategic risk management should qualify as a top-three concern;
• Perhaps most troubling, 7 percent or fewer of respondents indicated that they spoke to their compliance function on a weekly basis, and only 18 percent of respondents said that their functions interacted with the risk management function on a weekly basis.
In Thomson Reuters’ 2012 internal audit survey, 32 percent of respondents indicated that they interacted with their risk management function on a weekly basis.
Despite my headline, these issues are not internal audit’s fault. But they are a problem, and my hunch is that the function’s lack of interaction with other functions—compliance and risk management, to be sure, but also IT, finance, HR and every other function and business unit throughout the company—is the root cause.
To succeed, internal audit functions need to forge trusting relationships with their business partners. That’s why Harrington places so much value on incoming phone calls. Developing that trust is a two-way street: internal audit needs to establish its credibility (no small task), and everyone in the business needs to extend their trust to internal audit partners scrutinizing their processes and decisions (also no small task).
That’s also why Harrington frames his team’s mission as making the company better. Sure, they sniff out fraud (a top-three priority area among Thomson Reuters survey respondents), provide assurance and produce reports. However, if that work (and much more) is not perceived as delivering benefits to the organizations, internal auditing professionals are going to hear crickets chirping.
And when that happens, those organizations’ senior management teams and boards are going to field a lot more troubling calls about risk management messes, some of which will be monumental tasks to clean up.