In one bank I worked with, branch and operations managers openly viewed internal auditors as witch hunters. Audit findings were perceived as exaggerated, theoretical, and disconnected from “real business.” This mindset became most visible during discussions around operational risk.
One audit flagged poor recording and control of strong room key movements as a high-risk issue. The auditors argued that weak key custody undermined physical security and could enable fraud. Management pushed back strongly. In their view, the finding was blown out of proportion. “No cash has ever been lost,” they argued. To them, absence of loss meant absence of risk.
At the same institution, loans in arrears beyond 90 days were also not treated as high risk by management. The justification was familiar: the loans were fully secured. Yet, from a prudential and risk management perspective, the bank was already holding 25% loan loss provisions against those facilities. Capital had begun absorbing the risk — but management behavior had not adjusted.
The auditors were not pointing to isolated technical lapses. They were highlighting capacity gaps.
This is where many institutions misunderstand audits. The problem is rarely intent. It is rarely ignorance of governance. It is almost never malice. The deeper issue is capacity — quiet gaps in skills, systems, risk understanding, and accountability that audits simply expose.
Auditors assess what could go wrong, not just what has already gone wrong. Management often assesses risk through lived experience: if nothing bad has happened yet, the issue feels theoretical. This disconnect creates tension, resistance, and recurring audit findings.
What audits are really revealing is this:
- Where risk thinking has not evolved with scale and complexity
- Where controls exist on paper but not in daily discipline
- Where managers understand operations but not risk interdependencies
- Where accountability for corrective action is diffused
Seen this way, audit reports are not compliance documents. They are capacity diagnostics.
Institutions that mature in risk management treat audit findings differently. They:
- Interpret audit issues as signals of capacity gaps, not personal failures
- Ask what skills or decision frameworks are missing behind repeat findings
- Assess whether systems and tools still match their risk profile and growth
- Clarify ownership beyond “closing the audit” to actually fixing root causes
- Invest in targeted capacity building, not blanket or generic training
Audits do not create problems. They reveal the problems institutions have been operating with all along — quietly, comfortably, and often unknowingly.
The real risk begins when management normalizes those gaps.