I have long argued that courage is vital to effective internal auditing. Integrity and objectivity matter, but courage determines whether internal auditors ultimately serve their stakeholders. Being honest is essential. Saying what leaders need to hear is harder. Both are required.

In most organizations, internal auditors can report noncompliance, inefficiencies, and ineffective controls without much resistance or fear of retaliation. Those messages are expected. They fit neatly within the traditional boundaries of assurance.

Other messages do not. These are the issues that test resolve. They often involve power, priorities, and uncomfortable truths. They are the matters the CEO and audit committee most need to hear. These are the quiet things that must be said out loud.

Audit committees rely on internal audit for candor. When the CAE withholds difficult truths, oversight weakens and risks grow. From my experience, there are at least five quiet things that internal auditors must be prepared to communicate clearly and directly to the audit committee.

Management has limited or interfered with internal audit’s work

Audit committees approve the internal audit charter, scope, and plan. They do so with the expectation that internal audit will have unrestricted access and independence. When that expectation is compromised, the committee needs to know.

Interference does not always look dramatic. It may involve delayed access to data, restricted interviews, narrowed scope, or pressure to alter objectives or methods. Sometimes it comes as a request. Sometimes it comes as an instruction.

Internal auditors should not rationalize these actions away. If management limits internal audit’s work, it undermines assurance. The audit committee deserves transparency.

Be specific. Explain what was restricted, how it affected the work, and what risks remain unaddressed. Avoid emotion. Stick to facts. This should not be an accusation. It must be about preserving governance.

Internal audit lacks the resources to meet audit committee expectations

Audit committees expect internal audit to address an expanding universe of risks. Cybersecurity. AI. Third party risk. Data privacy. Culture. Fraud. Strategy. Risks multiply and expectations rise. Resources often do not.

Many internal auditors hesitate to raise this issue. They fear it sounds like an excuse or a complaint. It is neither. It is a statement of capacity.

Audit committees cannot make informed decisions if they assume internal audit is addressing the critical risks or that it has capabilities it does not. When resources are insufficient, assurance gaps emerge.

Internal audit should clearly communicate:

• Which risks are not covered.
• What work has been deferred or eliminated.
• Where skill gaps exist.
• How limitations affect the ability to provide an overall assurance opinion.

Data helps. Show coverage versus risk. Show trends over time. Let the audit committee decide whether the gap is acceptable. Silence transfers that decision without consent.

Organizational culture is creating enterprise risk

Culture shapes behavior. Behavior shapes outcomes. When culture undermines values, risk increases even when controls appear sound.

Internal auditors often see cultural warning signs before others. These signs include repeat issues, management override, fear of escalation, inconsistent accountability, and ethical gray areas. Individually, they may seem minor. Collectively, they signal risk.

Culture can feel subjective. It is not. Patterns tell a story.

Internal auditors should connect cultural observations directly to enterprise objectives. Explain how behavior affects compliance, performance, and sustainability. Use examples. Use trends. Avoid labels. Focus on impact.

As I observed last year, organizations with toxic cultures are often the last to know. That’s because no one speaks up. Audit committees expect internal audit to look beyond processes and controls. Culture is often a root cause. When it elevates risk, say it out loud.

Audit findings or conclusions have been suppressed by management

Few messages are more uncomfortable than this one. Few are more important.

Suppression can take many forms. Reports delayed indefinitely. Findings softened beyond recognition. Conclusions changed without evidence. Requests to keep issues informal. Pressure to avoid escalation.

When internal audit conclusions are altered for reasons unrelated to professional judgment, the audit committee must know. Their oversight depends on unfiltered information.

Internal auditors should document interactions and decisions. When raising this issue, be precise. Describe what changed, when it changed, and why it matters. Avoid speculation. Present facts.

Audit committees rely on internal auditors to be their eyes and ears. When that channel is compromised, governance fails. Silence signals acceptance. That is not an option.

Management does not prioritize corrective action

Unresolved issues are not a paperwork problem. They are a leadership problem.

When corrective actions stall, deadlines pass, and repeat findings persist, risks compound. Over time, this erodes confidence in management’s commitment to control and accountability.

Internal audit should highlight patterns, not just individual delays. Report the age of open issues. Track repeat findings. Identify chronic problem areas. Compare commitments to outcomes.

Audit committees need to understand whether remediation is treated as essential or optional. If management does not prioritize corrective action, say it. Calmly. Clearly. With evidence.

How and when to communicate the quiet things

Ideally, these messages are shared with the CEO long before they reach the audit committee. Transparency builds trust. Surprises damage it.

That said, courage sometimes requires escalation. Executive sessions exist for a reason. When necessary, the CAE should use them.

Even then, transparency with the CEO remains critical. If communication occurs without prior notice, explain it afterward. Promptly and directly. Trust between internal audit and management is fragile. Once broken, it is difficult to repair.

To my colleagues who chair or serve on audit committees, take note of the things you should be hearing. Ask the quiet things out loud. Ignorance may be bliss – but it can also be costly!

Why this matters now

Risk is more volatile. Expectations are higher. Boards face greater scrutiny. Audit committees need clarity, not comfort.

Internal auditors have a unique enterprise wide view. With that view comes responsibility. The role is not to please. The role is to keep management and audit committees fully and currently informed.

Trust is earned by saying what needs to be said. Especially when it is difficult.

Have the courage to say the quiet things out loud.