In a perfect world, it shouldn’t matter. Management concurrence shouldn’t be needed, and it should not be for the internal auditors to procure it. How about external auditors? Do they need it or even vie for it?
Certainly not, because management understands that it’s the external auditor’s concurrence and endorsement that they need for a clean audit report! Indeed, with external audit, it’s the other way round, because the stakes are high!
But here I don’t intend to get into the external vs internal audit debate, simply because the external audit will always have a higher leveraging position, not because of its diminished utility but because of the statutory and regulatory compulsions it enjoys the world over.
What’s important for us, the internal auditors, to understand is that this isn’t a perfect world and management concurrence comes at a significant cost, which is the internal audit’s long-term relevance and credibility.
Therefore, in our practical world, we, the internal auditors, should be focused on selling the basis of our finding(s) and its/their implications. Obtaining management concurrence on a problem that needs to be resolved, a deficiency that needs to be removed, or a process that could be improved makes for attractive merchandise to sell, instead of trying to sell the audit finding per se!
But let’s first try to understand, what management concurrence is, why it matters and why it shouldn’t?
Put simply, management concurrence is agreement of management on an audit finding or findings in a report. It is believed that an agreement to all the findings in the report is necessary for an audit report to be considered final and ready for issuance.
Unless the agreement is obtained, findings are not accepted and owned by management. If the findings aren’t owned, the problems aren’t resolved, or improvements are not undertaken. And if problems aren’t resolved or improvements aren’t undertaken, what good will Internal Audit be?
That’s what we believe or more appropriately are led to believe. But is it all misplaced? Let’s try to answer that.
Which auditors wouldn’t like to have a management viewpoint resonate with their own? But the issue is the cost at which one could have such harmony. If these costs include:
- Rewording the finding to dampen its impact
- Reducing its risk rating so that it could look good
- Significantly altering the substance of the finding to remove the deficient control or a control lapse for instance
- Altering the finding to reflect something management is already aware of
- ‘Adjusting’ or plainly not reporting the finding(s) in the ‘larger interest’ of working or business relationships
- Forcing a change in audit approach and / or reporting protocols
- Using administrative tools or budgetary constraints to coerce auditors into consensus
- Limiting areas for assurance or advisory if inputs over certain areas are not to the management’s liking
and more, the auditors need to make a cost-benefit analysis of such a situation, or rather a cost-cost analysis, since no long-term benefit is expected to flow to the auditors. The audit would simply be rubber stamping / echoing management’s assessment of the state of Governance, Risk Management and Control systems.
The long and short of such a consensus-filled, hand-in-glove relationship with management is the internal audit’s slide into irrelevance, which is detrimental not just to its own professional identity within the entity but is also a stain on the profession at large.
In certain scenarios, however, some of these ‘costs’ could make sense professionally. Let’s try to find out how.
| Management Response on IA Findings | When it shouldn’t matter! |
| --- | --- |
| Rewording the finding | The original wording of the finding was ‘sexed up’ to garner interest in it, like what journos do! The wording doesn’t reflect the gist of the finding or is opinionated at best |
| Reducing the risk rating | The original rating was based on subjective assessment / judgment rather than the objective rating / heat map-based criteria |
| Altering the substance of the finding | The original finding points to a pith that’s not the real statement of fact or causation |
| Playing down the finding so that management doesn’t look bad | If the management is indeed aware but tried to keep a lid on it and working to correct it, auditors might need to reassess their point scoring inclination. Or if management is made aware of the issue through the finding but has already begun taking corrective actions |
| Not Reporting | Only when the finding is materially insignificant |
| Change in Audit Approach | Strictly if the alternate being offered is more professional for the auditors; objectivity, independence and competence could be enhanced. |
Mind you! The last two costs, using administrative tools or budgetary constraints against auditors and limiting areas for assurance or advisory, are unacceptable under any circumstances, since the former jeopardizes audit’s objectivity and independence, and the latter is a scope limitation. Both these scenarios would simply need to be reported to the ultimate reporting authority over the Internal Audit.
Concisely, it is for the internal auditors to identify, assess and evaluate the consequences they’re asked to bear for their reporting. If these are meant to challenge us to make us come back stronger than before, management consensus is welcome.
But otherwise, we need to be mindful of the fact that it is the internal auditor’s prerogative to report anything they deem fit for reporting. And that it is for the Board’s approved mechanism to determine the ratings of those findings. And finally, the management needs to be reminded of this reporting relationship.
The management can record and communicate its dissenting opinion against the finding(s), but the choice between acting on the finding(s) and deciding that no action needs to be taken is that of the Board. A decision of not acting is what’s known as Risk Assumption; auditors have reported something for which the Board is willing to absorb the risk.
The learning here for auditors is to review the entity’s Risk Tolerance and see if a tweak in the reporting framework and ratings mechanism is needed, so that such recurrent findings need not be reported unless they become material cumulatively.
But what if the Board concurs with however management ‘manages’ the internal audit?
Start finding a Board that insists on a direct relationship with the internal audit.
Need I say more?