At about this time each year, I like to look back at the news events and stories that are shaping our profession. Occasionally, we have a year in which few news stories seem to be relevant to internal auditors, but this year — for better or worse — a number of headlines seem destined to affect where internal auditors are headed in the coming year. Each of these stories holds important lessons for internal auditors, so a review of a few of the most important events seems in order.
1. The Presidential Election
At first glance, the U.S. presidential election might not appear to be an internal audit news story. But according to all the experts, the outcome of the election was a clear signal that we should expect, and prepare for, a strengthening regulatory environment. (Some might call it an increasingly onerousregulatory environment, but I'm trying to keep this blog non-political.) As far as I know, internal audit was never mentioned in this year's election news, but there's no doubt that the political environment can affect internal audit priorities. Regulators are taking note of the fact that voters are not necessarily pro-business this year — and that multi-million-dollar fines for violations of the U.S. Foreign Corrupt Practices Act (FCPA) and other regulations can be a significant source of revenue for cash-strapped government coffers.
Lesson Learned: If compliance does not score high on your risk assessments this year, it might be time for another look. The risks are going up.
2. Internal Auditor Liability and Non-compliance With Standards
When it comes to new risks for the internal audit function itself, one of the biggest news stories is that of Colonial Bank of Montgomery, Alabama. In November the U.S. Federal Deposit Insurance Corp. (FDIC), as receiver for Colonial Bank, sued accounting firms Crowe Horwath and PricewaterhouseCoopers, claiming the two firms had committed "professional malpractice and breach of contract" because the auditors failed to detect that two Colonial employees helped defunct mortgage lender Taylor Bean (TBW) create hundred-million-dollar holes in Colonial's balance sheet.
I realize that suits against public accountants are fairly common, so at first glance, this story might not seem like big news for internal auditors. But Crowe Horwath had acted as Colonial's internal auditor, not as the external auditor, and the lawsuit claims the auditors did not follow professional standards. According to the FDIC's attorney, "Had they performed their auditing work in accordance with applicable professional standards, they would have learned of the TBW fraud in time to prevent additional losses suffered by Colonial."
Lessons Learned: If a government agency can sue and win based on our not following theInternational Standards for the Professional Practice of Internal Auditing, the door will be open for a plethora of similar lawsuits. We might see repercussions from this lawsuit for years to come, not just in highly regulated industries but across the board. It's time to make a New Year's resolution to review compliance with professional standards and, in particular, to ensure that your organization's next independent quality assurance review takes place within five years of the previous review.
3. …And Still More Internal Auditor Liability
Could you personally be sued by your organization's shareholders? It might sound far-fetched, but the odds are increasing. In March 2012, a securities class action suit leveled allegations against former Avon internal auditor, Fabian LaPresa. The suit claims that Avon and its senior management knew about or disregarded what the suit called "pervasive bribery activities" at Avon China as early as 2005 and lied to investors about FCPA compliance. It also alleges that former Avon Vice Chairman Charles Cramb approved additional severance benefits for the chief audit executive (CAE) after the CAE threatened to give the U.S. Securities & Exchange Commission (SEC) an internal audit report flagging several hundred thousand dollars in questionable payments.
The former CAE says there is no truth to allegations that he threatened to disclose a negative audit report in order to obtain a larger severance package. Investigations are ongoing, but regardless of the results, this is one of the first cases in which an internal auditor has been sued by the company's shareholders. Your guess is as good as mine as to what other actions or inactions might be considered grounds for shareholder lawsuits against internal audit, but now that a precedent has been established, it's a safe bet that other lawsuits will eventually follow.
Lessons Learned: I assume that the odds of any of us facing a shareholder lawsuit are low, but it's still important to remember that internal audit faces ongoing scrutiny by its various stakeholders, and one of the best ways to withstand the scrutiny is simply to follow our professional standards and the Code of Ethics. When we "play by our own rules" in every professional situation, we are building strong armor against potential charges of negligence or professional misconduct and, these days, it can't hurt for all of us to be a bit more bullet-proof. (It should be blatantly obvious that you also should avoid getting caught up in activities such as extortion schemes or the "pervasive bribery activities" alleged at Avon. If it's not obvious and you are an internal auditor, I would highly advise that you consider making a career change.)
