HF Sinclair’s CFO, Atanas Atanasov, took a voluntary leave of absence after concerns raised by the audit committee, one week after CEO Tim Go did the same. The internal review started after concerns were raised about the company’s 2025 disclosure process and “tone at the top,” and the audit committee ultimately reported no deficiencies in financial reporting controls or disclosure procedures. Reuters also noted shares were down about 13% since Go stepped aside.
This is exactly why we treat C-suite churn as a governance, risk and compliance story, not a leadership tattle story.
What happened at HF Sinclair: audit committee and disclosure credibility
According to reporting on the company’s filing, the review began after the CFO raised concerns about the CEO’s influence on disclosure processes and “tone at the top.” The board later raised concerns about the CEO’s communications approach during the disclosure process, and later about the CFO’s behavior and management relationships.
Interim leadership was put in place, and the company said it planned to negotiate separation agreements.
The key point for senior leaders is not the specific personalities or events at play here. It’s the mechanism: once an audit committee is pulled into disclosure credibility, leadership stability becomes part of the control environment.
C-Suite exits: the impact of GRC and the trend we’re noticing
This is not isolated: the last 12 months have seen a series of prominent C-suite exits tied to governance challenges across different regions and sectors;
The United State, IT Sector: Kyndryl’s CFO and general counsel exit amid accounting review
February 2026, the Wall Street Journal reported that Chief Financial Officer and general counsel of Kyndryl left as the audit committee reviewed accounting practices following Securities and Exchange Commission (SEC) document requests, with the United States company flagging internal control weaknesses.
Japanese manufacturing, with China subsidiary exposure: Nicdec founder resigns amid accounting irregularities investigation
Also, in February 2026, Reuters reported the founder stepped down as chairman emeritus amid investigations into accounting irregularities at a China subsidiary, with Tokyo Stock Exchange governance pressure in the background.
The United Kingdom, Retail: Marks & Spencer digital and tech leadership changes after a major cyberattack
Through 2025-2026, Marks & Spencer saw senior digital and technology leadership (including the digital and tech chief), changes in the wake of a major cyberattack, with Reuters reporting an estimated £300m hit to operating profit tied to disruption.
Australia, Telecom: Optus CFO and CIO depart amid security over triple-0 outages
ABC/SBS reported planned departures of Australian HQ, Optus’ Chief Financial Officer and Chief Information Officer as scrutiny continued after a major emergency-calls outage.
While these are different sectors, different triggers, they are the same governance mechanism. It seems as when oversight tightens, leadership changes follow.
What the academic evidence says is really happening behind “sudden” C-suite exits
When an audit committee flags disclosure risk or “tone at the top” concerns, leadership churn can feel like the inevitable next.
The research frames this as a form of “legitimacy repair.” 1 When something goes wrong, firms often try to create distance from the people publicly associated with the failure, with executives taking the blame. Behind the scenes, they then tighten oversight and put stronger monitoring in place to reduce the risk of a repeat. In other words, it’s an initial optics reset followed by more substantive change.
And the numbers bear this out, one major study of financial restatements found CEOs and CFOs were more than twice as likely to exit after a material restatement, and directors and audit committee members were also more likely to leave.2
These numbers, become even sharper when the failure looks preventable; as this is seen a direct reflection on senior leadership. For example, research on security incidents shows turnover is more strongly linked to breaches attributed to “system deficiency” than breaches tied to criminal fraud or human error.3 In other words, accountability escalates when the story is “this should not have happened if controls were working.”
The business risk of leadership churn (beyond the personal risk)
Leadership churn creates a second-order risk most teams underestimate: uncertainty becomes expensive.
Investors react not only to exits, also to how succession is handled. Markets do not just react to the fact someone left. They react to what happens next and whether the board looks in control.
When there is perceived wrongdoing, investors tend to respond more positively when the company names an external successor (about +3.85% in the study’s event window). They react negatively when the company installs an interim leader (about -2.09%) and even more negatively when there is no named successor at all (about -3.49%).4
Organizations often use a CEO change as a visible signal when the organization is under scrutiny. While this can be framed positively as accountability, research suggests CEO turnover also carries real negative “symbolic weight” because it is a costly, highly visible response to pressure after restatements.5
So yes, turnover can be accountability. But it can also create operational drag, control ownership gaps, and market penalties if the monitoring and succession pieces are not handled cleanly.
