September 2014

September 30, 2014

How Long Should Former CAEs Blame Themselves for Subsequent Calamities?

When there’s a serious breakdown in controls, sooner or later someone will pose the inevitable question of “where were the internal auditors?” It’s not just a blame game. After any audit failure, the CAE must re-evaluate and learn from possible mistakes to prevent similar gaps in the future.

In the past, whenever a calamity occurred in an organization, reviewing the CAE’s role was often cut and dried. Perhaps the internal audit function had insufficient independence and authority to address the risk that eventually blew up. Or its risk assessments didn’t cover all parts of the organization. Maybe internal auditors hadn’t immediately identified and reported on an issue, or they failed to follow up in a timely manner to ensure management had taken action.…

September 22, 2014

Internal Auditing in a Tone-deaf Environment

As internal auditors, we understand the importance of a strong tone at the top. It defines an organization’s culture and often the organization itself. A strong and positive tone sets a clear direction – operationally, ethically, and morally – and enables us to do our jobs and serve our stakeholders effectively.

But for some organizations, management and/or the board may seem profoundly tone-deaf and unable to articulate a clear path or purpose. Or worse, the tone they do set is less than desired and perhaps even counter-productive. The impact may go unnoticed, or it may become quite visible: goals and objectives are missed, morale and productivity falter, revenue and profitability plummet.…

September 15, 2014

Are Internal Audit Clients Always Right?

When customers are unhappy, most organizations will scramble to fix the situation. As the old adage goes, the squeaky wheel gets the grease, even when a complaint might seem groundless.

So, does this translate to our profession? Are internal audit clients always right, too? And how far should we go to accommodate a client’s point of view, especially when we are convinced they really might be wrong?

Internal auditors serve many stakeholders. We can’t simply back off recommendations to one when we know other stakeholders are depending on our assurance. There are no money-back guarantees in internal auditing, because customer satisfaction cannot always be assured, but our goal is to come to consensus.…

September 8, 2014

When the Whistle Is Blown, All Lines of Defense Have Failed

When federal whistleblowers rules were enacted, it was understood that even internal auditors could be eligible under certain conditions. But the first payout ever – $300,000 in this case – to a whistleblower who performs an audit or compliance function at a company still leaves me with mixed emotions.

On one hand, the Securities and Exchange Commission has a completely valid need to ensure that appropriate action is taken whenever fraud or corruption is exposed in a publicly traded company. That goes to the core of the whistleblower program. And, according to the SEC, the individual in this precedent-making case followed all the rules, including giving the company at least 120 days to adequately address the problem before reporting it to outside authorities.…

September 2, 2014

It’s Hard to Be a Watchdog When Your View Is Obstructed

I was fortunate during my tenure as inspector general of the Tennessee Valley Authority and deputy inspector general of the U.S. Postal Service to have boards that understood the important role IGs must play and the statutory independence envisioned by the U.S. Inspector General Act, which created the current IG model in the United States. The boards conveyed a z​ero-tolerance policy to management within the agencies in terms of interference with our work.​

However, I encountered many instances during more than 25 years as an auditor in the U.S. government, where officials tried to block access to records, provided misleading information, or delayed the release of audit reports containing bad news.…