2019 ECIIA Conference – Plenary presentation

Does internal audit have a blind spot concerning organizational politics?

I was pleased to be asked to present at the 2019 ECIIA conference in Luxembourg. It was an honour and a privilege to present to around 700 attendees. The key messages I delivered were:

  1. We (in internal audit) may not be doing enough to proactively identify and manage political pressure:
    • First at the level of (audit) teams, but also at the level of the IIA itself; and
  2. The wrong sort of politics may even be a problem within the Internal Audit profession

I defined organizational politics as:

  • The networking, influencing approaches, and use power that managers deploy to get the organization to make a decision they want, and/or
  • The strategies and tactics managers use to slow down decision making, or even to stop decisions being made..

Organizational politics can be seen in a good or bad light, depending on whether the political activity is genuinely for an organizational benefit, compared to primarily benefiting an individual’s career, power and/or influence.

Organizational politics exists because there are only a limited number of senior, influential, roles in an organization that get to make key decisions, so invariably there is competition for these jobs. And organizational politics goes back a long way: here’s a quote from 2500 BC: “Just because you don’t take an interest in politics does not mean politics won’t take an interest in you.”

Of course, the amount of politics in any organization can vary considerably (on a range from “minimally political” to “pathologically political”), which can hamper those in a relatively good organization to see the problems of those in a more challenging one.

I looked at key IIA materials/research to look for a mention of politics. Here were my findings:

  • 2010 CBOK – nothing explicit in the general or behavioural competencies on politics;
  • 2013 competency framework – nothing explicit in the competency framework;
  • 2016 CBOK – nothing apart from a reference to some 2015 research (which I will come on to);
  • IIA IPPF 2017 – nothing on politics;
  • 2018 CBOK – Nothing on organizational politics in “Internal Audit competencies for the future”.

I wondered whether we think, in internal audit, that no explicit reference to politics is needed because other competencies cover all that is needed? e.g.: professionalism, communication, collaboration and independence etc. My experience working with IA teams and CAEs is that an indirect treatment of politics allows some key issues and challenges we face to “slip through our fingers”.

I then discussed the 2015 IIA research report: “The Politics of internal audit”, and summarized some of its key points:

  • Auditors asked to suppress a finding 1 or more times: 55%
  • Auditors asked to not audit a high-risk area: 49%
  • Auditors asked to audit a lower-risk area for personal reasons: nearly 32%

The authors state that political pressure on internal audit is intense – with “pervasive efforts to influence internal audit reports” etc. I support this conclusion and suggested to the ECIIA Conference: Isn’t internal audit one of the most politically sensitive functions in any company?

I then went on to highlight some of the recommendations from the IIA research report about what could be done about managing political challenges:

Whilst I welcome this research as a step in the right direction, I worry that following these recommendations may not be sufficient to manage the wide range of political pressures that CAEs face. And even if these recommendations did work, I wondered whether there was any data on whether internal audit teams have effectively implemented these recommendations? I worry that doing this research appears to have calmed down the IIA’s overt interest in organizational politics, whereas I believe it should have done exactly the opposite. 

My concern, based on my work with clients, is that we may have a blind spot in some parts of our profession concerning organizational politics.

I shared two key perspectives that I have used with internal audit teams to help strengthen their approach to managing politics:

A: Political types: Owl, Fox, Donkey and Lamb

Researchers Kim James & Simon Baddley developed a simple framework for thinking about organizational politics, based on whether individuals proactively think about politics (or not), and also based on those who use politics for organizational benefit vs. those who mostly focus on personal gain. They also came up with four animals that epitomized these behaviours outlined in the following table.

Their research highlights that senior roles in an organization are mostly comprised of Owls and Foxes, because they are the ones who seek to look good most of the time, (sometimes finding a scapegoat for anything that has gone wrong) and are therefore more likely to be promoted. The research found that there are a lot more foxes in senior roles than people think, which can be a surprise to some. I like to say: “The number one rule for a fox, is: pretend to be an owl”.

I then considered some of the political issues internal auditors can face: at the planning phase: concerning audits as weapons (to satisfy a political agenda); and then, during assignments, getting push back such as: “nothing bad has happened yet”, “that issue is not my responsibility” or “we already knew about that issue, and are working on it”. I explained that unless the whole audit team is sufficiently politically savvy an audit assignment could progress reasonably well at first, but then run into difficulty at the end (over the wording of the report, ratings and action planning etc.), embroiling the CAE and IA management team in dispute resolution, and having a significant effect on audit productivity. Insufficient savvy in the whole audit team can also be a source of tension within an IA teams because more junior auditors may see an IA manager or the CAE changing report wording and reducing issue ratings etc. and regard this as a sign that they are not being independent, whereas the IA manager or CAE may feel it’s necessary to make some changes to manage the politics of the report and get buy-in.  

I also made the observation that even some audit committee/board members can be “foxy”, meaning that the safety valve of the CAE going to the audit committee to resolve difficult issues between them and the C-suite is not always as straightforward as it may seem. I explained, that this undermines the dual reporting line as a guarantee of independence. This is a topic that is rarely if ever, discussed explicitly by the IIA: what should a CAE do if they are getting no support on a key issue apart from threaten to resign?    

