In "Management vs. Internal Audit: 5 Frequent Sources of Tension," Richard Chambers (whom I consider a friend) raises some good points about tension between internal audit and management.
He first covers the situation where management wants to cut internal audit resources (perhaps as part of an overall cost-cutting initiative). I agree with Richard's perspective that the audit committee needs to make an informed decision and have actually used the technique he recommends. I also agree with his comments about disagreements on the level of risk when internal audit is not able to rely on a mature ERM program.
I only wish that Richard had pointed out that the absence of effective risk management is itself a serious risk to the organization that merits discussion with top management, the audit committee, and possibly the full board.
His third point relates to disagreements about the results of an audit.
I think we have to be very, very careful here.
The people who run the business are not idiots.
Let's not hastily assume they "don't get it."
We need to listen actively and very carefully to their rebuttal. There are multiple potential reasons for disagreement, including:
- We are right and they don't understand their own operation and its risks — how likely is that?
- We are right and they are willing to take risks that we believe the board would not support — this happens, but not that often (thank goodness).
- We are right on the facts but don't have a complete view of the big picture. Perhaps the risk is one that should be taken by the organization. We need to listen so we can grasp that big picture. We may still disagree, but it would be an informed disagreement and management would know that we have an honest and informed disagreement that can be settled by senior management or the audit committee.
- We are wrong on the facts and need to listen to understand how.
If we take every disagreement to more senior management and possibly higher without making every effort to both listen and understand, we are asking for trouble. Even if we are right, it will be a Pyrrhic victory as we deservedly lose the confidence and trust of operating management.
Richard goes on to talk about ratings and opinions.
I hate ratings. They don't mean anything!
Our stakeholders need actionable information about the effect of any deficiencies we find on the achievement of enterprise objectives. A rating is an expression of pleasure or displeasure that is unlikely to change any strategic decision or action.
But if we use the full extent of the (English or other native) language to explain why what we find matters, providing them with assurance, advice, and insight that helps them lead the organization to success, then we are earning our pay.
Tell them which objectives may be at risk, not that things are or are not satisfactory.
His last point is about relations with the audit committee and, by inference, management. One of the causes for this can be that we are not seen as helping top management succeed. We are pointing out possibilities for failure but not positioning ourselves as partners in success — and then delivering on that promise.
That requires a culture shift by internal audit that can lead to a culture shift by management.
As always, I welcome your comments.