5 Things Management is Reluctant to Say to Internal Auditors
Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.
When the topic is fraud management or internal controls, most management executives will speak up without hesitation. But some might feel they don’t know us well enough to tell us everything that’s on their minds. Perhaps, they fear we might not take the news well. Or, maybe, they are simply trying to be tactful in order to preserve a future working relationship.
Whatever the reason, we need to encourage management to be open and honest, always. So, as I did in sharing with you what audit committee members are really thinking, here are five things that might be on the minds of managers in your organization:
1. “We don’t believe you fully understand the business.”
If management doesn’t have confidence in your knowledge of the business, a warning sign may be as blatant as a visible eye-rolling when you make a suggestion. More often, however, managers will simply discount your recommendations. They will rarely come to you for help, and unexpected disagreements might crop up when you issue a draft audit report. When this happens, a candid discussion can help. Also consider joint staff meetings or training sessions that will help the internal audit department stay abreast of current business issues.
2. “You provide us more value when you talk about the future than when you limit your view to hindsight.”
Last year’s error rate matters little compared with next year’s error rate. Risk-based auditing should be forward looking. Don’t be surprised if you get a yawn over an audit report that focuses only on the past. Management’s attention is rightly tuned to what’s happening now and, more important, what lies ahead. Internal auditors will not be heard and cannot effectively drive change by looking solely in a rearview mirror. We need to have our eyes on the future, because foresight is more valuable than hindsight.
3. “You are too often duplicating the work of others, and vice versa.”
Duplication is obviously wasteful, but when internal audit resources are not deployed effectively, we run the risk of serious gaps in coverage. What’s more, if management believes the internal audit function simply duplicates the work of others, don’t be surprised if you see waning support for your programs – and your budget. Misunderstandings do happen: Even among internal auditors, there can be confusion over specific internal audit responsibilities versus the roles of other assurance providers. The IIA’s 2014 Pulse of the Profession North American Report found that the Three Lines of Defense model is gaining acceptance for defining the roles of internal auditors and other assurance groups; however, the roles still are not clearly defined in the majority of organizations.
4. “It would be nice if you occasionally point out things we do well.”
It’s difficult to provide a balanced, unbiased opinion of operations if you never have anything good to say. As a CAE, I always insisted that my staff include a “management accomplishments” section at the beginning of every audit report. Discussing what’s done right balances a report, and knowing that the section is always included can help remind auditors to stay on the lookout for the good as well as the bad.
5. “Sometimes, we say we agree just so you will go away.”
Occasionally, you may be in a situation in which management accepts your recommendations, but only reluctantly. You could be tempted to argue your point until you have “won” the argument, but if doing so comes merely by wearing the other person down, you might have won the battle but lost the war. Internal audit is about changing perceptions, not about arguing. If management is not in full agreement with your recommendations, it’s probably time to listen more and talk less. They may have an important point.
Of all the unspoken messages on managers’ minds, I consider these to be among those potentially most damaging to internal audit. Chances are at least one applies at your organization. If so, consider reaching out to someone you trust on your management team, someone you feel will be candid with you.
What else might be on management’s mind that internal auditors need to hear? Share your insight here.
Posted on Jun 16, 2014 by Richard Chambers
Share This Article: