I recently saw a LinkedIn post with a compelling photograph of a smiling police officer and the caption, “Internal Auditors Are Not the Organization’s Police Force.” My first instinct was to agree with the post, but I reflected on the fact that many are seen as playing the role of corporate cop – some by their own choice, some by the choice of management.
Those internal auditors who choose to be “the police” by the way they execute their roles should never complain about relationship struggles they might endure. Choices have consequences.
But as I have observed in my blog over the years, the reality is that many internal auditors are asked to assume responsibilities involving corporate investigations. I am far more sympathetic to these professionals who may have no choice. But the enduring challenge is how to sustain trusting relationships if an internal auditor is frequently called upon to lead or assist in investigating executive and employee misconduct.
More than 80 percent of respondents to The IIA’s last Common Body of Knowledge survey indicated that their internal audit function had some degree of responsibility for detecting fraud within their organizations. That number has changed little over the years: An IIA survey last year found that more than half of CAEs said fraud investigations were part of their duties. Another 32 percent said they were responsible for their company’s ethics or whistleblower programs.
Even for those who aren’t permanently assigned investigative roles, it is not uncommon for internal audit to be asked to conduct confidential investigations outside their normal scope of work, such as on behalf of the audit committee or executive management. In some cases, internal auditors are called upon by general counsel or the CEO to assist with specific investigations.
The fallout is that it can be difficult for internal auditors to be seen later as trusted advisors when they return to their normal internal audit role.
To be sure, cross-functional arrangements are not new. When I was a federal inspector general, I was responsible by law for both the audit and investigative functions within my organization. The two groups were very different, with the investigators being federal law enforcement officers. However, because of a shared reporting structure, my audit and investigative roles and those of my staff were inevitably linked in the minds of our stakeholders.
Frequently, I would receive a call from an irate executive exclaiming, “Your auditors are in my department flashing their guns and badges.” I would calmly offer assurance that we did not issue weapons or badges to our auditors, and that our investigators were in their department conducting a confidential investigation related to potential fraud or misconduct. The executive would typically calm down, but they never fully differentiated between the roles of our various staff members.
Such misunderstandings might get resolved quickly on a case-by-case basis, but an inherent confusion about the role of the internal auditor versus that of the investigator undoubtedly would make it more difficult for internal auditors to build and sustain relationships that are so critical to their ultimate success.
It’s easy to get typecast as wearing either a white hat or a black hat — as hero or enforcement villain. When an internal audit department is associated strongly with the type of investigations that result in terminations or even criminal prosecutions, it can be challenging for anyone in internal audit to be regarded as a true partner, and it’s no wonder they are often seen as the corporate police.
I don’t mean to imply that internal auditors should avoid participating in tough assignments, including investigations involving potential misconduct. Internal auditors can provide a unique and invaluable contribution. And, for smaller organizations, it may not be feasible to maintain separate internal audit and investigation teams. But one of the difficulties of taking on a black-hat role is that it may not be easy to change hats later on.
If your organization decides that internal audit should routinely perform or assist in investigations, you should take the extra steps to ensure your audit–client relationships are healthy. If staff size is sufficient, the simplest action may be to assign separate teams to internal audits and investigations and avoid the temptation to use personnel interchangeably. It also is important to ensure that engagement clients clearly understand the scope and nature of the internal auditors’ work, including the fact that we must occasionally support or conduct sensitive investigations.
As a profession, we have made extraordinary progress in recent decades to raise our stature. Corporate executives and board members have a much more favorable view of our capabilities today. While leading or supporting corporate investigations is a role that we might necessarily assume from time to time, it does not come without risks. And, as with any risk, we must employ the appropriate mitigation strategies.
I welcome your thoughts on internal auditing’s role in supporting or leading corporate investigations.
I welcome your comments via LinkedIn or Twitter (@rfchambers).