A Bad Month for Internal Audit Just Got a Little Better

Earlier this week, I posted a blog about recent fines levied against two former Wells Fargo internal auditors. The blog was a call to action for internal audit executives and governments around the world. I called on CAEs to consider in the factors that led to the Wells Fargo fines when setting and reviewing their own quality assurance and improvement programs. I also called on governments to legislate safeguards and protections for internal auditors who find they “are handcuffed when it comes to executing their roles free of restrictions and interference.” I noted that if governments are determined “to call “balls and strikes” on how internal audit executes its role, then they should provide safeguards that will enable internal auditors to swing the bat when needed.”

My blog on the Wells Fargo fines resonated with internal auditors around the world – generating almost 100,000 impressions on LinkedIn alone. But despite the intended message of the blog, there is no hiding the “black eyes” that such stories inflict. Respected compliance author Matt Kelly asserted in an article earlier this month that Wells Fargo’s former CAE had “ample evidence that Wells Fargo’s sales practices were a nine-alarm fire, yet he didn’t take sufficiently strong action to tell the board that the building was burning down.” Let’s be honest, bad publicity like that is never good for any profession – especially one that prides itself of being “guardians of trust.”

As if the Wells Fargo news wasn’t bad enough for the profession, last week the U.S. Public Company Accounting Oversight Board (PCAOB), issued a proposed confirmation standard for external auditors. Normally, such news wouldn’t be of significant consequence for internal auditors. However, in its infinite wisdom, The PCAOB included a provision that “internal auditor should not select the items to be confirmed, send confirmation requests, or receive confirmation responses.” Frankly, that wasn’t the bad news. As my readers know, I have long discouraged the use of internal auditors to do administrative leg work for external auditors. So that didn’t bother me too much.

The PCAOB wasn’t content to preclude internal audit support of the external auditors. Instead, they included the following rationale: “Involving internal auditors or other company employees in these activities would create a risk that information exchanged between the auditor and the confirming party is intercepted and altered. Accordingly, under the new proposed standard, using direct assistance from internal auditors for these activities would not be allowed.” So, in essence, the PCAOB believes internal auditors can’t provide this kind of administrative support because they can’t be trusted! Give me a break. A skeptic might point out that there has been more publicity about PCAOB staff who have leaked information than internal auditors.

The PCAOB comments came less than two weeks after the Wells Fargo news, and further cast internal audit in a bad light. These unrelated pronouncements by the Office of the Comptroller of the Currency (OCC) and PCAOB have had the unfortunate consequences of casting internal audit as less than trustworthy.

The double whammy of December’s bad news promised to end the year on a bad note. Then just when we needed it most The IIA weighed in on the PCAOB’s proposal. President and CEO, Anthony Pugliese, expressed “deep concern over the potential precedent the PCAOB’s proposed standard may set regarding the work of internal auditors. The internal audit profession is grounded in providing audit committees with objective assurance, independent from management, in accordance with internationally recognized internal auditing standards. The PCAOB’s proposed standard could have the unintended consequence of implying that internal auditors would intentionally ‘intercept’ and ‘alter’ information. Like external auditors, internal auditors have an obligation to exercise due care in the handling of all information.” 

As The IIA went on to note in its press release: “Internal auditors are responsible for providing audit committees with objective assurance, independent from management, on matters related to risk management, internal controls, and corporate governance, in accordance with the International Standards for the Professional Practice of Internal Auditing. Because internal auditors and external auditors have the same independent reporting relationship to the Audit Committee, it is common for external auditors to rely on work performed by internal auditors and/or for internal auditors to directly assist external auditors in the performance of certain duties.” 

The IIA added that it is presently examining the full impact of The PCAOB’s proposal and intends to submit a formal response during the exposure process in 2023.

So, what lessons should internal auditors take away from the news this month? First, we must remember that we are not immune from scrutiny and skepticism from others – including government oversight agencies. Second, we must remember that we live in glass houses, and are prime targets for those who throw stones. Finally, we must remember that in order for The IIA and other advocates to mount an effective defense on our behalf, we must “walk our talk.” We must champion ethical conduct in our organizations and hold ourselves to the same standards that we hold others.

I welcome your thoughts on this timely conversation.