One of the most frustrating events in my career was one of the first times an internal audit client firmly and repeatedly said “no” to one of my internal audit recommendations. It was an important point and I tried to explain my reasoning. Management agreed with the finding, but believed corrective action would be too time-consuming and resource-intensive. My supervisor also supported me, and we believed the risks of not implementing corrective action would be very high for the enterprise. But neither of us could persuade management to implement the recommendation or even find an acceptable alternative course of action.
When management says no and refuses to budge, you realize that it makes no difference how valid your recommendations are, or how hard you worked on the audit. Without results, you often feel like you accomplished nothing. If you can’t bring people around to your point of view, your instinct may be to view your audit efforts as a waste of time because important risks may remain unaddressed.
In my particular situation, the issue was elevated to the chief executive officer. And, when it still wasn’t resolved, it became the first audit recommendation in several years that went all the way to the audit committee for resolution.
As the internal auditor who made the initial recommendation, I was invited to the audit committee meeting along with my CAE. I had always wanted to attend such a meeting, though I never imagined my first experience would come about because management strongly disagreed with me. I wasn’t sure what to expect. Fearing the worst, I envisioned a “trial by fire” confrontation with management, with the audit committee serving as judge and jury.
To my relief, there was no major confrontation. Both the CAE and the audit committee were supportive of my point of view. If the CFO still was not in complete agreement, he was very polite about our “difference in perspectives.” The issue was quickly resolved, and we maintained a cordial working relationship.
I know that many of you have had similar experiences, and that sometimes your audit committees are not as supportive as the one in my case. The ultimate question is: “When management is willing to accept the risk of not implementing a corrective action, how far should the internal auditor be willing to go?”
Standard 2600 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that:
“When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.”
That’s the path we followed and, in my case, it worked. But we all need to be prepared for the consequences if the audit committee fails to show its support. So, if we are convinced that an incorrect path is being chosen regarding a significant risk, does the internal auditor have an obligation to go beyond the audit committee and the board with the information? For example, should the internal auditor take a disagreement to regulators or shareholders (or the public, in the case of internal auditors in government)?
The Standards do not specifically address what happens if the audit committee agrees with management rather than with the internal auditor. But our Code of Ethics states that internal auditors should “not disclose information without appropriate authority unless there is a legal or professional obligation to do so.”
I believe this means that, in most situations, the board is the final adjudicative authority when management doesn’t agree to implement an internal audit recommendation. We can advise and we can try to persuade, but the final decisions regarding risk and controls are not ours to make. There may come a point when we need to acknowledge that we have done all we can do, and that our job is done – even if we don’t agree with the outcome.
Of course, we must keep in mind that, if fraud or an illegal act has been disclosed, national or local laws may require us to go further if management and the board are stonewalling. These would be extraordinary circumstances, and I would always recommend obtaining legal advice before taking an issue outside of your organization. Even The IIA’s interpretation of Standard 2600 acknowledges: “It is not the responsibility of the chief audit executive to resolve the risk.”
So, while we may be powerless when our recommendations are not supported by executive management and the board, there are things we can and should be doing on an ongoing basis to minimize the risk that our recommendations will be ignored. Here are five things I believe we should do continuously:
As with all of my blog posts, these are my personal views, but I realize some of you may disagree. Do you believe the Standards and Code of Ethics address these issues adequately? What advice do you have for other internal auditors who find themselves in such conflict?