Thursday, February 25, 2021
Corporate Compliance Insights

Whose Risk Is It, Anyway? When Management Says ‘No’ to Internal Audit

by Richard Chambers
July 15, 2014
in Internal Audit

One of the most frustrating events in my career was one of the first times an internal audit client firmly and repeatedly said “no” to one of my recommendations. It was an important point and I tried to explain my reasoning. Management agreed with the finding, but believed corrective action would be too time-consuming and resource-intensive. My supervisor also supported me, and we believed the risks of not implementing corrective action would be very high for the enterprise. But neither of us could persuade management to implement the recommendation or even find an acceptable alternative course of action.

When management says “no” and refuses to budge, you realize that it makes no difference how valid your recommendations are, or how hard you worked on the audit. Without results, you have accomplished nothing. The plain and simple fact is, if you can’t bring people around to your point of view, the engagement will have been a waste of time and important risks may remain unaddressed. In my particular situation, the issue was elevated to the chief executive officer. And when it still wasn’t resolved, it became the first audit recommendation in several years that went all the way to the audit committee for resolution.

As the internal auditor who made the initial recommendation, I was invited to the audit committee meeting with my CAE. I had always wanted to attend such a meeting, though I never imagined my first experience would come about because management strongly disagreed with me. I wasn’t sure what to expect. Fearing the worst, I envisioned a “trial by fire” confrontation with management, with the audit committee serving as judge and jury.

To my relief, there was no major confrontation. Both the CAE and the audit committee were supportive of my point of view. If the CFO still was not in complete agreement, he was very polite about our “difference in perspectives.” The issue was quickly resolved, and we maintained a cordial working relationship.

I know that many of you have had similar experiences, and that sometimes your audit committees are not as supportive as the one in my case. The ultimate question is: “When management is willing to accept the risk of not implementing a corrective action, how far should the internal auditor be willing to go?”

Standard 2600 of the International Standards for the Professional Practice of Internal Auditing (Standards) states that, when a CAE concludes that management has accepted a level of risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the CAE determines that the matter still has not been resolved, the CAE must communicate it to the Board.

That’s the path we followed and, in my case, it worked. But we all need to be prepared for the consequences if the audit committee fails to show its support. So, if we are convinced that an incorrect path is being chosen regarding a significant risk, does the internal auditor have an obligation to go beyond the audit committee and the Board with the information? For example, should the internal auditor take a disagreement to regulators or shareholders (or the public, in the case of internal auditors in government)?

The Standards do not specifically address what happens if the audit committee agrees with management rather than with the internal auditor. But our code of ethics states that internal auditors should “not disclose information without appropriate authority unless there is a legal or professional obligation to do so.”

I believe this means that, in most situations, the Board is the final adjudicative authority when management doesn’t agree to implement an internal audit recommendation. We can advise and we can try to persuade, but the final decisions regarding risk and controls are not ours to make. There may come a point when we need to acknowledge that we have done all we can do, and that our job is done – even if we don’t agree with the outcome.

Of course, we must keep in mind that, if fraud or an illegal act has been disclosed, national or local laws may require us to go further if management and the Board are stonewalling. These would be extraordinary circumstances, and I would always recommend obtaining legal advice before taking an issue outside of your organization.

As with all of my blog posts, these are my personal views, but I realize some of you may disagree. Do you believe the standards and code of ethics address these issues adequately? What advice do you have for other internal auditors who find themselves in such conflict?

This post was recently shared on Mr. Chambers’ blog, On the Profession, and is used here with permission.


About the Author: Richard F. Chambers is president and CEO of the Institute of Internal Auditors, the global professional association and standard-setting body for 180,000 internal auditors in 190 countries.
