The following is a guest blog by internal audit Roger Ngong. If you would like to contribute to Internal Audit 360°, please read our contributor guidelines.
Let’s talk about trust. Trust is the one indispensable thing in our work as internal auditors, the relationships in our lives, and very likely in the universe as a whole. For that reason, what I am about to say here is not just useful for internal auditors, it is useful in our day-to-day interactions, although my message is written with the internal auditing profession in mind.
In fact, let me be bolder: All human beings are in the business of trust, literally. We buy and sell it as we interact with others and navigate our lives. We need it to be able to live. We need it to sleep at night, to earn a living, to send our kids to school, to eat our meals, to cross the road, and we survive and thrive because we developed systems of trust. The world as we know it cannot exist without trust.
We internal auditors talk a lot about controls, but we often forget that the only point for control, for risk management, and for governance itself is to increase the trust we have in people and in systems. Internal controls do not take the place of trust, and they certainly don’t, God forbid, eliminate the need for it. We audit, not because there is no trust but because we need more trust.
Imagine a world without trust and you have a world in chaos that has stopped working. You cannot trust the ground on which you stand; you cannot trust family, or even the air you breathe. It is simply not worth living without trust. That is why we invented trust in those wild savannah fields of East Africa so many eons ago.
Controls Don’t Replace Trust
Getting back to audit, it is important that auditors understand that our work is actually to advance trust. In fact, the best controls are the controls that do not need to exist, the ones that are invisible, the ones that are ubiquitous, and the ones that we adhere to without thinking about them at all. As an aside, that is why I personally almost never read manuals to know the controls in an environment. Do not get me wrong, I may consult manuals, but I rarely read them. That’s because the real manual is what people are doing, so what I do instead is to observe people and their interactions with processes and systems.
Just for background, it is important to understand the trust to which I am referring. There are at least two types of trust. There is the trust in people and there is trust in systems. Trust in people has its finer points, and we are all familiar with it because it is personal. We rely on it every day to varying degrees with our loved ones, our friends, our neighbors, members of our community, the salesperson at the used car lot, and, yes, even our politicians. Trust in people, however, has limitations. Chiefly, we cannot know everyone well enough, and in modern life we must interact with so many people we do not know. We use the knowledge we have, our past experiences, and our views on human nature to form various levels of trust.
Then there is the trust in systems, which is impersonal. Trust in systems is essentially how we live our lives in the wild modern metropolises that have replaced the East African savannah fields. When we get in an airplane, we have never met the pilot but we trust that he or she will pilot the plane safely to the stated destination. We expect the pilot to navigate dangers like Southwest’s Tammie Jo Shults, when the moment comes. We trust the system and training that placed her in the cockpit. When we buy the ticket we buy that trust, and when they sell the ticket they sell the same. When done right, it’s a fair deal.
Fostering Trust with Transparency
Auditors should be in the business of contributing to trust in the system, not of adding controls, or worse, sowing doubt and fear. We should contribute to risk management and mitigation, not to eliminating risk taking, innovation, and the trial and error needed for enterprise operations to succeed at their missions. We should contribute to governance, not to second guessing decisions and assigning blame.
Richard Chambers, president of the Institute of Internal Auditors, talks about becoming a trusted advisor. It’s a crucial goal to which all internal auditors should aim. But how do we get there? We must be good listeners. We must leave our preconceived ideas and notions behind, forget our canned solutions, and first just listen. We must also be transparent, as nothing increases trust in a system more than transparency. Being transparent includes giving credit where it’s due, being honest and clear about our objectives, communicating plainly and openly, and keeping no hidden agendas. We must empathize with stakeholders (auditees, employees, the public, shareholders and trustees, management, and customers), and not favor one stakeholder over another. Too often, I see internal auditors kowtowing to senior management, which sows distrust.
Lastly, we should understand and believe in the mission of the organization. And if we do not, we should be not be auditing it.
Roger Ngong is director of internal audit at Save the Children US based in Washington, D.C.