In an ideal world, management and internal audit stand together in a common pursuit to strengthen their organization’s risk management, internal controls, and governance processes. For the most part, this alliance prevails in corporate and public organizations around the world. Despite being allies, management and internal audit do not always see eye to eye. Disagreements may be easily resolved as simple wording in an audit report, or they may be serious enough to impair internal audit’s ability to carry out its mission.
Over my internal audit career, I navigated countless disputes with management. And, as an IIA leader, I am frequently approached by chief audit executives (CAEs), or members of their staff, who say they are at an impasse with management on a contentious issue. As I reflect on potential conflicts between management and internal audit, five frequent sources stand out.
There is no scientific formula or international standard that prescribes the precise level of staffing or budget for internal audit departments. If there were, then one source of tension — disputes over resources — would be far less frequent. Management, particularly the CEO and chief financial officer (CFO), is charged by the board with achieving organizational objectives, including the delivery of profitable results in the corporate sector. To that end, management may move to streamline operations and reduce costs, when necessary, to alleviate pressure on the bottom line. But a CAE’s mission never changes: to provide assurance and advice on the effectiveness of the organization’s risk management and internal controls.
So, when management seeks to reduce internal audit’s budget or staffing levels, CAEs face a difficult choice. Pushing back on potential resource reductions may alienate their administrative boss (typically the CEO or CFO), while failing to raise a concern may leave the CAE’s functional boss (the audit committee) with a false sense of security that internal audit has the resources to effectively carry out its mission. Navigating this dilemma requires courage and finesse.
Because the appropriate level of internal audit resources can be subjective, I often advise CAEs and audit committees to periodically review the top five risks that internal audit will not be able to address with current resources. If the audit committee is comfortable with this discussion, the debate over adequate resource levels is likely over, albeit only for the time being.
While there may not be a formula for calculating internal audit’s resource requirements, there are internal audit standards that mandate the assessment of risks at both the enterprise and engagement levels. But as The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has observed, “risk management may be called both an art and a science.” Leveraging the art analogy, management sometimes prefers flattering portraits, while the internal auditors seek to “paint it like it is.” My advice here is to communicate first, negotiate if appropriate, and ultimately agree to disagree if circumstances warrant.
The CAE should be sharing the results of the (preferably continuous) enterprise risk assessment with the audit committee as a basis for internal audit’s coverage. Courageous CAEs will not simply alter, delete, or conceal their assessment of a risk because management doesn’t like it. If management and the CAE disagree over the accuracy of such risk assessments, then both views should be presented to the audit committee. It may not be comfortable for the CAE, but it is usually the correct course of action.
No source of tension is more frequent (or sometimes more acrimonious) than a disagreement between internal auditors and management over the results of an internal audit. The source is obvious: Internal auditors undertake an objective and systemic evaluation of operations that are under the purview of management. Most of the time, management agrees with internal audit’s findings and recommendations. However, as the saying goes, no one likes it when you call their baby ugly. The same may hold true when management receives an internal audit report. It is typically operating management that offers the most vehement objections to a draft or final audit report. If discussions and negotiations leave both parties at an impasse, the issue should be elevated through the ranks of management, including to the CEO, if necessary. If the CEO sustains a disagreement, then the CAE should note that with the audit committee. Management may have the prerogative of accepting one or more risks identified in an internal audit report, but the board has ultimate oversight of the risks.
There have been far too many instances in recent years when high-profile companies have become embroiled in a calamity or scandal resulting from a risk-management or control failure that had been clearly on internal audit’s radar, sometimes for years. In such instances, the internal auditors were often as tarnished as management for failing to elevate their findings or conclusions all the way to the board (audit committee). No one is served well when internal audit rolls over in the face of disagreement with management over internal audit results.
Even when management begrudgingly agrees with unflattering internal audit results, the fur can fly when internal audit assigns an overall rating on the audit report. Such ratings are often adjectival, for example, “satisfactory,” “needs improvement,” or “unsatisfactory.” It is not uncommon for operating management to bristle at an “unsatisfactory” rating. And tensions can become much more pronounced if the rating results in punitive actions, such as impacting management’s performance assessment or incentive compensation.
From my experience, executive management and the audit committee are often more receptive to internal audit rating schemes than operating management. But that doesn’t mean internal auditors should not be sensitive to rating perceptions throughout the organization. As a CAE, I would discourage the use of such ratings as a sole basis for reducing management’s incentive compensation. That’s because internal audit will likely be perceived as an adversary by those who are negatively impacted. I plan to devote an upcoming blog post to exploring the pros and cons of ratings in internal audit reports.
Fortunately, the profession has come a long way in the past two decades when it comes to reporting relationships. A recent IIA Global Pulse of Internal Audit survey shows that nearly 75 percent of internal audit leaders worldwide report functionally to a board or its audit committee. From my experience, management typically becomes comfortable with internal audit’s dual reporting relationship. Strong audit committees embrace their oversight of internal audit, and management understands that. In the vast majority of organizations, the CEO and other C-suite executives would not interfere with internal audit’s access or reporting relationship with the audit committee. However, this still may create tension.
I am frequently approached by CAEs who feel smothered by their CEO or CFO when it comes to the audit committee relationship. They report that the CEO wants to review and approve every communication with the audit committee, and they lament that their CEO and/or CFO may frown upon or prohibit informal communication between the CAE and audit committee chairman. Naturally, this is a complicated dilemma, and one that is not easily navigated. While it is clearly inappropriate for management to obsessively filter the CAE’s communications with the audit committee, the CAE is again caught between a rock and a hard place. I often urge audit committee chairs to be firm in communicating their expectations on internal audit access, and to be the ones who initiate contact with the CAE if they believe management is impeding communication.
If a CAE finds the culture of the organization is insurmountable regarding open communications with the audit committee, he or she may ultimately need to “speak with their feet” and leave the organization. From my experience, when management impedes internal audit’s access to the audit committee, it is typically symptomatic of much darker cultural issues within an organization. Under such circumstances, leaving may be the best thing a CAE can do for his or her career.
I realize this blog was a bit darker and longer than my typical reflections on internal audit. However, tension between internal audit and management can become quite serious if allowed to fester. I urge CAEs to build productive relationships within their organizations so they are surrounded by advocates and champions for the work of internal audit. This will come in handy if conflicts arise. I also encourage CAEs to build a network of peers with whom you can share your frustrations and seek advice. It is never easy to walk alone. I welcome your thoughts on this blog post, and encourage you to share any additional sources of frequent tensions that I may have overlooked.