I have offered my services as a mentor to audit and risk professionals and sometimes get some interesting emails and calls. It gives me pleasure to offer a little advice from my years of experience, and to think that I may be able to provide advice and insights that are valued.
An example of this came up this week, when I was contacted by a gentleman who shall remain anonymous. All that we need to know is that he is very proud of his IIA membership and qualification, even though right now he is not working within an internal auditing function. He takes care of the Sarbanes-Oxley program testing for a division of his employer. Let's call him Fred.
Fred reports up through the CFO's organization, with a dotted line to his division's president. He also takes direction from the overall program lead (at corporate) for the Sarbanes-Oxley effort.
During his testing, Fred identified deficiencies that were clearly important (I won't label them as significant or material; it's enough to know they were not trivial). He reported them to his manager and also to the overall program lead in corporate.
The compliance lead instructed Fred to inform the division president of the issues. This was also Fred's inclination. However, his manager gave him firm instructions not to tell the division president.
Fred told me he was concerned that failing to inform the president might cause him to be in breach of the IIA Code of Ethics or Standards. He was worried.
So what would your advice be?
My advice was that Fred needs to follow the clear direction provided by his manager. By telling Fred not to inform the division president, the manager was in effect taking on that responsibility for himself. I also suggested that Fred discuss the situation with his manager, telling him that he needed to respond to the corporate SOX manager — and that he proposed reporting that he would not be informing the president because the issue was being addressed through Fred's reporting line.
Do you agree or disagree?