
Board Problems

With stakeholders’ growing emphasis on corporate culture, boards could benefit from ethics expertise.


Audit committees have a problem: They have too many problems. More precisely, they have too many types of problem — too many types of corporate misconduct to consider these days, because the definition of misconduct has expanded dramatically in the last 15 years. 

That raises questions about the expertise audit committees need, and whether corporate boards have enough of it. Quite simply, if society wants corporations to exercise a sharper sense of ethics and moral responsibility, do we need more ethics and compliance officers serving on boards? 

“It’s undeniably true,” says David Greenberg, former chief compliance officer (CCO) at tobacco manufacturer Altria and an audit committee member of International Seaways, a New York Stock Exchange-traded oil and gas tanker business. The definitions of corporate misconduct are expanding, he says, and the consequences of it are deepening. “Put those two things together, and it’s a recipe for needing more of that experience.” 

A recent regulatory enforcement example demonstrates the point. Cognizant Technologies, an IT outsourcing firm, had been accused of violating the U.S. Foreign Corrupt Practices Act when two of its senior executives orchestrated a US$2 million bribe to government officials in India. The involvement of two senior executives would typically leave Cognizant unable to avoid criminal prosecution, according to U.S. Department of Justice (DOJ) policy. Yet when regulators settled the case in February, the DOJ did decline to bring any criminal charges. Prosecutors later said why: “The company voluntarily self-disclosed the conduct within two weeks of when the company’s board learned of it.” 

Confessing egregious corporate misconduct is unquestionably the right thing to do. Still, confession is a big request — especially when doing so invites potentially serious legal and financial consequences, such as monetary penalties or a corporate criminal charge. So Cognizant’s decision to disclose its trouble immediately, without any certainty of favorable treatment, is all the more impressive. 

Where did that ethical commitment come from? It’s worth noting that Cognizant’s audit committee chair at the time was Maureen Breakiron-Evans, who worked as general auditor of Cigna in the 2000s. Also on the committee was Leo Mackay, head of ethics and internal audit at Lockheed Martin. Both still serve on Cognizant’s board.

Beyond Financial Expertise

Under the U.S. Sarbanes-Oxley Act of 2002, the audit committee of a publicly traded firm needs at least one designated “financial expert” to help the audit committee police against financial fraud. When the act was passed, that might have been enough of a kick in the corporate rear to take internal control more seriously. Today, a strong control environment has become much more important, to address all sorts of issues. Regulators don’t just want swift corrective action; they want strong preventive action. Customers, business partners, or even self-appointed social justice warriors prowling Twitter — all want to see ethical culture taken seriously, translated into tangible policies, controls, and actions. 

“A true auditor on the board, or a true employee relations or corporate compliance person, is important because what’s falling to the audit committee to investigate — it’s gone way beyond what audit committee charters originally said,” says Owen Bailitz, a former risk management and audit quality partner with RSM, who now serves on the audit committee of the American Board of Medical Specialties. “You’re basically expanding the definition of risk.” 

Audit executives could perceive all of this as a virtuous circle. Yes, data analytics captures data about business process outputs, to identify anomalous events or excessive risks. Those insights let directors draw conclusions about how the enterprise is working. We still need the other half of the circle: using those insights to change policy, procedure, and culture, so business processes can stay within ethical parameters more easily. That’s the improvement society wants to see. 

“Across stakeholders, there’s been more engagement with boards on this discussion. Ethics and culture are topics that are relevant to the full board and every committee of the board,” says Tracy Atkinson, audit committee chair of defense and aerospace systems provider Raytheon Co. “Having someone who lives and breathes this on the board adds to the dialogue in a new way.” Atkinson would know; she is executive vice president and CCO at financial services company State Street Corp. 

We see that increased engagement in various ways. For example, the Edelman Trust Barometer, which surveys more than 33,000 people worldwide about their trust in institutions, recently found that 76% say their employers should “take the lead on change” for issues such as sexual harassment, the environment, and discrimination. And 71% said it’s critical for their CEO to respond to challenging issues.

Then there are regulatory pressures. For example, a board might find itself saddled with a corporate integrity agreement where the audit or risk committee has to certify compliance with the terms. Having a compliance or internal control expert on the board would make that an easier exercise.

Those are examples at the macro level. At the micro level, chief audit executives (CAEs) have this: The Politics of Internal Auditing, a 2016 IIA study, found that 55% of audit executives had been asked to suppress unwanted findings during their career. That tells us two things. First, that internal audit executives are well-acquainted with the threats of bad ethical culture; and second, that CAEs would be well-suited to serve on boards someday — because they (like CCOs) have seen poor ethical behavior up close, and it’s their job to uncover and eradicate bad behavior anyway, whatever the consequences. 

That skill, of identifying the ethically correct step, taking it, and defending it, will only become more important. As Greenberg says, questions about disclosing misconduct, and whether voluntary disclosure is worth it, can be quite difficult. “You need people with some experience to overcome that.” 

Meanwhile, the Reality

As desirable as an ethics, audit, and compliance perspective on the board might be, practical limitations abound. Boards are still desperate to recruit women and minorities; some jurisdictions now require specific quotas for female directors. Boards also are desperate for cybersecurity expertise. And yes, foremost, boards want to recruit current or former CEOs, chief financial officers, and chief operations officers — people who understand the intersection of strategy, operations, and finance.

That leaves few open seats for other governance expertise. So boards might not rush to the idea of recruiting CAEs or CCOs, unless they’re particularly committed to foresight. As Bailitz put it: “You need to have a change of mindset among the chairpersons of these boards, to say, ‘We lack this expertise, and it’s something we need.’” 

The push for cybersecurity expertise is a good parallel. Most executives, audit committee members included, understand cybersecurity at a reasonable level — what it is, why it’s important, and what it should achieve. But they don’t understand how to assess it, improve it, or weave it through all of an organization’s operations. Only a cybersecurity expert does.

Ethical culture is a lot like that, Atkinson says. Boards might believe they can master ethics and culture because it seems like a nontechnical issue, but introducing an audit or compliance executive can sharpen the board’s perspective in new ways. “It’s a mindset,” she says. “Having compliance and ethics as your subject matter domain, and bringing that to the board, further serves to emphasize” where ethics and the control environment might need attention.

So will boards put more audit and compliance professionals on the audit committee or even some other board committee? Will recruiters start calling CAEs and CCOs? That’s hard to say, but it’s not just self-interest for CAEs to want that to happen. This is what the future of boardroom problems looks like, and the future has a habit of arriving eventually.  

Matt Kelly

About the Author



Matt Kelly is editor and CEO of, an independent blog about audit, compliance, and risk management issues, based in Boston.

