So, while we may be powerless when our recommendations are not supported by executive management and the board, there are things we can and should be doing on an ongoing basis to minimize the risk that our recommendations will be ignored. Even The IIA’s interpretation of Standard 2600 acknowledges: “It is not the responsibility of the chief audit executive to resolve the risk.” These would be extraordinary circumstances, and I would always recommend obtaining legal advice before taking an issue outside of your organization. Of course, we must keep in mind that, if fraud or an illegal act has been disclosed, national or local laws may require us to go further if management and the board are stonewalling. There may come a point when we need to acknowledge that we have done all we can do, and that our job is done – even if we don’t agree with the outcome. We can advise and we can try to persuade, but the final decisions regarding risk and controls are not ours to make. I believe this means that, in most situations, the board is the final adjudicative authority when management doesn’t agree to implement an internal audit recommendation. But our Code of Ethics states that internal auditors should “not disclose information without appropriate authority unless there is a legal or professional obligation to do so.” The Standards do not specifically address what happens if the audit committee agrees with management rather than with the internal auditor. So, if we are convinced that an incorrect path is being chosen regarding a significant risk, does the internal auditor have an obligation to go beyond the audit committee and the board with the information? For example, should the internal auditor take a disagreement to regulators or shareholders (or the public, in the case of internal auditors in government)? But we all need to be prepared for the consequences if the audit committee fails to show its support. That’s the path we followed and, in my case, it worked. 
If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.” “When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. Standard 2600 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that: The ultimate question is: “When management is willing to accept the risk of not implementing a corrective action, how far should the internal auditor be willing to go?” I know that many of you have had similar experiences, and that sometimes your audit committees are not as supportive as the one in my case. If the CFO still was not in complete agreement, he was very polite about our “difference in perspectives.” The issue was quickly resolved, and we maintained a cordial working relationship. Both the CAE and the audit committee were supportive of my point of view. To my relief, there was no major confrontation. Fearing the worst, I envisioned a “trial by fire” confrontation with management, with the audit committee serving as judge and jury. I had always wanted to attend such a meeting, though I never imagined my first experience would come about because management strongly disagreed with me. And, when it still wasn’t resolved, it became the first audit recommendation in several years that went all the way to the audit committee for resolution. As the internal auditor who made the initial recommendation, I was invited to the audit committee meeting along with my CAE. In my particular situation, the issue was elevated to the chief executive officer. If you can’t bring people around to your point of view, your instinct may be to view your audit efforts as a waste of time because important risks may remain unaddressed. Without results, you often feel like you accomplished nothing.
When management says no and refuses to budge, you realize that it makes no difference how valid your recommendations are, or how hard you worked on the audit. But neither of us could persuade management to implement the recommendation or even find an acceptable alternative course of action. My supervisor also supported me, and we believed the risks of not implementing corrective action would be very high for the enterprise. Management agreed with the finding, but believed corrective action would be too time consuming and resource intensive. It was an important point and I tried to explain my reasoning. One of the most frustrating events in my career was one of the first times an internal audit client firmly and repeatedly said “no” to one of my internal audit recommendations.