logo-newlogo-newlogo-newlogo-new
  • Home
  • Blog
  • Audit Trail Academy
  • Advisory Services
  • Books
✕
  • Home
  • Chambers on Internal Audit
  • Internal Audit Stakeholder Relations
  • 5 Frequent Sources of Tension Between Management and Internal Audit

5 Frequent Sources of Tension Between Management and Internal Audit

Workpaper Retention Presents Internal Audit With Its Own Compliance Risks
August 8, 2021
Four Strategic Risks Internal Audit Faces in the Decade Ahead
August 24, 2021
August 16, 2021

In the past year, management and internal audit have stood together in the vast majority of organizations in the face of the unprecedented risks presented by the Covid-19 pandemic. Ideally this alliance will prevail in corporate and public organizations around the world, and it likely will most of the time. Despite being allies, management and internal audit do not always see eye to eye. Disagreements may be easily resolved by simply rewording an audit report, or they may be serious enough to impair internal audit’s ability to carry out its mission.

During my years in the profession I navigated countless disputes with management. In recent years, I have frequently been approached by chief audit executives (CAEs), or members of their staff, who say they are at an impasse with management on a contentious issue. As I reflect on my own experiences, five frequent sources of conflict between internal audit and management stand out.

1. Internal Audit Resources

There is no scientific formula or international standard that prescribes the precise level of staffing or budget for internal audit departments. If there were, then one source of tension — disputes over resources — would be far less frequent. Management, particularly the CEO and chief financial officer (CFO), is charged by the board with achieving organizational objectives, including delivering profitable results in the corporate sector. To that end, management may move to streamline operations and reduce costs, when necessary, to alleviate pressure on the bottom line. But a CAE’s mission remains unchanged: to provide assurance and advice on the effectiveness of the organization’s risk management and internal controls. 

So, when management seeks to reduce internal audit’s budget or staffing levels, CAEs face a difficult choice. Pushing back on potential resource reductions may alienate their administrative boss (typically the CEO or CFO), while failing to raise a concern may leave the CAE’s functional boss (the audit committee) with a false sense of security that internal audit has the resources to effectively carry out its mission. Navigating this dilemma requires courage and finesse. 

Because the appropriate level of internal audit resources can be subjective, I often advise CAEs and audit committees to periodically review the top five risks that internal audit will not be able to address with current resources. If the audit committee is comfortable with this discussion, the debate over adequate resource levels is likely over, albeit only for the time being.

2. Risk Assessment

While there may not be a formula for calculating internal audit’s resource requirements, there are internal audit standards that mandate the assessment of risks at both the enterprise and engagement levels. But as COSO has observed, “risk management may be called both an art and a science.” Leveraging the art analogy, management sometimes prefers flattering portraits, while the internal auditors seek to “paint it like it is.” My advice here is to communicate first, negotiate if appropriate, and ultimately agree to disagree if circumstances warrant.

The CAE should be sharing the results of the (preferably continuous) enterprise risk assessment with the audit committee as a basis for internal audit’s coverage. Courageous CAEs will not simply alter, delete, or conceal their assessment of a risk because management doesn’t like it. If management and the CAE disagree over the accuracy of such risk assessments, then both views should be presented to the audit committee. It may not be comfortable for the CAE, but it is usually the correct course of action.

3. Results of an Internal Audit

No source of tension is more frequent (or sometimes more acrimonious) than a disagreement between internal auditors and management over the results of an internal audit. The source is obvious: Internal auditors undertake an objective and systemic evaluation of operations that are under the purview of management. Most of the time, management agrees with internal audit’s findings and recommendations. However, as the saying goes, “no one likes it when you call their baby ugly.” The same may hold true when management receives an internal audit report. It is typically operating management that offers the most vehement objections to a draft or final audit report. If discussions and negotiations leave both parties at an impasse, the issue should be elevated through the ranks of management, including to the CEO, if necessary. If the CEO sustains a disagreement, then the CAE should note that with the audit committee. Management may have the prerogative of accepting one or more risks identified in an internal audit report, but the board has ultimate oversight of the risks.

There have been far too many instances in recent years when high-profile companies have become embroiled in a calamity or scandal resulting from a risk-management or control failure that had been clearly on internal audit’s radar, sometimes for years. In such instances, the internal auditors were often as tarnished as management for failing to elevate their findings or conclusions all the way to the board (audit committee). No one is served well when internal audit rolls over in the face of disagreement with management over internal audit results.

