Compliance Made Simple™

Insights - Our Blog


Are Auditors Internal Police or Business Partners?

We had the privilege of interviewing David Chavez, the VP Head of Internal Audit at film and television empire, Dreamworks Animation. This industry giant has been behind some of your kids (and let’s admit it, yours too) favorite movies. From Kung-Fu Panda, Shrek, Monsters Inc., and Madagascar, there are too many classics to choose from. This November, “Trolls” will be released on the big screen, followed by “Boss Baby” this year. We may have forgotten the integral business functions behind these creations, such as internal audit. We go in-depth with David to find out how to manage the expanding role of internal audit and gain insight to handle tough situations that you may face.

5 Core Elements of Deciding Role & Vision of Internal Audit:

Over the years, the role and responsibility of internal audit seems to grow not shrink. How can we meet these increasing demands?

  1. Adding Value - Ask yourself, “How is the department adding value?” and “How are you adding value?” Value proposition is a critical, keystone element of what and how this will this serve an organization.
  2. Beyond Effective - Board and audit committees are seeking deeper insights into risk management, beyond just controlling effectiveness.
  3. Extending Risk - Vision and objectives of an audit function need to extend to risk identification and risk mitigation, and continue to expand coverage to strategic risks.
  4. Don’t Neglect the Old- While attempting to expand, don’t forget to maintain your current compliance areas! Avoid any decrease in coverage on financial reporting, operational, and other compliance related areas.
  5. Break the Wall - Internal audit is oftenseen as the internal police. Internal audit should build the bridge to be a real business partner, while still remaining independent. It takes a great deal of collaboration with management to achieve business goals and internal audit objectives. This in turn will provide a return on value beyond just compliance effort.

How to Deliver Bad News to the Board

It can be intimidating to break bad news, but if you follow these simple steps, the conversation will go as smoothly as possible.

  1. Balancing act - Be clear & concise, while staying at the 10,000 ft. level. Don’t dilute your message! It can be easy to dive in too much, but maintaining balance is key.
  2. A Seat at the table - Sitting right next to the Executive responsible for risk allows the conversation to flow much better.
  3. Unified front - Delivering bad news in collaboration with management will demonstrate a partnership. This will help create clear establishment of ownership & accountability with management. Without having management in agreement with the plan, the board will be in a poor position. They would much rather review the results, figure out if the plan is reasonable and meets the expectations in terms of what the key stakeholders want.
  4. Don’t forget your homework - Present the complete picture about risks and what management is doing to address and mitigate risks. Get your facts right! Ensure that the findings and evidence are properly vetted.

Dissect Crisis Issues and Technology

Oh no! The worst has happened, what now? Unique circumstances or “crisis” issues can arise with little time to react. Clarifying a plan and its core elements should be documented and trained, which most organizations are straining to create. Board members and key executives, are not looking for perfection, or a plan that covers every single thing that could happen. The best organizations are really saying, “I need another core element. I need to know who’s going to be responsible for delivering some of those key tasks.”

  1. Technology isn’t the Silver Bullet - How does technology fit into your plan to navigate these crises? Often, technology is sold as a“silver bullet” that can be a cure-all. In reality, in most cases the problem is the process or the people are the root of the problem.
  2. Back to Basics - Always take a step back, and assess the big picture. Go back to basics and understand from an end-to-end process perspective how and what to identify as the root cause. It is always a critical path. Ask yourself, “Is this a new risk or is it a risk that was already identified?” Or, “What is the control that failed?” Most of the time people forget to step back and look at their control environment.
  3. Fix the Process First - Do not default to technology implementationwithout fixing the process first. There is always a people, process, and technology issue. Jumping to technology first may leave holes in other areas that could be the true root of the problem.
  4. Crisis Response Plan - The board and executive management needs to understand that while you can mitigate the risk there is always the possibility a crisis will arise. For example,Cybersecurity is no longer an “if,” but a “when.” Having a concrete plan and its core elements will save you valuable time and money, instead of being forced to start from scratch.

What do you consider when you need to make a change in the internal audit value proposition?

It has to be more than just a piece of paper! Companies need to ensure that they have the right leadership in the audit function and that they have a clear transformation plan they're going to be executing.

Two Key Questions:

  • “What are you really trying to accomplish as a company?”
  • “How are you going to empower your audit function in order to be able to do it?”

Must have:

  • Leadership Needs to Build Bridges - The right leadership are those people who can break walls and build bridges. If minor changes to the company culture are necessary, we need great leaders to facilitate these changes. How will they embrace that change? This is critical, because you need balance. It is the responsibility of the organization to manage the risks and change the process.
  • Talk at the Top - Communication across executive management and the tone at the top on how they value internal audit are both very important. It should be especially clear how internal audit is going to make and bring back value to the organization.

Need help with your ERM program? We invite you to learn more by emailing us at

Learn how to save over 25% of your SOX Compliance costs.

More about David Chavez

Listen to Entire Interview

Prior to joining DreamWorks Animation, David was a National Leader of Deloitte’s GRC Technology practice where he managed multiple GRC related engagements for Fortune 100 companies. Before that David was the Head of the ERM & GRC office for Dell Computers. He is the recipient of 2 MVP awards from the GRC institute for his contribution to the GRC market. David also serves as an Advisory Board Member of the North Carolina State University ERM project and he served as a Governor of the Board for the Institute of Internal Auditors for a local chapter in Texas. David was nominated in 2012 as a candidate for the PCAOB Advisory Board. We’ll be discussing what are the current issues and best practices regarding Risk Management, data analytics and the best use of GRC technology in the internal audit department and across an enterprise.