What challenges do internal auditors face when speaking out about fraud or misconduct at the executive level?
WILLIAMS One of the hurdles internal audit may face is gaining an appropriate level of support from senior management or the audit committee. Due to established relationships and common reporting structures, it may sometimes be easier for senior management or the audit committee to side with the executive. One tactic senior management might use is to avoid denial of the facts, focusing instead on helping the executive minimize the incident by painting the matter as “gray” rather than “black and white.”
GROCHOLSKI Let’s assume the fraud or misconduct has been investigated by the chief audit executive (CAE) and proven. The first challenge would be the CAE’s lack of experience in dealing with these tough matters. Let’s face it, we hope not to have a lot of experience in this area. But should it happen, the CAE needs to dig deep and develop a plan to determine who needs to be involved, who needs to know about it, how to pursue it, and when — not whether — to inform the audit committee. Have courage: These matters can involve the highest and largest personas in the company. Be thorough: One sign of incompleteness may water down the entire issue. Anticipate reactions: Clearly communicate to the executive’s superiors — and/or the audit committee — the results of your investigation and anticipate how they may react.
How can internal auditors find courage, despite these challenges?
GROCHOLSKI First, “finding courage” should have been considered before taking the CAE role. Courage is a fundamental requirement of the job. The audit committee can help immensely in supporting the CAE through the matter. At the end of the day, the CAE’s reputation, too, is on the line in terms of how well he or she maintained confidentiality, avoided character assassination, and professionally managed the matter. Depending on the issue, CAEs need to think through the legal implications — such as potential crimes and required disclosures — and this will sometimes force courage on the CAE.
WILLIAMS Auditors should realize that doing the right thing is not always easy. They are frequently put in positions where they must exhibit courageous behavior, and they should be ready to demonstrate unwavering commitment to an ethical environment. The audit profession is founded on ethical standards, and there are resources auditors can reference as they fulfill their responsibilities. They can leverage the company’s code of business conduct, code of ethics, internal audit and audit committee charters, and other governance policies, while resources such as The IIA’s International Standards for the Professional Practice of Internal Auditing offer further support.
What should internal audit do if it encounters resistance when reporting the issue?
WILLIAMS Internal audit should discuss the situation with its direct administrative reporting manager and make its case as to why the executive’s actions should be further assessed. This may require special handling, depending on who the executive is and the specifics around the organization’s formal/informal reporting structure. If met with resistance, internal audit should explain the significance of the compelling observations gathered and the obligation to elevate the matter if it is not vetted with an appropriate level of attention. Incremental escalation then generally includes separate discussions with other executives — general counsel, the chief financial officer (CFO), the CEO — relevant to aligning on investigative actions and next steps. If internal audit is still not getting support, it should let the executive team know that it has no choice but to discuss the matter directly with the audit committee chair.
GROCHOLSKI CAEs report to the audit committee for a reason — for independence. The CAE needs to investigate the matter and discuss it with the audit committee. Resistance from executive management needs to be vetted during the investigation and raised to the audit committee immediately if it prevents the CAE from doing what needs to be done.
How can CAEs build relationships to ensure they have support when they need it?
GROCHOLSKI Relationships involve trust, and trust is built over time. CAEs need to demonstrate within their engagement with management and the audit committee that they can be trusted. If you are trusted, if you are professional, if you are seen as objective — and not pursuing an agenda — I firmly believe, based on my own experience, you will have the support when needed. Executive management has a stake in this as well, as this will be a time when they, too, need to display courage, demonstrate tone at the top, and walk the talk — not just talk the talk.
WILLIAMS The optimal time to prepare for an incident like executive fraud and misconduct is when you are not in the middle of the incident. Building a relationship with management and the audit committee chair can help ensure internal audit has the support of the organization when it needs it. Get to know them on a professional and personal basis. Strive to lead by example, demonstrating consistent integrity. Let your engagements and your ability to compromise when appropriate demonstrate that you are a business person who wants to drive value and help the organization achieve its goals.
What are some tips for reporting a major incident that involves senior management?
WILLIAMS Internal audit should use a predetermined escalation and response playbook or policy, if one exists. This document should include a communications cadence that can be used depending on the nature of the incident and who is involved. For example, it should consider formal hierarchy, informal hierarchy, long-standing relationships between other executives, and external auditor expectations.
In general, a good first step is for internal audit to discuss the facts with the general counsel and ethics and compliance officer. This will help ensure consideration of attorney–client privilege. If the general counsel is involved, or has a conflict of interest in the matter, then discuss the matter with the CFO, CEO, or similar executive instead and gain alignment on next steps. Communication with other executives early on may also be necessary, but should always be done on a need-to-know basis. Internal audit should also communicate timely with the audit committee chair, bringing him or her up to speed on the facts and circumstances. The general counsel and audit committee chair should help determine whether an external firm should be engaged, and by whom, to maintain the independence of an investigation. Internal audit’s interactions with senior management and the audit committee should address communications with the independent auditor to determine the impact of the matter on its audit of the organization’s financial statements and related financial reporting controls.
GROCHOLSKI Follow internal investigative protocols first, even if that includes discussing the matter with the executive vice president of legal, IT, or human resources, or the CEO or CFO. Everyone should understand an investigation serves two purposes — each being equally vital: to prove or disprove the matter. Next, determine when to inform the audit committee chair or the entire committee. Conduct nonintrusive data gathering and see what the data is telling you. Pull additional data if necessary to further prove or disprove initial analysis. All along, document what you do in a way that will serve you well should the matter be referred to external forensics or external legal firms to either continue investigating or because the audit committee wants them to validate your work and conclusions.
There are two stages: 1) observing/hearing about it and 2) proving it. Each stage has its challenges. In the first stage, you may need to look at data, emails, expense reports, or contracts to investigate the matter; you may even have to interview employees. A challenge here may be in just accessing the data/people, as you may need legal, IT, or executive management to be aware of the need to do so. Plan ahead; there may be resistance. Be aware that you will be closely watched to see how you work through this maze of politics, sensitivities, and dealing with large personas in the company.