
Is It Time to Redefine Internal Audit’s Value Proposition?
How Contemporary Internal Audit Teams Discuss and Define Their Value
How do you describe Internal Audit’s value proposition within your organization?
Do you have a ready-to-go answer? Does that answer land with your key stakeholders?
Do you wish you had a better answer?
In last week’s newsletter, we looked at whether Internal Audit should change its name. One argument in favor focused on the potential to better communicate what we do, given our expanding remits. Another focused on wanting to position Internal Auditors as trusted advisors partnering with the business to solve its problems.
Whether CAEs were pro or con, all roads led back to value.
The consensus: The name doesn’t matter if it’s not backed up by action — by how the function operates, and the value and impact it delivers. That brings me to the central question of this week’s newsletter:
How can we best communicate Internal Audit’s value proposition?
A recent Internal Audit Collective roundtable with 40 CAEs focused on Internal Audit’s value proposition. While everyone had different answers, we found clear themes — and some big takeaways.
The Best Way to Convey Value Is Through Action
Everyone began by talking about messaging. After all, it was the topic of the day.
But they quickly pivoted to talking about what they did to substantiate their value props.
As Internal Audit and ERM leader Shaun Kirby put it, “You’re mainly measuring and communicating value after the fact. If you say, ‘we’re Internal Audit and we’re here to help’, people roll their eyes. To me it’s not about just saying it, but it.”
When explaining his team’s value proposition, Shaun highlighted actions that had real impact (e.g., distributor audits yielding cost recovery dollars, audit support for key management initiatives). He also shared how the team’s metrics effectively showcase their work. For example, by tracking the percentage of management requests as part of the audit plan, he shows not only that management is actively engaging them to do work, but also that it makes up a sizable portion of their remit.
Internal Audit and ERM leader Linh Truong also uses metrics to back up her team’s value. She explained, “We need to show that we’re auditing things that matter to the business, not just findings people don’t care about. That’s the north star underlying all three of our remits (Assurance, ERM, and Advisory) — to what end are we working? Are we helping the company improve their key processes and controls in the achievement of their goals and objectives?”
Linh’s metrics are designed to show partnership and strategic alignment. For example, her team tracks:
- Percent coverage of top enterprise risks on audit plan. The team is moving away from a compliance focus to a risk-based methodology; 90% of the past three years’ audits have been first-time audits (e.g., talent management was a top-five enterprise risk but had never been audited before).
- Number of special projects. This number doubled in year one and doubled again in year two. The metric demonstrates both strategic alignment and cost savings on consulting spend.
- Before-and-after maturity assessments. Instead of grading findings on a high-low scale, the team shows progress by doing maturity assessments before and after operational audits. Linh said, “Helping the company move up that maturity mountain is another value proposition for Internal Audit.”
- Before-and-after management KPIs. For follow-up audits, management and the board are shown before-and-after graphics after Internal Audit’s recommendations have been implemented. Management’s performance metrics measurably improve after each audit in those areas. It’s hard to imagine a better way to show the direct impact and value of audits.
Value Is Less About Assurance, and More About Advisory
Whether they focused on defining value before or after the fact, “value” for these forward-thinking, industry-leading CAEs had very little to do with assurance. While audit committees still focus on assurance, management puts more value on the advisory work.
Almost all of the CAEs conveyed that management requests for advisory work keep rising, and that their teams are taking on more projects around their organizations’ emerging or evolving risks.
Viewed alongside the reality that automation will take over more of our assurance work, it seems clearer than ever: Internal Audit’s role is changing.
Only one CAE highlighted Internal Audit’s independence and objectivity as integral to the team’s value proposition.
Another called out that unless his stakeholders had prior experience as auditors, they probably couldn’t define what assurance is.
In years past, we probably would’ve been talking more about the “third line of defense,” fraudulent financial reporting, SOX compliance, and other regulations. That’s all still critical. But today’s executives have more to worry about.
They can use the help, and Internal Audit is ideally positioned to provide it.
Most Value Props Focus on Improving the Business and “Connecting the Dots”
Most CAEs didn’t have ready-to-go vision or mission statements. Everyone agreed they could improve their messaging around Internal Audit’s value.
Everyone also agreed: Internal Audit’s value proposition is evolving, so there’s work to be done.
“Internal Audit means different things to different people,” said CAE and Internal Audit & ERM VP Tony Scardino. “How we communicate value is impacted by what we do. As our remit changes, how we provide value will change.” To that end, Tony’s elevator pitch focuses on how his Internal Audit team helps the organization become better, “giving people tools to fix their problems.”
Below is a summary of key themes from our discussion of value propositions, along with the CAEs’ variations on each theme.
- Helping the business improve:
  - Inspiring positive change. Not forcing or coercing, but showing the way.
  - Moving beyond compliance to focus on what genuinely matters to the business.
  - Using a risk-based methodology to stay flexible and adaptable — able to lend a hand when needed.
  - “Not being a roadblock or speed bump,” as Tony put it, but instead supporting progress and helping the organization accelerate.
  - Giving people tools to fix their problems.
  - Being the friendly auditors, here to keep you out of trouble.
  - Doing reviews and assessments, not “audits.”