4. Ratings and Opinions

Even when management begrudgingly agrees with unflattering internal audit results, the fur can fly when internal audit assigns an overall rating on the audit report. Such ratings are often adjectival, for example, “satisfactory,” “needs improvement,” or “unsatisfactory.” It is not uncommon for operating management to bristle at an “unsatisfactory” rating. And tensions can become much more pronounced if the rating results in punitive actions, such as impacting management’s performance assessment or incentive compensation.

From my experience, executive management and the audit committee are often more receptive to internal audit rating schemes than operating management. But that doesn’t mean internal auditors should not be sensitive to rating perceptions throughout the organization. As a CAE, I would discourage the use of such ratings as a sole basis for reducing management’s incentive compensation. That’s because internal audit will likely be perceived as an adversary by those who are negatively impacted. I recently undertook a survey of internal audit practices on ratings and opinions on behalf of AuditBoard. I will be sharing the results in an upcoming blog.

5. ​Relationship With the Audit Committee

Fortunately, the profession has come a long way in the past two decades when it comes to reporting relationships. Recent surveys have shown that up to 75 percent of internal audit leaders worldwide report functionally to a board or its audit committee. From my experience, management typically becomes comfortable with internal audit’s dual reporting relationship. Strong audit committees embrace their oversight of internal audit, and management understands that. In the vast majority of organizations, the CEO and other C-suite executives would not interfere with internal audit’s access or reporting relationship with the audit committee. However, this still may create tension.

I am frequently approached by CAEs who feel smothered by their CEO or CFO when it comes to the audit committee relationship. They report that the CEO wants to review and approve every communication with the audit committee, and they lament that their CEO and/or CFO may frown upon or prohibit informal communication between the CAE and audit committee chairman. Naturally, this is a complicated dilemma, and one that is not easily navigated. While it is clearly inappropriate for management to obsessively filter the CAE’s communications with the audit committee, the CAE is again caught between a rock and a hard place. I often urge audit committee chairs to be firm in communicating their expectations on internal audit access, and to be the ones who initiate contact with the CAE if they believe management is impeding communication.

If a CAE finds the culture of the organization is insurmountable regarding open communications with the audit committee, he or she may ultimately need to “speak with their feet” and leave the organization. From my experience, when management impedes internal audit’s access to the audit committee, it is typically symptomatic of much darker cultural issues within an organization. Under such circumstances, leaving may be the best thing a CAE can do for his or her career.

When I first shared some of the perspectives several years ago I acknowledge this subject is a bit darker  than my typical reflections on internal audit. However, tension between internal audit and management can become quite serious if allowed to fester. I urge CAEs to build productive relationships within their organizations so they are surrounded by advocates and champions for the work of internal audit. This will come in handy if conflicts arise. I also encourage CAEs to build a network of peers with whom you can share your frustrations and seek advice. It is never easy to walk alone.

I welcome your thoughts on this blog post, and encourage you to share any additional sources of frequent tensions that I may have overlooked.  

Share

Related posts

February 13, 2023

When an Internal Audit Client Shows You Who They Are – Believe Them!


Read more
July 5, 2022

Winning Over Skeptical Internal Audit Clients: 5 Strategies To Remember


Read more
February 16, 2022

When Friction Erupts: 5 Ways Internal Auditors Can Mend Broken Fences


Read more

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

What’s Trending

03-20-23

New Report Reveals Surprising Insights from Internal Audit Executives


03-13-23

New IIA Report Is a Timely Benchmarking Resource for Internal Auditors


03-02-23

6 Things Audit Committee Members Often Won’t Say to Internal Audit


Read More

Archive

  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • October 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • December 2010
  • October 2010
  • September 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • August 2009
  • July 2009
  • June 2009
  • May 2009
  • April 2009
  • March 2009
  • February 2009

Contact Us

PO Box 1441
New Smyrna Beach, FL 32170

+1-407-463-9389
rchambers@richardchambers.com

About AuditBeacon.com

AuditBeacon.com is a resource center for internal auditors and risk professionals from around the world. In addition to more than 500 blogs authored by Richard Chambers, the site includes links to news and insights on internal audit and other information that illuminates the value of this important profession. AuditBeacon.com is provided as a service by Richard F. Chambers and Associates, LLC.

Copyright © 2023 Richard F. Chambers & Associates. All Rights Reserved.
  • Home
  • Blog
  • Audit Trail Academy
  • Advisory Services
  • Books