Handling Difficult Audit Clients
12-Jul-2021
By: Alaa Abdul Aziz Abu Naba’a
MACC, CIA, CPA, CRMA, CICP
An expert in Internal Auditing, Control, and Governance
One of my colleagues asked me: how do you handle audit clients who refuse to address the important audit observations included in an internal audit report? Because this is an important question, and in my opinion many colleagues face that situation every now and then, I would like to write about this crucial topic.
Before answering the question, I would first like to discuss the root causes of the rejection.
Rejection does not necessarily arise only after the report is issued (the follow-up phase); it often originates earlier, and the main reason is the absence of a prior, documented agreement between the internal audit team and the audit client on how the importance of audit observations is to be rated. Without such an agreement we find, in many cases, great inconsistency between the two parties regarding the importance of the observations: an observation that is very important or high-risk from the point of view of the internal auditor might not be important from the point of view of the client. The worst case is when this disparity exists among the members of the internal audit team themselves.
To avoid this problem, I recommend the following:
(1) To avoid disagreements within the internal audit team (for example, between the audit supervisor and the audit manager), it is always preferable to agree on the rating levels during the planning phase and to document that agreement in the working papers.
(2) To avoid disagreements between the internal audit team and the audit client, it is always preferable to agree on the rating levels at the kick-off meeting and to document that agreement in the minutes of the meeting.
In this context, the reader may wonder: “What if an agreement was not reached at the beginning?” In my opinion this happens a lot, especially where senior management has failed to define the organization’s risk appetite and have it approved by the board of directors.
IIA Standard 2120 - Risk Management - stipulates that: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The Implementation Guide for this standard refers to the chief audit executive (CAE) and the internal auditors, indicating that they should clearly understand the organization’s risk appetite on the one hand, and its consistency with the organization’s vision and objectives on the other, through a comprehensive understanding of the organization’s business strategies and the risks defined by the board of directors, in order to achieve two main goals:
(1) To link the internal audit plans to the strategies, vision, and objectives of the organization.
(2) To recommend responses to risks that are consistent with the organization’s willingness to take risk.
Therefore, I recommend that senior management define and document the organization’s acceptable risk levels and risk appetite, and then have them approved by the board of directors on the recommendation of the audit committee or risk management committee (if any) or of the organization’s executive management. The internal audit activity can help greatly in this matter by providing relevant advice and information.
In this context, the reader may also wonder:
(1) Does the audit client have the right to reject the audit observations, the audit recommendations, or both in its management response?
(2) What if the audit client accepts the risks that will arise from not addressing the audit observations?
I will answer the first question with another question: should acceptance of the audit observations or the related recommendations be imposed on the audit client? The answer is definitely no. The audit client is entitled to reject any audit observation or recommendation, and the internal audit report can be issued with that rejection recorded in it, because the audit committee or the board of directors has the final say on whether to accept or reject it. At the end of the day, everyone working in internal auditing must realize that the recommendations issued by the internal audit activity or the audit committee are not binding on executive management; they become binding only when they are approved by the board of directors, or when the board has previously delegated authority to the committee to accept them, because the audit committee has no direct authority over the organization’s CEO except through the board of directors.
Before answering the second question, I would like to point out that this also happens a lot, and to remind the reader that the main purpose of the internal audit activity’s work, through its various reports, is to provide assurance and advice to senior management and the board of directors about the organization’s governance, risk management, and controls. If the CAE concludes that senior management has accepted a level of risk that the organization should not accept, the CAE should first discuss the matter with senior management to understand their point of view; if the two cannot reach a resolution, Standard 2060 - Reporting to Senior Management and the Board - and Standard 2600 - Communicating the Acceptance of Risks - oblige the CAE to report the matter to the board of directors. If the issue is urgent and cannot wait until the board’s next meeting, it is better to arrange to report it immediately.
One of the great quotes of Larry Harrington, former Chairman of the Board of the Institute of Internal Auditors, is: “At the end of the day, we don’t get paid for the audit reports we write, or for the results we conclude, we get paid for what we do to make our organizations better.” Internal auditors should therefore protect the good reputation of the activity by caring about the quality of their output and the sound planning of their various audit engagements, and by working to continuously improve the services they provide.