The Daily Mail reports that Pope Francis has launched an inquiry into the Vatican bank in the wake of corruption and money laundering scandals. The announcement came after prosecutors in Salerno, Italy, placed senior Vatican official Monsignor Nunzio Scarano under investigation for alleged money laundering. Scarano has been suspended temporarily from his position in one of the Vatican's key finance offices, the Administration for the Patrimony of the Apostolic See. The bank's administration continues to function as normal, as does a new Vatican financial agency that has supervisory control over it. The commission will report back to the pope — presumably with both information and recommendations — and then will be dissolved.
This case offers auditors many points for learning, but perhaps the most important is the constant need for auditors to assess, observe, and make recommendations regarding weaknesses in the governance, risk, and control framework of the organizations they audit. Auditors should be watchful of:
Organizations that are neither "fish nor fowl." Frequently, large institutions (e.g., the Vatican) create organizations with unique mandates and legal and regulatory frameworks that are designed to be entirely legitimate. But uniqueness often is accompanied by complexity and a degree of susceptibility to manipulation by people with bad intentions. In this case, the Vatican bank is not among the departments of the central administrative structure of the Roman Catholic Church; nor is it a central bank responsible for a country's monetary policy or maintaining the stability of a currency and money supply. Furthermore, unlike banking for profit, the Vatican bank's surplus is intended for religious and charitable purposes.
Auditors in these unique organizations should propose and undertake governance, risk, and control audits periodically and arrange to assess their adequacy, including whether risks and established controls are working effectively. These audits can be targeted efficiently and need not be comprehensive, time consuming, or costly to be effective.
A lack of transparency, which can indicate fraud or other illegal activities. Under previous popes, Vatican bank operations largely took place behind a wall of secrecy, citing pacts signed with Italy in 1929 that provide for the complete independence of the Vatican City and of the institutions of the Holy See under international law. Collaboration with the Bank of Italy and with Italian justice mostly has been considered an attack upon the independence and sovereignty of the Vatican. Although a governance regime has been in place, Pope Francis is nonetheless taking actions intended to address several identified weaknesses in the Vatican bank's controls, including by cooperating with the Italian justice ministry and police and by creating an internal inquiry commission with authority to question anyone working inside the Vatican.
As a good auditor likely would observe, these positive actions should lead to the establishment of systematic, clear rules regarding expectations for the appropriate actions of a unique financial organization and its senior leadership — and the transparent communication of what they are and how well they are working. If carefully designed, this typically can occur in ways that respect the autonomy of a unique organization.
An effective governance, risk, and control regime that applies to everyone — not just most. A particularly worrisome example in this case is that one Vatican bank senior accountant allegedly embezzled 20 million euros — the equivalent of US $28 million — belonging to a wealthy family of ship owners from a Swiss bank and transported it to Rome in a private plane, thereby evading customs and tax controls. This underlines the importance of a stringent security background check process and objective scrutiny of the behavior of an organization's senior officials.