Is it a management or board failure when no action is taken on audit findings?

My good friend, Richard Chambers (President and CEO of the IIA), recently wrote about this in C-Suite Owes More Than Simple Awareness of Internal Audit Reports.

He cited several examples where an organization experienced a public failure even though the issue had previously been identified and reported by the internal audit team.

Richard then said:

Each of these instances provides an example of governance meltdowns fed by board and management inaction or indifference to internal audit’s work. Such instances, at best, frustrate practitioners who take seriously their task of providing assurance over risk management efforts. At worst, they can demoralize internal audit staff, thereby eroding the function’s effectiveness.

I have written about this, not so much as a governance failure but as a failure of internal audit to communicate!

When internal audit is seen as focusing on the mundane and burying any gems in a haystack of words, is it any wonder that management doesn’t look forward to internal audit reports? They don’t see them as a valuable source of insight and actionable information that is critical to their running of the organization.

In fact, the auditors should have already worked with management to agree on both the issues and the actions to be taken. The audit report is how resolution is communicated, not how change is encouraged.

This is the comment I left on the post.

Richard, while I agree that management and the board often fail to pay attention to issues raised by internal audit, it is necessary to ask whether internal audit did its job in communicating the results of its work.

  • When I see a report of 20 pages or more, I am not surprised that executives fail to read it promptly and act on its recommendations.
  • When I see an audit report with a table of contents, I am sure it will be read out of duty not because it has actionable insights.
  • When I see a report with recommendations and a management response, I see an internal audit team that has failed to work with management to agree on the correct actions to take.
  • When I see a report that talks about risks but not what they mean to the strategies and objectives of the organization I see a report that is unlikely to communicate what executive management and the board need to know.
  • When I see a report that says what IA wants to say rather than clearly and concisely tell leadership what they need to know, I put a lot of the blame on IA.
  • When I see an IA function that fails to sit down with leadership and have a discussion rather than rely on a formal, traditional audit report, I see one that does not have a seat at the table, one that is not a trusted advisor.

I could have said, but did not out of respect for Richard (for whom I have great respect): “Those who live in glass houses should not throw stones”.

How effective are your organization’s internal audit reports? I have a 34-page chapter on this topic in Auditing that Matters. This is how I closed that part of the book:

It is one thing to reach an assessment and develop our advice and insight. It is quite another to communicate that promptly, efficiently, and effectively to our stakeholders.

We are only effective when we not only perform quality work but provide the audit committee, executives, and operating management the information they need to be successful – when they need it, in a readily consumable and actionable way.

I welcome your comments – and please join the discussion on Richard’s blog.

  1. Yvonne gooch
    May 14, 2018 at 12:20 PM

    “When I see a report with recommendations and a management response, I see an internal audit team that has failed to work with management to agree on the correct actions to take.”

    Norman, I respectfully disagree with your comment in quotations above. It is not the IA’s position to tell management what corrective action to take. It is IA’s job to recommend potential solutions to cited audit findings because IA is not a managerial function and therefore should not make management decisions on how to correct a deficiency. Again, IA has the responsibility to offer recommendations and discuss those with management and their potential impact/outcome if implemented. Management must take the first step toward making a statement on the corrective actions they intend to take. IA must read those responses and ascertain whether they are reasonable and justified. At this point IA would talk to management and “coach” them along toward a more definitive path toward resolving the issue(s).

    • Norman Marks
      May 14, 2018 at 2:43 PM

      Yvonne, I hear you but disagree. Internal audit cannot tell management what to do – although that tends to happen more often than we would like when management sees IA recommendations as mandatory. My point is that IA should work with management to agree on the facts, the risk they represent, and the actions to be taken. Then we can inform leadership not only of the actions management has decided to take but indicate our agreement with them. The report to the board and top management is not a “he said” “he said” that requires them to figure out who is right.

  2. May 14, 2018 at 10:28 PM

    I fully concur Norman. One remark: a management response or comment is not always per se a bad thing, in my humble view.

