Ethics of Issue Writing

Internal auditors are supposed to remain independent from the organization in which they work. We usually do this by establishing reporting lines directly to an audit committee, but the reality is that we still work in this organization. We still must ride the elevator with coworkers in other departments, and we still get paid for working at this job.

Because of the unique position we are in, we often face an ethical dilemma at the end of every audit. Management wants to issue a “clean” report, while auditors need to report unbiased facts that highlight risks to the organization. In the end, we must decide if we will keep our reports intact or bend to pressure from management to sanitize the language before it gets to senior leadership.

In the tension-filled moments before a closing meeting begins, auditors spend time carefully crafting the wording of each issue and recommendation, so they can preemptively appease management while still getting their point across. Management is equally prepared in a defensive stance, so they can attempt to have issues removed from a draft report. Often, management attempts to undermine the auditors with phrases like, “oh that’s just a paperwork problem”, or “this issue doesn’t seem report-worthy”, or even “if management already fixed the problem, then why do we need to have it in the report”.

After a few hours of debate one thing becomes very clear: both groups have a very clear, but totally different view of risk to their organization. For auditors, risk is a bad thing meant to be controlled, mitigated out of existence, and insured against. Organizational leaders, especially in corporate settings, have based their entire careers on the mantra “without risk there is no reward”. Corporate offices are littered with motivational posters about taking risks featuring people jumping off mountains. Auditors, on the other hand, usually have their certifications nailed to the otherwise empty wall behind their desks.

When we step back and look at the general population in any organization, we can plot people on a continuum based on their understanding of risk versus their willingness to accept risk. Senior managers understand risk, and they are willing to take risks to grow the operation. Auditors also understand risk, but we are typically not willing to take risks without first implementing a full complement of controls. Interestingly, we can see a parallel relationship between middle management and staff employees. Although they may not fully understand risk, managers are willing to take certain risks to grow their departments or products, while staff employees are resistant to any risk they see as a threat to their job.

As with most organizational issues, the key to defusing this conflict is maintaining open communication. In our ongoing pursuit to be a relevant partner to management, internal audit needs to approach every engagement with a basic understanding of management’s stance on risk. We also need to explain our position on risk, as it relates to the organizational strategy, both before and throughout the audit process. By taking a more empathetic approach, we can encourage understanding and build better, stronger partnerships with senior management to avoid conflict in an exit meeting and find appropriate middle ground that allows both sides to achieve their goals.

While this sounds good on paper, we still must account for the human factor. No one wants to be singled out in an audit report. Even in organizations with good cultures related to audit and corrective action plans, managers will feel pressure to argue against the issues we have written. In fact, we can liken the ethical issue of dropping issues to the fraud triangle. If we look at the situation through the fraud triangle model, we can see how dropping issues is affected by the same factors: pressure, opportunity, and rationalization.

Pressure

We have already discussed the pressure from management to either soften or completely drop issues in our reports, but pressure can come from other sources as well. We could experience pressure from our own department if audit managers feel compelled to soften the report because of relationships with other internal departments. Going the other way, there may be pressure to inflate issues into something that is bigger than reality if audit managers have a preexisting bad relationship with the department being audited. Pressure also increases when the issue is compliance related (e.g. SOX, HIPAA, etc.). Compliance issues often lead to more scrutiny, so the desire to soften or remove the issue is greater.

Opportunity

Auditors have constant opportunity since we directly control the verbiage in a report. In some audit departments, the language we use when we talk about issues can even show an underlying propensity for dropping issues. If our internal process is to write “observations” and then decide if these rise to the level of an “issue”, we have left an open opportunity for auditors to use their judgment to drop issues.

Rationalization

As we just mentioned, the use of auditor judgment is a chance to eliminate issues or inflate the risk. Auditor judgment is the ultimate rationalization for us to really do as we please when it comes to deciding which issues are reportable. Auditors can rationalize anything away under the guise of auditor judgment. In the end, we have an infinite capacity for self-rationalization.

IIA Guidance

As with other questions related to audit process, we can look to the IIA Standards for guidance. In the Practice Guide, Audit Reports: Communicating Assurance Engagement Results, the IIA provides guidance on writing issues. In the guide, the elements of issues and recommendations are explained. The basics include capturing the criteria, condition, cause, and effect along with recommendations and action plans. While the guidance is designed to help auditors write solid, backed-up issues, many departments use different terminology. Is it an issue or an observation? One is much softer than the other. Is it an action plan or a response? Again, one is more concrete than the other. We spend a lot of time negotiating with management on the language we use in the report, but if we are downplaying the issue write-up to the extent of making it meaningless, we are at fault.

Often the audit report is wordsmithed by a director or CAE who did not review the details, so the true essence of the issue is lost. Audit staff is then pressured to accept the changes since the rewrite came from the top. We also have a practice of aggregating issues. While this practice can be useful for making a larger point, we should be careful not to water down the issues we are aggregating.

Generation Gap

Newer auditors, especially those who just recently graduated from college, are especially vulnerable to succumbing to the pressure to drop issues. They are less likely to have read the guidance, to understand the ethical repercussions, or to stand up to audit management.

Recommendation for Success

Management will always feel the need to push audit to drop issues. To help auditors resist the temptation to drop issues without good cause, we recommend a combination of training and technology.

Training focused on issue writing will ensure the department is prepared to write proper, audit-report-worthy issues. The IIA offers a course on Audit Report Writing that teaches the fundamentals.

Implementing audit software that requires all elements of a solid issue will help the audit department write consistent issues. Even in less-than-perfect cultures, management is less likely to challenge strong, well-written, supported issues.

By bringing together both training and technology, auditors will be well positioned to stand firm when faced with the inevitable ethical challenge to drop issues.

Toby DeRoche