Even as most business leaders today face pressure to eliminate inefficiency, they still need to maintain a solid grasp on the risks facing their organizations. Internal auditors, by forging strong relationships with their colleagues in the functions that make up the “second line of defense,” such as compliance, IT security, quality control, and risk management, can help their employers achieve both these goals.
How? By working together, internal audit and the departments within the second line can share their skills in risk assessment, documentation, and critical thinking, says Larry Harrington, vice president, internal audit, with Raytheon Company. Both sides can capture more benefits from the skills they’ve developed.
In addition, Internal Audit may be able to use its auditing resources more judiciously by leveraging the work of these areas.
“Internal audit can't be auditing everything that goes on in the company,” Harrington says.
If it’s developed strong relationships with the second lines of defense, it can work with them to ensure they’re conducting proper, professional risk assessments, and appropriately documenting their testing. To be sure, internal audit still will need to audit them periodically, but likely on a less frequent basis.
Conversely, if internal audit is cut off from the second line functions, the chance increases that multiple risk assessments will take place, all examining the same areas, Harrington says. At the same time, if none of the departments know what the other is doing, some risks likely will be overlooked.
“I would advocate for internal auditors in any size organization to identify all of the second lines of defense and to proactively build relationships with each,” he says. “Understand what they do, why they do it, and how they do it.”
The guidelines below can help internal auditors develop stronger relationships with their colleagues in the functions that make up the second line of defense.
Understand and support the different roles
A first step is understanding the operations and objectives of the second line departments, says Norman Marks, an honorary fellow of the Institute of Risk Management, former auditor and author of several books on auditing and risk management.
“You’ve got to understand what the function’s about,” he says.
Of course, most risk management departments work with leaders of the operating units to assess the risks they face and understand how they’re being mitigated. However, risk management may not have a strong understanding of the effectiveness of the controls put in place to manage these risks. That’s where internal audit can help.
Marks provides an example: while working with one company, he learned that its ethics training in different locations was not conducted in the local languages. So, while employees could say that they’d received training, its value was questionable. Marks worked with the legal and ethics departments to change the training.
If internal audit learns of a shortcoming in a control, rather than immediately placing blame, it pays to search for the root cause. Doing so not only strengthens the relationship with the second line departments, it also makes it more likely the shortcoming is addressed. Often, the failure may be due to causes at least partially outside the department’s control, Marks says. For instance, a lack of resources may have contributed to the lapse. In some cases, the business units may ignore the input of second-line departments. “We have to understand their limits,” he says. In some cases, internal audit can show how changes could help the department.
Similarly, Internal Audit, and the organization, benefit when any shortcomings found within the second line departments are addressed in a way that drives improvement, rather than simply making the department look bad, Marks says. For instance, if it’s clear a function is falling short because it’s immature and developing, Internal Audit can point this out when explaining its concerns to management. “You recognize that they’re still in the process of developing the function,” he says.
If Internal Audit knows of major initiatives from which second line departments are excluded, it can “be their ambassadors,” and advocate for their inclusion, Marks says. Not only can this build relationships, but obtaining a wider range of input should contribute to more successful projects.
Establish well-defined roles, coordinate, and communicate
One key to a strong relationship between Internal Audit and the second line of defense is “well-defined roles and responsibilities,” says Keith Kawashima, managing director in Protiviti’s Internal Audit and financial advisory practice. If the roles aren’t clearly defined, misunderstandings become more likely, as do duplication of the work underway and gaps in risk coverage and management.
“If you fail to coordinate and don’t communicate, does anyone know what the other (functions) are responsible for?” he asks. Moreover, the confusion tends to make forging solid relationships more difficult.
When internal auditors and their colleagues in the second line departments regularly discuss risk control, compliance, and risk management, both sides find it easier to do their jobs more effectively. Not surprisingly, they’re more likely to want to work together. That leads to more robust relationships between the departments, and a stronger organization overall.
“Communication is key,” Kawashima says.
Just as important, the communication should highlight successes as well as problems. If internal auditors only identify what other departments have done wrong, it’s unlikely those departments are going to seek their counsel.
“My job as an internal auditor is not just to come up with a list of problems,” Kawashima says. “It’s also to identify ways to improve the risk profile of the organization,” he adds.
Start early, meet, and highlight successes
In Internal Audit, as in other areas of business, trying to build a relationship only once you need something is apt to turn off the other person. Instead, internal auditors need to foster relationships when there’s nothing at stake. And, helping the other person, even in small ways, is one way to do that. For instance, Harrington will forward articles about internal audit, risk, and similar topics to his colleagues in the second line functions.
“It’s letting them know you care about their success,” he says.
In-person meetings, as old-fashioned as they are, maintain an important role in building and sustaining relationships. It’s too easy to misinterpret written and even phone exchanges. Harrington generally holds quarterly meetings with his colleagues in compliance and other second-line functions. They’ll talk about risks, opportunities, and emerging issues, among other topics. The goal is to maintain their relationships and leverage each other's insight and work, instead of duplicating it.
Many companies have strong second lines of defense—departments that work hard every day to reduce cost and improve productivity, efficiency and margins, Harrington notes. Highlighting this work, including to the audit committee, is another way to build relationships. It also leaves the departments more receptive to constructive criticism, when it’s needed.
“If we build those relationships, we can help drive change for the company,” he adds.