5 Things Management is Reluctant to Say to Internal Auditors

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

A few months ago, I wrote about Five Things the Audit Committee Won’t Tell Internal Auditors. Based upon feedback I received from around the world, it appears that many chief audit executives shared my perspectives. While I continue to believe we need to work on communications with our audit committees, that is not the only area in which we face communication challenges. Internal auditors typically have a strong working relationship with management, but managers also don’t always tell us everything we need to hear – and know.

When the topic is fraud management or internal controls, most management executives will speak up without hesitation. But some might feel they don’t know us well enough to tell us everything that’s on their minds. Perhaps, they fear we might not take the news well. Or, maybe, they are simply trying to be tactful in order to preserve a future working relationship.

Whatever the reason, we need to encourage management to be open and honest, always. So, as I did in sharing with you what audit committee members are really thinking, here are five things that might be on the minds of managers in your organization:

1. “We don’t believe you fully understand the business.”

If management doesn’t have confidence in your knowledge of the business, a warning sign may be as blatant as a visible eye-rolling when you make a suggestion. More often, however, managers will simply discount your recommendations. They will rarely come to you for help, and unexpected disagreements might crop up when you issue a draft audit report. When this happens, a candid discussion can help. Also consider joint staff meetings or training sessions that will help the internal audit department stay abreast of current business issues.

2. “You provide us more value when you talk about the future than when you limit your view to hindsight.”

Last year’s error rate matters little compared with next year’s error rate. Risk-based auditing should be forward looking. Don’t be surprised if you get a yawn over an audit report that focuses only on the past. Management’s attention is rightly tuned to what’s happening now and, more important, what lies ahead. Internal auditors will not be heard and cannot effectively drive change by looking solely in a rearview mirror. We need to have our eyes on the future, because foresight is more valuable than hindsight.

3. “You are too often duplicating the work of others, and vice versa.”

Duplication is obviously wasteful, but when internal audit resources are not deployed effectively, we run the risk of serious gaps in coverage. What’s more, if management believes the internal audit function simply duplicates the work of others, don’t be surprised if you see waning support for your programs – and your budget. Misunderstandings do happen: Even among internal auditors, there can be confusion over specific internal audit responsibilities versus the roles of other assurance providers. The IIA’s 2014 Pulse of the Profession North American Report found that the Three Lines of Defense model is gaining acceptance for defining the roles of internal auditors and other assurance groups; however, the roles still are not clearly defined in the majority of organizations.

4. “It would be nice if you occasionally point out things we do well.”

It’s difficult to provide a balanced, unbiased opinion of operations if you never have anything good to say. As a CAE, I always insisted that my staff include a “management accomplishments” section at the beginning of every audit report. Discussing what’s done right balances a report, and knowing that the section is always included can help remind auditors to stay on the lookout for the good as well as the bad.

5. “Sometimes, we say we agree just so you will go away.”

Occasionally, you may be in a situation in which management accepts your recommendations, but only reluctantly. You could be tempted to argue your point until you have “won” the argument, but if doing so comes merely by wearing the other person down, you might have won the battle but lost the war. Internal audit is about changing perceptions, not about arguing. If management is not in full agreement with your recommendations, it’s probably time to listen more and talk less. They may have an important point.

Of all the unspoken messages on managers’ minds, I consider these to be among those potentially most damaging to internal audit. Chances are at least one applies at your organization. If so, consider reaching out to someone you trust on your management team, someone you feel will be candid with you.

What else might be on management’s mind that internal auditors need to hear? Share your insight here.
 

 

 

Posted on Jun 16, 2014 by Richard Chambers

Share This Article:    

  1. Richard, looking at point 4 above, risk based auditing should always highlight the 'things done well', since the conclusion should be of the form: 'We examined controls managing 50 risks. Controls over 48 of these risks reduced them to below the risk appetite and were therefore operating properly. Controls over the remaining two risks were not operating properly (referred to in the detailed report) but management has subsequently taken action to improve them and we now consider all risks to be properly managed.' This puts any problems found into perspective. Managers could be provided with copies of the relevant audit papers to prove their competence to their bosses.
  1. On David's point I agree with embedding the negative finding into a context like 'n out of m', effectively converting it to an 'exception rate' as additional information on the negative finding, but not with the idea that that would amount to balancing the report in the way RC I think means when he calls for that. To say 48 out of 50 risks are satisfactorily covered with controls is not to say there is a success beside the failure (- even less 48 successes against 2 failures !). It is much more to say that the failure rate is 4%, i.e. qualify the failure. I consider that what RC envisages here is some other procedure(other than the procedure found working not well),or other aspect of the procedure, that management is doing a good job of, i.e. operates well. Among RC's excellent points, I singled out (5), as top advice for young auditors: "You ... argue your point until you have “won” the argument, but if ... by wearing the other person down, ... won the battle but lost the war. Internal audit is about changing perceptions, not about arguing. If management is not in full agreement ... , ... listen more and talk less. They may have an important point.
  1. Dear Sir,

