Trouble is something most people avoid. With rare exception, the desire for safety and security is deep-seated. The same holds true in business, where there is often an instinct in the corporate sector to avoid examination of controversial topics such as executive compensation, legal compliance, culture, and others that could well bring the wrath of those who feel targeted.
But in my experience, this tendency to look the other way more often than not compounds unexamined problems that may exist. After all, ignoring the source of smoke may well lead to an uncontrollable fire.
Sadly, some internal auditors fear that auditing high-risk areas will not resonate well with executive management. And there are certainly many companies where oversight is not valued. But a brief examination of this avoidance game quickly reveals the fallacy that sidestepping controversy will keep management happy or the organization out of trouble.
In a previous blog post, I described executive compensation as the “third rail” for internal audit. Indeed, almost 70 percent of respondents to The IIA’s most recent Global CBOK survey indicated that they dedicate minimal to no effort in looking at C-suite remuneration. CAEs often indicate that they steer clear of the topic because of the extraordinary sensitivity and perceived career risk of examining or questioning their bosses’ pay.
Unfortunately, avoiding executive compensation doesn’t make it any less of a risk. In fact, executive compensation programs that are never audited can become even greater risks over time.
One obvious risk is shareholder unrest over exorbitant pay and bonuses. Just this year, aircraft-maker Bombardier and pharmaceutical company Mylan have been pressured into rethinking or retracting pay plans for their top executives. Of more concern for internal audit are plans that tie pay to performance, in that they can encourage risky management behavior.
I’ve also written about the sometimes uneasy relationship between internal audit and the general counsel. Too often, CAEs express frustration with general counsels who they believe are more concerned about reputational and legal risks than affording internal audit the opportunity to fully articulate the results of their work.
I’ll concede that reputational and legal risks are important. However, general counsels too often would prefer to eliminate these risks altogether in internal audit reports — in effect, silencing internal audit from sharing critical information with the board or audit committee.
Fear of reputational risks is not limited to legal counsel. Often, public-sector auditors are discouraged by elected officials from reporting unflattering findings. The Politics of Internal Auditing offers a case study where one city’s internal audit team found appraisal and negotiation processes had been compromised in land purchases. Based on independent appraisals, it appeared the city had overpaid on real estate by as much as 25 percent. Despite pressure from elected officials and senior staff, the CAE made public his team’s findings. Unfortunately, doing the right thing cost the CAE his job when the same elected board did not renew his contract.
For more than a year, I have been raising awareness of the influence of culture on risk. This too can be an area viewed as taboo for internal audit, especially in companies or regions of the world where there is a strong deference to authority. The challenge here is overcoming an assumed infallibility of high-ranking company executives, or more precisely defeating the cultural convention that such challenges are disrespectful or improper.
The Politics of Internal Auditing offers a case study for this, as well, recounting the experience of a CAE at a large financial institution, where a highly valued chief technology officer (CTO) routinely resisted and dismissed internal audit’s technical findings.
The CAE shared a specific audit that involved a personal conflict of interest between the CTO and a technical vendor. The CTO had the power to stop the audit, and did so. Although the CAE escalated the stoppage all the way to the board, the CAE was not successful in restarting the investigation. The board and the CEO backed the CTO.
At this point, the writing on the wall was clear that the CAE would be unable to change the tone at the top that allowed deference to authority to trump good governance. The CAE moved on to another organization with a stronger commitment to internal control.
Each of these examples offers strong anecdotal evidence that avoiding controversy is a short-sighted and dangerous game for internal audit. For the past few months, I have been leveraging an analogy that great internal audit departments detect the thunder before the storm. It is also true that great internal audit departments do not fear difficult or uncomfortable topics. They courageously sail toward the storms in order to alert management and the board when risks are not being managed and controls are not adequately designed and implemented.
As always, I look forward to your comments.