Carman L. Lapointe is the Under-Secretary-General at the Office of Internal Oversight Services at the United Nations. The Canadian internal auditor served at the Bank of Canada and as corporate auditor for Canada Post, among others. She was the first woman Chairperson of the International Internal Auditors Association. She will be speaking at the 7th Annual National Conference of the Institute of Internal Auditors Canada in October. Editor-in-chief Toby Fyfe began by asking how she convinces public sector executives of the value of internal audit.
It’s a very good question, because a lot of it has to do with perspective. When internal audit is delivering, in particular, tough messages, it becomes a threat to management, and that’s the reality of the kind of work we do. There’s an inherent conflict in the news that we are often presenting, particularly if we are developing our audit programs on a risk basis. We’re going after the high-risk areas, and those, by definition, will tend to produce bad news from a management perspective.
It’s easy to say that the best way to sell it is to convince them that we are trying to help, but it is a tough sell, because it ends up being a tool of accountability for, very often, management’s lack of awareness, or sometimes even resources, to actually make sure that the risks are being managed at the appropriate level.
Quite often, it becomes an opportunity to make the case for additional resources, especially when resources are scarce, to outline key risk areas that need more attention. And that’s easier said than done, because we’re all in an atmosphere of scarce resources, and unfortunately, management sometimes decides the best way to manage the risk is to make sure we minimize the resources that are provided to do these types of things.
How do you sell it to them? Hopefully we are at the front end of any particular audit or even the development of an audit plan. Make sure there is ongoing consulting with management to make sure we are hitting on the risks that are meaningful to them and not just to us, as the auditors. Quite frankly, if the risk areas aren’t important to management, they shouldn’t be important to us. It becomes a sales job, to make sure that we are targeting areas where we can add value with internal audit.
Management isn’t really interested in compliance-oriented reports. They are more interested in, “Tell us how we can accomplish these objectives more efficiently and more effectively using fewer resources, because that’s where the rubber hits the road.”
We need to model the behaviour that we expect program managers to have, and most internal audit functions aren’t there yet, in terms of measuring their own efficiency and effectiveness. To me, I think that is the biggest seller, to show that it works for us, to improve our elapsed time and our success in hitting the areas of interest to management. So that’s what we do: we’ve developed these program impact pathways for all three of our functions.
We tend to go in and do compliance-type work, and don’t often enough ask the question: What is the reason for the non-compliance? Is there a problem with the policy or how it’s being interpreted? We do, as internal auditors, have the right to challenge those policies.
Would that imply a different set of competencies?
It really is a different set of skills, because it isn’t something that you learn when you’re learning how to be an internal auditor. It’s judgment, and judgment comes from exposure to many different aspects, and that’s one of the interesting points about internal audit.
The best internal auditors actually are really good managers first. I can take very good program managers and make very effective auditors out of them by adding the internal audit skills and competencies. External auditors want everything to float and balance, and if it can’t be transferred to an impact on the financial statements, they don’t really care about it. And you can totally mismanage an organization and get a clean bill of health from your external auditors as long as you’ve booked the mismanagement correctly.
There’s been a concern that ideology and political imperatives rather than analysis are driving change. Is that a challenge for internal auditors, and how might they respond?
It is a challenge, and it’s not just at the national or provincial level. It’s at the international level as well. It all comes down to politics, and that I’ve learned in spades, with 193 member states, each with one vote on anything. I think where we can add value is to make sure that we don’t wait for a sunset clause evaluation to occur, that we are monitoring the achievement of objectives throughout the life of the program, to hopefully allow a better impact earlier on, so that when they get to the five-year mandate, they can then prove that they are achieving those objectives.
You can’t wait until the game is played and change the rules, but you can change the rules or the measurements throughout the life of that program, if that’s appropriate. If internal audit worked more closely with evaluators to help feed the appropriateness of the measures and the integrity of the data that’s been collected to feed those measurement programs, we could show that these programs are not delivering on a more regular basis, whether or not they’re ideological or actually based on some sort of analysis or need.
In an ideal organization, what is your relationship to the management team? Are you on the management team?
Here, I report directly to the General Assembly for the results of my work, but for administrative purposes, I report to the Secretary General. I have a very good relationship with the Secretary General, and we have agreed that I will participate in all the senior advisors’ meetings, and they happen at least once a week, where everyone at my level is around the table to talk about the key issues of the day.
I’m also an observer on the management committee, where all of the management decisions are made. And on key teams – we are implementing SAP, and IPSASB, which is accrual-based accounting – I am an observer on those steering committees and task forces, and I think that’s absolutely critical. We cannot hold on to our independence to the point where we totally are out of touch with what’s going on in management. Those interactions help me understand where the weak points are, what the various members of the management team are struggling with, and the constraints of the political system as well.
In essence, you’re saying you need to be a senior member of the management team in order to do your business properly.
Yes, exactly. In order to make sure that we are hitting on the risks that are important to management, we need to be in those forums, and that’s a very different approach than my predecessor, who refused to participate in any of those forums and therefore quite clearly was, I think, at high risk of being out of touch with what really matters to the organization.
Would you recommend a career in internal audit?
Absolutely. I got talked into it, initially. Internal auditors can take their skills and apply them in very different environments. The variety of work is just incredible. You’re not doing the same thing day in and day out or month in and month out. There’s always something new.