
An unfortunate truth is that risk and control failures frequently can and do happen despite internal audit’s best efforts. This reality has resulted in far too many calamities over the years. We are more likely to learn about such incidents in the public sector than behind opaque veils that often cloak the private sector. But rest assured, ignoring internal audit warnings happens in every sector.
The High Cost of Ignoring Internal Audit Recommendations
May is Internal Audit Awareness Month, a time for organizations to recognize the vital role that internal auditors play in safeguarding their assets, mitigating risks, and promoting effective governance. Yet, awareness is not enough. Executive management in organizations must not only acknowledge what internal auditors do – they must actively listen and respond to their findings and recommendations.
Too often, when scandals and financial collapses make headlines, the question asked is, “Where were the internal auditors?” But a better question would often be, “Where was management’s sense of urgency in implementing solutions in response to internal audit reports?” Recent history is filled with examples of organizations that ignored internal audit recommendations, only to suffer catastrophic consequences as a result.
When Internal Audit Recommendations Go Unheeded
- Financial Losses and Fraud Exposure: A prominent retail company faced a significant fraud scandal after management disregarded multiple internal audit warnings about weaknesses in its payment processing controls. Auditors had repeatedly flagged the lack of segregation of duties and vulnerabilities in the electronic funds transfer system. When a trusted senior employee exploited these weaknesses, the resulting fraud cost the company millions in losses and a tarnished reputation.
- Regulatory Non-Compliance: In a highly regulated industry, a financial services firm received numerous audit reports highlighting the need to strengthen anti-money laundering (AML) controls. Management delayed implementing the recommendations, citing cost concerns. The delay proved disastrous when regulators uncovered a multi-million-dollar laundering scheme that exploited the very gaps the auditors had warned about. The firm not only faced hefty fines but also suffered irreparable reputational damage.
- Operational Disruptions: A manufacturing company failed to act on audit findings regarding aging infrastructure and inadequate maintenance protocols in its primary production facility. A subsequent equipment failure resulted in a costly plant shutdown, disrupting the supply chain and impacting customer commitments. The cost of the unplanned outage far exceeded the cost of implementing the audit recommendations.
- IT Failures: A major U.S. city’s internal auditors warned officials that their IT systems could be easily compromised. Those officials’ failure to act promptly to correct the deficiencies left the city susceptible to a ransomware attack that crippled its computer network and undermined the public’s confidence in city officials.
Why Are Internal Audit Recommendations Ignored?
- Lack of Management Buy-In: If management perceives internal auditors as merely compliance officers or ‘check-the-box’ reviewers, they are less likely to prioritize implementing their recommendations.
- Cost Concerns: Addressing audit findings often requires financial investment, and management may view these expenses as unnecessary.
- Conflicting Priorities: Executives juggling multiple priorities may downplay the significance of audit findings until a major incident occurs.
- Communication Gaps: If internal audit reports are not effectively communicated or presented in actionable terms, management may not fully grasp the severity of the risks identified.
We have likely all been there. Our reports were clear, concise and timely. They highlighted the control or risk management weakness and offered actionable recommendations for corrective actions. Yet, the report spurred no action on the part of management. What could we have done differently?
5 Tips to Ensure Our Reports Are Not Ignored
- Speak the Language of Business: Instead of presenting findings in technical or compliance-driven language, frame recommendations in terms of business impact – financial losses, operational disruptions, or regulatory penalties.
- Prioritize and Categorize Recommendations: Not all findings carry the same level of risk. By clearly prioritizing recommendations based on risk severity, we can help management focus on the most critical areas first.
- Engage Key Stakeholders Early: Share preliminary findings with senior management before finalizing the report. This fosters transparency and allows for early buy-in on necessary actions.
- Follow Up and Reiterate: Don’t let recommendations fade into the background. Monitor corrective actions and advise senior executives and the audit committee when delays are excessive.
- Leverage Data Analytics: Use data-driven insights to underscore the urgency of addressing specific risks. Demonstrating potential losses through data visualization can be far more compelling than a traditional audit report.
Internal Audit Month is an opportunity for organizations to not just acknowledge the role of internal auditors, but to act on their recommendations. Ignoring these critical insights is a recipe for disaster – as numerous high-profile failures have proven. By effectively communicating audit findings, prioritizing risks, and actively engaging with management, internal auditors can play a pivotal role in preventing the next major crisis.
I welcome your comments via LinkedIn or Twitter (@rfchambers).