"You can’t say that!”
My boss, the chief audit executive (CAE), was telling me to change the audit report. For the second year in a row, my team found that accounting was not performing important reconciliations on time. As a result, financial reporting could be materially misstated and significant fraud might go undetected.
Rather than simply advising on-time completion of reconciliations, the audit team had performed a root cause analysis. They found that, due to cost-cutting, staffing in the unit responsible for the reconciliations had not only been reduced but also tasked with numerous special projects. The unit lacked sufficient people to meet its responsibilities without significant overtime, which management would not approve. Even if it did, the level of overtime would inevitably lead to burnout and the loss of valuable employees. Although we had found deficiencies relating to reconciliations, the staffing issue might affect the performance of other important controls.
The draft audit report explained that insufficient resources had elevated the unit’s risk level and recommended adding permanent staff or contractors at month-end. The CAE, however, was reluctant to include that information. He said that his name was on the audit report, and he refused to recommend an action he was sure management would ignore. In fact, management would be angry that we had questioned its cost-cutting strategy. We delivered the report without identifying the root cause and merely recommended completion of the reconciliations.
The original report was correct, explained the business risk, and recommended appropriate corrective actions. But perhaps because he feared how management would react, the CAE kept part of the story — part of the risk — to himself. The CAE, in other words, was not brave.
It can be hard for internal auditors to tell their stakeholders, whether at the board level or in top management, what is putting the organization at greatest risk. It can be hard to say that control failures stem from insufficient staffing, inadequate pay, or imperfect leadership. It can be hard to say that the organization’s structure, processes, people, and methods are not agile enough to succeed in today’s dynamic world. But these are all truths that need to be told. If no one tells the emperor he has no clothes, he will carry on without them.
Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out. Yet if they are to be effective, they must be able to do so — even at great personal risk.
The Ineffective Manager
What is Bravery?
Under ideal circumstances, the audit committee would help create an environment that enables the chief audit executive to be brave. But few board members will oppose an angry CEO or CFO in favor of a respected but more junior and expendable executive.
Internal auditors need to be brave, but not reckless. Several practices can help auditors take bold action when needed, including:
- Building trusted relationships with the top executives and each individual on the audit committee.
- Planning the communication carefully, laying the groundwork for each discussion. Make sure your words are clear and unlikely to be misunderstood.
- Communicating in person, one-on-one, and not relying on others to communicate for you.
- Moving progressively up the organizational hierarchy, approaching each individual with an open mind and listening to his or her views — obtaining agreement and support before moving to the next level. Respect each individual’s needs and the implications of the situation for him or her personally as well as for the organization. Consider asking each of them to attend your meetings with more senior management, all the way to the board, as appropriate.
- Listening and being prepared to modify your assessment if you’re wrong, even if it’s just moderating the language.
- Talking with and listening to allies and others who can help you.
- Ensuring no one is surprised, especially in front of others.
- Building a reputation for maintaining professional integrity. Honesty, ethics, and professional responsibility should always be top of mind.
A few years later, when I served as CAE at another organization, I tasked my team with an audit of the Commercial Accounting function. Significant billing errors had been made, and our priority was to find out why.
When we interviewed the department head, a rising star at the company, he explained that errors had been made because his employees were incompetent. Not a single accountant had passed the CPA exam. As a result, he had to do all the challenging tasks himself, requiring him to work many hours each day and most weekends. Mistakes were inevitable. He asked that we recommend human resources change the job requirements to include a CPA or equivalent.
The audit lead asked me if we could make such a recommendation. His team confirmed that the department head was Commercial Accounting’s only CPA and that the function often needed to perform complex accounting tasks. I told him to speak with each of the Commercial Accounting staff members and form his own opinion on whether they were competent to perform the work.
The interviews went well. I was surprised to learn that the staff had many years’ experience in commercial accounting, including the more complex tasks the department head said they were not competent to perform. The employees were proficient, but their manager did not allow them to make decisions. In fact, he gave them simple assignments and never explained what he was trying to accomplish. Many of the employees were frustrated and considering leaving the company.
The department head was the root cause of the control failures. The audit team asked if we should indicate that in the audit report. I said there were better ways to communicate the results of the audit and our assessment — as well as our advice and insight — than the formal, written audit report.
I sat down with the division CEO, one of the top three executives in the company, and shared the facts. He told me he had suspected a management problem but hesitated to act because the corporate chief financial officer (CFO) favored the department head. He asked what I thought should be done — I refrained from recommending specific actions, in the interest of maintaining my independence.
We issued the audit report after discussing the situation with all senior parties. In the report, audit committee members saw an assessment that, while errors had been made, appropriate actions had been taken. I shared the rest of the story with them at the next audit committee meeting, with additional comments from the division CEO and the corporate CFO.
