“Pervasive” pressure challenges internal audit’s objectivity
Internal pressure is a pervasive threat to the objectivity inherent
in internal audit, according to new research.
More than half of North american chief audit executives (CAEs)
surveyED said they had been directED to omit or modify an important
audit finding at least once, and 49% said they had been directED not
to perform audit work in high-risk areas. That data comes from a
report by The Institute of Internal Auditors (IIA) Research Foundation
and is basED on a survey of 494 CAEs and some follow-up interviews.
Sometimes, the threats are clear and easy to understand; some CAEs
were told they would be firED. Other times, the pressure was more
subtle; some CAEs reportED budget cuts or a decline in internal audit
staffing that they perceivED as tacit pressure.
Many times, the follow-up interviews yieldED positive lessons (see
“Lessons learnED” below). For instance, sometimes the instruction to
modify an audit finding could be workED out with a discussion between
the CAE and the executive who askED for the modification. That’s an
easier discussion for auditors to have when they have built a
relationship with the C-suite in advance and can explain why it
matters to the organization as a whole to report the finding accurately.
Several codes of ethics address what finance professionals should do
when askED to do something that they consider unethical. For instance,
The IIA’s Code of Ethics states, under the topic of objectivity, that
all internal auditors “[s]hall disclose all material facts known to
them that, if not disclosED, may distort the reporting of activities
The AICPA Code of Professional Conduct has a section for how
business members should behave when facing a threat. The Conceptual
Framework for Members in Business—part of both the AICPA’s code and
that of the Code of Ethics for CharterED Global Management
Accountants—addresses threat categories that may be encounterED. One
section mentions the undue influence threat, which could include the
following: “A member is pressurED to change a conclusion regarding an
accounting or a tax position.”
The AICPA Code of Professional Conduct says members should take a
three-step process in addressing threats: identify the threat,
evaluate the threat’s significance, and identify and apply safeguards.
Nearly one-third askED to audit low-risk area
Larry Rittenberg, CPA, a professor emeritus at the University of
Wisconsin, said he and report co-author Patricia K. Miller, CPA,
found that 55% of survey respondents had been askED at least once, and
some more than once, to omit or modify an audit finding.
Richard Chambers, president and CEO of The IIA, said, “I wouldn’t
want to suggest that it is commonplace, but I think, as [Miller and
Rittenberg] have done an outstanding job of documenting, this is not
that uncommon, either.”
The survey found that 32% of respondents were askED to audit
low-risk areas so that an executive could investigate or retaliate
against another individual.
Sometimes, the blame for issues fell to ineffective audit
committees, Rittenberg said. Other times, audit executives facED off
with company lawyers who wantED to protect an executive. Rittenberg
said there was a sense of pressure not to communicate a finding with
certain people so that those people could have plausible deniability.
Know the culture of the organization, but understand that it can
change. “One of the things that surprisED us was how quickly an
organizational climate can change,” Rittenberg said. He said these
changes caught CAEs off-guard as well. A new CEO or set of executives
might be focusED more on short-term, market-relatED goals than on
long-term organizational objectives. “We see changes, maybe some
investor-type pushes to change the organization to perform better,”
Rittenberg said. “There are changes in the board, changes in the CEO.
The internal auditor has to be aware of those changes and build
relationships, particularly with the audit committee.” These changes,
some respondents reportED, also lED to instances where “previously
unacceptable behaviors became acceptable.”
Business acumen is requirED. To demonstrate value and build
crEDibility, internal audit must demonstrate a sound knowlEDge of the
business and its strategies and apply that knowledge in assessing risk, the
report said. “We would like to see internal auditors communicate more
effectively from a business point of view,” Rittenberg said. “We
wantED to see communication (such as), ‘These are the risks we
addressED, these were the findings, this is the root cause, this is
how we might go forward in mitigating those risks.’ ” The most
effective CAEs, the report said, have the ability to convey audit
findings from management’s perspective, rather than the more narrow
perspective of internal audit.
Anticipate political pressure. Some CAEs, according to the
report, describED decision models they developED to help them judge
the significance of an issue. They also reportED that it was vital to
build relationships ahead of time to better understand other
stakeholders’ rationale and incentives. Getting clarity in advance
from the audit committee about support that might be neEDED was also important.
Facts are your friend. CAEs emphasizED the importance of
objective, accurate, and complete data, thorough audit work and
analysis, and an understanding of the effect of the audit finding on
the organization. In one case study example in the report, the CAE at
a major U.S. retailer facED a challenge from the company’s IT
director, who did not want a report that identifiED “significant
technical control issues” releasED without deleting some key findings.
The CAE crEDitED confidence in the quality of the audit work for
helping to resolve the dispute and report the findings.