When “Let’s Soften This” Becomes an Auditor’s Risk

Deferred accountability and the quiet transfer of governance exposure to auditors

A dilemma most internal auditors face at some time is management pressure to soften or omit issues from an audit report on the grounds that “the regulator has access to these reports and this will create unnecessary problems for the organisation.”

The conversation is almost always polite and rational: “The issue is being addressed.” “This could trigger unnecessary regulatory questions.” “Let us deal with it operationally first.”

I have been in this conversation more times than I can count, and in the moment it always sounds reasonable and like common sense. That is what makes it dangerous.

This is not an abstract ethics debate, but a recurring challenge, particularly in highly regulated environments like banking, insurance or aviation. It carries a risk that is rarely named. I think of it as Deferred Accountability Risk.

Why this pressure arises and why auditors hesitate

In my experience, management pressure to soften audit reporting usually comes from understandable places.

There is often genuine regulatory anxiety. Senior executives know that audit reports can be accessed by regulators and read without context. Even balanced findings can look stark when lifted out of a broader discussion, so the instinct to manage the written record is not irrational.

There is also reputational concern. Once something is formally escalated to the Audit Committee, it becomes part of the governance record and cannot be unseen or quietly resolved. Softening language is often presented as buying time to fix the issue before it attracts attention or escalates beyond proportion.

There is also the reality of working relationships. Internal audit operates inside the organisation. Escalation can be portrayed as being rigid or disconnected from operational realities, even when the concern itself is valid.

None of this makes management unreasonable. In fact, this is precisely why auditors pause. The request appeals to pragmatism rather than compromise. The problem is that what feels like pragmatism at the time can quietly change where accountability sits.

What Deferred Accountability really looks like in practice

Deferred accountability risk arises when an organisation chooses to delay formal recognition of an issue in order to avoid immediate discomfort or scrutiny. Accountability does not vanish. It waits.

What often goes unspoken in these moments is what management is functionally asking internal audit to do. When management asks audit to soften or omit an issue from a report, they are not just asking for a different turn of phrase. They are asking audit to step slightly outside its assurance role and carry part of management’s accountability for how and when the issue is formally acknowledged.

That shift matters: at that point, the audit report stops being a mirror and starts becoming a shield for management.

While the exposure may not be obvious immediately, it becomes very obvious later, when questions are asked about who knew what, and when.

What history keeps showing us

Large corporate failures are often described as sudden but they rarely are. More often, they follow a slow, familiar pattern where issues are raised, explanations are accepted, discomfort is managed and escalation is delayed.

The sales practices scandal at Wells Fargo is a case I keep returning to. What struck me most when revisiting the timeline was not the scale of the misconduct, but how early the warning signs appeared. Internal concerns existed for years. What failed was not awareness, but escalation with enough clarity and persistence to force governance attention. When accountability finally arrived, it came through regulators, and by then the damage was extensive.

This pattern is not confined to one jurisdiction.

In India, the collapse of Satyam Computer Services showed how comfort can gradually replace verification. Cash balances were accepted rather than aggressively challenged. Each reporting cycle deferred the reckoning. When accountability arrived, it arrived publicly and painfully, with consequences that extended beyond the company itself.

In South Africa, Steinhoff International followed a similar trajectory. Complex structures produced plausible explanations. Concerns were absorbed rather than escalated. Oversight mechanisms existed, but they did not interrupt the pattern. The eventual collapse wiped out billions in value and directly affected pension funds and ordinary investors.

In none of these cases was accountability avoided. It was postponed, and the cost of that postponement compounded over time.

In these cases, early warning signs and governance red flags were present for years before decisive action occurred — whether through internal controls, risk reporting, or escalation to governance bodies — underscoring how accountability was continually deferred until regulators intervened or crises erupted.

Why agreeing to soften can feel like the sensible option

From the auditor’s point of view, agreeing to soften language can feel like a reasonable compromise. The issue is known. Management appears engaged. The relationship is preserved. The auditor retains influence.

The difficulty is that audit reports are not just internal communications. They are governance artefacts. What is included, excluded, or diluted shapes what the Audit Committee knows and when it knows it.

Once something is left out of the formal record, bringing it back later is rarely straightforward. Auditors often underestimate how irreversible these decisions are.

From an Audit Committee perspective, the question after a failure is not whether management felt pressured or whether wording was polite. It is whether the committee had enough information, early enough, to act.

That is where deferred accountability becomes personal.

How I have seen experienced auditors think it through

The most effective auditors I have worked with do not treat this as a binary choice between compliance and confrontation. They ask themselves uncomfortable questions.

· How would this decision read if examined in hindsight? Not by colleagues, but by a regulator or inquiry that does not know the personalities involved.

· Am I, by softening this, making a judgement on timing that properly belongs to the Audit Committee?

· Am I assuming this can be revisited later, when in reality that may be much harder than it sounds?

· Is this an isolated accommodation, or one more small adjustment in what will become a pattern?

These are not checklist questions. They are judgement calls, but they change the nature of the conversation.

Navigating the issue without burning bridges

Independence does not require theatrics. It requires clarity.

In practice, experienced Chief Audit Executives often separate recognition from remediation. They ensure that the issue and its implications are clearly articulated for the Audit Committee, while still acknowledging management’s response and context.

They stay anchored to a simple reality. While day-to-day interactions may be with management, internal audit ultimately exists to support the Audit Committee’s oversight responsibilities. When in doubt, they ensure the committee has enough information to make its own call.

That stance does not always make life easier. It does tend to build long-term credibility.

The cost of getting this wrong

The cost of deferred accountability is rarely borne by those who ask for softening in the moment. It is borne later, often by people who had no part in the original conversation.

Post-incident reviews do not dwell on tone. They focus on whether warning signs were surfaced, whether escalation was timely, and whether governance bodies were adequately informed.

I have yet to see an inquiry conclude that an organisation failed because an audit report was too clear.

A final reflection

Internal audit adds the most value when it surfaces accountability while it is still manageable.

When reporting is diluted to preserve short-term harmony, organisations do not eliminate risk. They merely decide when and how accountability will arrive, often without realising they have made that choice.

Deferred Accountability Risk is not about idealism or confrontation. It is about stewardship. Some of the most consequential audit judgements are not about what we find, but how clearly and when we choose to say it.

Navin Pasricha, a former CAE, CRO and Audit Committee Member, is the author of “Getting Ready to Roar: Chief Auditor’s Guide from Audit Room to Board Room.”

Internal Audit Guidance on Evaluating KYC Frameworks and Controls

KYC requirements are fundamental to anti-money laundering efforts, ensuring that financial institutions know who their customers are, how they operate, and whether they present elevated risks. For internal auditors, providing assurance in this area requires both technical knowledge and a sharp focus on practical execution.

An effective KYC framework begins with thorough customer identification and verification. Auditors should evaluate whether policies align with regulatory requirements and whether staff consistently follow procedures. For example, is documentary evidence properly obtained and verified? Are electronic identity verification systems reliable, and are any exceptions well-documented and approved?

Risk-based segmentation is another important area. Auditors must assess whether customers are classified correctly into low, medium, or high-risk categories and whether enhanced due diligence is applied to higher-risk clients, such as politically exposed persons (PEPs) or entities operating in high-risk jurisdictions. Internal audit should review a sample of customer files to confirm accuracy and completeness.

Ongoing monitoring is equally critical. Auditors should examine how organizations track changes in customer profiles and whether they update risk ratings accordingly. Transaction monitoring should be integrated with KYC data, ensuring that alerts reflect both historical behavior and anticipated activity.

Technology brings efficiencies but also risks. Internal auditors must evaluate whether automated onboarding platforms and monitoring systems are regularly tested and calibrated. They should also review data quality, since weak data governance undermines even the most sophisticated systems.

Training and awareness are additional areas where internal audit can provide insight. Are staff sufficiently trained to recognize suspicious activity? Do they understand the importance of accurate KYC documentation? Testing staff knowledge can help identify gaps that may lead to compliance breaches.

Finally, auditors should consider escalation procedures. If red flags are identified, are they reported quickly to compliance officers and, where necessary, regulators? Weak escalation channels can undermine the entire KYC framework.

By reviewing KYC controls comprehensively, internal auditors ensure organizations are not only meeting regulatory requirements but also protecting themselves from reputational damage and financial penalties.

Feb 22, 2025

How Outsourcing Internal Audit Functions Strengthens Governance and Risk Oversight

Internal audit plays a critical role in ensuring an organization operates within a strong governance and risk framework. For many businesses, however, building and sustaining a highly skilled internal audit function can be costly, resource-intensive, and challenging. Outsourcing offers a viable solution that enhances oversight while delivering cost efficiency and flexibility.

By engaging external specialists, companies gain access to experienced professionals who bring diverse industry knowledge, up-to-date regulatory insights, and advanced audit methodologies. These outsourced experts can identify control gaps and provide benchmarking information that an internal team may not be able to deliver alone. Their independence also strengthens credibility with boards, regulators, and external stakeholders.

Outsourcing also enables organizations to scale resources up or down depending on the audit plan and risk priorities. For example, during periods of rapid expansion, M&A activity, or regulatory change, outsourced partners can deploy additional auditors quickly. Conversely, during quieter periods, organizations can scale back without the burden of fixed staffing costs.

A blended model—sometimes called co-sourcing—is another option. Here, internal staff manage certain core audits while outsourced providers bring in niche expertise or perform specialized reviews such as cybersecurity or international compliance. This hybrid approach provides flexibility while preserving institutional knowledge.

The benefits of outsourcing internal audit extend beyond cost savings. External providers can leverage technology-enabled tools, advanced data analytics, and continuous monitoring platforms to provide real-time insights into risk exposure. This helps management make timely decisions and reduces the likelihood of control failures.

That said, outsourcing is not without risks. Companies must carefully select audit partners who understand their industry and can align with organizational culture. Clear contracts, communication protocols, and performance metrics are essential to ensure accountability and prevent gaps in oversight.

In conclusion, outsourcing internal audit functions strengthens governance by providing objectivity, deep expertise, and scalable resources. Organizations that embrace this approach often find they are better equipped to anticipate risks, meet compliance obligations, and demonstrate strong accountability to stakeholders.

Feb 21, 2025

Preparing Internal Audit Teams for Cybersecurity Audits through Training and Skills Development

As cyber threats intensify, internal audit functions are increasingly tasked with evaluating cybersecurity risks and controls. However, many auditors lack formal training in technical areas, leading to gaps in audit quality. To address this, organizations must invest in building cybersecurity competence across audit teams.

The first step is assessing the current skill level of internal auditors. Many auditors are skilled in risk management, compliance, and process evaluation but lack deep technical knowledge of networks, systems, and security protocols. Identifying these gaps allows targeted training programs to be developed.

Training can take multiple forms. Short-term workshops and webinars introduce auditors to key cybersecurity concepts such as firewalls, encryption, and identity access management. Longer-term solutions include professional certifications such as CISA, CISSP, and Certified in Cybersecurity (CC). These credentials not only provide valuable knowledge but also enhance the credibility of internal audit findings.

Collaboration with IT and security teams is another effective approach. Joint exercises, knowledge-sharing sessions, and cross-departmental projects expose auditors to real-world cybersecurity practices. This collaboration also builds stronger relationships, reducing friction when audits take place.

Practical, hands-on training should be emphasized. For instance, auditors can benefit from simulated phishing exercises or participation in vulnerability assessment reviews. Experiencing how attacks occur provides deeper insight than theoretical knowledge alone. Similarly, reviewing incident response plans and participating in tabletop exercises can help auditors understand the organizational impact of cyber incidents.

Soft skills are equally important. Auditors must be able to communicate cybersecurity findings to non-technical stakeholders, particularly executives and audit committees. This requires not just technical accuracy but the ability to translate complex concepts into business implications.

Finally, internal audit leaders must support continuous professional development. Cybersecurity is not static; attackers constantly evolve their methods. Without ongoing training, audit teams risk becoming outdated. Annual training budgets, access to cybersecurity conferences, and subscriptions to threat intelligence services can ensure auditors remain current.

By prioritizing skills development, internal audit functions can provide higher-quality assurance and contribute to organizational resilience. In a digital-first business environment, cybersecurity-literate auditors are not a luxury—they are a necessity.

Feb 20, 2025

Strengthening Governance Structures Through Proactive Internal Audit Engagement

Governance frameworks thrive on transparency, accountability, and informed decision-making. Internal audit serves as an indispensable partner to the board and executive management in building strong governance structures that anticipate risks and ensure compliance.

Proactive engagement means internal audit goes beyond traditional assurance roles. Rather than simply testing controls after processes are established, auditors can provide advisory input during the design phase of governance structures. For example, when organizations revise policies around ethics, compliance, or delegation of authority, internal audit can offer an independent perspective to help ensure these frameworks are practical, risk-sensitive, and aligned with regulatory expectations.

Internal auditors are uniquely positioned to assess governance culture. Their vantage point across business units allows them to detect early warning signs of weak accountability, siloed decision-making, or unclear responsibilities. Through governance reviews, auditors can highlight how decision rights are distributed, whether escalation paths are respected, and whether leaders are fostering a tone of integrity.

An effective governance-focused audit plan may include evaluating board committee structures, reviewing board information quality, and testing the effectiveness of whistleblowing mechanisms. Internal audit can also benchmark governance practices against leading standards such as the OECD Principles of Corporate Governance or industry-specific codes.

To maximize impact, internal auditors should regularly engage with the board audit committee, presenting thematic insights on governance issues observed across the organization. Clear, evidence-based recommendations should emphasize not only compliance but also resilience and adaptability.

Ultimately, strengthening governance through proactive audit engagement creates a more trusted and agile organization. Boards that leverage internal audit as a strategic advisor position themselves to anticipate challenges, meet stakeholder expectations, and uphold long-term corporate integrity.

Internal Audit Guidance on Evaluating KYC Frameworks and Controls

KYC requirements are fundamental to anti-money laundering efforts, ensuring that financial institutions know who their customers are, how they operate, and whether they present elevated risks. For internal auditors, providing assurance in this area requires both technical knowledge and a sharp focus on practical execution.

An effective KYC framework begins with thorough customer identification and verification. Auditors should evaluate whether policies align with regulatory requirements and whether staff consistently follow procedures. For example, is documentary evidence properly obtained and verified? Are electronic identity verification systems reliable, and are any exceptions well-documented and approved?

Risk-based segmentation is another important area. Auditors must assess whether customers are classified correctly into low-, medium-, or high-risk categories and whether enhanced due diligence is applied to higher-risk clients, such as politically exposed persons (PEPs) or entities operating in high-risk jurisdictions. Internal audit should review a sample of customer files to confirm accuracy and completeness.

Ongoing monitoring is equally critical. Auditors should examine how organizations track changes in customer profiles and whether they update risk ratings accordingly. Transaction monitoring should be integrated with KYC data, ensuring that alerts reflect both historical behavior and anticipated activity.

Technology brings efficiencies but also risks. Internal auditors must evaluate whether automated onboarding platforms and monitoring systems are regularly tested and calibrated. They should also review data quality, since weak data governance undermines even the most sophisticated systems.

Training and awareness are additional areas where internal audit can provide insight. Are staff sufficiently trained to recognize suspicious activity? Do they understand the importance of accurate KYC documentation? Testing staff knowledge can help identify gaps that may lead to compliance breaches.

Finally, auditors should consider escalation procedures. If red flags are identified, are they reported quickly to compliance officers and, where necessary, regulators? Weak escalation channels can undermine the entire KYC framework.

By reviewing KYC controls comprehensively, internal auditors ensure organizations are not only meeting regulatory requirements but also protecting themselves from reputational damage and financial penalties.

How Outsourcing Internal Audit Functions Strengthens Governance and Risk Oversight

Internal audit plays a critical role in ensuring an organization operates within a strong governance and risk framework. For many businesses, however, building and sustaining a highly skilled internal audit function can be costly, resource-intensive, and challenging. Outsourcing offers a viable solution that enhances oversight while delivering cost efficiency and flexibility.

By engaging external specialists, companies gain access to experienced professionals who bring diverse industry knowledge, up-to-date regulatory insights, and advanced audit methodologies. These outsourced experts can identify control gaps and provide benchmarking information that an internal team may not be able to deliver alone. Their independence also strengthens credibility with boards, regulators, and external stakeholders.

Outsourcing also enables organizations to scale resources up or down depending on the audit plan and risk priorities. For example, during periods of rapid expansion, M&A activity, or regulatory change, outsourced partners can deploy additional auditors quickly. Conversely, during quieter periods, organizations can scale back without the burden of fixed staffing costs.

A blended model—sometimes called co-sourcing—is another option. Here, internal staff manage certain core audits while outsourced providers bring in niche expertise or perform specialized reviews such as cybersecurity or international compliance. This hybrid approach provides flexibility while preserving institutional knowledge.

The benefits of outsourcing internal audit extend beyond cost savings. External providers can leverage technology-enabled tools, advanced data analytics, and continuous monitoring platforms to provide real-time insights into risk exposure. This helps management make timely decisions and reduces the likelihood of control failures.

That said, outsourcing is not without risks. Companies must carefully select audit partners who understand their industry and can align with organizational culture. Clear contracts, communication protocols, and performance metrics are essential to ensure accountability and prevent gaps in oversight.

Building Audit Readiness for ESG and Sustainability Reporting Regulations

The rise of ESG and sustainability regulations represents one of the most significant regulatory shifts of this decade. From the European Union’s Corporate Sustainability Reporting Directive (CSRD) to the U.S. Securities and Exchange Commission’s climate disclosure proposals, organizations are being asked to report on far more than financial performance. Internal audit has a central role in ensuring that sustainability information is reliable, consistent, and aligned with regulatory expectations.

One of the first challenges internal audit must address is data quality. Unlike financial information, ESG metrics often draw from disparate sources such as energy usage records, HR systems, or supplier surveys. Internal audit should assess data governance frameworks, controls over data collection, and the reliability of underlying systems. This may involve reviewing processes at the operational level, including energy meters, travel logs, or vendor certifications.

Second, internal audit teams need to evaluate reporting frameworks. Different jurisdictions may require adherence to different standards such as ISSB, GRI, or SASB. Audit functions should help ensure that management’s chosen reporting framework is appropriate, consistently applied, and responsive to regulatory requirements.

Third, assurance expectations are increasing. Regulators and investors alike are demanding limited or even reasonable assurance on ESG disclosures. Internal audit can assist by performing readiness assessments, testing internal controls over ESG data, and identifying gaps that external auditors are likely to highlight.

Another key area of focus is supply chain transparency. Regulations increasingly demand that organizations disclose not only their own emissions and practices but also those of their suppliers. Internal audit should consider whether supplier onboarding, due diligence, and monitoring processes are sufficiently robust to capture and validate sustainability information.

Capacity building is also crucial. Internal audit professionals may need training in environmental metrics, human rights compliance, or carbon accounting. Many leading audit functions are partnering with subject-matter experts to strengthen their knowledge base and build credibility in this emerging field.

Finally, internal audit must communicate findings effectively. Boards and audit committees require clear, actionable insights into ESG readiness. Reports should not only highlight compliance gaps but also provide guidance on how organizations can enhance transparency and resilience.

In conclusion, sustainability regulations represent both a compliance obligation and an opportunity for organizations to demonstrate accountability. Internal audit functions that proactively build ESG assurance capabilities will be instrumental in navigating this evolving regulatory landscape.

Leveraging Payment Data Analytics for Internal Audit Readiness and Risk Detection

Payment processes are data-rich environments. Every transfer, card transaction, or vendor payment leaves behind a trail of information that, when analyzed, can uncover both strengths and weaknesses in controls. Internal audit preparation increasingly relies on payment data analytics as a proactive tool to enhance readiness and detect hidden risks.

Organizations should begin by consolidating data sources. Payments often span multiple platforms—ERP systems, treasury solutions, banks, and third-party processors. Bringing this data together provides auditors with a complete picture. Fragmented data is a common stumbling block that not only delays audits but also obscures potential red flags.

Once consolidated, data quality validation becomes paramount. Errors in payment records—duplicate entries, missing vendor IDs, or incorrect dates—can mislead auditors and cast doubt on system reliability. Conducting data cleansing exercises before an audit ensures integrity and reduces audit findings.

Advanced analytics tools allow for pattern recognition and anomaly detection. For example, payments just below approval thresholds, unusually timed transactions, or duplicate vendor accounts can indicate fraud or policy circumvention. Highlighting these insights ahead of an audit shows auditors that management is proactive in mitigating risks.

In addition to anomaly detection, trend analysis provides valuable insight. Auditors may want to know whether late payments are increasing, or if vendor concentration risk is emerging. Being able to present historical trends alongside explanations signals maturity in payment governance.

Audit preparation also benefits from continuous monitoring dashboards. These dashboards, powered by payment analytics, allow internal teams to monitor exceptions in real-time rather than waiting for audit cycles. When auditors arrive, organizations can demonstrate that monitoring is ongoing, not reactive.

Finally, payment data analytics supports strategic audit scoping. Instead of preparing broadly, organizations can anticipate which areas auditors are likely to focus on based on transaction patterns. This improves efficiency and reduces the time required to gather evidence.
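As an added illustration (not the site's own code), the following Python sketch runs the data-quality checks and anomaly flags described above over a small set of constructed payment records: duplicate entries, missing vendor IDs, amounts just below an approval threshold, split payments to one vendor, off-hours or weekend timing, and vendor concentration. The field names, the 10,000 single-approver limit and the 5% band are assumptions.

```python
"""Constructed example of payment data-quality checks and anomaly flags.
Sample records, threshold and field names are assumptions, not real data."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (same currency). P3 is an exact duplicate entry,
# P4 lacks a vendor ID, P1/P2 sit just below the limit on the same day.
PAYMENTS = [
    {"id": "P1", "vendor_id": "V100", "amount": 9950.00, "ts": "2024-03-04T10:12:00"},
    {"id": "P2", "vendor_id": "V100", "amount": 9980.00, "ts": "2024-03-04T10:40:00"},
    {"id": "P3", "vendor_id": "V200", "amount": 1200.00, "ts": "2024-03-05T23:55:00"},
    {"id": "P3", "vendor_id": "V200", "amount": 1200.00, "ts": "2024-03-05T23:55:00"},
    {"id": "P4", "vendor_id": "",     "amount": 300.00,  "ts": "2024-03-06T09:05:00"},
    {"id": "P5", "vendor_id": "V300", "amount": 4500.00, "ts": "2024-03-09T14:00:00"},
]
APPROVAL_THRESHOLD = 10000.00  # assumed single-approver limit
NEAR_THRESHOLD_BAND = 0.05     # flag amounts within 5% below the limit


def _key(p):
    return (p["id"], p["vendor_id"], p["amount"], p["ts"])


def validate_records(payments):
    """Data-quality findings: exact duplicate entries and missing vendor IDs."""
    findings, seen = [], set()
    for p in payments:
        if _key(p) in seen:
            findings.append(("duplicate_entry", p["id"]))
        seen.add(_key(p))
        if not p["vendor_id"]:
            findings.append(("missing_vendor_id", p["id"]))
    return findings


def clean(payments):
    """Cleansing step: drop exact duplicates, keep first occurrence in order."""
    seen, out = set(), []
    for p in payments:
        if _key(p) not in seen:
            seen.add(_key(p))
            out.append(p)
    return out


def flag_anomalies(payments, threshold=APPROVAL_THRESHOLD, band=NEAR_THRESHOLD_BAND):
    """Anomaly flags: just-below-threshold, off-hours, weekend, possible split."""
    flags, by_vendor_day = [], defaultdict(list)
    for p in payments:
        ts = datetime.fromisoformat(p["ts"])
        if threshold * (1 - band) <= p["amount"] < threshold:
            flags.append(("below_threshold", p["id"]))
        if ts.hour < 7 or ts.hour >= 20:
            flags.append(("off_hours", p["id"]))
        if ts.weekday() >= 5:
            flags.append(("weekend", p["id"]))
        by_vendor_day[(p["vendor_id"], ts.date())].append(p["amount"])
    # Several same-day payments to one vendor that together reach the limit
    for (vendor, _day), amounts in by_vendor_day.items():
        if vendor and len(amounts) > 1 and sum(amounts) >= threshold:
            flags.append(("possible_split", vendor))
    return flags


def vendor_shares(payments):
    """Trend input: each vendor's share of total spend (concentration risk)."""
    totals = defaultdict(float)
    for p in payments:
        totals[p["vendor_id"]] += p["amount"]
    grand = sum(totals.values())
    return {v: amt / grand for v, amt in totals.items()}
```

Run `flag_anomalies(clean(PAYMENTS))` after `validate_records(PAYMENTS)` so that duplicates are removed before anomaly counts are taken, mirroring the cleanse-then-analyse order the section recommends.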

By embedding analytics into audit preparation, organizations move beyond compliance. They demonstrate foresight, transparency, and control maturity—qualities that reassure both auditors and stakeholders that payments are well-managed and resilient to risk.

Reach the global Internal Audit community with published articles

Internal Audit industry news and coverage across the areas of banking, funds, insurance, payments, cryptocurrencies and fintech.

About Internal Audit Review

A multidisciplinary review board providing independent, forward-thinking guidance alongside leadership to enhance audit quality, anticipate emerging risks, and drive organizational resilience.

Newsletter

Subscribe now to get timely updates and in-depth insights designed to keep you ahead of the curve.

© 2026

All Rights Reserved