You are the internal auditor and your auditee/staff refuses to provide data. What would be your course of action? a) Cancel the engagement b) Give qualified/disclaimer opinion c) Give resignation d) Others, please explain
The objective of the internal auditor is to minimise the risk of the organisation & safeguard the assets by suggesting appropriate controls and checking the existence of control system and making sure the controls are followed.
In order to respond/advise on this professionally the circumstances need first to be established -
1. Does the Internal Audit Charter, approved by the Audit Committee and Board of Directors, make clear Internal Audit's 3rd Line of Defence role and resultant authority to perform reviews to fulfil this role?
2. Is the particular review in question part of an Internal Audit plan, a draft of which was discussed with Senior Management prior to being submitted to the Audit Committee for approval, and then forwarded to Board members for information?
3. Did the approved plan make clear the intended risks and relevant business objectives to be addressed in each review and proposed scheduling of completion?
4. Was the detailed scope, timing and mode of completion for the review finalised with relevant executive management prior to its commencement during the pre-planning phase?
Assuming the answer to all the above is 'Yes' [if not, then IA role/processes need to be enhanced accordingly], the auditee/staff need to be given an opportunity to explain why they are not complying with IA's request in accordance with the Board-approved IA Charter. Whatever the reason for not providing the data, it needs to be considered by IA Management [calmly] and a determination made as to whether continuing or re-scheduling the review is justified or, if not, referral to the relevant Senior Executive management to inform them that in the absence of completing the review IA will not be able to render assurance to Audit Committee/Board.
If items 1-4 above have been conducted professionally, and the Head of IA has a constructive relationship with Senior Executive management, hopefully the situation depicted in the question should rarely, if ever, occur. All staff should want to ensure that risk management arrangements are adequate and effective in practice.
Keith R Johnston, MBA, CPFA, CMIIA