
Thinking Like an Auditor


    Why Auditors Clash with Management

    February 15, 2018 | By Toby DeRoche MBA, CIA, CCSA, CRMA, CICA, CFE

    Imagine this scenario:

    The audit is over, it’s time for the closing meeting, and the battle lines have been drawn. In the tension-filled moments before the meeting begins, audit stands resolute, ready to argue with management, armed with the fully supported, cross-referenced audit report. Management is equally prepared with standard catchphrases to disarm the audit team, like “oh, that’s just a paperwork problem,” or “this issue doesn’t seem report-worthy,” or everyone’s favorite, “if management already fixed the problem, then why do we need to have it in the report?”

    After a few hours of debate, one thing becomes very clear: both groups have a very clear, but totally different, view of risk to their organization.

    Sound familiar?

    For auditors, risk is a bad thing meant to be controlled, mitigated out of existence, and insured against. Organizational leaders, especially in corporate settings, have based their entire careers on the mantra “without risk there is no reward”. Corporate offices are littered with motivational posters about taking risks featuring people jumping off of mountains. Auditors, on the other hand, usually have their certifications nailed to the otherwise empty wall behind their desks.

    When we step back and look at the general population in any organization, we can plot people on a continuum based on their understanding of risk versus their willingness to accept risk. Senior managers understand risk, and they are willing to take risks to grow the operation. Auditors also understand risk, but we are typically not willing to take risks without first implementing a full complement of controls. Interestingly, we can see a parallel relationship between middle management and staff employees. Although they may not fully understand risk, managers are willing to take certain risks to grow their departments or products, while staff employees are resistant to any risk they see as a threat to their job.

    As with most organizational issues, the key to defusing this conflict is maintaining open communication. In our ongoing pursuit to be a relevant partner to management, internal audit needs to approach every engagement with a basic understanding of management’s stance on risk. We also need to explain our position on risk, as it relates to the organizational strategy, both before and throughout the audit process. By taking a more empathetic approach, we can encourage understanding and build better, stronger partnerships with senior management to avoid conflict in an exit meeting and find appropriate middle ground that allows both sides to achieve their goals.