4. Whistleblowing Woes
Fourth on my list of big news events for internal auditors is the story of the whistleblower who helped the U.S. government mount a US $1 billion fraud lawsuit against Bank of America Corp. The whistleblower was himself accused of fraud by an investor in a financing company he co-founded, and he now works at Fannie Mae (FNMA), one of two entities he claims the bank defrauded. "It could certainly be argued that the whistleblower had an interest in making the allegation either to secure employment at Fannie Mae or making himself look good at Fannie Mae," said Peter Hutt, an attorney who defends whistleblower cases, in an interview with Bloomberg.
The case is ongoing, but regardless of the eventual results, the implications are clear: Any employee, temporary worker, ex-employee, vendor, or customer might receive powerful financial incentives for becoming a whistleblower — powerful enough that a disgruntled employee might conceivably go out of his or her way to manufacture evidence against your organization. Keep in mind that in the United States, under Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, whistleblowers can recover 10 percent to 30 percent of penalties in excess of US $1 million collected by the SEC; and the Internal Revenue Service offers payments of up to 30 percent to individuals who blow the whistle on tax evasion.
However, I must note that recent IIA research shows that perhaps surprisingly CAEs are not witnessing significant changes in employee whistleblowing, even in light of the SEC's first payout under the Dodd-Frank rules. As a matter of fact, less than 5 percent of CAEs responding to a survey are concerned that employees could bypass their organization's whistleblowing process to report incidents directly to external parties, and a majority stated that the number of hotline claims has stayed the same since August 2011.
Lessons Learned: A single whistleblowing incident might result in significant financial and reputational damage. Ongoing reviews of policies, procedures, internal controls, and tone at the top can help mitigate the damage, so a rigorous internal audit plan can be your company's best defense. If you are considering internal audit budget cuts, keep in mind that the risks are growing and that certain parts of the audit schedule should never be cut too deep.
The internal audit profession has played a crucial role in helping organizations identify instances of unethical employee behavior as well as providing recommendations that have enhanced detective and preventive controls. Given the visibility of the post Dodd-Frank whistleblower provisions, we were surprised to learn that employee whistleblowing remains virtually unchanged since 2011. This could well mean that for most organizations, internal hotline practices have been working successfully and the advent of the whistleblower provisions from Dodd-Frank simply helped to remind organizations to continue ensuring their internal processes are adequately robust. However, with the number of cases the SEC has self-reported, and with only the first of an expected volume of future financial payouts, only time will tell if internal audit's general lack of concern is warranted.
5. Internal Audit Resources on the Rise
And finally, the internal audit profession finishes the year with some positive press coverage. Rather than The IIA reporting on the news, we ARE the news this time. Our recent IIA Audit Executive Center "Pulse of the Profession" survey indicates the strongest outlook for internal audit resources in five years. The survey of 545 CAEs and internal audit directors shows that despite economic uncertainties and a looming "fiscal cliff," the largest percentage of internal audit departments since 2008 (41 percent) are anticipating an increase in their resources in the coming year. Fifty percent stated budgets will remain stable, and only 9 percent expect budgets to drop — the lowest decrease percentage since 2008.
Also according to the survey, audit coverage in 2013 might still lag in two key areas: risk management effectiveness and strategic/business risks. Additionally, The IIA found more CAEs will concentrate on recruiting skills aligned with areas of emerging audit coverage. In turn, the top two skills sought for new audit staff in 2013 are analytical/critical thinking and communication. Consistent with the current concerns of boards of directors and audit committees, the survey also found that internal auditors are balancing their coverage to a diverse portfolio that aligns with the risks most companies are dealing with.
Lessons Learned: The IIA Audit Executive Center research confirms what we've been seeing for some time now: the evolving role of internal audit as a key business partner to executive management and the board. While 2013 is promising to bring about positive opportunities for internal audit, CAEs need to take advantage of this period to ensure their teams are positioned for ongoing success. Doing so will help to make sure the internal audit profession continues to enhance its relevancy in the face of the increasing velocity of change. The media certainly found this news to be of particular interest with widespread coverage. Here's just a few of the stories available online:
Other important lessons can be learned from recent news stories — lessons regarding ethics and resisting the temptation to get swept up by "pervasive" management wrong-doing; lessons regarding audit effectiveness; lessons regarding the credibility of the internal audit function itself. The issues are troublesome, and these stories can serve as red flags, pointing out how internal audit might go disastrously astray for the unprepared or the unlucky. Hopefully these stories will also serve to remind us of how we might avoid similar problems at our own organizations.