Prepare your leaders for a transformational change
Editor’s note: This is the first article in a limited series focused on the benefits of, and approach to, establishing an impactful internal audit function for private companies, including family-owned enterprises.
In times of growth or transformation, the thrill of progress may overshadow emerging risks and complexities. When a company races toward new opportunities, leadership may notice growing operational concerns that can increase risks related to inefficiency, internal controls, fraud, and regulatory compliance. These are the moments that call for evaluating the need for an internal audit function — a critical step in the growth of many businesses, and a landmark opportunity for any organization.
“In many cases, you are getting to the size where senior leadership and the board no longer have direct control over, or active involvement in, every aspect of the business,” said Grant Thornton Risk Advisory Director Brian Shellito. “They are starting to raise questions related to operational performance and standardization, investing in the company’s systems and infrastructure, quality and timeliness of reporting, and ensuring there is adequate consideration of enterprise risks.”
Internal audit offers a structured approach to identifying and mitigating risks, improving business performance, enabling compliance, cultivating future leaders for the company, and bridging communication gaps across an evolving organization.
“Literally everything within the umbrella of a company can be subject to assessment and improvement through internal audit,” said Grant Thornton Risk Advisory Services Principal Adam Ross.
A well-designed and well-executed internal audit function can strengthen management practices and unlock new potential for the company. However, if implemented and executed poorly, internal audit can lead to dissent and resentment about a perceived new layer of bureaucracy.
“The organization needs to be prepared to change, because once you get an internal audit function, it’s going to present recommendations that may require management to do things differently,” Ross said.
“If I was a company leader, I would want to understand exactly what the value proposition will be.”
A successful implementation often hinges on the answer to a simple question: Before you established a function, did the supporters of internal audit convincingly articulate the value of an internal audit function and the need for change with the right stakeholders?
“If I was a company leader, I would want to understand exactly what the value proposition will be, and how internal audit will function across the company,” Shellito said of the conversations that leadership should be having in the early stages of an internal audit implementation process.
Identifying the need for internal audit
For most companies, the potential role of internal audit rests on three legs:
- Risk management and internal control
- Operational efficiency
- Compliance
But there is no single portrait of a company that needs internal audit, even among those required by regulatory compliance obligations. These organizations can look dramatically different from one another — pre-revenue start-up to multi-billion-dollar, multi-generational family-owned business, domestic or international, older-but-evolving organization to newly formed spinoff, consolidated business via merger, and so on.
“If there have been problems at the organization in the past — operational inefficiency, accounting errors, fraud, a cyber security breach, a failed system implementation, gaps in compliance, and so on — that can be an indicator that internal audit can add value,” said Grant Thornton Risk Advisory Services Principal Matthew Lerner.
One of Ross’s clients, a multi-billion-dollar private company, has been successful for decades without internal audit. However, in addition to the lack of an internal audit function, the company has not invested in process standardization, technology enablement and internal control, all contributing to high degrees of inefficiency. The result has been margin compression and executives constantly “putting out fires.”
“In many cases, a CFO will decide it's time to establish an internal audit function to help uncover the root causes of known issues and recommend improvement opportunities, and to have a way to get that information to senior management and the board more consistently,” he said.
Checklist: 6 signs that your organization is ready for an internal audit function
The following factors may indicate that it’s time to start building internal audit capabilities.
Building the case — and dispelling myths
In the early stages, it is helpful to identify tangible examples of the power of internal audit, including from peer companies. Ross gave one recent example from his internal audit consultancy work.
“Using analytics, we identified over $25 million in potential duplicate vendor payments. We worked with our client to identify which ones were likely duplicates, which ones might be false positives, and which required further analysis by the company to conclude,” he said.
In addition to delivering direct financial returns, an internal audit function can enhance a company’s workforce as a training ground for new leaders with cross-functional experience. Ross recalled a conversation from very early in his career: “Besides me,” the department director said, “you are the only one who understands our end-to-end processes.” That brief conversation helped the director realize she needed to increase cross-training across the team and break down silos that had been unintentionally built up over the years.
Internal audit can also foster the cross-pollination of leading practices within your organization, from competitors, and from other industries. For example, Ross shared an experience where he helped a hospital system adapt a leading practice in user authentication and access management from an unlikely source — the gaming industry.
“I was able to talk to a hospital CIO about how casinos were solving for an issue they were struggling with,” he said.
A high-performing internal audit function doesn’t just underline compliance and regulatory needs, or point out policy violations and internal control weaknesses. It identifies improvement opportunities that align with the company’s strategy and objectives, enabling the organization to improve business performance.
Getting that improvement may require overcoming myths and misconceptions about internal audit:
“One thing that should be emphasized is the value that an internal audit function can bring to improve operations, drive efficiency and bring new perspectives.”
- More than finding faults: Colleagues may believe the outdated idea that internal audit only exists to find mistakes and drive compliance. In fact, internal audit can develop and advise upon leading practices, process improvement, and future strategy.