Was this an act of bravery? Looking back, I can say that while it was difficult to tell senior management that a rising star was not only underperforming but unlikely to be effective in the future, the risk to me was minimal. I explained the facts objectively and dispassionately, allowing senior management to make an informed and intelligent decision. They respected that ability and our willingness to go beyond traditional auditing to provide them with our insights on the management of Commercial Accounting. By the time I had to report to the audit committee, I had the support of each member of management. The division CEO, who attended the meeting, told the directors he agreed with our assessment and that we had taken the appropriate action.
The Fearful CAE
At my next company, the audit team uncovered financial statement frauds in several U.S. locations within the organization’s largest business unit. The company had more than 100 locations around the world, most of which were underperforming. Senior management was thinking about consolidating operations to cut costs, placing the locations’ general and financial managers under great pressure.
I wanted to know why so many local U.S. controllers were manipulating their financial results to show profits when, in fact, they were breaking even at best. Our inquiries revealed they were not doing so to put money in their pockets; their motive was to save their unit from closure. But we also uncovered a more significant problem: When the local controllers reported a projected loss to the business unit controller at headquarters (HQ) during their quarterly updates, he consistently asked them to “find a way to make the number.” After discussing the instruction with their local general manager and finding no legitimate means of achieving their financial targets, the unit controllers fabricated profits.
Once we started auditing, the frauds were easy to find — management subsequently terminated both the local controllers and general managers. But my concern was not limited to whether the business unit controller had acted inappropriately; I also considered the possibility of a pervasive control environment or culture issue.
The HQ business unit controller did not direct the unit controllers to act inappropriately, but he failed to impress on them the need to act with integrity despite the pressure. When I explained the situation to the corporate CFO, to whom I reported, he expressed confidence in financial management of the business unit at HQ. I had no persuasive evidence that either the CFO or the HQ controller intended the units to manipulate their financial results. I asked the CFO to reinforce the need for integrity by sending a memo to that effect to the company’s entire financial staff, but he said the code of ethics already covered this principle. I suggested a conference call with global finance leadership, but he said that was also unnecessary. I also suggested it might be prudent to have the local controllers report directly to HQ and then to him; he told me that was not how the organization operated.
After completing our investigations, we concluded the frauds were not material to the financial statements. Still, the underlying conditions had not changed, and the possibility remained that additional fraud might be committed. I felt an obligation to share the facts with our audit committee, as well as my belief that the organization’s overall control environment could be improved to help the local controllers do the right thing regardless of pressure.
When I met with the committee chair, a retired CFO, he listened carefully and agreed that I had an obligation to share the facts, as well as my perspective on the control environment, with the full committee. He also agreed to talk to each of the audit committee members before the meeting to prepare them for the discussion.
Next, I informed the CFO that this would be on the audit committee’s upcoming meeting agenda and outlined what I would say. I told him I would not imply he or his team was involved in the frauds. And while I offered to forewarn the company’s CEO, the CFO insisted that I leave that conversation to him. The CFO also committed to share his perspective on the issue and what actions should be taken, after I had spoken.
Unfortunately, the committee meeting did not go well. The chair had not provided sufficient details about my report to all the committee members in advance, and one overreacted. He was afraid the CFO and corporate controller had been involved in the fraud, despite my assurance that I had no reason to believe they were. Although the committee member calmed down, the CFO did not speak up either to comment on the environment that led to the frauds or to suggest corrective actions. The CEO and the audit committee chair remained silent.
After the meeting, I spoke with the audit committee chair again. He apologized for the way the meeting had gone but said the committee would not support me in a dispute with the CFO. He knew that the CFO had at one point asked me to stop the audits that were identifying the frauds, which I declined to do, and that our relationship was strained. Moreover, he was as surprised as I was that the CFO didn’t comment during the meeting and suspected that was deliberate.
The audit committee believed in me, but the CFO was also highly respected and “had a bigger business card.” Both the CFO and the CEO wanted this issue to “go away” without having to take action themselves.
Shortly afterward, the HQ controller reached out to me; he said I had acted with integrity, agreed with my perspectives, and gave me his support. Nonetheless, the CFO and I agreed a few months later that we should part ways, and I left the company some time afterward.
Was I brave? I knew the CFO did not want this “dirty laundry” aired before the audit committee, and I knew he would likely find a way to remove me at some point. But I was professionally obliged to share the facts and what they meant with the audit committee. In hindsight, I should have spoken to each of the audit committee members myself, despite the chair saying he wanted to do it. Nobody attending the audit committee meeting should have been taken by surprise, as one director clearly was.
Perhaps others, such as the CAE I mentioned earlier, would have been more prudent. But even with hindsight, I believe I did what I had to do.
Take a Stand
Internal auditors must be determined to tell the harsh truth and do so in a way that clearly explains the facts and any recommended actions. They need to be prepared to sacrifice their job, and even their career, if necessary. Auditors must be brave, acting in the best interests of the organization and consistent with their principles. Anything less is a disservice to the profession and the stakeholders we serve.