    • Norman Marks
      May 15, 2018 at 6:11 AM

      Rainer, I much prefer communicating that IA and management are on the same page. Look at it from the customer’s point of view. What should they take from a recommendation and response, especially when they don’t seem to say the same thing?

  3. Constantin Ndoumbe
    May 15, 2018 at 12:23 AM

    Hello all, if I can say something, first of all, Norman, an IA report cannot be “he said” when the objectives are well and clearly defined, because the recommendation will be aligned with objectives. Secondly, for the content of the IA reports, I think all that you mentioned are really basics of the profession.

  4. Bertrand
    May 15, 2018 at 4:15 AM

    I like your approach Norman and you are right to highlight the communication efforts we should all pursue. However it is unfair to leave all the responsibility on IA’s shoulders. Some of our clients (I know you don’t like the word “auditees”) are hostile to any form of external scrutiny, and they are uncooperative till the end (except if they can rewrite the audit report as they see fit). This is even more the case within a company where the support to IA by the CEO is weak. The content of management comments therefore reflects not only the (lack of) communication efforts by IA, but also the (lack of) quality of the “tone at the top”.

  5. Daniel
    May 15, 2018 at 5:14 AM

    Not often that I comment on articles (come to think of it I don’t think I ever did..) but your post Norman really resonated with what I have been arguing in my departments over the recent years, and why we only have “agreed actions” in our reports (or, in the very rare case, a clearly stated disagreement). We also do not have a risk section/headline in our observations, for the reason you mention about diverting the focus from the organization’s objectives (plus the fact that risk descriptions often tend, in my experience and despite good intentions, to be just hollow statements).
    The counter argument that was raised in one of the comments above of course has some truth to it. However, I am yet to meet an Audit Committee member who would not appreciate being presented with an agreed solution rather than just the problem (and a more or less practical recommendation). Though I do my best to be compliant with the IPPF I am not ashamed to admit that sometimes I have to be pragmatic in finding the solutions that work best for the company I am engaged with. And as far as I am aware I am working for the AC, not the IIA (sorry Mr Chambers).
    Another counter argument that I have encountered from previous colleagues is “but we are not the experts and therefore cannot decide what the best solution is”. I think if we claim to be smart enough to tell management what is wrong we should at least be smart enough to be able to facilitate the discussion with management and together be able to come up with an action agreeable to both parties.
    This is just my humble opinion..

    • Norman Marks
      May 15, 2018 at 6:12 AM

      Well said, Daniel

    • May 15, 2018 at 6:45 AM

      I posted the following on Richard’s blog:
      “Norman, I agree with all your points except, “When I see a report with recommendations and a management response, I see an internal audit team that has failed to work with management to agree on the correct actions to take”
      If the management response is negative, that doesn’t mean that IA hasn’t tried its hardest to resolve the issue. If the management response is positive, that’s good, but the IA recommendation and management action taken need to remain. I can remember an example where management took action which was subsequently reversed, resulting in a potential $1m fraud, picked up by another control we introduced. Without evidence that we had found the weakness and management had corrected it, IA would have looked at fault.
      An internal audit report needs a clear front page which states whether the objectives in the area under audit are being met; are being met but may not be in the future due to control weaknesses; aren’t being met. My audit report in book 4 on my site at http://www.internalaudit.biz gives an example.”

      • Norman Marks
        May 15, 2018 at 6:59 AM

        David, I hear you. You clearly work hard to discuss issues and assessments with management before issuing the report. Not everybody does that, especially if they have set a metric of issuing the report within days of completing the audit.

        I feel that some IA departments see the report as a way to document the work they have done, and/or as a CYA effort, rather than a way to communicate what leaders need to know, with actionable information.

        They write for themselves rather than for the reader.

        • May 15, 2018 at 12:51 PM

          I retired from IA some time ago, but I still get the impression that some internal audit departments are following the route: annual audit plan based on what IA considers important; individual audit plan based around the previous audit and relying on questionnaires; budgeted time as last audit less 10%; report thrust at management in final meeting; final report two weeks later. Am I right? If so what should the IIA be doing to refocus IA on what matters to the board?

