The Perils for Internal Audit of Donning a “Black Hat”

One of the enduring challenges for internal auditors is how to sustain trusting relationships if they are frequently called upon to assist in investigations of executive and employee misconduct. As I observed in a 2014 blog post, the reality is that many internal auditors are asked to assume responsibilitie​​s related to corporate investigations.​

More than 80 percent of respondents to The IIA’s 2015 Common Body of Knowledge survey indicated that their internal audit function had some degree of responsibility for detecting fraud within their organizations. That number changed little in the past three years. Current data from IIA members s​​​how 73 percent of CAEs report having fraud auditing as part of their responsibilities. Another 31 percent report having forensic investigations under their purview.

It is not uncommon for internal audit to be asked to conduct confidential investigations outside of their normal scope of work, such as on behalf of the audit committee or executive management. In some cases, internal auditors are called upon by the general counsel or CEO to assist with specific investigatio​​ns.

In my 2014 blog post, I noted that, while there are certainly benefits to a close working relationship between internal auditors and corporate investigators, there also are big risks to internal audit. When internal auditors are deeply involved in investigations that may result in disciplinary action a​​gainst executives or other employees, it can be difficult for the internal auditors to be seen later as trusted advisors who are there to help when they return in their internal audit role.

Cross-functional arrangements are not new. When I was a federal inspector general, I was responsible by law for both the audit and investigative functions within my organization. The two groups were very different, with the investigators being federal law enforcement officers. Howeve​r, because of a shared reporting structure, my audit and investigative roles and those of my staff were inevitably linked in the minds of our stakeholders.

Frequently, I would receive a call from an irate executive exclaiming, “Your auditors are in my department flashing their guns and badges.” I would calmly offer​ assurances that we did not issue weapons or badges to our auditors, and that our investigators were in their department conducting a confidential investigation related to potential fraud or misconduct. The executives would typically calm down, but they never fully differentiated between the roles of our various staff members.

Such misunderstandings might get resolved quickly on a case-by-case basis, but an inherent confusion about the role of an internal auditor versus that of an​ investigator undoubtedly makes it more difficult for internal auditors to build and sustain the relationships that are so critical to their ultimate success.

It’s easy to get typecast as wearing either a “white hat” or a “black hat” — as hero or enforcement villain. When an internal audit department is associated stro​​ngly with the type of investigations that result in terminations or even criminal prosecutions, it can be challenging for anyone in internal audit to be regarded as a true partner.

I don’t mean to imply that internal auditors should avoid participating in tough assignments, including investigations involving potential misconduct. Internal audit​​​ors can provide a unique and invaluable contribution. And, for smaller organizations, it may not be feasible to maintain separate internal audit and investigation teams. But one of the difficulties of taking on a “black hat” role is that changing roles may not be as easy as, well, changing your hat.

If your organization decides that internal audit should routinely perform or assist in investigations, you should take the extra steps to ensure your audit–client relationships are healthy. If staff size is sufficient, the simplest way may be to assign separate teams to internal audits and investigations, and avoid ​​the temptation to use personnel interchangeably. It also is important to ensure that engagement clients clearly understand the scope and nature of the internal auditors’ work, including the fact that we must occasionally support or conduct sensitive investigations.

As a profession, we have made extraordinary progress in recent decades to raise our stature. Corporate executives and board members have a much more favo​​rable view of our capabilities today than a decade ago. While leading or supporting corporate investigations is a role that we must necessarily assume from time to time, it does not come without risks to our image and relationships in the organization. As with any risk, we must employ the appropriate mitigation strategies.

I welcome your thoughts on internal auditing’s role in supporting or leading corporate investigations.​