It sometimes seems like executives see the big risks associated with situations like data breaches or fraud, yet still view the internal audit function as a cost of doing business rather than an important investment. Sabrina Serafin welcomes back Danny Goldberg, the founder of GoldSRD, to talk about a critical topic: marketing internal audit within our organizations.
Culture of Compliance is available on iTunes, Google Play Music and Spotify. Listen now using the player below or download for later.
Marketing Internal Audit within Your Organization Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier and Deeter’s Process, Risk & Governance practice. Today we’re welcoming back Danny Goldberg, the founder of GoldSRD, a leading provider of staff augmentation, executive recruiting and professional development services. Danny is a well-known speaker on communication, internal audit and risk. And today, we’ve asked Danny to talk about a critical topic: marketing internal audit within our organizations. Welcome Danny.
Danny: Thank you very much for having me.
Sabrina: I want to start by noting what an important topic I think this is. Often, it seems like executives see the big risks associated with situations like data breaches or fraud, yet they still view the internal audit function as a cost of doing business rather than an important investment. What are your thoughts?
Danny: Well, I think there are a couple of different themes that drive that perception. I think there seems to be a perception that maybe we have a lack of knowledge on certain subjects, we’re not ingrained in the business, so we don’t have that knowledge base. And then secondly, I think Sarbanes-Oxley did a lot for our profession in raising the bar and raising the eye of internal audit inside of organizations, but there was a tipping point where SOX has actually negatively impacted our industry, right? And that we’ve become only compliance related, and people don’t see that value. So I think marketing the value of what we do, and again, it might not even be marketing the value, it’s making sure people understand what we’re there to do in an organization, I think is key to making sure your internal audit department is effective.
Sabrina: So given the reality of how people habitually think about internal audit, what are your thoughts on how to market the function to change how people view it?
Danny: It’s funny, because probably 70 years ago when we started speaking on this topic, I’d get some laughter when I would say, “Well, you need to come up with a marketing plan for internal auditing.” I think a lot of people are starting to buy into it now because they see the value. I think we all should be looking at ourselves, and maybe my perception changed when I went from industry to running my own organization, we should all view ourselves as external consultants at all times.
We’re all trying to sell something. As auditors, we’re trying to sell the benefits of what we do, and the findings. So we’ve helped organizations with coming up with marketing strategies. Now I always get the question, “Well, how quickly can we change perception?” It matters how negative the perception was in the first place. And if you were almost the police to the organization, for what I’ve done, I’ve seen organizations take up to three to five years to change that perception. If it’s really a fresh and newer internal audit department, I think a lot of people are more open minded to understanding what you do regardless of their past experiences.
I think they can be overcome because there isn’t that inherent negativity here inside this organization, but I think you can look at 18 months to up to five years to really change that perception, and there’s a few things that I think organizations can do that are quite frankly very simple. One would be in going back to the police comment I just made. Some groups don’t call themselves internal auditing; some groups call themselves advisory services, potentially.
So there are little tweaks you can do like that, where the word auditing is inherently negative. I got audited last year on my worker’s comp policy. It’s a very small policy, didn’t do anything wrong. But the concept of an auditor coming in and looking at what we’re doing for a couple hours was a little nerve wracking quite frankly.
I mean I understand why it can be viewed with such negativity. So maybe just taking the word away from the conversation tends to help quite a bit. I think there’s a couple of very easy things that you can do and it starts with: “Why are we here as auditors?” If you look at the IA’s definition of internal auditing, the root of that definition is to help the organization achieve its objectives. That’s it. That’s as simple as that. I’ve asked that question for the last 10 years and I’d say about 20 percent of auditors understand and know. That’s really why we’re here. If 20 percent of auditors know that, I’m sure less than 20 percent of the business knows that. It’s probably 5 to 10 percent that really buy into that, because we tend to focus on compliance related issues or we tend to focus on risks.
The risks are only driven from objectives and what we’re trying to accomplish. So I think starting the conversation in planning with your audits not starting with what are the risks, but simply starting with: “What are your business objectives, what are you trying to accomplish this year and what are the risks to accomplishing those objectives?” It’s really what we’re doing from an audit standpoint anyway.
But I don’t see a lot of auto shops asking, “What are the business objectives?” They’re more focused on, “What’s the objective of our audit?” If people realize your audit is guided towards helping them achieve those objectives, if you are in a publicly traded company, if you’re meeting your objectives what does that mean? That means money in my pocket, most likely. If you’re going to help me as an auditor get more money in my personal pocket potentially, I’m going to buy into what you’re doing. And I think that’s a simple simple change, really, not to change your audit methodologies but to change the dynamics of the conversation that might get them on board a lot quicker than we already do.
Sabrina: Great example and great concepts. Outside of changing a name or a title, what are some other examples that you’ve seen that have been effective in changing the perception of internal audit?
Danny: We’ve worked with a lot of different organizations that have tried and many things. That’s just one very simple example. A few others: having brown bag lunches with new employees or new managers. The things people will do for free food… They’ll listen to the topic of internal auditing. These are little goodwill efforts you can make. When a new manager or new VP or new director comes into the organization, they probably have a 100 day plan when they first get there. Meeting with them, understanding their plan and asking them if they’d like an operational review of their process to get a quick win. We can point out some of the skeletons in the closet that they’re probably there to get rid of in the first place. So this might give them an insight into some of their problems which they can correct and hopefully take credit for as well. Those are just two simple examples.
I’ve got one other that I really like, a company I’ve known for a few years, and this chief auditor does a great job of having the right mindset with their audits during planning. I think a lot of times, the perception of auditing is driven by the lack of understanding of what an audit really is. So at the planning phase of the audit, they have a, they call it simply, a service level agreement, where it says throughout the audit, on the left side of their document, here’s what we’re going to commit to: We’re going to make sure that we’re giving you information in a timely manner, we’re communicating findings immediately. Eight to 10 different bullets that we’re committing to that you will get this from us from no matter what. In turn, you’re going to commit to these things, making sure that we’re getting responses in a timely manner. Does that drive marketing internal audit? I think it does because it drives the understanding of audit.
I’ve only seen a couple organizations use that, but it’s been so effective for them, because that innate fear of auditing, people understand it better, and they’re doing a good job of going into planning and saying, “Hey, what did we do last year that we need to improve upon?” And was there something you didn’t understand. So it’s really just making sure and being transparent and making sure people understand what we’re doing, because I think there’s a lot of misperception on what an audit shop really is and really does.
Sabrina: Well Danny, thank you for sharing your thoughts with us today. Of course, this podcast is all about adopting the mindset of compliance as an investment in the business, and I really think the idea of internal marketing is one that many internal audit teams fail to recognize. I hope some of our listeners have had a light bulb moment and are right now deciding what they will implement as a result of our discussion today. Thank you for listening to Frasier and Deeter’s Culture of Compliance podcast, and please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.