assurance processes, control, external auditor, Fraud, Internal Audit, internal audit function, internal auditor, internal auditors, leadership, line of defence, management frameworks, public sector clients, Risk management
So this week I’ve said goodbye to my CEO boss, in this case a Permanent Secretary. This is not the first time in my career I’ve done this. Sometimes it has been planned and organised but most times, at this level, people suddenly leave, either to take on their next role or in some cases it has been a sudden departure for less clear reasons. I have been lucky in my CAE career to work with people that I respect and that have all been ethical, moral, talented and capable (I can think of one exception).
Sir Mark, my latest, has been exemplary and I’m sad to no longer be working with him.
The CEO to CAE relationship is key to a successful audit function in my view. For without the trust, engagement and support of the CEO, internal audit is exponentially more difficult to make deliver. Not impossible, but much more difficult. For the tone at the top, as with so many organisational things, makes a difference to not just making things happen, but making change as a result of those things. Outputs can be achieved by an audit function on its own, outcomes require collaborative co-working with the client management team with the support of their leader.
I am grateful to Mark, as with some of the CEO equivalents I have worked with before, for taking me and internal audit seriously. Mark ensured that I reported to him, not just because he felt it was the right thing to do, not because he saw me as his elite police force or praetorian guard, but because he felt internal audit had a role in the organisation, was part of good governance, and was worthy of some of his highly valuable and limited time.
If we go to the International Standards from the IIA, standard 1110 states:
‘The chief audit executive must report to a level within the organisation that allows the internal audit activity to fulfil its responsibilities.’
This is framed primarily as being about the CAE being senior enough to be independent, i.e. having a reporting line both outside of the management chain to the board and to the top of the management chain. It is also about status. For internal audit to be successful in getting senior managers to take it seriously, those senior managers that control resources, power, knowledge and access, then those senior managers must know that the work of internal audit is to be taken seriously by the board and CEO and the response to it will have an impact on their futures. That might be in terms of performance targets, performance assessments, future resource allocations (both positively to tackle risks identified and negatively, to divert resource from poor performing activities).
Sir Mark insisted I reported directly to him, which in the UK Government system (due to odd governance arrangements concerning dual accountability to parliament for resources) is both the CEO and one of the two ultimate governance functions of the department to the UK Parliament (the other being political accountability to Parliament). This was an important statement and one that I recognised when I first met Sir Mark in his office, then adjacent to Buckingham Palace in London.
If I reflect on other CEOs I have worked with, this was a strong statement of support. Not all CEOs recognise the importance of having dialogue with CAEs. This is crucial in my view, for a good CAE should have a breadth, and more importantly depth, of view of the organisation that few others in the management team will have. Also a good CAE should be independent and objective, so should have the courage, ability and perspective, to talk truth unto power. This should provide any CEO with a different perspective to those they normally hear. I’ve written about the dangers of management ‘groupthink’ before Group think the Kryptonite of Leadership – Internal Audit the antidote?
This relationship between CEO and CAE also has to be one of respect, and some level of parity, in that the CAE should not just be able to report to the CEO, but talk to them. Dialogue is important. What takes time is for any two CEOs and CAEs to get to a position; where the CAE is a trusted business advisor. This is difficult for anyone to achieve with a CEO. They are typically well experienced, very capable and confident individuals. If the selection process for them has gone well then I would expect them to be the most capable and confident. So everyone else will, to some extent, still be learning and developing compared to the CEO. If a CEO is truly capable, however, they will recognise their ability to listen is important and this should provide a CAE with a basis on which to provide some insights from their perspective and work.
The relationship also works the other way. It is easy for CAE to do what they want. To take independence to be a non listening position and see all different views as ‘wrong’. I know as a younger CAE I did not listen to my client organisations and CEOs as much as I should have done. For the CEO, if they’re good, should know and be able to guide their CAE about what the organisation can cope with and how it will deal with, and hear, messages from audit work better.
The CEO and CAE relationship is not about agreeing all of the time. A good CAE’s most crucial role is to disagree bravely at times. For it these moments that are the crucible for transformative step change to occur. A good CAE should know how to do that, however. When has a ‘red line’ been reached? When will an organisation benefit from a tough message, when will it retract and recoil from it?
The line between support and challenge is forged in a collaborative, guiding and supportive CEO to CAE relationship. The key is to stretch an organisation, but not to break it. This stretch can be quick with a ‘snap back’ management response to catch up, or it can be a thematic message that builds over time and stretches the gap between internal audit and management views, until the management response begins to catch up. In my experience, compliance and legal issues fit the former; risk management, value for money and governance challenges, fit the latter.
So will I miss my recent boss? Yes, hugely. Both personally and professionally. Do I hope my new boss ‘gets’ internal audit? Yes of course. I have high hopes though see: Do organisations only ‘get’ internal audit when they mature?
So when your guard next changes are you ready?