Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Sexual Harassment Risk, Governance, and Audit


None of us want to see our organizations in the news and our people accused of sexual harassment. The implications for our reputation as an organization, as well as that of our executives, can be huge. So what do we do?

  • As members of the board?
  • As risk practitioners?
  • As internal auditors?

Let's start by making sure that:

  • We not only have a policy in place but that it is the right policy. It is understood by all employees, who are trained in and regularly certify their understanding of and adherence to the policy.
  • We not only have a whistleblower mechanism available for any of our employees to tell us of suspected sexual (or other) harassment, but they know about it and it is answered by people outside the regular chain of command — people who can listen objectively and make sure the right people are notified promptly.
  • Reports of suspected sexual harassment are properly investigated by objective and competent professionals and the results brought to the attention of the proper authorities within the organization.
  • Care is taken to avoid punishing those who come forward, paying particular attention to employees who their managers say are under-performing. While those employees may be seeking to avoid disciplinary action with a false report, the performance assessment may be an attempt by their manager either to escape punishment themselves or to punish the employee for coming forward.
  • The right people receive the results of such investigations and deal with them objectively, without bias, and without regard for position or title — and ensure appropriate action is taken consistently.

But let's also ensure that:

  • The same protections apply to everybody who works at the organization or is subject to the actions of its employees, such as temporary personnel, contractors, consultants, vendors, customers, and partners.
  • Appropriate training is in place for everybody. That training goes beyond reading the policy to training based on scenarios and case studies; training not only on what not to do but also training that guides people on what to do if they see or are told of sexual (or other) harassment. Additional training may be required for the executive team to ensure they know what to do, how to set expectations, and how to respond to incidents.
  • We understand the level of risk. How many reports are received? How many are investigated? How many are found to be credible? What disciplinary actions are being taken? What are the trends? The Risk function (not internal audit, please) may want to use analytics to monitor the area.
  • We monitor, spot patterns, and act. I heard one large organization talking about hundreds of allegations over a short period. Questions should be asked about the culture, the leaders of the area of the organization where most of the reports arose, and whether there was a broader problem.
  • The level of risk is discussed by the executive committee and the board. I would expect at least annual discussion at the board level, more frequent if the level of reports demands.
  • We are confident that people are coming forward. If the culture is perceived as punishing the innocent, then people will be reluctant to come forward — even anonymously. There are tools that can help, from monitoring social media (especially internal posts) to providing safe venues for employees to speak up anonymously.
  • Our leaders are setting the right example. Not only are they vocal, but they are exemplars in practice.
  • We are prepared for the worst case of a senior executive or board member being subject to accusations. When will the board, CEO, and others be informed? What should they do when? How will the organization respond to media reports?
  • This is on the radar of internal audit. The CAE should work with Legal, HR, and the board to ensure appropriate audit work is performed to ensure the organization understands, monitors, and addresses the risk.

Anybody, even people we view as high-integrity people, may be accused. Let's not get caught by surprise.

I welcome your comments.

