An internal audit reveals that employees in a regional office are consistently bypassing established financial authorization controls. Which of the following is the most appropriate corrective action to resolve this issue and prevent recurrence?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Imagine you’re the compliance officer and your internal audit team finds out that a regional office has been skipping approvals on their expenses. What do you do? If your first instinct is to fire everyone or send a nasty email to the whole company, take a breath. That doesn't fix the underlying problem! You need to find out why they were bypassing the controls. Maybe the approval software is too slow, or they never got trained on the proper steps. That's why option C is the way to go. By running a "lessons learned" session and doing a root-cause analysis, you find the real problem. Then you train them, update the procedure, and make it work in the real world. That’s how you build a healthy compliance culture!
Full explanation below image
Full Explanation
The correct answer is C. Effective corrective action requires identifying and addressing the root cause of a compliance failure, rather than just treating the symptoms or applying punitive measures indiscriminately. By conducting a root-cause analysis and collaborating with the regional staff in a "lessons learned" format, compliance and management can determine if the bypass occurred due to a lack of awareness, flawed system design, conflicting operational pressures, or intentional misconduct. Once the root cause is established, implementing targeted remediation—such as system reconfigurations, updated standard operating procedures, and focused training—helps ensure long-term compliance.
Option A is incorrect because public shaming damages company culture, discourages employees from reporting issues, and does not address the underlying operational reason why the controls were bypassed. Option B is incorrect because terminating an entire office is an extreme, disproportionate response that disrupts business continuity, ignores individual accountability, and fails to determine if the controls themselves were poorly designed. Option D is incorrect because ignoring compliance failures in regional locations creates systemic vulnerabilities, exposes the firm to localized fraud, and fails to demonstrate a commitment to an effective compliance program.