The seven-year federal prison sentence for former Volkswagen executive Oliver Schmidt has weighed on my mind since it was handed down in December. Schmidt led Volkswagen's U.S. regulatory compliance office during the period when the German automaker was installing "defeat devices" on its vehicles designed to circumvent U.S. emissions rules.
During his allocution in federal district court, Schmidt admitted knowing of the existence of cheating software in Volkswagen's two-liter diesel vehicles. He also acknowledged knowing VW employees were intentionally providing misleading explanations to U.S. regulators.
It is stunning to me that such admissions would come from the head of compliance for any organization, much less one from a venerable and respected global automaker.
A year ago, not long after the federal indictments against Schmidt and other VW executives were announced, I wrote a blog post that noted the risks associated with compliance are no longer just about fines and penalties to a company.
"Instead, government officials are increasingly likely to haul offending executives in front of judicial authorities. Instead of the old expression 'comply or explain,' for contemporary offenders, it is 'comply or explain (to the judge).'"
Schmidt learned that lesson the hard way and is now paying for the misdeed with his freedom, a $400,000 fine, and deportation to his native Germany once his prison sentence is completed.
Volkswagen's "dieselgate" scandal provides a sobering example of a dramatic breakdown in compliance risk management. It is a fundamental function of internal audit to evaluate and improve the effectiveness of risk management, control, and governance processes for the organization — especially where statutory and regulatory compliance are concerned.
That specific wording comes from the Definition of Internal Auditing contained in The IIA's International Professional Practices Framework (IPPF). What's unwritten — yet should be understood — is that internal auditors must also be advocates for the critical business processes that foster effective compliance.
In my previous post, I offered several ways that internal auditors can help strengthen governance and mitigate compliance risks:
Assess compliance risks continuously. On the basis of continuous risk assessments, ensure the internal audit plan is regularly updated to reflect significant/emerging compliance risks.
Clearly identify governance processes examined in every engagement. By identifying the specific governance processes in engagement reports, internal audit reminds management and the board of the value of varied governance processes, from those designed to deter fraud to those that protect against data breaches.
Develop trust relationships with stakeholders. As trusted advisors, internal auditors are more likely to be invited to provide input on strategies and goals that may affect governance and the effectiveness of compliance.
Keep your house in order. Every chief audit executive must ensure the effectiveness of compliance controls within the internal audit function itself. It's hard to preach the value of compliance risk management and effective governance if you have governance and compliance failures of your own. Having a quality assurance and improvement program in place is a must.
Don't forget about culture. There is a symbiotic relationship between governance and culture. When one goes bad the other suffers. Most of the high-profile compliance failures had a cultural component as a root cause. Educating stakeholders about this fundamental relationship is one of the most important ways to ensure effective compliance and good governance.
This final point deserves further examination. There is a significant difference between a compliance failure and actions by an organization designed to circumvent regulations. All the information that has emerged to date about dieselgate points to a calculated and deliberate attempt to break the rules and not get caught.
It is unrealistic to expect that internal auditors will uncover every instance where pressure to achieve company goals is so great that illegal actions are viewed as viable options. But culture and risk tolerance can provide some insight into an organization's vulnerability to such missteps.
I believe Uber offers another example of the challenges associated with freewheeling, rule-bending cultures. In 2017, Uber faced one crisis after another, and in October Bloomberg reported that the company faced no fewer than five criminal investigations from the U.S. Justice Department.
When culture drives risk tolerance to a high level, good governance and risk mitigation are much more complex and daunting. This is something every internal auditor must take to heart.
As always, I look forward to your comments.