Whose Risk Is It, Anyway? When Management Says ‘No’ to Internal Audit

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

One of the most frustrating events in my career was one of the first times an internal audit client firmly and repeatedly said “no” to one of my recommendations. It was an important point and I tried to explain my reasoning. Management agreed with the finding, but believed corrective action would be too time consuming and resource intensive. My supervisor also supported me, and we believed the risks of not implementing corrective action would be very high for the enterprise. But neither of us could persuade management to implement the recommendation or even find an acceptable alternative course of action.

When management says no and refuses to budge, you realize that it makes no difference how valid your recommendations are, or how hard you worked on the audit. Without results, you have accomplished nothing. The plain and simple fact is, if you can’t bring people around to your point of view, the engagement will have been a waste of time, and important risks may remain unaddressed.

In my particular situation, the issue was elevated to the chief executive officer. And, when it still wasn’t resolved, it became the first audit recommendation in several years that went all the way to the audit committee for resolution.

As the internal auditor who made the initial recommendation, I was invited to the audit committee meeting with my CAE. I had always wanted to attend such a meeting, though I never imagined my first experience would come about because management strongly disagreed with me. I wasn’t sure what to expect. Fearing the worst, I envisioned a “trial by fire” confrontation with management, with the audit committee serving as judge and jury.

To my relief, there was no major confrontation. Both the CAE and the audit committee were supportive of my point of view. If the CFO still was not in complete agreement, he was very polite about our “difference in perspectives.” The issue was quickly resolved, and we maintained a cordial working relationship.

I know that many of you have had similar experiences, and that sometimes your audit committees are not as supportive as the one in my case. The ultimate question is: “When management is willing to accept the risk of not implementing a corrective action, how far should the internal auditor be willing to go?”

Standard 2600 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that, when a CAE concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the CAE determines that the issue still has not been resolved, the CAE must communicate the issue to the board.

That’s the path we followed and, in my case, it worked. But we all need to be prepared for the consequences if the audit committee fails to show its support. So, if we are convinced that an incorrect path is being chosen regarding a significant risk, does the internal auditor have an obligation to go beyond the audit committee and the board with the information? For example, should the internal auditor take a disagreement to regulators or shareholders (or the public, in the case of internal auditors in government)?

The Standards do not specifically address what happens if the audit committee agrees with management rather than with the internal auditor. But our Code of Ethics states that internal auditors should “not disclose information without appropriate authority unless there is a legal or professional obligation to do so.”

I believe this means that, in most situations, the board is the final adjudicative authority when management doesn’t agree to implement an internal audit recommendation. We can advise and we can try to persuade, but the final decisions regarding risk and controls are not ours to make. There may come a point when we need to acknowledge that we have done all we can do, and that our job is done – even if we don’t agree with the outcome.

Of course, we must keep in mind that, if fraud or an illegal act has been disclosed, national or local laws may require us to go further if management and the board are stonewalling. These would be extraordinary circumstances, and I would always recommend obtaining legal advice before taking an issue outside of your organization.

As with all of my blog posts, these are my personal views, but I realize some of you may disagree. Do you believe the Standards and Code of Ethics address these issues adequately? What advice do you have for other internal auditors who find themselves in such conflict?

Posted on May 28, 2014 by Richard Chambers


  1. Thanks Richard, very informative discussion. I too have experienced similar "stonewalling" in a government setting. Internal Audit was in its infancy at my place of employment in question, however the end result was the same; senior management just didn't get the implications of not applying the suggested controls. The result was that the General Manager made a call and also had support of the audit committee. My learning was that no matter how you want to make the audit look reasonable to management and if you have suggested tiered control applications, based on risk, you still cannot manage some people's egos. People who aren't prepared to change simply won't. The best you can do is move on and leave the action as an "outstanding" in the register. In time maybe new management will be more objective and implement the recommended actions.
  1. It is correct to quote Standard 2600 with reference to the CAE concluding that management has accepted a level of risk that may be unacceptable to the organisation.

    When one refers to a recommendation, as borne out by the account, this normally implies that there was a finding. Now a finding is simply a difference between the criterion and the condition. If the criterion was correctly sourced from the engagement client, it seems to be that it would be untenable for the engagement client to implement that criterion, if the difference is unfavourable, which is what the recommendation should be trying to get to happen.

    If the criterion were inadequate, it would have been improper to proceed evaluating conformance to it. The proper course of action would be to engage the engagement client to improve it (Standard 2210.A3). If there is no agreement to this, the concern (not finding) then falls within the ambit of Standard 2600.

  1. If the criterion was correctly sourced from the engagement client, it seems to me that it would be untenable for the engagement client to refuse to implement that criterion, if the difference is unfavourable, which is what the recommendation should be trying to get to happen.

  1. I guess most auditors have experienced this situation, mine is similar to yours in that disagreements get escalated if resolution can't be achieved through the management chain. At the end of the day managers manage the business and what action they take has to be their decision. I think the standards are fine on this point.

    However, can I disagree with the following statement you make: "When management says no and refuses to budge, you realize that it makes no difference how valid your recommendations are, or how hard you worked on the audit. Without results, you have accomplished nothing. The plain and simple fact is, if you can’t bring people around to your point of view, the engagement will have been a waste of time, and important risks may remain unaddressed." Whilst I agree that the control framework has not been improved and (in the auditor's view) important risks may remain unaddressed, I don't believe that nothing has been accomplished and I don't believe that the engagement is a waste of time. The auditor's primary role is to provide an independent and objective opinion, and that must have value / accomplish something - assurance itself has a value. Exposing poorly controlled risks requires management to engage with the debate and even if they decide to do nothing that is at least a positive, open, subject to scrutiny decision that has been prompted by the auditor's work. Assurance has value as well as control improvements.

