No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Internal Audit

Whose Risk Is It, Anyway? When Management Says ‘No’ to Internal Audit

by Richard Chambers
July 15, 2014
in Internal Audit
Whose Risk Is It, Anyway? When Management Says ‘No’ to Internal Audit

One of the most frustrating events in my career was one of the first times an internal audit client firmly and repeatedly said “no” to one of my recommendations. It was an important point and I tried to explain my reasoning. Management agreed with the finding, but believed corrective action would be too time-consuming and resource-intensive. My supervisor also supported me, and we believed the risks of not implementing corrective action would be very high for the enterprise. But neither of us could persuade management to implement the recommendation or even find an acceptable alternative course of action.

When management says “no” and refuses to budge, you realize that it makes no difference how valid your recommendations are, or how hard you worked on the audit. Without results, you have accomplished nothing. The plain and simple fact is, if you can’t bring people around to your point of view, the engagement will have been a waste of time and important risks may remain unaddressed. In my particular situation, the issue was elevated to the chief executive officer. And when it still wasn’t resolved, it became the first audit recommendation in several years that went all the way to the audit committee for resolution.

As the internal auditor who made the initial recommendation, I was invited to the audit committee meeting with my CAE. I had always wanted to attend such a meeting, though I never imagined my first experience would come about because management strongly disagreed with me. I wasn’t sure what to expect. Fearing the worst, I envisioned a “trial by fire” confrontation with management, with the audit committee serving as judge and jury.

To my relief, there was no major confrontation. Both the CAE and the audit committee were supportive of my point of view. If the CFO still was not in complete agreement, he was very polite about our “difference in perspectives.” The issue was quickly resolved, and we maintained a cordial working relationship.

I know that many of you have had similar experiences, and that sometimes your audit committees are not as supportive as the one in my case. The ultimate question is: “When management is willing to accept the risk of not implementing a corrective action, how far should the internal auditor be willing to go?”

Standard 2600 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that, when a CAE concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the CAE determines that the issue still has not been resolved, we must communicate the issue to the Board.

That’s the path we followed and, in my case, it worked. But we all need to be prepared for the consequences if the audit committee fails to show its support. So, if we are convinced that an incorrect path is being chosen regarding a significant risk, does the internal auditor have an obligation to go beyond the audit committee and the Board with the information? For example, should the internal auditor take a disagreement to regulators or shareholders (or the public, in the case of internal auditors in government)?

The Standards do not specifically address what happens if the audit committee agrees with management rather than with the internal auditor. But our code of ethics states that internal auditors should “not disclose information without appropriate authority unless there is a legal or professional obligation to do so.”

I believe this means that, in most situations, the Board is the final adjudicative authority when management doesn’t agree to implement an internal audit recommendation. We can advise and we can try to persuade, but the final decisions regarding risk and controls are not ours to make. There may come a point when we need to acknowledge that we have done all we can do, and that our job is done – even if we don’t agree with the outcome.

Of course, we must keep in mind that, if fraud or an illegal act has been disclosed, national or local laws may require us to go further if management and the Board are stonewalling. These would be extraordinary circumstances, and I would always recommend obtaining legal advice before taking an issue outside of your organization.

As with all of my blog posts, these are my personal views, but I realize some of you may disagree. Do you believe the standards and code of ethics address these issues adequately? What advice do you have for other internal auditors who find themselves in such conflict?

This post was recently shared on Mr. Chambers’ blog, On the Profession, and is used here with permission.


Tags: HIPAA
Previous Post

Education and Communications: High Expectations for User Engagement

Next Post

New Brazilian Anti-Corruption Law: Compliance as a Competitive Advantage

Richard Chambers

Richard Chambers

Richard F. Chambers is president and CEO of the Institute of Internal Auditors, the global professional association and standard-setting body for 180,000 internal auditors in 190 countries.

Related Posts

people waiting in covid line

Did Covid Lead to a Lower HIPAA Fine?

by Rodney King
August 17, 2022

Eye-popping fines over violations of the right of access portion of the federal HIPAA healthcare law aren’t exactly common, and...

medical records hipaa

Survey: Majority Admit Missing Key Piece of HIPAA Compliance

by Corporate Compliance Insights
June 8, 2022

Organizations admit failing to prioritize annual security risk analysis, according to small survey

A masked professional holds up their covid-19 vaccination card.

‘My Employer Can’t Ask for Proof of Vaccination’ and Other Myths Regarding COVID-19 and HIPAA

by K Royal
September 7, 2021

When it comes to COVID-19 and HIPAA, many misunderstand the law’s scope and purview, especially in a professional setting. Privacy...

illustration of cybersecurity concept

VigiTrust Launches VigiOne Cybersecurity Compliance Platform for Managed Security Service Providers

by Corporate Compliance Insights
August 17, 2021

Easy-To-Use, Cost-Effective Solution Enables MSSPs to Keep Pace with Changing Regulations, Scale Effectively and Ensure Ongoing Compliance New York, NY...

Next Post
New Brazilian Anti-Corruption Law: Compliance as a Competitive Advantage

New Brazilian Anti-Corruption Law: Compliance as a Competitive Advantage

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT