Audit Reporting

The Three Words That Kill an Audit Finding: "Management Has Noted"

Kamran Iqbal, CIA, CISA, CFE · June 2026 · 6 min read

Weak management responses destroy audit value. When management responds with three hollow words, it signals that the finding will go nowhere. This article explains why vague responses are not corrective actions — and what internal auditors must do differently to drive real accountability.

Every internal auditor has seen it. A significant finding is raised. The audit report goes through review. Management is consulted. The deadline arrives. And then — the response comes back.

"Management has noted."

Three words. No action. No commitment. No accountability. Just acknowledgment — and not even a meaningful one.

Why This Response Is a Problem

A management response is not a formality. It is a commitment. When the audit committee reviews an internal audit report, they are looking for two things: what the auditor found, and what management is going to do about it. A response that says "management has noted" communicates precisely nothing about the second part.

It does not say what action will be taken. It does not say who is responsible. It does not say when it will be done. It does not even confirm that management agrees with the finding or understands its significance.

In essence, it turns a potentially important governance communication into a document management exercise.

Why Auditors Let It Happen

The reasons are familiar. Time pressure. Relationship management. The desire to close the engagement and issue the report. An unwillingness to escalate a disagreement about wording. A belief that "we can follow up later."

But later rarely comes. The follow-up tracking is inconsistent. The finding sits in the registry. The action never materialises. And the next audit finds the same control gap in the same place.

What a Proper Management Response Looks Like

A proper management response has four components: acknowledgment of the issue, a specific corrective action, a named responsible owner, and a committed implementation date.

Not "the team will review the process." But "the Finance Manager will revise the payment authorisation matrix to include a secondary approval threshold for transactions above AED 50,000, with implementation by 31 July 2026."

That is a management response. It is measurable. It is trackable. It is accountable.

What Auditors Should Do Differently

First, brief management on response expectations before the report is issued — not during the closing meeting, but at the start of the audit. Management should understand from day one that responses require specific commitments, not expressions of awareness.

Second, do not accept vague responses. Return them. Politely, professionally, but firmly. "Thank you — could you please clarify the specific action, responsible owner, and target date?" is a perfectly reasonable request.

Third, track management actions formally. Not in an email. In a management action tracking register that is reported to the audit committee regularly. Overdue actions should be escalated — not absorbed into the background.

Fourth, close findings only when the corrective action has been verified — not when management says it has been completed.

The Broader Point

Internal audit exists to add value by improving governance, risk management, and control. That value is only realised when findings lead to actual improvement. A finding that produces no action is not a finding — it is a piece of paper.

The next time management submits a three-word response, do not file it and move on. Ask for more. Your audit committee is counting on you to do exactly that.
