Recent media coverage has focused on prosecutors who are scrutinizing a draft internal audit report from a globally recognized company in an attempt to determine whether company executives ignored or tried to conceal the report’s findings from the audit committee. The draft report flagged concern about the company’s compliance with U.S. anti-bribery laws, and whether anyone attempted to bury or hide the draft audit report. If so, prosecutors believe it could help show intent — a key element in obtaining criminal charges.
No criminal case should be “tried by blog,” and I will not focus on the specific case nor speculate about criminal wrongdoing. But an important internal audit issue is raised in cases such as this one that I think we, as a profession, need to talk about:
If an internal audit report is ignored or suppressed, whose fault is it?
One of the most fundamental roles of chief audit executives (CAEs) is to ensure that members of management and audit committees receive the information they need to make sound decisions. When someone prevents important internal audit findings from reaching the audit committee, it is an offense that undermines some of the fundamental tenets of our profession.
I recognize that many forces are at play when audit information is suppressed. The decision to censor or suppress important information rarely starts with the CAE. But despite any obstacles, clearly it is the responsibility and ultimate obligation of internal auditors to ensure that essential information gets to the audit committee, and that it is reported timely and in enough detail for management and the audit committee to take appropriate action. At times, it can be a difficult challenge — but it’s rarely impossible.
The International Standards for the Professional Practice of Internal Auditing (Standards) are clear: Reporting must include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board. Communications must be accurate, objective, clear, concise, constructive, complete, and timely. When the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE must report the matter to the board for resolution.
The Standards are clear. But to me, this issue is not just a matter of compliance with professional standards: It is a professional and moral obligation of the CAE to assure that the audit committee is advised if there is evidence that the organization may be a party to criminal wrongdoing.
Auditing is not always an easy profession. But when the going gets tough, the true audit professionals get going. We might do well to remember the example of Cynthia Cooper at WorldCom: When management tried to prevent internal audit from investigating certain matters, the auditors continued working secretly and at night when necessary to get the job done. I hope that if we were in the same situation, we all would have enough strength in our convictions to make a similar decision.
That being said, I also believe that management and the audit committee bear some of the responsibility for ensuring free and open communications between auditors and the audit committee. In organizations where the audit committee rarely meets privately with the CAE, it may be time to rethink the meeting schedule. If reporting lines are not optimal for assuring internal audit independence, objectivity, and organizational stature, it may be time to reassess internal audit reporting relationships.
Other recent headlines also have created some discomfort for the internal audit profession. Although such cases are extremely isolated, we have nonetheless seen too many instances recently where internal auditors were implicated along with their company of fraud, corruption, or other wrongdoing. As a profession, there are things we can do to help avoid the rare incidences in which internal auditors are implicated in fraud or corruption. The IIA and the profession have a Code of Ethics and all IIA members and Certified Internal Auditors are expected to maintain compliance. We should continuously advocate for high-level ethics, leading by example to our management, boards, colleagues, and young professionals. It is up to all of us, individually and collectively, to uphold our commitment to ethical behavior. And if we work together with management and the audit committee to ensure that clear channels of communication are in place, there should never again be an article that alleges an internal audit report has been suppressed.