B. Considering different influencing styles from a political perspective

I shared headlines from the work I have done with CAEs and IA teams concerning the most and least favoured style of influencing by internal auditors. The results, compiled by asking from several hundred internal auditors/CAEs across Europe, are set out in the following table:

I looked at which of these, and other, influencing styles, might work on a foxy manager? Generally speaking, if you are trying to persuade a fox to do something they don’t want to do, the most effective influencing styles are: gentle pressure, the use of legitimating tactics (e.g. reference to audit committee, or a recent fine), working in coalition with other functions, as well as exchange. Unfortunately, my research suggests these influencing styles are not greatly liked by many internal auditors! Trying to make sense of this during a coaching session with a senior audit manager, they explained they preferred not to use pressure because they didn’t want to spoil their relationship with the foxy manager. I explained that with a fox there is, sadly, no real relationship to spoil! This is a key message for internal auditors; you need to think not only with rational/logical arguments but also in terms of psychology, organizational constraints and political agendas.

I believe there isn’t enough training about how to deal with foxy managers because:

  • Some senior managers don’t want to openly acknowledge that negative politics exists in their organization; and
  • Other senior managers are actually quite foxy, so wouldn’t want to enable others to see their tricks and be better at dealing with them!

I believe that training on political savvy is the equivalent of the Harry Potter books’ “defence against the dark arts.”  I believe political savvy training and development should be a top priority for any audit team that wants to better manage disagreements impacting the delivery of audit assignments, as well as ensure they have a reputation as a value-adding function.

Of course, being politically savvy is a journey, starting with knowledge and awareness, and tactical thinking, progressing to a more team-based approach, to being more strategic and better able to “read” the political sensitivities of audits, and have the ability to manage through this.

In summary, I suggested to the ECIIA that we should do the following:

  • More explicit references to political savvy in the IIA competency framework;
  • More in-depth research and discussions on political savvy challenges; 
  • More guidance on audit planning, especially how to watch for audit blind-spots, and the risk of audits as weapons;
  • More forums to share war stories, and develop strategies to deal with foxy managers in a safe/confidential environment – for example through Action Learning techniques (which I used for the 7 years I was a CAE).

2. In relation to my second key concern about the wrong sort of politics within our profession, I shared the following observations:

To be an effective CAE it’s inevitable that you need to be politically savvy and at times this will mean you are a bit “foxy.” This ability to be politically savvy (e.g. when to push hard and when to back off) is a key CAE skill – and some years ago the CEB found that nearly 60% of CAEs who left their role within 2 years, did so because of a lack of political savvy. By the same token, thinking through the politics of what internal audit is doing is one of the reasons it is such a great job for personal development and also why being a CAE can be so interesting. However, a key question is when does this political savvy, and flexibility, amount to losing our independence? Melaine Roussy at Laval University, Quebec has done several pieces of research on this topic and interviewed CAEs and internal audit managers to get their “war stories”, and insights about political challenges. In her 2015 paper “Welcome to the day to day of auditors: how do they cope with conflicts”, she concludes with the following, rather challenging, conclusion: “While internal auditors are strategic in managing conflicts, they do not consider the cumulative effect that their coping behaviour has on their .. independence and, ultimately, capability to play their expected role in protecting the public interest”.

I shared more of the details of this research with the ECIIA conference and argued that we, in internal audit, should be ahead of the curve on such issues and not finding someone from outside making these sorts of comments.  I believe we owe Melanie Roussy our appreciation for highlighting that internal audit independence is far less straightforward than we might think. Based on my experience and coaching work with CAEs, we have many day to day challenges to manage and it’s not so straightforward to know when we have lost our independence; especially since CAEs are within a particular organizational culture and context can become acclimatized to some negative things without really noticing. (this may be especially true where CAEs are expecting a business role in their organization after 2-3 years as CAE).

I believe we could be using EQA’s to look more closely at independence issues; but mostly I think we need more training, guidance and help CAEs and their teams strike the right balance on this important issue.

Finally, I spoke about the possibility that we might have foxy managers within internal audit or close-by. The issues that most concern me are:

  1. When new software etc. is proposed to the internal audit community, selling how wonderful it is; we should be mindful if there’s little discussion about the time, effort and cost involved to implement it, alongside any short-comings;
  2. Where new ways of working are discussed, how do we guard against these becoming a fad? I believe we must encourage much more discussion about how any new ways of working align with, or challenge, the IIA standards. I argued that we are supposed to be an internal audit profession, and not just management consultants. As I see it, the IIA could insist that all articles published on internal audit topics “tie back” to the standards as much as possible, and not just “float free”.
  3. The risk that we sideline, or gloss over, more critical voices about what we/the IIA is doing. Is the IIA looking out for challenging comments, and prepared to give these space to be considered (e.g. have any of Melanie Roussy’s research papers been shared by the IIA?). Also: do we have a policy on social media comments on IIA sites? Are critical comments ever removed by web administrators etc. because they are not helpful to what the IIA wants its members to read? I can’t believe that a profession that seeks openness and transparency in others, and values independence, could be uncomfortable with posts that are not “on message”.

In concluding, I recognize that my comments contain a degree of challenge towards a profession that I am proud to be a part of, but I do this in the spirit of seeking to make sure we don’t get complacent, so we can grow successfully over the long-run, and deserve the trust so many put in what we do.

James Paterson is the former CAE for AstraZeneca PLC. He has been consulting, training and coaching on Internal Audit matters since 2010 (especially on CAE induction, root cause analysis, auditing culture, assurance mapping, politics and influencing). He is also the author of the book “Lean Auditing” published by J Wiley in 2015. For more information, go to www.RiskAI.co.uk

Join our mailing list

We will keep you updated with news and events.

Contact

Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914
Email

Please also use our contact form