I talk to quite a few members of the press in my travels for The Institute, and most of the time the questions are fairly similar. Recently, though, I was asked a new question: "Are you concerned that there is not enough transparency in internal auditing?" The reporter's concern was that, with a few exceptions, corporate internal audit reports are not available to shareholders or other outside stakeholders.
My personal belief is that our role is to provide support to key stakeholders within the organization and that our reports should not be routinely available to the public. I'm not suggesting that it's not appropriate for government internal audit reports to be publicly available. Government auditors have a key role in maintaining the public's trust in our institutions. But if, starting today, all internal audit reports were made routinely available to the public, I think we would quickly see a chilling effect on the willingness of management and the board to have internal audit look at sensitive or high-risk areas that need immediate attention.
Many times the best leads for high-impact internal audit projects come from managers who know something is broken but who want an independent assessment regarding causes and impact of the problem or the best alternatives for fixing it. As a former U.S. federal government inspector general whose audit reports were on the public record, I was told more than once by managers that they knew of significant problems — but that they would not ask me to look at the problems because they wanted to try to fix the issue before it became part of the public record.
I recognize that internal auditors are often champions for transparency, but I believe that if our reports were distributed widely to stockholders, the press, and other outside parties, over time our relationships with management might erode and our ability to add value would diminish. A price would be paid during our risk assessments in terms of candidness, and both assurance and consulting engagements could become more challenging. Obviously there is a strong need for independent reporting outside the organization. But I think that, with very limited exceptions, it is in the best interest of strong corporate governance to have separate internal audit and external audit functions, only one of which reports routinely to outside parties.
At the same time, I recognize that there are real benefits to transparency, and I respect the views of others who feel differently on this issue. I would appreciate hearing from you. Are there times that internal audit reports should be publicly available? If so, when should the reports be public? What do you think?