Ethics in IT Audit

Michael Hammond
Category: Cybersecurity
Date: April 26, 2025
3 min read

In situations where an internal auditor uncovers significant findings that could potentially put the IT manager/responsible party in trouble, it is crucial to handle the matter with utmost professionalism, ethics, and transparency. Here's a guide on what auditors should do in such situations:

1. Maintain Objectivity:

Internal auditors must remain impartial and objective throughout the auditing process. Personal biases should not influence the reporting of findings.

2. Document Findings Thoroughly:

Record all findings in detail, including evidence and supporting documentation. This documentation is essential for transparency and in case of any disputes or challenges to the findings.

3. Follow Established Protocols:

Adhere to established audit protocols and guidelines. Ensure that the audit process aligns with industry standards and regulatory requirements. Refer back to the ISACA CISA guidelines if it has been a while since you last reviewed them.

4. Inform Management:

Immediately report significant findings to the appropriate management level within the organization. Transparency is key to addressing issues promptly. Bad news doesn’t get better with time.

5. Communicate with the Responsible Party:

Engage in a professional and open dialogue with the IT manager/responsible person. Clearly communicate the findings, allowing them an opportunity to provide their perspective.

6. Emphasize Ethical Conduct:

Highlight the importance of ethical conduct within the auditing profession. Emphasize the duty to report accurately and fairly, even if the findings may have negative implications.

7. Maintain Confidentiality:

Handle sensitive information with the utmost confidentiality. Ensure that only authorized personnel have access to the audit findings until they are appropriately disclosed.

8. Collaborate with Legal and Compliance Teams:

Where required, work closely with the legal and compliance teams to ensure that the audit process aligns with legal requirements and industry regulations.

9. Suggest Remediation Measures:

Evaluate management’s proposed remediation measures for the identified issues. Work collaboratively with the IT manager and relevant stakeholders to review the plan for improvement.

10. Consider External Reporting:

If internal channels are insufficient, consider reporting the findings to external regulators or authorities in accordance with applicable laws and regulations. Double-check that external reporting actually applies to your situation before executing this step.

11. Act Professionally with the Audited Company:

Maintain a professional and respectful demeanor when interacting with the audited company. Foster a cooperative environment that encourages improvement rather than punitive actions.

12. Uphold the Reputation of the Profession:

Uphold the reputation of the auditing profession by acting with integrity, honesty, and professionalism. Be a role model for ethical behavior within the organization.

By Michael Hammond, March 11, 2024