Creating a Culture That Embraces Risk Management and Internal Audit
June 6, 2017
By Jerry E. Lear, CIA, CISA
Approximately 50 percent of participants in a recent poll conducted during a Crowe Horwath LLP healthcare webinar said their organizations’ risk cultures could be described as somewhere in between “combative” and “collaborative.” Unfortunately, stressful working relationships between a healthcare organization’s internal audit function and other departments such as legal, finance, and operations are common in the industry.
Internal audit team members can play a role in moving an organization’s culture toward one that embraces internal audit as a partner rather than just an oversight function – a culture in which internal auditors are viewed as trusted advisers and not adversaries. It may not be easy, but it can be done. Following are strategies for moving organizational culture in a direction that is more likely to embrace internal audit and, ultimately, become more collaborative in its approach to risk management.
Rethink the Internal Audit Approach
Changing an organization’s culture and attitude toward internal audit is about more than just the audit process; it’s about members of the internal audit team building relationships, making connections throughout the organization, and truly becoming part of a larger team. This relationship management approach can help internal audit be seen more as a trusted partner and less as a policing function.
Internal audit staff can start building relationships by looking for areas in which they can provide consultation and share expertise in a proactive manner. Then, the internal audit team should work alongside management to develop action plans that address organizational compliance issues.
Being visible within the organization is another way to strengthen organizational partnerships. Internal audit staff should make it a point to become part of specific teams, show interest in other departments’ work, and express how internal audit may be able to help. In addition, internal audit staff can become more visible by opting for face-to-face meetings and visiting other departments, facilities, and administrators throughout the organization rather than conducting all communications through phone calls and email.
Another way for internal auditors to increase visibility and contribute to the team is by offering to provide educational sessions to the management and governance teams about emerging risk topics and ways in which internal audit can add insight and bring value to the organization.
Focus on Delivering Impact and Value
The methods auditors use to deliver information have a powerful impact on the perceptions of others in the organization about internal audit’s function, including any negative perceptions. It is important, therefore, for internal audit staff to provide value and depth beyond basic audit reports.
To achieve this, auditors should illustrate the impact of and meaning behind audit reports. When delivering reports, they should start by focusing on crucial risk areas and communicating why these areas are important issues for the organization.
They should express how information in audit reports affects the organization overall and provide suggestions for ways the organization can make improvements and mitigate risks in a sustainable way. Doing so provides an opportunity for internal audit to work side by side with leadership to identify risk gaps and find ways to close those gaps. Showing leadership that internal audit isn’t there simply to point out problems but, rather, to help identify solutions to problems – and perhaps avoid them altogether – builds trust and goes a long way toward exhibiting that internal audit is a valuable partner.
Embed and Embrace the Internal Audit Function
Obtaining governance and management support is necessary to create an environment that embraces the internal audit function, and this support should be made known throughout the organization. Management should send a consistent message about how internal audit helps the organization achieve its goals.
One way governance and management can express their support for internal audit is by helping to promote positive interactions among internal audit and other organizational functions such as compliance and legal. This support can assist internal audit in building positive working relationships with these vital areas.
Another way governance and management can show support is by including internal audit in key organizational meetings. This gives internal audit staff the opportunity to provide advice and assistance, making the auditors a more essential part of the organizational team. Internal audit staff can add significant impact to meetings by offering insight into control monitoring situations and suggesting ways they can help, such as through consultation, appraisal, and regulatory insights.
Internal audit’s involvement should be seen and heard in everyday organizational communications. This helps promote the internal audit function as a trusted partner and ingrained part of organizational culture.
The entire internal audit team should be involved with telling success stories that show the cultural impact of internal audit. Organizational meetings, presentations, and other internal facility communications are ideal places to highlight stories about internal audit’s role in projects and initiatives. Information shared should convey positive working relationships between internal audit and other organizational functions – such as compliance, legal, administration, finance, technology, risk, quality, physicians, and operations – and showcase the value-added activities and solutions generated by these collaborations.
Monitor and Adjust
Internal audit’s role requires auditors to be critical of others, but internal audit also needs to be objective and critical of itself. The entire team should be responsible for assessing how it has positively or negatively affected organizational culture.
Auditors should be open to self-reflection and take an honest look at the areas in which the function is doing well and at those that could be enhanced or changed. Some ways to gather feedback on which the internal audit team can reflect include:
- Surveying other departments
- Evaluating working relationships with other departments
- Reviewing organizational and governance materials and looking for references to internal audit, noting how internal audit is portrayed
- Tracking and analyzing audit requests and consultations
After gathering feedback, auditors should use the results to challenge any audit processes that consistently receive negative feedback and should work to improve those processes. If internal audit isn’t being mentioned in meetings and organizational materials, that could be an indicator that it isn’t becoming part of the organizational culture.
Break Down Barriers
By building a culture of partnership and teamwork, internal auditors can help everyone in the organization fulfill their roles more effectively and break down existing barriers to open communication and collaboration. The result will be a true collaboration as well as an enhanced and improved risk management program.