Let's be honest. The vast majority of internal audit engagements are positive and constructive. Internal auditors and the clients whose areas of responsibility are being audited maintain a mutually respectful relationship, and the engagement results typically drive improvements or other beneficial change.
Forging strong and effective relationships within an organization is essential for the long-term effectiveness of internal auditors. Yet, try as they might, internal auditors will sometimes find themselves on the receiving end of management's wrath.
When disgruntled executives lash out or retaliate against the internal auditors, it can feel like the empire is striking back.
From my experience, management disagreements with internal audit conclusions or recommendations are not uncommon. In fact, disagreements can be a natural part of an audit resolution process. As long as the dialogue is professional, constructive, and civil, the process can be healthy and yield a better final audit report.
However, when things become contentious, internal auditors should work tirelessly to diffuse the rancor — especially if management attempts to circumvent the process, or worse, retaliate against the internal auditors. Here are a few scenarios, and recommendations, where internal auditors might find themselves on the receiving end of management's wrath.
Highly contentious pushback on internal audit results. As I noted in a blog some years ago, "When our audits reveal gross inefficiencies or even fraud, we have to be prepared for pushback no matter how fairly the information is presented in our reports." I also noted that "when the pushback occurs, we need to listen to our clients and ensure we have presented the situation fairly — but to present the situation fairly, we must resist the temptation to sugarcoat the facts or bury the news in vague terms. Our reputations as auditors depend upon our ability to present the situation in a balanced way that neither over-exaggerates nor understates risks and possible consequences." Ideally, a reasoned response that demonstrates some flexibility on our part will diffuse the situation. But if not, we must be prepared to stand our ground.
Disgruntled management elevates the disagreement to our bosses. On a few occasions in my career, I was blindsided by an irate manager who chose not to negotiate but to escalate a disagreement. A healthy audit resolution process will always afford the option of moving a disagreement to a productive settlement. The ultimate authority on resolution of disagreements should reside with the audit committee. Unfortunately, a few managers choose not to "play by the rules," opting instead to take their disagreement to either the chief audit executive (CAE), if the disagreement is with the audit team, or the CEO/chief financial officer, if the disagreement is with the CAE. My advice in such instances is to calmly and coolly present our side of the story once the disagreement has been lodged. If we are right, the facts will usually speak for themselves.
Retaliation. The worst-case scenario when management is unhappy with audit results is an attempt to exact retribution through retaliation. Subjecting internal auditors to retaliation for simply doing their job chips away at the moral fabric of the enterprise. Retaliation can take many forms: It can be subtle, such as a reduction to internal audit's budget. It can be personal, such as a negative performance evaluation directed at those responsible for an audit. Or, it can be hostile, such as accusations of improprieties or incompetence.
Regardless, retaliation of any kind is unacceptable. We must be prepared to defend ourselves and the results of our work. But to do so, we must live in a shatterproof house and not leave ourselves vulnerable by engaging in any unethical or inappropriate behavior.
As I noted earlier, the vast majority of those we audit are professional in their interactions with us. However, as I also wrote in that earlier blog, a negative response to our work may be understandable:
It's simply a part of human nature: Behavioral psychologists often say that, when bad news is received, our natural reactions are first anger and then denial. We have to keep in mind that the occasional client who argues about every critical comment in an audit report may be justified — or he or she may once have been the over-competitive school kid who used to complain to the teacher any time his or her homework received less than an "A."
We all know that we will face pushback eventually and that, at times, it might be accompanied by visible anger. When this happens, it might indicate that our findings are incorrect or that we have presented them unfairly. It also might simply indicate that our customer needs a little time to cool off. In the long run, the important thing is not that the disagreement occurred; it's how we respond to the situation.
With any luck, you will navigate your entire internal audit career without a major battle over the results of an audit. However, I encourage every internal auditor to be a good risk manager, and to consider how you will respond if the empire does strikes back.
I welcome your thoughts.