(I'm going to start with an apology. The posts on this
particular subject are going to go on much longer than I thought, planned, or hoped.
[It could be worse. You should see the original 5,000-word first draft on this subject.]
My first thought was to just put this all in one post and let everyone wade through
it. But, nope, too long. Instead, part three of this multi-part blog series
will itself be split into two parts. As Pascal famously said “If I had more time,
I would have written a shorter letter.” And, yes, I could save some space by
reducing these asides, but, well, that is the ride we’re on. Please indulge; please
To catch everyone up, I’m doing a series of posts on events
from the previous decade to which internal audit might have paid closer
attention, and how those events represent areas where internal auditors can still
provide value to their organizations. (The first two subjects related to reputation risk and disruption.) When developing the content of the posts in this series, I
actually came up with a list containing 10 or 15 items. I began winnowing
down that list and there was one area that lasted a little longer than the
others, but just never seemed strong enough to make it to the finals.
And then, in the last couple of weeks, the real world once
more reared its ugly head, and I realized the topic had to be included. And, as
I’ve put this together, I realized, yeah, this is a big deal.
Today’s topic is whistleblowers.
There’s been a lot of talk about them the last few months,
but they aren’t anything new. Go to Wikipedia. (And at this point let me emphasize
I am loath to direct anyone to this snake pit of partial and misinformation.
Never use it as a primary source. Instead, as we are doing here, use it only as
somewhere to get started.) Check out the page “List of Whistleblowers.” The first
whistleblower listed is from 1777. (Did I mention whistleblowing is nothing
new?) Scroll down — scroll, scroll, scroll — and you will eventually get to the
2010s. The list stops at 2016 (did I mention Wikipedia’s partial and misinformation?),
but it still includes approximately 30 major whistleblowers from the last
decade. If you want to see the plethora of more recent cases check out the
National Law Review’s constant updates on whistleblower statuses, the
information on whistleblowers.org, and any number of other resources. (Just google
“top whistleblowers” and start surfing.)
For pure notoriety, divisiveness, and name recognition, it
is hard to beat Edward Snowden. In 2013 he revealed a substantial number of
classified documents that were eventually published in The Guardian and
The Washington Post. The documents revealed details of a global
surveillance program run by the U.S. National Security Agency
in close cooperation with similar departments within Australia, Canada, and the
U.K. He was charged with violating the U.S. Espionage Act and currently maintains
asylum in Russia.
Depending on who you talk to, Snowden was a hero or a villain.
Opinions range from “He should be strung up” to “Heroism deserves clemency.” This
is the range of sentiments that seems to exist about all whistleblowers — some people
see bravery and positive impact; some see treachery and negative ramifications.
Just last year (still the prior decade) another whistleblower
came forward who had what can safely be called an “impact” on the political
scene. This (currently, officially unnamed) whistleblower accused the U.S.
president of abuse of power. (There’s a lot more going on around this one, but this is not the place to get into
the politics of a situation with details that leave me as confused as a dog
staring at the finger pointing at the moon.) Much like Snowden, some hail the individual
as savior; others portray him or her as a tool of evil.
In the Snowden case, the government is looking to prosecute;
in the second case, a significant part of the government is looking to protect
the whistleblower. The difference hinges on an important aspect of various
whistleblowing laws. (And, at this point, a quick reminder that I don’t even
try to play a lawyer on TV — so these are just my informed opinions developed during
the attempts at research I’ve recently completed. If I’ve got this wrong, feel
free to let me know.) Whistleblower protection is afforded when the
whistleblower speaks out about illegal activities. The contention with Snowden
is that what he reported was classified and not illegal. The contention with
the unnamed whistleblower is that, to this point, evidence indicates it may be
about illegal activities.
And thus, hairs are split.
What’s an internal auditor to do? Well, here’s lesson No. 1 (the basic lesson). When it comes to whistleblowers, know the law, know what
you can do, and be prepared. (I guess that is three lessons, but I’m putting
them under one big umbrella.)
Internal audit lives and dies because of the information
provided by its clients, customers, co-workers, and even the general public. Most
of this comes via open and transparent communications. But, in some instances,
we may be asked for anonymity. (If your department is involved in fraud
investigation, then this probably happens quite a bit.)
I think everyone knows there is only so much protection we
can provide. In general, the only promise we can make is that anonymity will be
maintained as long as possible. It is our responsibility to ensure the individual
understands how little protection there is and the limitations internal audit
Everyone will have their own limits, and you have to understand
those limits going in. I was lucky. In my situation I could promise relatively
strong anonymity. First, I had bosses who would let me move forward without
providing names. Second (and a big part of all this), my approach was to prove the
allegations by obtaining enough corroborating information through normal audit
channels that the source would not be necessary. In other words, the work would
speak for itself and, done correctly, I would not have to reveal the source. But
I always advised that, if push came to shove, I would have to give up the
individual’s name, and they should be prepared for this.
But the bigger (and trickier) issue comes up when we become
involved in whistleblower situations. The individual may come to us first, we
may be asked to do follow-up, or we can even be in a situation where we feel we
need to act as a whistleblower. (See Cynthia Cooper.) Because of this, internal
audit has to understand its organizational role related to whistleblowers, keep
abreast of the legal requirements, and know exactly what to do before such
Let me repeat that last one — know exactly what to do before
such situations arise. Successful handling of whistleblower cases requires research,
training, and preparation. And internal audit must be ready for such situations
before they arise, lest it be blindsided.
Now, if that was all I wanted to say about the subject, then,
as I first thought, whistleblowers would make for an interesting discussion,
but would not have made my top 10 list. However, last week I found myself in the
car screaming at the Neanderthals on the local sports talk radio station who
purported to be experts. And their uninformed and misguided conversation provides
the basis for a more important lesson internal audit needs to understand about
whistleblowers. And a lesson that speaks to broader approaches, roles, and
values within the department.
Next time we’ll talk about education, mindsets, and Major League