In a speech that I delivered last spring, I discussed the various roles that an internal auditor can play across what I called the “ethics continuum.” I noted that on rare occasions, when internal auditors become embroiled in a fraud or conduct, they are an “accomplice.” On other occasions, I noted, the internal auditor isn’t an accomplice. Instead, he or she simply sits on the sidelines and does not call out inefficiency, waste, fraud, or mismanagement. I called these internal auditors the “spectators.”
I also noted that from my experience, the most frequent role that internal auditors play is that of a “referee.” Much like a referee in a sporting event, internal auditors often observe the plays that make up the normal course of business operations, and blow a whistle or throw a flag when circumstances warrant. They are objective in assessing whether a “foul” or “infraction” has occurred, but they are still reacting to what took place in the past. From my experience, however, internal auditors cannot be fully effective if they are only willing to identify mistakes or fouls after an errant play. They must be willing, when circumstances warrant, to throw a flag before the play.
In a recent blog, I discussed the fiasco of the website rollout for the U.S. Affordable Care Act. Obviously the failures associated with the website rollout were not caused by the IG’s auditors. We still don’t know the entire story regarding the website problems, but it seems evident that opportunities may have been missed to sound warning bells. Either the auditors did relatively little proactively to warn agency officials of potential failures, or when warnings were given, they were less than effective in preventing the disaster. The result: One of the biggest public relations calamities to rock a government agency in recent memory.
I raise the example of the www.heathcare.gov debacle again not to continue piling on. Instead, I believe this represents a perfect case study for when an internal auditor can throw a flag before the play. When complex IT systems or websites are being designed is the time for internal auditors to become engaged. If they observe inadequate planning, internal controls, or systems design, the time to speak up is before deployment. This is true for any new business or IT initiative. Waiting until deployment and potential failure adds no value and risks the reputation of the very enterprise they are entrusted to serve.
Just as a football referee will throw a flag for an “illegal substitution” infraction or a “false start,” an internal auditor should be willing to throw the flag before the ball is snapped.
I welcome your thoughts.