- A focus beyond finance: There’s a common belief that internal audit is only about financial risk and internal control over financial reporting, but this misses the function’s potential to help the company address operational, technological and strategic risks.
- A support, not an obstacle: Other leaders may see internal audit as an unwanted intrusion in their workflow, believing that they’ll waste time providing information and implementing unnecessary recommendations. But when internal audit is at its best, it can improve workflow by helping to design better controls and identifying inefficiencies.
Overall, successful leaders will explain how internal audit will fulfill a much broader mission than simply finding faults and driving compliance.
“One thing that should be emphasized is the value an internal audit function can bring to improve operations, drive efficiency and bring new perspectives from within the industry and from peers,” Lerner said.
How to build a coalition for internal audit
Building support for internal audit is about clear communication of the new function’s role and potential benefits — starting with the CEO.
“I think there's one person that you have to get on board, and that's the president or CEO,” Ross said.
In some cases, the chief executive may recognize the need and drive the conversation. In others, the CFO (or whoever the executive sponsor is) may need to make the case, as Ross suggested: “Here’s why I believe now is the time we should establish an internal audit function and here’s the potential ROI. We all agree these are important topics that need attention, so if not now, when? If not internal audit, then who?”
Once the CEO is in agreement, they must put their weight behind the effort. After this initial approval, the implementation of an internal audit function is no longer an idea up for discussion; it’s a mandate to be fulfilled.
With the chief executive’s support, alignment from other C-suite leaders and the board will be easier to achieve in a process that will clear the way for a smooth launch.
“If I’m advocating for establishing an internal audit function, I would make sure to socialize this with my peers on the senior leadership team,” Ross said. “However, it's not an ask. It's informing and getting buy-in. It’s providing education to others who might not be as knowledgeable about an internal audit function, especially for private companies — about what the ‘art of the possible’ is.”
Be sure to identify allies early. The general counsel, CIO and of course the board can be key supporters, helping navigate through skepticism and resistance. However, those same senior leaders and others may fear that internal audit will encroach on their domains and meddle in their workflow.
Key benefit: External perspective
Internal audit will never know more about a business or function than the executive in charge of that area.
It’s about acknowledging that an external perspective will undoubtedly provide fresh ideas and recommendations that will help the company improve.
“Their objections often come from the cost and the perception of operational disruption, or that someone will be looking over their shoulder, and they don’t want to change,” Lerner said.
Often, the answer is to respond with empathy while emphasizing the necessity and opportunity — as well as the mandate behind the new push for internal audit. A key discussion point is around recognizing internal audit will never know more about a business or function than the executive in charge of that area. It’s about acknowledging that an external perspective will undoubtedly provide fresh ideas and recommendations that will help the company improve. It will bring increased awareness to the organization’s strengths and external consensus on what is already known to be deficient.
Expanding the engagement campaign
These early conversations aren’t just about winning people over — they’re about exploring the real potential of the new internal audit function. The new internal audit function won’t just be looking for errors and driving compliance to policy; it will generate ideas and help implement positive change that make the organization more efficient and innovative.
“It’s about breaking down barriers, bringing people together, and providing an enterprise view of risk and opportunity.”
“It's about breaking down barriers, bringing people together, and providing an enterprise view of risk and opportunity, which is where an internal audit function can really shine,” Ross said. “It's a great opportunity to not only assess individual areas, but to eventually start identifying thematic items that you can address over a wide swath of business operations.”
As planning gets underway and senior leaders get on board, engagement extends to departmental leadership and beyond.
“At this point, you need to start employing formal change management principles with a focus on communication and education,” Lerner said. “Get people to know, trust and understand that the internal audit function will add value.”
Of course, trust and approval are only the beginning. Next comes the work of specifically defining the role of the internal audit function and building a plan to achieve your vision. The next installment in this series will delve into implementing the internal audit function — a roadmap from planning to execution.
Contacts:
Adam Ross
Principal, Risk Advisory Services
Grant Thornton Advisors LLC
Adam Ross is a managing director in Grant Thornton’s Business Advisory Services practice in our Philadelphia office. He has 15 years of experience helping public and private companies enhance the efficiency and effectiveness of their business and IT environment, operations and organization structure, as well as increase awareness on risk, improve internal controls, and manage compliance with applicable laws and regulations.
Philadelphia, Pennsylvania
Industries
- Life sciences
- Healthcare
- Manufacturing, Transportation & Distribution
- Technology, media & telecommunications
- Media & entertainment
- Not-for-profit & higher education
- Services
- Transportation & distribution
- Energy
- Retail & consumer brands
- Private equity
- Hospitality & Restaurants
Service Experience
- Risk advisory
Matthew Lerner
Principal, Not-for-Profit and Higher Education, Risk Advisory Services
Grant Thornton Advisors LLC
Matthew is a Principal within Grant Thornton’s Not-for-Profit and Higher Education Advisory Services practice.
New York, NY
Industries
- Not-for-profit & higher education
- Healthcare
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.
More advisory insights
No Results Found. Please search again using different keywords and/or filters.
Share with your network
Share