    Thanks for raising up issues which are directly relevant to the profession worlwide and keeping us enlightened with your invaluable views and alerting us to be more risk focused while in profession. The other things the Management will not usually inform the audit ,as per my experiences,  include

    1) Bonus information

    2) Overseas travel plans

    3) About company customers get together and party

    4) Complaint on lengthy report

    5) Board's prior approval on issues

    6) major incidents and audit to know about it from third party

    7) Audit wants to take credit  and wants show things are audit driven

    8) Complaint about audit does not know the techincal side of business

    9)Audit stopping everything

    10)Audit  Not regularly reporting even when all risks highlighted are not acted upon timely by them

    11) Orally giving explanation as written will be proved

    12) use of different faces as per situation

    13 passing good things about audit to Board

    14 Forcing  External auditors to query Internal audit effectiveness

    15 Important Board decision's on control on time

    16) Trusting non factual information from others

    Dev

     

  1.  Richard,  some interesting food for thought. Not sure about reporting things doing well. Yes in narrative form perhaps, but review management papers to senior management, they are all about the issues or risks and focus on things that need to be done, not back patting. 

    Also, can we, as a profession stop putting ourselves down? We are not there to fully understand the business as the management team does. The whole purpose of IA is to be detached and come to it cold with a new perspective. Clearly we need to be able to understand quickly the risks and issues, but we do need to be careful about what 'understanding' means. For therein lies the risk of 'group think' with our management colleagues. 

    If we are really looking at lack of understanding non execs can be far more detached and remote from the business in my experience. Good IA reports with suitable detail can help out with this. 

  1. I believe that internal auditors need to focus on the expectations of the stakeholders.  Our product, the Audit Report, should convey the appropriate message.  The report should describe what we did and the results.  If we decide to include the positive achievements of the area subject to audit, we need to ensure that the message is not misunderstood.  Our primary responsibility is to provide independent and objective assurance on controls and processes, and i believe the audit report should represent that aspect of our responsibilities.

  1. Richard, When Management does not want to implement IA recommendations, then point 5 applies. If they want to hit at the credibility of IA or worse want IA buy-in for decisions taken, then point 1 applies. The US versus THEM mentality still prevails in many parts of the World, and with the 3 lines of defense concept gathering pace, it is now Management and Risk versus IA. Management does not inform IA on - future plans, issues that has come to light (frauds or important ones). Management also does not involve IA in Strategic Committee meetings, ostensibly to maintain audit independence. Having said that - IA needs to 'quickly' understand the key risks and controls and evaluate these during an audit.
  1. I would agree with Mr. Wilfredo's inputs,  If we decide to include the positive achievements of the area subject to audit, we need to ensure that the message is not misunderstood. Going back to the basic questions "Which is of more value: saying controls are adequate or the management of risk is effective?"

  1.  I agree with you Richard, management are sometime reluctant to say what they are thinking. Internal auditors however do not report to the management of the organization but to the Audit Committee. Auditors must be reminded that they are independent of management and as such an audit recommendation that is not considered favourable to management does not mean it was not a good recommendation, niether does it mean that it was not one that would better the organization. Management might have an another objective or might be set on doing things one way.

    I whole heartedly agree that the good and bad must be included in the audit report. This is one evidence of a good audit report. Management need to know what is being done well and what is not being done well and what needs to be done going forward.

     

     

  1. Very good.  Fully agree with what Richard and everyone else have said.  I have heard those 5 statements (either personally or from colleagues) at one time or another.  I do personally believe, however, that a variation of David's suggestion could be considered.  We may have to be careful about giving a numerical value to the risks reported - as the failure of controls in 2 out of 50 risks that were not operating properly may have a significant impact on the bottom line of the business. 

  1.  I also found out that management just do not want internal auditors to have all "important information" for the simple reason that information is power. They do not want you to be armed with information because they are not sure whether having analysed it you would not "shoot at them" with it, particulary when management is cutting corners (associated with high risk taking) in pursuit of business objectives. This ofcourse is a case of management thinking of internal audit as a problem child.

    The other reality whether we like it or not is that no matter how smart we are about report presentation, it is human nature that people do not want to be repeatedly told what they are not doing right. So management may like internal auditors approach to work and reporting but they still just do not like auditors. This is why internal audit is a function of the board and not management. And ironically when the Board members are acting as management in their own respective organisations, they find themselves in a similar situation where they also dont like auditors! Bottom line, lets do our job professionally with eyes focussed on value addition. The rest is work politics to be managed. Has someone done a survey comparing how many management teams would be interested to hire internal auditors and compare with similar results for Boards......please share.

     

Leave a Reply