Internal auditors should BE BRAVE: Telling the truth and presenting the facts sometimes requires an act of courage.

Author:Marks, Norman

You cant say that!

My boss, the chief audit executive (CAE), was telling me to change the audit report. For the second year in a row, my team found that accounting was not performing important reconciliations on time. As a result, financial reporting could be materially misstated and significant fraud might go undetected.

Rather than simply advising on-time completion of reconciliations, the audit team had performed a root cause analysis. They found that, due to cost-cutting, staffing in the unit responsible for the reconciliations had not only been reduced but also tasked with numerous special projects. The unit lacked sufficient people to meet its responsibilities without significant overtime, which management would not approve. Even if it did, the level of overtime would inevitably lead to burnout and the loss of valuable employees. Although we had found deficiencies relating to reconciliations, the staffing issue might affect the performance of other important controls.

The draft audit report explained that insufficient resources had elevated the unit's risk level and recommended adding permanent staff or contractors at month-end. The CAE, however, was reluctant to include that information. He said that his name was on the audit report, and he refused to recommend an action he was sure management would ignore. In fact, management would be angry that we had questioned its cost-cutting strategy. We delivered the report without identifying the root cause and merely recommended completion of the reconciliations.

The original report was correct, explained the business risk, and recommended appropriate corrective actions. But perhaps because he feared how management would react, the CAE kept part of the story--part of the risk--to himself. The CAE, in other words, was not brave.

It can be hard for internal auditors to tell their stakeholders, whether at the board level or in top management, what is putting the organization at greatest risk. It can be hard to say that control failures stem from insufficient staffing, inadequate pay, or imperfect leadership. It can be hard to say that the organization's structure, processes, people, and methods are not agile enough to succeed in today's dynamic world. But these are all truths that need to be told. If no one tells the emperor he has no clothes, he will carry on without them.

Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out. Yet if they are to be effective, they must be able to do so--even at great personal risk.


A few years later, when I served as CAE at another organization, I tasked my team with an audit of the Commercial Accounting function. Significant billing errors had been made, and our priority was to find out why.

When we interviewed the department head, a rising star at the company, he explained that errors had been made because his employees were...

To continue reading