After a few hours of debate, one thing becomes very clear: both groups have a well-defined, but totally different, view of risk to their organization.
For auditors, risk is a bad thing meant to be controlled, mitigated out of existence, and insured against. Organizational leaders, especially in corporate settings, have based their entire careers on the mantra “without risk there is no reward”. Corporate offices are littered with motivational posters about taking risks featuring people jumping off of mountains. Auditors, on the other hand, usually have their certifications nailed to the otherwise empty wall behind their desks.
When we step back and look at the general population in any organization, we can plot people on a continuum based on their understanding of risk versus their willingness to accept risk. Senior managers understand risk, and they are willing to take risks to grow the operation. Auditors also understand risk, but we are typically not willing to take risks without first implementing a full complement of controls. Interestingly, we can see a parallel relationship between middle management and staff employees. Although they may not fully understand risk, managers are willing to take certain risks to grow their departments or products, while staff employees are resistant to any risk they see as a threat to their job.
As with most organizational issues, the key to defusing this conflict is maintaining open communication. In our ongoing pursuit to be a relevant partner to management, internal audit needs to approach every engagement with a basic understanding of management’s stance on risk. We also need to explain our position on risk, as it relates to the organizational strategy, both before and throughout the audit process. By taking a more empathetic approach, we can encourage understanding and build better, stronger partnerships with senior management to avoid conflict in an exit meeting and find appropriate middle ground that allows both sides to achieve their goals.