Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

On the Frontlines: When an Audit Leader Changes Your Findings


In the everyday work of internal auditors, it sometimes happens that an audit manager makes changes to the drafted audit findings. An audit leader may delete some or even all of a finding or change the risk criticality. If the auditor and audit manager agree that the changes are needed to improve the quality of the audit report or ensure consistency with the risk criticality methodology, there is no issue. However, what happens in situations when there is no mutual agreement about the necessity to change the drafted findings and their risk criticality? More importantly, what happens if the audit manager's changes result in a report that presents totally different facts than what was intended — or even wrong conclusions?

There are several reasons why an audit manager might want to change audit findings and their criticality ratings — other than a desire to improve the quality of the audit report. One of them could be that the manager does not want to have a too-critical report, as it may attract a lot of attention. The opposite could also be true: The audit manager feels the report should attract more attention, so it should be made more critical. Another, unfortunate reason might be that the audit leader is misusing audit reports for reasons involving internal politics.

Or it's possible the audit manager uses audit reports in the context of personal relationships with other managers. This could include a situation in which the audit manager wants to keep good relationships with all the other managers in the organization and thus does not want to have a lot of severe findings in the audit reports. The opposite situation is possible too — having a bad relationship with another manager in the organization and using the audit report to present this manager's area as riskier than it objectively is.

Regardless of the reason behind the changes of audit findings and their risk criticality, there are several steps auditors can take in their everyday work to stay in compliance with The IIA's International Standards for the Professional Practice of Internal Auditing and protect themselves from any potential adverse effects.

Be objective and fact based. Objectivity is one of the main pillars of audit work. Auditors should strive to be, and even appear to be, objective in their work. If the objectivity of audit team members involved in the engagement is impaired, that could be a reason for a misunderstanding with the audit manager.

Document your work. Even though there are different opinions about this aspect of audit work, documenting work is a regular part of an audit engagement and becomes very important when needing to present the facts and provide evidence for conclusions. Documentation should be kept at a reasonable level — one that would enable a third party to come to the same conclusions as the auditor.

Consider the audit manager's perspective. Imagine the audit manager's role in the situation and try to talk openly. Perhaps there are certain aspects involved with the findings of which the audit team is not aware. Taking all relevant factors into consideration may help the parties involved reach a win-win situation.

Ask for an additional opinion. Involving another auditor who was not involved with the specific audit engagement could be helpful in situations when a common understanding is hard to reach. A "fresh pair of eyes" can contribute to objectively assessing the findings.

Take a stand and have arguments for it. Auditors should be brave enough to stand for their findings. However, this does not mean they should not be willing to change a single letter of what they have written. Having a strong stand should be balanced with being reasonable.

Inform the audit managers of requirements based on the Standards. It is always useful to remind team members about The IIA Standards requirements. Sometimes a simple thing like this can resolve the misunderstanding and help in achieving a solution.

Reevaluate your position. As trusted advisors, auditors should be adding value to the organization with their work. It might be useful to ask, "How does this work add value to the organization?" Thinking about it this way could put the audit findings into an entirely different, yet important perspective.

Finally, choose your battles wisely. Auditors are creative magicians in using words, graphics, pictures and all forms of communication to pass their messages to the audience. Often just a small change in wording or a slightly different presentation can help change the appearance of the findings and make everyone happy, while the facts remain unchanged.


Maja Milosavljevic, CIA, CRMA, is an internal auditor in Vienna and a 2015 Internal Auditor Emerging Leader.
