Whose Risk Is It, Anyway? When Management Says ‘No’ to Internal Audit

One of the most frustrating events in my career was one of the first times an internal audit client firmly and repeatedly said “no” to one of my recommendations. It was an important point and I tried to explain my reasoning. Management agreed with the finding, but believed corrective action would be too time consuming and resource intensive. My supervisor also supported me, and we believed the risks of not implementing corrective action would be very high for the enterprise. But neither of us could persuade management to implement the recommendation or even find an acceptable alternative course of action.

When management says no and refuses to budge, you realize that it makes no difference how valid your recommendations are, or how hard you worked on the audit. Without results, you have accomplished nothing. The plain and simple fact is, if you can’t bring people around to your point of view, the engagement will have been a waste of time, and important risks may remain unaddressed.
In my particular situation, the issue was elevated to the chief executive officer. And, when it still wasn’t resolved, it became the first audit recommendation in several years that went all the way to the audit committee for resolution.

As the internal auditor who made the initial recommendation, I was invited to the audit committee meeting with my CAE. I had always wanted to attend such a meeting, though I never imagined my first experience would come about because management strongly disagreed with me. I wasn’t sure what to expect. Fearing the worst, I envisioned a “trial by fire” confrontation with management, with the audit committee serving as judge and jury.

To my relief, there was no major confrontation. Both the CAE and the audit committee were supportive of my point of view. If the CFO still was not in complete agreement, he was very polite about our “difference in perspectives.” The issue was quickly resolved, and we maintained a cordial working relationship.

I know that many of you have had similar experiences, and that sometimes your audit committees are not as supportive as the one in my case. The ultimate question is: “When management is willing to accept the risk of not implementing a corrective action, how far should the internal auditor be willing to go?”

Standard 2600 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that, when a CAE concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the CAE determines that the issue still has not been resolved, we must communicate the issue to the board.

That’s the path we followed and, in my case, it worked. But we all need to be prepared for the consequences if the audit committee fails to show its support. So, if we are convinced that an incorrect path is being chosen regarding a significant risk, does the internal auditor have an obligation to go beyond the audit committee and the board with the information? For example, should the internal auditor take a disagreement to regulators or shareholders (or the public, in the case of internal auditors in government)?

The Standards do not specifically address what happens if the audit committee agrees with management rather than with the internal auditor. But our Code of Ethics states that internal auditors should “not disclose information without appropriate authority unless there is a legal or professional obligation to do so.”

I believe this means that, in most situations, the board is the final adjudicative authority when management doesn’t agree to implement an internal audit recommendation. We can advise and we can try to persuade, but the final decisions regarding risk and controls are not ours to make. There may come a point when we need to acknowledge that we have done all we can do, and that our job is done – even if we don’t agree with the outcome.

Of course, we must keep in mind that, if fraud or an illegal act has been disclosed, national or local laws may require us to go further if management and the board are stonewalling. These would be extraordinary circumstances, and I would always recommend obtaining legal advice before taking an issue outside of your organization.

As with all of my blog posts, these are my personal views, but I realize some of you may disagree. Do you believe the Standards and Code of Ethics address these issues adequately? What advice do you have for other internal auditors who find themselves in such conflict?