Call it the Battle of Bismarck — a political turf battle unfolding in the state capital of North Dakota, which actually turns on a question audit executives everywhere can appreciate.
How does an audit function work when the chief audit executive and audit committee disagree over what the function should do?
On one side of the issue is Josh Gallion, elected state auditor in 2016. On the other is the Legislative Audit and Fiscal Review Committee, the state's version of an audit committee. Earlier this year lawmakers quietly adopted a provision requiring Gallion to get approval from the audit committee before he conducts "performance audits" of government offices.
Gallion politely but firmly told the Legislature in July that he doesn't believe the law is constitutional, since it impedes his autonomy as a duly elected executive officer of the state. The state attorney general agrees with him. The top budget analyst for the Legislature does not.
"We will not be seeking approval of performance audits, but what I will tell you is communication is key," Gallion told North Dakota lawmakers during a recent hearing.
That wasn't what state Rep. Gary Kreidt, chair of the legislative audit committee, wanted to hear. He was unhappy that Gallion has been announcing the results of performance audits to the public, without first letting audit committee members review the findings.
"I don't like to read in the newspaper an audit that's been completed and not have been notified that this audit was done," Kreidt said in that same legislative hearing.
The backstory here is interesting reading for political junkies and audit professionals alike. First, "performance audits" are defined as examinations of specific agencies or offices, to assess whether the agency achieves its stated goals and whether it does so in an economical manner.
Putting Differences Aside
In the corporate world, best practices to avoid these situations abound. Among them:
- The chief audit executive should meet with the audit committee chair regularly and informally, between committee meetings, just to build rapport and trust.
- The CAE, management, and the audit committee should collaborate while drawing up the risk assessment and preparing the audit plan. That at least prevents anyone from being caught by surprise, which is one criticism North Dakota lawmakers had about Gallion.
- Allow management sufficient time to review the audit findings and prepare a rebuttal that is included in the report, again to prevent anyone from being caught by surprise.
- Incorporate the IIA's model charter language as much as possible, spelling out roles and responsibilities clearly. "A flawed charter will certainty trigger challenges to the authority of any internal audit function," Hughes says.
Gallion undertook such an audit last year, to examine Gov. Doug Burgum's use of state aircraft. That audit came after reports that Minnesota energy company Xcel Energy flew Burgum and his wife to Super Bowl LII in 2018. Gallion also released an audit earlier this year that raised questions about a powerful state senator, who didn't disclose a conflict of interest while working at a North Dakota state college.
In April, just before the end of North Dakota's legislative session, lawmakers tucked that provision about seeking the audit committee's permission for performance audits into the state's must-pass budget bill.
Cynics say the provision was retribution for an auditor unapologetic about doing his job. That may be so. For the rest of us, the tensions here set up an important lesson in best practices — how can organizations avoid this sort of a standoff?
Lines of Authority
In the corporate world, an audit committee telling the audit executive not to examine certain issues without the committee's permission would be a big red flag. ("I'd certainly look for the exit," one IT audit executive told me.) But as daft as that idea might be, a corporation's audit committee theoretically could do it.
Public sector audits are different, because they're more susceptible to criticism that an audit was driven by political motives. Audit committees overseeing public sector audit functions are likewise susceptible to accusations of undermining the independence or objectivity of the function for political purposes.
"There's a huge risk of [those arguments] happening," says Kip Memmott, director of audits for the Oregon secretary of state. "Actually, it's not a risk — it happens quite frequently."
Memmott sees the challenge as one of strained relationships and communications. Not everyone might see the value in a performance audit, or understand the risk that audit is trying to assess. The employees in question might also feel vulnerable as targets of the audit.
That means the audit executive really needs to work on communication with those stakeholder groups if he or she wants to succeed. So one fair but pointed question: does the audit function have leadership in place to handle those human challenges? Or is it run by skilled technical auditors who have been promoted into a role that needs different skills?
"Audit is about relationships and communications," Memmott says — and "as a field, we have not done as well as we could have."
Generally Accepted Government Auditing Standards, maintained by the U.S. Government Accountability Office and commonly known as "The Yellow Book," spell out exacting standards for independence. If a public auditor doesn't meet them, the auditor should disclose that in the performance audit itself, along with whatever mitigating steps the auditor has taken. Even then, the auditor is still open to accusations of pursuing certain audits for political reasons.
"Given that the public has long been 'sold' on the integrity and objectivity associated with unqualified or unmodified opinions, any qualifiers tend to trigger concerns regarding the objectivity of an audit," says Peter Hughes, assistant auditor-controller and chief audit executive for Los Angeles County. "Thus the reason that state and legislative auditors may challenge the benefit of such qualified audits."
The wrinkle in North Dakota is that nobody can fire anybody else for flouting any of these practices; the auditor, the lawmakers, and the governor are all elected by voters. They must work together.
Which brings us back to Memmott's point that communication to foster strong, working relationships is paramount. Yes, that can be painstaking, and in some instances political motivations will be entrenched. Audit leaders still need to try.
"I don't know if chief auditors can control it, but certainly if they can't, they better be aware of it," Memmott says.
We don't know how North Dakota's impasse over performance audits will end. A proposed voter referendum to repeal the restrictions failed to gather enough signatures. Some lawmakers say they will try to repeal the restrictions in the 2021 legislative session. And despite Gallion and the legislative audit committee being at odds on that issue, both sides also say they will continue to work together on other issues.
The rest of us can watch and wonder what we might do.