  - Tony’s dentist metaphor: “Short-term pain for long-term gain.”
  - Helping the organization grow, scale, and mature its processes and controls.
  - Supporting critical controls to help them stay out of trouble while improving risk management and operations (e.g., for a newly public company).
  - Reframing assurance: As one CAE phrases it, “We’re here to show that what you’re doing is right.” Linh looks at it as making sure the company is doing the right things right, not the wrong things right.
  - Making ourselves, our team, and our stakeholders better.
  - Providing education and benchmarking on effective processes and controls, and what they need to fix to get it right.
  - Leading technology initiatives, including spearheading automation efforts, piloting new technologies, and helping to roll out technologies across other parts of the business. For example, Head of Internal Audit Alexis Zibell’s team focuses on “staying on the leading edge of innovation, bringing along finance and other parts of the business. We like to be one of the first groups to pilot new technologies. That way, we’re able to help other parts of the organization scale.”
  - Tony also shared his Starbucks-inspired “last four minutes rule”: How are you providing your stakeholders with value (e.g., results, recommendations, ideas, clean bill of health, tools that can help them be more successful) at the end of any engagement or review in Internal Audit’s equivalent of the “last four minutes”?
- Connecting the dots across the organization:
  - Bringing the benefit of Internal Audit’s unique cross-functional perspective and relationships to deliver a connected, organization-wide view on risk and an objective view of overall risk management effectiveness.
  - Reducing and connecting risk management silos, including improving communication and knowledge sharing across audit, risk, and compliance teams. As one CAE shared, “We have different groups around the country doing different risk assessments. I get pulled into their worlds, but I need to pull them into mine more. Pulling everyone together is a big opportunity.”
  - Having the ability to understand and connect different parts of the business (e.g., introducing best practices, sharing best practices from one part of the organization to others, introducing people with problems to people with solutions).
  - Understanding and communicating themes and trends to the board in compliance with Global Internal Audit Standards.
- Providing objectivity, independence, and transparency:
  - No surprises. Transparency builds trust.
  - Providing the objective, independent view of the organization that they can’t get elsewhere.
  - Using data and metrics to drive results and reporting.
Communicating Internal Audit’s Value Proposition
We’ve established that you’ve got to back up your value prop with action. But CAEs still have to try to get the message across, whether in formal stakeholder communications or day-to-day conversations.
How do these CAEs do it?
Alexis shared several ideas with the roundtable, including:
- Regularly soliciting feedback from the business. Alexis uses both formal avenues (e.g., surveys, annual performance reviews from stakeholders) and informal methods (e.g., reaching out on Slack and asking, “How’s it going? Do you have any feedback for us?”). Having established open lines of communication, she also frequently receives unsolicited feedback.
- Sharing it back with stakeholders. To communicate how value is being delivered, Alexis compiles the ad hoc feedback and key metrics (e.g., percentage of key risks covered in audit plan, number of cost savings and efficiency opportunities identified) in a single document she provides to stakeholders.
- Ongoing stakeholder education. Alexis formally introduces her team and its capabilities to key stakeholders new to the organization. In advance, she shares a pre-read that includes basic information, including an org chart to help them connect names and faces. Then, she reinforces the key points in a live conversation and shares example Internal Audit projects and results. Her team also maintains a Confluence page with information about the team; a link is included in the team’s introductory documents.
Other CAEs had great strategies as well. Metrics were a universal choice. Linh’s team holds lunch-and-learns to roll out new Internal Audit offerings or methodologies. One CAE talked about being highly visible at company events, positioning Internal Audit not as detached “presenters” but true participants — including going out for drinks or dinner.
And this brings me back to my last big takeaway from the roundtable: Communicating Internal Audit’s value proposition starts and ends with building relationships.
Some more great soundbites from our roundtable conversation:
- “Every conversation is easier if you have a relationship.”
- “Move yourself closer to the business. Engage with stakeholders. Trust is not built from nothing.”
- “It all comes down to relationship building, so that people don’t have their backs up when you call them. So they see that you are on the same side, and not as ‘gotcha police’. You need to do the upfront work of relationship building, including learning about their programs so you can add real value.”
- “Understand how you align with value to the business. What is that person specifically trying to get from what we’re doing? How can we accomplish that together and bring that to the company’s strategic objectives? How do they need to show results, and how can our advisory work support that?”
- Said Shaun, “I tell my team, ‘Delivering a plan is our mandate, but our job is to build relationships’.” (His team has developed metrics to measure their progress.)
I have zero doubt that all of these incredible CAEs are providing value to their organizations.
But as Internal Audit’s role keeps evolving, so will the challenges we have in communicating the value we provide.
However you define your value proposition, remember the one thing every CAE agreed on:
It doesn’t matter what you say if you aren’t proving it out every day.
TO
P.S. Want to be part of one of our roundtable discussions?
The Internal Audit Collective hosts regular roundtables on a range of topics, from these CAE Corner discussions to Third-Party Risk Management, Internal Audit Fundamentals, Auditing Cyber Security, AI Use Cases and Audit Considerations, and more.
Join the Internal Audit Collective today and sign up on our Community Events page!