What senior leaders should do now (checklist)
- Treat audit committee concerns as a credibility event, not an HR issue.
- Pair any leadership change with a monitoring change (controls, oversight, evidence).
- Clarify named ownership for disclosure controls, internal controls, cyber readiness, and third-party risk.
- Produce a board-ready evidence pack fast: what happened, what changed, who approved, and what proof exists.
- Tighten audit committee oversight and make independence and expertise real, not cosmetic.
- Treat IT control quality as part of financial reporting risk and fix system-level weaknesses, not just symptoms.
- Choose successors like a signal. Outsider vs insider and interim vs permanent choices change stakeholder reactions.
- Track remediation and escalation in a risk management system, not spreadsheets.
- Re-test key controls through internal audit and document results in audit management software.
- Run a third-party and incident response stress test to confirm escalation and logging work end-to-end.
Where CoreStream GRC fits
CoreStream GRC helps you operationalize the “monitoring” part so this does not become a scramble:
- Centralize ownership and evidence trails across audit management software and a risk management system workflow
- Track remediation and escalation without spreadsheet chasing using compliance automation and compliance management software
- Connect cyber and vendor governance with third-party risk management software and vendor risk management software
- Tie it all into board-ready reporting via enterprise risk management software and risk assessment software
- Provide complimentary expert-led workshops by ex-big 4 consultants and partners to audit plans and provide best-practice next steps
Not looking to buy but still want to be part of the conversations shaping the future of GRC? Join our expert community and sign up to our newsletter.
FAQ HF Sinclair CFO exit and what it signals for GRC, risk, and compliance
HF Sinclair’s CFO took a voluntary leave after audit committee concerns, shortly after the CEO also took leave. For senior leaders, the governance signal matters more than the personalities.
Because audit committee concerns typically point to oversight, disclosure discipline, and control performance. That pulls the situation into governance, risk, and compliance territory where evidence and accountability matter.
It is the practical signal of how leadership influences decisions, escalation, and behavior. If “tone” affects disclosure or control decisions, it becomes a governance risk.
Treat it as a credibility event. Confirm the failure mode, lock down evidence, assign owners, and make control changes visible and testable.
A monitoring change is the operational upgrade that prevents repeat issues, such as stronger disclosure controls, improved logging, clearer escalation, and independent verification through internal audit.
A clear timeline, what changed, who approved decisions, and supporting proof (logs, control evidence, audit trails, remediation actions). This is where audit management software and internal audit software help teams answer questions quickly with defensible evidence.
Turnover creates uncertainty, slows decisions, and can break ownership chains across controls. If succession is unclear, it can also trigger negative investor interpretation, even when the company is trying to show accountability.
Sources and further reading
- Haislip, J.Z., Masli, A., Richardson, V.J. and Sanchez, J.M. (2016) ‘Repairing organizational legitimacy following information technology (IT) material weaknesses: executive turnover, IT expertise, and IT system upgrades’, Journal of Information Systems, 30(1), pp. 41–70. ↩︎
- Arthaud-Day, ML, Certo, ST, Dalton, CM & Dalton, DR 2006, ‘A changing of the guard: Executive and director turnover following corporate financial restatements’, Academy of Management Journal, vol. 49, no. 6, pp. 1119-1136. https://doi.org/10.5465/AMJ.2006.23478165 ↩︎
- Banker, Rajiv D. and Feng, Cecilia (Qian), The Impact of Information Security Breach Incidents on CIO Turnover (March 2018). Journal of Information Systems (2019) 33 (3): 309–329, Available at SSRN: https://ssrn.com/abstract=3788478 ↩︎
- Connelly, B.L., Ketchen, D.J. Jr, Gangloff, K.A. and Shook, C.L. (2016) ‘Investor perceptions of CEO successor selection in the wake of integrity and competence failures: a policy capturing study’, Strategic Management Journal, 37(10), pp. 2135–2151. doi:10.1002/smj.2430. ↩︎
- Pozner, J-E., Mohliver, A. and Moore, C. (2019) ‘Shine a light: How firm responses to announcing earnings restatements changed after Sarbanes-Oxley’, Journal of Business Ethics, 160(2), pp. 427–443. doi:10.1007/s10551-018-3950-y. ↩︎
