I frequently peruse various news feeds for articles on internal audit. Some of those written by non-internal auditors are quite good. Some are quite bad. And there are some that offer bad information or advice that I cannot resist calling out. One such article appeared recently on the noted thought-leadership website JDSupra.com.
To be fair, the article, titled SEC Compliance Internal Audit Tips: 4 Things You Should Know, appears well-intended and provides some useful advice for executives of regulated securities firms. For example, the author advises securities firm executives to “take prompt action” on information provided in internal audit reports. Executives are also urged to keep internal audit and compliance functions separate. I have no arguments with either of those tips.
But there is one piece of advice that stands out: The section titled “Some Internal Auditors Can File Whistleblower Claims, So Be Careful Who You Hire.” My first thought was, uh-oh, where is this going? As I read on, the intent became clear. The author concluded by cautioning, “Make sure you hire an auditing team that you can trust to keep the audit internal.” In my opinion, that advice could prove difficult – and dangerous – to pursue.
I have always believed that internal auditors have an obligation, first and foremost, to their organization. The IIA’s Code of Ethics mandates that “Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.” So, my objection is not that internal auditors should not keep matters internal (including the board). My concern is this: how can management and the board ensure they are hiring someone they can trust on this particular point?
“Can I trust you to never take an issue to anyone outside of the company?” That is not a question I would ever ask a prospective candidate for an internal audit position. Imagine the signal that would send. As a candidate for a CAE role, I was once asked, “Are there any circumstances you could ever envision when you would disagree with the CEO?” I offered an evasive answer, and withdrew my name from consideration soon after that interview. I felt it was an inappropriate question that signaled a potentially toxic culture.
In my opinion, the best course of action to ensure an internal auditor never takes an issue external is to maintain a strong system of governance, risk management and controls fostered by a culture of compliance and accountability. Management and boards would be better advised to invest in well-resourced, independent internal audit functions than to worry about whether those internal audit functions are going to turn on them.
As always, I welcome your views.