          • Yvonne gooch
            May 15, 2018 at 12:57 PM

            David: thank you for your comment. The IIA sets the standards for IAs to follow. Yes, I know IAs are supposed to think outside the box but we do have to follow the standards. I think it is time the IIA “beefed” up their message to IA by offering training, workshops, etc. that will apply to the 21st Century and beyond. It is very difficult to run a department, complete audits, manage co-sourcing arrangements, manage the other external engagements, talk with management, etc. when there is only a two-member IA department. IAs need help and guidance.

  6. Norman Marks
    May 15, 2018 at 6:52 AM

    Just to be clear: Richard’s post focuses on governance failures, when management fails to pay attention to IA reports. While I agree that is a problem, my point is that very often (probably more often than not) we make it hard for management for all the reasons I listed. The board and executive team should, at least in theory, put pressure on IA to communicate more clearly actionable information, but that pressure is rare. In theory, they should work to understand the issues IA is trying to raise, but again that is not always the case.

    I am not saying that IA should bear all the blame. But before we blame management we should look in the mirror – are we doing all we can to communicate? In my book, I emphasize the closing meeting and the need to have a discussion rather than a one-way written, formal report.

  7. Lou
    May 15, 2018 at 4:07 PM

    Mr. Marks, your thoughts are excellent and something to which all audit functions should aspire as they evolve and improve. Unfortunately, I have been associated with companies where execs and the board view IA as a box to check, which reflects in the person they hire as CAE and the way they treat that person. I saw one such person that ultimately developed into a progressive thinking and communicating professional, but no one was interested or cared. It was all about ticking the compliance checkbox and otherwise keeping that person at bay. Of course that person ultimately left because of this, but that is my point. An IA function and CAE can only be as progressive and effective as management/board permits based on their attitudes. And of course these are not the organizations to work for.

  8. May 16, 2018 at 7:04 AM

    Unfortunately there are times when Internal Audit gets it wrong:
    “Deloitte acted as Carillion’s internal auditors, charging on average £775,000 a year since 2010. The role of internal audit is to “provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively”. Although Deloitte made a number of recommendations through their internal audit reports, they rarely identified issues as high priority. Only 15 out of 309 recommendations between 2012 and 2016 were deemed as such. Likewise, across 61 internal audit reports in 2015 and 2016, only a single report in 2016 found inadequate controls. They were responsible for advising on financial controls such as debt recovery, yet were unaware of the dispute with Msheireb over who owed whom £200 million. They also did not appear to have expressed concern over the high risk to the business of a small number of contracts not being met. Deloitte were responsible for advising Carillion’s board on risk management and financial controls, failings in the business that proved terminal. Deloitte were either unable to identify effectively to the board the risks associated with their business practices, unwilling to do so, or too readily ignored them.”

    From the UK House of Commons Select Committees report on Carillion available at https://www.parliament.uk/business/committees/committees-a-z/commons-select/work-and-pensions-committee/news-parliament-2017/carillion-report-published-17-19/ . If you want to see corporate culture at its worst, read the report.

  9. May 28, 2018 at 3:09 AM

    The failings of IA to effectively contribute to organisational objectives have often been the misinterpretation of its role and INDEPENDENCE. I argue often that the term Internal auditor has outlived its use, in as much as the use of the word Auditee is now archaic and projects that the auditor is right and the auditee is the accused. A more politically correct term such as “Business improvement professional” is more endearing to the client as much as it places a level of expectation on the services to be delivered by IA. In a nutshell IA is a business function just as IT, Finance etc. and it is there to aid organisational objectives including GRC rather than being there as “accusers of the brethren”. Once this is adopted a major shift in expectation and roles will be far easier to implement, contrary to current practices where a “Report to Management” is issued.

    • Norman Marks
      May 28, 2018 at 6:18 AM

      I think there is value in this thinking. But let’s not forget the obligation of IA to provide assurance as well as advice and insight.
