Regular readers of this blog know its focus is to provide internal audit practitioners insight and advice on doing their jobs and ultimately helping their organizations reach their goals. This is why my most-read posts often involve straightforward and practical advice and observations about the daily work of internal auditors. Over the years, posts that include lists of specific recommended actions have proven to be some of the most popular.

Yet, I find it is also necessary to comment occasionally on high-profile news events, adding important context to how risks associated with these events could impact organizations and, therefore, internal audit.

For several weeks, I have been wrestling with whether and how to take on one such issue that has become the elephant in every corporate boardroom — sexual harassment. While the issue has been a persistent workplace risk in every organization for decades, its pervasive and often-tolerated presence can no longer be ignored.

Courageous women and men speaking out and the #MeToo social media campaign have combined to shine a white-hot light on the issue. The flood of allegations against prominent individuals, from Hollywood producers and actors to members of Congress and political candidates, has piqued the public’s outrage like never before and emboldened even more victims to come forward.

Clearly, this is a risk that organizations cannot afford to overlook. Most today have policies addressing sexual harassment that may include required training and periodic refresher courses. But this, like ethics and conflict-of-interest training, is vulnerable to becoming a checklist exercise.

There are often complex factors and influencers that can mute or erode even the best-intentioned policies. For example, a zero-tolerance policy against sexist behavior or sexual harassment is only as good as how consistently it is applied. If exceptions are made, such as for C-suite executives or high-performing employees, the culture within the organization will be very different from the stated policy.

As the #MeToo campaign has shown, those who feel they have been sexually harassed have easy access to powerful social media tools to take their stories public. If they have no faith that the policies intended to protect them are working, they will find other ways.

Management’s approach to prevention of sexual harassment and response to allegations can deviate significantly from what boards may desire. One example is management weighing the cost of reputational and brand damage versus cash settlements and non-disclosure agreements. In most cases, the latter prevails. Under such circumstances, boards of directors may not be aware of the number of settlements and, therefore, have a skewed view of the extent of the problem.

Beyond the risks associated with mishandling clearly inappropriate behavior, an organization can also succumb to subtler biases that can make it vulnerable to gender-related problems.

A survey in Women in the Workplace 2017 found significant differences between how men and women view themselves at work. For example, while 8 percent of men said gender has played a role in missing out on a raise or promotion, 37 percent of women said it had. The survey also found that 15 percent of men said their gender will make it harder to get a raise or promotion while 39 percent of women did.

The survey, which involved 70,000 employees from 222 companies, also found disturbing views on women in leadership. Nearly 50 percent of male respondents think women are well represented in the leadership in organizations, where only one in 10 senior leaders is a woman. A third of women said the same thing. It’s difficult to disagree with the report’s conclusion that, “It is hard to imagine a groundswell of change when many employees don’t see anything wrong with the status quo.”

When it comes to discriminatory practices or sexual harassment, internal auditors owe it to their organizations to provide assurance on how effectively the risks are being managed. This may require delving into practices of the human resources department or the general counsel. Internal auditors will likely hear the tired refrain that we are not qualified to assess management of legal or HR risks. But if not us, then who?

We owe it to employees and shareholders of our organizations to ensure that management has these critical risks on their radars and has controls in place that protect against those who would discriminate or prey on the vulnerable.

As always, I look forward to your comments.