  1. Richard: I agree wholeheartedly with Stan. IA should see their primary mission as ensuring senior management and the board are aware of the areas of significant retained risk status. Alerting them to situations of high retained/residual risk status even when they elect to do nothing is not failure or a waste of time. The better IA is able to do that job in terms of high quality reliable information about the potential impacts on achievement of important objectives, opportunities to further treat risk, impediments, and current performance, the better the service they are providing. It is not IA's job to decide the organization's risk appetite and tolerance. It is IA's job to ensure those decisions are being made with reliable and high quality information. It is also not IA's job to act as a "critical parent", cajoling management and boards to continually implement more controls and mitigate all risks. The interchange should be "adult to adult" with a focus on ensuring management and the board are making intelligent risk acceptance decisions with "fit for purpose" information. As Stan states, it is key that management and board risk acceptance decisions are "positive, open, subject to scrutiny".
  1. I wonder how much of our potential conflict with Management would be removed if we changed our language somewhat. For all the effort to be a partner with management, it seems our models and methods still frequently lean towards ideas that compel the development of organizational silos for management to deal with. I do not yet hold a CIA Certification despite 16 years in internal audit - 8 of which have been spent modeling/implementing leading IA Industry practices. About 4 years ago, I started the process but got so frustrated I stopped. It was pulling me backwards. I have restarted the process, and am happy to report great steps in the 3 part exam, yet the underlying seeds for management conflict remain. In Part 2 of the CIA exam for fraud, performance management, risk management, security, quality and other areas it leaves the auditor with the impression that a specific function should exist for each of these topics. The reality is that they are activities of larger organizational operations. A good auditor does not go in looking for a neat and tidy dedicated process with related policies... they go in first recognizing the strength of objective management, oversight and operations alignment. Then they drill into these elements with a perspective of fraud, or security, etc... Internal auditors must be the context of good operations oversight and alignment, or management will frequently not get credit for significant sets of controls that make the environment much more capable of defending against any risks. If I were a manager with great oversight and operations alignment controls, I would also refuse to implement siloed processes to help the internal auditor feel that they have met professional risk and control standards.
  1. I'm surprised at how much auditors worry about this situation. Internal auditors are specialized tools that are the "eyes and ears" of senior management. If management chooses to ignore a valid recommendation that remediates a significant risk and that risk actually becomes real, guess what? That's management's problem, not mine. I found and highlighted the risk; management needs to do a reasonable job in mitigating that risk. Sure, I'll end up with some egg on my face initially because the gut reaction of senior management is to start blaming people (e.g. Who's responsible for this? Why didn't the auditors catch this?), but after showing that I found the issue and escalated it as far as I could, I can fairly shift 100% of the blame onto the management who shirked their responsibilities. Yes, we get our paycheques cut from the same place but at the end of the day, I did my job, management didn't do theirs. If senior management chooses to fire me even though I did my job and it was management's fault, well, that's a completely different battle.

    I agree with Stan about accomplishments. Just because management doesn't accept a recommendation doesn't mean that that particular part of the audit was a failure. I'm going to publish a report that identifies a risk, lists my recommendation and lists management's response (non-action). I can control my findings and recommendation; I have no power over how management responds beyond persuasion. Found an issue, made a valid recommendation... job done.

  1. Not easy, but worth considering who has the authority to accept the level of exposure reported (it may be the board or AC as in the cases above). The authority to accept certain degrees of risk exposure should be in the organisation's authority framework.

    It is also very important that all involved understand that the accepted risk, like any aspect of risk, is dynamic - risk acceptance cannot be a "set and forget" risk management strategy. The discussions on acceptance, at whatever level they occur, should be clear on how management are going to monitor the position (i.e. is it actually getting worse since the acceptance decision was approved) and what their response will be if that is seen to be occurring. I have found that driving at these two points clearly sets expectation on the responsible manager that they cannot accept and ignore the risk and avoid later responsibility.

    Finally, having the finding on the table means that there is more chance of it being considered if there is a subsequent project that could address this finding.

  1. As Stan states, the audit is not a waste of time when management refuses to implement a recommendation. This happens often in our company. Occasionally, the auditor's view of the risk is relatively myopic based on the scope of the audit. A control in Accounting might be designed to find a problem that appears as an uncontrolled risk in the Operations area. But if Accounting wasn't in scope, the audit would miss that control. Management is responsible for the risk over the entire organization, and a single finding does not necessarily mean the sky is falling. We do well to dialog with management, all the way to the Board level, but it always remains management's responsibility to run the company and manage all the risks. If they choose to accept a risk, we keep bringing it up with every subsequent audit where the risk is a factor and remains unmitigated.

    The other important point is that we keep our recommendations realistic. A $50,000 technological system solution to a risk that has an impact of $5,000 to the company is not necessarily the most cost-effective solution. We should look for solutions that make sense for the company, and not merely some "best practice" in a Fortune 500 setting that we could never afford in our 250 head count company.

  1. To my understanding, standards should be very specific and clear; only then can internal auditors' hard work be valued. However, regardless of the standards, the code of ethics overtakes all the decisions made not in favor of the internal audit recommendations etc.

  1. I agree with those that say that the audit is not a waste of time when management refuses to implement a recommendation. At least it moves accountability to the right level. If management is aware of a risk and chooses, as is their prerogative, to accept the risk, then if the risk becomes a real event their decision is documented. I've seen too many situations where someone down the chain became a scapegoat when something went wrong.
