GUEST BLOG POST
I believe just about every internal audit executive would agree with me that our independence from management is critical. We need to be able to operate without undue interference from management. That means that they are not able to stop or change our audit reporting, our opinions, or our assessments.
It also means that managers cannot stop us from performing an audit, and they cannot change its scope. They also cannot command that we perform other activities (even other, lower risk audits), diverting our limited resources from our essential responsibilities. But if we use the wrong words injudiciously when talking to management, we may give them reason to believe they can do all of that. So, what are the right words to use?
When we develop and continuously update our audit plan, the schedule of audits we plan to perform, we will seek input from management.
We want to know:
- Their concerns about risks and controls.
- Their ideas and assessments of the more significant risks to enterprise objectives.
- Their plans for change.
- How they see us adding value.
- Whether they have task forces or similar projects reviewing areas that we might target for an audit.
- Their thoughts on the audit projects we are considering.
We want their collaboration on our audit plan, but it remains our audit plan. We can put that at risk by careless use of words.
Feedback and Collaboration, But not Approval
For example, if we seek their approval for our audit plan (as indicated in the sample charter recently published by the Institute of Internal Auditors and supported by prominent members of our profession – see this LinkedIn post and comments), we are saying that they can say “no.” They can disapprove. They can stop us from performing audits we believe are essential; they can demand changes in the scope of the audit; and they can add other projects we do not believe are high risk and value.
Some believe it is necessary to obtain their concurrence with it. But what happens when they say they do not concur or approve? Some commentators say that internal audit can elevate the dispute to the board and its audit committee. I believe, however, that that is giving management excessive power over our audit plan–and us–and our independence is weakened. We are put on the defensive, trying to justify what is in our audit plan.
We may have reasons for an audit that we don’t want to share with management, such as concerns about the integrity or competence of those same executives. They may even be hiding something from the board. The disagreement may be an honest one about the level of risk. But that is not always the case. In fact, they may want to close their eyes to risk that we see as real and high, because their jobs or compensation depend on moving forward with a risky situation or venture. There have also been times when management simply didn’t want us poking our noses into their business, because they were afraid of what we might see.
The answer is a clear “no!” We don’t seek their approval or concurrence. We obtain their input. We discuss their thoughts and listen carefully should they say that the related risks are low or that there would be little value in an audit. We especially listen when they ask us to add an audit of an area where they believe the risk is high or where we can add great value for them. But it is still our audit plan as a function that must be independent of management, free from undue influence.
I was the Chief Audit Executive for several public companies for about twenty years. During that time, I had these difficult experiences:
Locked out in Penang
My predecessor had been careless in his use of words and asked management of our Penang operation for their approval of his audit plan. The next year, I did not. I shared it with them as a draft and asked for their input and comments before obtaining audit committee approval, and then shared it again after that approval had been obtained.
When it came time for an audit to start in Penang, my team sent them a notification a month in advance, but they did not reply. When the team arrived to begin the audit, they were locked out! Penang management told them they had not approved the audit!
I was able to override local management by getting the regional president to make a call and explain that management did not have the ability to approve or disapprove of the audit plan.
Moving too Fast at Business Objects
When Business Objects (BOBJ) announced that it was going to be acquired by SAP, a lot of critical people left. That included our entire infosec team and our entire customer credit department in the United Kingdom.
Risks to our continued business and to the success of the acquisition and integration were very high indeed. This was especially true since the SAP CFO decreed that BOBJ would migrate to the SAP ERP from our current Oracle platform within six months! An unheard-of speed.
I moved my entire internal audit team to help management address these new sources of risk. Then I contacted my SAP counterpart and asked him to join me in the endeavor. Initially he agreed, but then demurred. He said this was not in his annual audit plan and any changes to the audit plan required the approval of the CEO!
Fortunately, the SAP CRO helped out, but ….
Can You Hold Off on that Audit?
I also spent part of my audit career at Solectron. This was a company where my team started finding financial statement frauds at a number of unrelated U.S. subsidiaries. None of them were material (thank goodness) to the consolidated financial statements, but they reflected an environment where many subsidiaries were struggling to stay afloat. They were barely, if at all, profitable and were afraid of being closed down. Some resorted to cooking the books, only for my team to uncover the frauds.
In fact, the company as a whole was struggling and the CFO had started working with an investment bank to raise money through a bond offering. He was worried that the frauds we were uncovering would dissuade the bankers from underwriting the bonds. So, he carefully asked me not to perform any more audits where we suspected fraud or at least delay them.
This put me in a very difficult position. I carefully responded with words that made sure we both agreed it was my audit plan and he was not going to be able to stop me from going ahead if I decided to do so. Of course, he could appeal to the audit committee, but that was a perilous approach for him.
I maintained my independence and was able to provide the bankers with assurance that all the frauds I was finding, and any that I suspected, were immaterial to the consolidated results and position of the company.
I deferred but did not cancel additional audits for a month or so, by which time the crisis had passed. But it was my decision, and my audit plan–and the CFO knew that.
Engaging in Constructive Discussion
So, be careful with your words. We are seeking input and advice from management when we are developing and updating the audit plan. We listen and pay attention, especially when they identify areas where they see more risk than we do, as well as those where they see less. And we seek to understand why. But it remains our audit plan.
We want to be able to tell the audit committee that we have discussed the audit plan with management. Management can raise an objection with the audit committee, but in my experience that doesn’t happen if you have engaged them in constructive discussions as you developed your plan.
The charter should make it clear, and both the audit committee and management should understand, that internal audit is independent of management. Our plan is our own, the result of obtaining management input and collaboration, and we have not sought their approval or concurrence.
It’s a little different when it comes to audit reports. Here we seek to come to an agreement with management on:
- the facts,
- what they mean, and
- what needs to be done.
But again, we do not seek their approval. I can accept concurrence, but agreement is a better word in my opinion. I believe these may be semantic differences, but it is very important for management to have a clear understanding of our independence and the lines they cannot cross.
What do you think? Please leave your thoughts in the comments section below. 
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.