

hopingtopass

Posts: 17
Joined: Jul 2012
Wednesday July 11, 2012 10:19 AM

As Internal Auditors, I believe we have an obligation to report internal control weaknesses that we uncover, even though we may not always be able to find examples of negative impacts of such weaknesses (i.e., situations where weaknesses resulted in issues).
The IIA Standards require that we report all relevant information. This would include internal control weaknesses identified. In fact, if we don't report such weaknesses, we are in non-compliance with the Standards.
Imagine what would happen if in a year, something went wrong as a result of lack of control in this area. The Board/management may ask, "I thought IA looked at this. Why was this not identified as a potential issue?"
When management attempts to discount findings by saying that we did not find any situations where there was a resulting issue from an internal control weakness, we simply state that something COULD HAVE HAPPENED (and perhaps they just "got lucky").
Ultimately, it is the decision of the Audit Committee to determine if your finding is appropriate.
It is much better to report a finding that the AC deems to be not appropriate, than to keep this information from the AC, then later be asked why it was not reported.
In summary... If you feel you have a valid finding that is based on strong internal controls, report it. Do not allow management to push you away from a valid finding.
Auditors tend to report all valid issues noted (as that is their job). Management wants to reduce the number of findings, as increased findings may cause others to view management in an unfavorable manner. So, management's disagreements are a basic element of the audit report process. Auditors must be prepared to support their findings with evidence. If you have evidence (either to show proof of errors, or support an internal control best practice), an auditor should be confident to report what they have identified.
For this specific situation, perhaps consult SOX or another internal control framework. You may possibly encounter the "but we don't have to follow SOX, as we are not a public company" argument. However, your response can be quite simple... "Even though we are not legally required to follow elements of SOX, the SOX guidelines are simply a formalized compilation of strong internal control practices which reduce risks, and therefore, the concepts communicated by SOX really apply to all organizations that wish to strengthen their internal controls."
My Internal Audit Department definitely reports internal control weaknesses in audit reports (and we make no attempt to determine if errors actually exist, as we feel that is not relevant).