The situation: An internal auditor makes a series of recommendations to an internal audit client, who refuses to implement one of the recommendations or address the finding.
The internal auditor's view: The recommendation covers an important point. Her supervisor agrees that the risk of not implementing the corrective action or addressing it would be significant for the organization.
The client's perspective: He concurs with the finding, but believes the corrective action would take too much time and use too many resources.
The outcome: After several unsuccessful attempts to persuade the client of the validity of the recommendation, the issue is elevated to the CEO. Lacking resolution with that step, the recommendation is sent to the audit committee. The internal auditor and her chief audit executive (CAE) attend the audit committee meeting to discuss the recommendation, gaining support from the committee and the chief financial officer. The issue is resolved (ideally, the client attends the audit committee meeting and hears the committee's decision directly, but if that is not possible, the audit committee minutes can be used to inform the client) and a cordial working relationship continues.
Although the details of this scenario may vary, it likely describes a situation that is all too familiar to most internal auditors. The recommendations the internal auditor presents may not always be welcomed or feasible, but making those recommendations is integral to internal audit's role. That role, as Michael Levy, director of internal audit at Student Transportation Inc. in Wall, N.J., describes it, is "to spotlight issues and ensure that the appropriate people are aware and informed."
But raising awareness and sharing information do not always produce the needed results. An audit client may decline to implement even the most well-researched and clearly explained recommendation, leaving unmitigated risks that may affect the organization's ability to achieve objectives. When this happens, Standard 2600: Communicating the Acceptance of the Risk directs the CAE to discuss the matter with senior management or elevate the issue to the board, if necessary.
WHAT'S BEHIND THE "NO"?
As in many instances when two parties fail to see eye to eye, inadequate or flawed communication may be to blame. In the case of unaddressed recommendations, perhaps the internal auditors did not fully explain the value of a recommendation, or they did not adequately define what "recommendation" means within the organization's culture, or they did not describe the potential consequences of failure to implement the recommendation.
Or, perhaps it is not a case of inadequate communication, but too much of it. "Many times, auditors tend to include every detail of the audit in the report," Levy says. "I find that executive management and the board are no longer looking for the 'novel' version of reports that has become common over the years." Internal auditors must focus on creating well-organized reports that stick to the point, covering what...