Arguing Audit Findings May Not Mean Disagreement

Written By Toby DeRoche

For many auditors, arguments over audit findings feel like an impasse. An argument can signal resistance, delay, or an attempt to weaken the report. In practice, however, disagreement is a normal and often healthy part of governance. Mature risk management environments allow space for challenge, judgment, and differing perspectives.

The key question is not whether disagreement occurs, but how it is handled and negotiated.

The Auditor’s Perspective

From the audit function’s standpoint, a finding exists for a reason. Evidence was gathered, criteria were applied, and professional judgment was exercised. When management disagrees, auditors may reasonably worry that:

  • Objective observations are being dismissed

  • Risk is being understated

  • Pressure is being applied to soften conclusions

  • Accountability may be deferred or avoided

These concerns are valid. Internal audit has a responsibility to maintain independence and ensure that significant risks are not obscured by discomfort or competing priorities.

Responding by escalating authority or becoming rigid, however, rarely strengthens that position.

The Management Counterpoint

From management’s perspective, disagreement does not automatically reflect denial of the issue or a sudden change of mind. Management may be weighing factors that extend beyond the audit scope, such as:

  • Operational constraints and competing priorities

  • Cost, timing, and feasibility of remediation

  • Risk tradeoffs already accepted by leadership

  • Strategic implications that are not fully visible within a single engagement

Management is accountable for running the business, not just complying with controls. What an auditor frames as a risk, management may see as a calculated exposure already understood and monitored.

Recognizing this context does not weaken audit independence. It strengthens audit relevance.

Why Direct Confrontation Misses the Point

When disagreement arises, auditors sometimes respond with definitive language:

  • “The evidence is clear.”

  • “This is not subjective.”

  • “We are applying the standard correctly.”

While these statements may be accurate, they shift the discussion toward authority rather than understanding. The conversation shifts to who is right rather than whether the organization is making an informed risk decision. At that point, positions harden into arguments, and meaningful dialogue stops.

Reframing the Discussion Toward Clarity

A more productive approach is to explicitly surface where perspectives diverge. One effective framing is:

“Which element of the finding do you view differently: the facts we observed, the criteria we applied, or the business impact being assessed?”

This reframing benefits both sides:

  • Audit preserves the integrity of its work by anchoring the discussion in structure.

  • Management gains an opportunity to explain concerns without appearing dismissive.

  • Both parties can distinguish factual disagreement from risk tolerance.

This approach transforms disagreement into analysis rather than conflict.

Balancing Rigor With Practicality

Auditors must avoid two common traps:

  • Over-defensiveness, which can signal inflexibility and erode trust.

  • Over-accommodation, which can dilute findings and compromise assurance.

The balance lies in being firm on what was observed and transparent about how conclusions were reached, while remaining open to reasonable differences in interpretation.

When appropriate, reframing findings in terms of outcomes can also shift the tone of the discussion. For example, focusing on reliability, resilience, or decision confidence rather than solely on deficiencies can help align audit concerns with management objectives.

Reporting With Both Perspectives Represented

Disagreement does not mean a finding disappears. It does mean the report must clearly reflect both perspectives.

A well-constructed audit report should document:

  • The criteria or standard used for evaluation

  • The condition observed and supporting evidence

  • The root cause driving the issue

  • The effect the issue has on meeting management’s objectives

  • Management’s stated position and rationale for disagreement

This transparency ensures that governance bodies can see not only the issue, but the reasoning on both sides.

Conclusion

Disagreement between audit and management is not inherently a problem. It becomes a problem only when it is handled poorly or obscured in reporting.

Effective internal auditors recognize that their role is not to force consensus, but to ensure that risks are clearly articulated, thoughtfully debated, and consciously accepted or addressed.

By acknowledging the management counterpoint while maintaining professional rigor, audit strengthens its credibility and its contribution to organizational decision-making.

 

Toby DeRoche https://www.insightcpe.com
Next

The Future of Cybersecurity Is Humans vs AI