How to Disagree with Auditors – March 2008
This article was authored by Dan Swanson , president and CEO of Dan Swanson and Associates. He is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors. The article appeared on the Expert Q&A section of the ICT Compliance Institute website ( www.itcinstitute.com ) and is reproduced with the kind permission of the author.
A Reader Asks: I don’t agree with a couple of points in my auditors' assessment. What’s the best strategy for getting them to revise it?
The Auditor Responds: In short, getting an auditor to revise an assessment does not require a "strategy": just facts. An auditor’s function is to provide an independent and objective opinion on the activity, project, subject, etc, that’s "under review." If you can provide facts that support your viewpoint, the auditors should adjust their opinion. If you can’t provide the facts, you cannot expect the auditors to change the report.
Disagreements are generally painful—awkward at best, disastrous at worst. Thus, you should have two goals whenever you disagree with your auditor: (1) resolving the disagreement, and (2) figuring out how to prevent disagreements in future audit cycles.
Most issues fall in one of two categories:
- The auditor's assessment is wrong, in which case you should start gathering the facts and arguments that will sway the auditor to your point of view
- The auditor's assessment is basically accurate, but you don't agree it’s a problem or you don’t want the problem to appear on a report. In reality, this is the more common type of manager/auditor disagreement. Unfortunately, it tends to spark less productive discussions, since it challenges auditor judgment, not findings. A successful strategy for swaying auditor opinion should focus on the report tone, item significance and recommended action plan.
Years ago, a colleague learned the distinction of these two categories from a managerial auditee. The manager started a review meeting of a draft audit with a statement that said, essentially, "I accept that we screwed up and that we need to fix some problems. Here is my action plan and our progress to date. Can anything be done to make the final audit report sound less harsh?" A very productive discussion between auditors and the manager ensued. Ultimately, the auditors revised the draft statement so that it was less damaging to the manager’s department. And the auditors and manager had a much better relationship in future audits.
Sometimes management disagrees not with facts, but with the auditor’s interpretation of the significance of the situation. In other words, a manager is less concerned with the facts than the "rating." What happens if the auditor and manager cannot come to an agreement? In such (hopefully rare) situations, the audit committee has ultimate authority: both the manager and the auditor should present their views to the audit committee, which will recommend an action or finding with input from the governance oversight committee.
Obviously, however, preventing a disagreement is more desirable than resolving a conflict that has already generated tension and even ill will between the disputants. To reduce the potential of audit-related conflict, management must be involved early and often with each audit—not just at the reporting stage. In fact, the earlier and more involved management is, the better and more relevant the final audit is likely to be.
During audit planning, management should discuss with auditors the audit scope, purpose, objectives, approach, and proposed evaluation criteria. During audit testing, management should understand what the audit team is doing; for example, what audit tests are being performed and generally what the test results are. Finally, during audit reporting, management should find out early (during the audit debriefing meeting) what the main issues are and what the key recommendations will be—prior to the actual writing of the audit report. Management should raise its concerns early, before the report is set in stone and while discussion can still help to clarify arguable matters.
For its part, the audit team should establish an open and transparent audit process, from start to finish, that allows managers to better understand and fully participate in the audit process. This way, when disagreements do occur (and they will) the "discussions" will be productive, and the facts will "speak for themselves." |