Internal pressure is a pervasive threat to the objectivity inherent in internal audit, according to new research.
More than half of North American chief audit executives (CAEs) surveyed said they had been directed to omit or modify an important audit finding at least once, and 49% said they had been directed not to perform audit work in high-risk areas. That data comes from a report by The Institute of Internal Auditors (IIA) Research Foundation and is based on a survey of 494 CAEs and some follow-up interviews.
Sometimes, the threats are clear and easy to understand; some CAEs were told they would be fired. Other times, the pressure was more subtle; some CAEs reported budget cuts or a decline in internal audit staffing that they perceived as tacit pressure.
Many times, the follow-up interviews yielded positive lessons (see “Lessons learned” below). For instance, sometimes the instruction to modify an audit finding could be worked out with a discussion between the CAE and the executive who asked for the modification. That’s an easier discussion for auditors to have when they have built a relationship with the C-suite in advance and can explain why it matters to the organization as a whole to report the finding accurately.
Several codes of ethics address what finance professionals should do when asked to do something that they consider unethical. For instance, The IIA’s Code of Ethics states, under the topic of objectivity, that all internal auditors “[s]hall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.”
The AICPA Code of Professional Conduct has a section for how business members should behave when facing a threat. The Conceptual Framework for Members in Business—part of both the AICPA’s code and that of the Code of Ethics for Chartered Global Management Accountants—addresses threat categories that may be encountered. One section mentions the undue influence threat, which could include the following: “A member is pressured to change a conclusion regarding an accounting or a tax position.”
The AICPA Code of Professional Conduct says members should take a three-step process in addressing threats: identify the threat, evaluate the threat’s significance, and identify and apply safeguards.
Nearly one-third asked to audit low-risk area
Larry Rittenberg, CPA, a professor emeritus at the University of Wisconsin, said he and report co-author Patricia K. Miller, CPA, former IIA global chairman and Deloitte & Touche LLP partner, found that 55% of survey respondents had been asked at least once, and some more than once, to omit or modify an audit finding.
Richard Chambers, president and CEO of The IIA, said, “I wouldn’t want to suggest that it is commonplace, but I think, as [Miller and Rittenberg] have done an outstanding job of documenting, this is not that uncommon, either.”
The survey found that 32% of respondents were asked to audit low-risk areas so that an executive could investigate or retaliate against another individual.
Sometimes, the blame for issues fell to ineffective audit committees, Rittenberg said. Other times, audit executives faced off with company lawyers who wanted to protect an executive. Rittenberg said there was a sense of pressure not to communicate a finding with certain people so that those people could have plausible deniability.
Some survey participants took part in follow-up case studies. Among the lessons learned for how to handle political pressure while performing internal audit duties:
Know the culture of the organization, but understand that it can change. “One of the things that surprised us was how quickly an organizational climate can change,” Rittenberg said. He said these changes caught CAEs off-guard as well. A new CEO or set of executives might be focused more on short-term, market-related goals than on long-term organizational objectives. “We see changes, maybe some investor-type pushes to change the organization to perform better,” Rittenberg said. “There are changes in the board, changes in the CEO. The internal auditor has to be aware of those changes and build relationships, particularly with the audit committee.” These changes, some respondents reported, also led to instances where “previously unacceptable behaviors became acceptable.”
Business acumen is required. To demonstrate value and build credibility, internal audit must demonstrate a sound knowledge of the business and its strategies and apply that knowledge in assessing risk, the report said. “We would like to see internal auditors communicate more effectively from a business point of view,” Rittenberg said. “We wanted to see communication (such as), ‘These are the risks we addressed, these were the findings, this is the root cause, this is how we might go forward in mitigating those risks.’ ” The most effective CAEs, the report said, have the ability to convey audit findings from management’s perspective, rather than the more narrow perspective of internal audit.
Anticipate political pressure. Some CAEs, according to the report, described decision models they developed to help them judge the significance of an issue. They also reported that it was vital to build relationships ahead of time to better understand other stakeholders’ rationale and incentives. Getting clarity in advance from the audit committee about support that might be needed was also important.
Facts are your friend. CAEs emphasized the importance of objective, accurate, and complete data, thorough audit work and analysis, and an understanding of the effect of the audit finding on the organization. In one case study example in the report, the CAE at a major U.S. retailer faced a challenge from the company’s IT director, who did not want a report that identified “significant technical control issues” released without deleting some key findings. The CAE credited confidence in the quality of the audit work for helping to resolve the dispute and report the findings.
— Neil Amato is a JofA senior editor.