Primary navigation:

QFINANCE Quick Links
QFINANCE Reference

Home > Auditing Best Practice > Engaging Senior Management in Internal Control

Auditing Best Practice

Engaging Senior Management in Internal Control

by Philip Ratcliffe

Executive Summary

  • Internal control systems must have the backing of senior management to be effective.

  • Internal auditors should make management aware of the importance of sound internal controls, and the serious problems that could arise if they are inadequate.

  • The benefits of sound internal controls include efficiency and effectiveness, protection against losses and unpleasant surprises, optimum use of assets, and motivated staff—all in all, they make a major contribution to organizational survival and prosperity.

  • Key risks resulting from lack of good internal control are fraud, incorrect accounts, inefficiency and ineffectiveness, damage to the reputation of the organization and its management, and a consequent fall in the value of the company.

  • Internal auditors should form their own view of the specific risks facing their organization.

  • If the internal control system is inadequate, they should meet with senior management to explain the need for strong, sound controls and their benefits for the organization.

How to Get Senior Management to Take Internal Control Seriously

Top managers in any organization have many calls on their time and attention. Vying for their attention will be customers, suppliers, employees, consultants, and many others. Internal controls can easily be squeezed out of their agenda. The problem this can create is that if senior management does not take control seriously, the “tone from the top” will be wrong—and if the people in charge don’t care, then why should anyone else in the organization? Rightly or wrongly, this is the message that will be perceived across the organization, and internal control will suffer.

So, as a corporate auditor, how can you push internal control up the priority list? Showing clearly to management the benefits of strong internal control on the one hand, and the consequences of failure of internal control on the other, is one path to this goal.

Benefits of Control

A key message to communicate to management is that effective, active controls give positive benefits as well as avoiding negative outcomes. Having controls that are effective will ensure that the directions of the board and senior management are implemented as intended; that operations and activities are carried out efficiently and meet their objectives; and that the assets used in an organization are not only properly accounted for, but also that they are used effectively and efficiently for the benefit of the organization. Procedures which follow sound control principles enable people to carry out their work in an environment that is orderly and satisfying to work in. Good internal control will also protect an organization and its staff against the temptations of dishonesty, fraud, and theft.

Organizations that have sound internal controls will know where they are, and where they are going, because management information controls will tell the organization’s management what they need to know when they need to know it. If the first imperative of most organizations is survival, then good internal control can play a major role in achieving that objective. Additionally, and very importantly, there can also be an efficiency dividend for an organization if good, cost-effective internal control systems are in place; for example, when processes are streamlined and well controlled, fewer people may be needed to do the work.

The Impact of Control Failure Inside the Business

All too often, internal control only becomes a concern to top management after it breaks down. Out of the blue comes the sudden discovery of a massive fraud or a major hole in the accounts, or a business segment that was thought to be profitable is dramatically discovered not to be. There is a myriad of such possibilities. Management discovers, painfully, that when there is such a breakdown of control, almost everything else has to be thrown out of the window while the breakdown is investigated. It has to engage with internal auditors, external auditors, consultants, and specialists to uncover the root causes of the problem, as there is no cure without first making a diagnosis. The managers immediately responsible for the failure must be identified, and a conclusion reached on their degree of culpability. And if someone has to be fired, who is going to take on their responsibilities?

Then, senior managers have to make up their minds what to do about the underlying problem. What changes have to be made to ensure that it can never happen again? Should they commission reviews in other similar parts of the organization to gain assurance that the problem isn’t endemic elsewhere? Are major investments in systems or capital items needed to fix things? Should procedures be revised? Do staff need retraining or reorganizing? If so, who is going to implement the changes, and where is the money going to come from?

Control Breakdown Can Have External Implications

Another vital aspect is the impact of a breakdown on external relations. Do investors and the stock markets have to be informed? Is a profits warning necessary? How will stakeholders react? What will the (inevitably negative) impact be on the share price, and therefore the value, of the organization? Often such an announcement will create a loss of shareholder value that is many times the original operating loss. At times like these, an executive director may be lucky to keep his job; at the very least, there is a major risk of loss of personal and corporate reputation.

The Opportunity Cost is Great

On top of this, in a serious case the opportunity cost of the time that management will lose in attending to the consequences of an internal control breakdown can be massive. Strategic issues, tactical issues, business development—all these and many more normal concerns of senior management will have to take a back seat until the problem is resolved. Add to this the loss of reputation and of confidence, inside and outside the organization, because news will inevitably leak out however carefully those involved try to prevent it.

The case here has been made in the context of a commercial organization, but similar considerations apply to all other types of organization, whether governmental, private, or in the not-for-profit sector.

Back to Table of contents

Further reading


  • Sawyer, Lawrence B., Mortimer A. Dittenhofer, James H. Scheiner, Anne Graham, and Paul Makosz. Sawyer’s Internal Auditing: The Practice of Modern Internal Auditing. Altamonte Springs, FL: Institute of Internal Auditors, 2003.


Back to top

Share this page

  • Facebook
  • Twitter
  • LinkedIn
  • Bookmark and Share