First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Is it a management or board failure when no action is taken on audit findings?

Is failure to take action on reported audit findings an issue on management’s side or should auditors do a better job communicating the results of their work so that the action is taken?

failureMy good friend, Richard Chambers (President and CEO of the IIA), recently wrote about this in C-Suite Owes More Than Simple Awareness of Internal Audit Reports.

He cited several examples where an organization experienced a public failure even though the issue had previously been identified and reported by the internal audit team.

Richard then said:

Each of these instances provides an example of governance meltdowns fed by board and management inaction or indifference to internal audit’s work. Such instances, at best, frustrate practitioners who take seriously their task of providing assurance over risk management efforts. At worst, they can demoralize internal audit staff, thereby eroding the function’s effectiveness.

I have written about this, not so much as a governance failure but as a failure of internal audit to communicate!

When internal audit is seen as focusing on the mundane and burying any gems in a haystack of words, is it any wonder that management doesn’t look forward to internal audit reports? They don’t see them as a valuable source of insight and actionable information that is critical to their running of the organization.

In fact, the auditors should have already worked with management to agree on both the issues and the actions to be taken. The audit report is how resolution is communicated, not how change is encouraged.

This is the comment I left on the post.

Richard, while I agree that management and the board often fail to pay attention to issues raised by internal audit, it is necessary to ask whether internal audit did its job in communicating the results of its work.

  • When I see a report of 20 pages or more, I am not surprised that executives fail to read it promptly and act on its recommendations.
  • When I see an audit report with a table of contents, I am sure it will be read out of duty not because it has actionable insights.
  • When I see a report with recommendations and a management response, I see an internal audit team that has failed to work with management to agree on the correct actions to take.
  • When I see a report that talks about risks but not what they mean to the strategies and objectives of the organization I see a report that is unlikely to communicate what executive management and the board need to know.
  • When I see a report that says what IA wants to say rather than clearly and concisely tell leadership what they need to know, I put a lot of the blame on IA.
  • When I see an IA function that fails to sit down with leadership and have a discussion rather than rely on a formal, traditional audit report, I see one that does not have a seat at the table, one that is not a trusted advisor.

I could have said, but did not out of respect for Richard (for whom I have great respect): “Those who live in glass houses should not throw stones”.

How effective are your organization’s internal audit reports? I have a 34-page chapter on this topic in Auditing that Matters. This is how I closed that part of the book:

It is one thing to reach an assessment and develop our advice and insight. It is quite another to communicate that promptly, efficiently, and effectively to our stakeholders.

We are only effective when we not only perform quality work but provide the audit committee, executives, and operating management the information they need to be successful – when they need it, in a readily consumable and actionable way.

I welcome your comments – and please join the discussion on Richard’s blog.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

Send to Kindle

, , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.