When the Whistle Is Blown, All Lines of Defense Have Failed

When federal whistleblowers rules were enacted, it was understood that even internal auditors could be eligible under certain conditions. But the first payout ever – $300,000 in this case – to a whistleblower who performs an audit or compliance function at a company still leaves me with mixed emotions.

On one hand, the Securities and Exchange Commission has a completely valid need to ensure that appropriate action is taken whenever fraud or corruption is exposed in a publicly traded company. That goes to the core of the whistleblower program. And, according to the SEC, the individual in this precedent-making case followed all the rules, including giving the company at least 120 days to adequately address the problem before reporting it to outside authorities.

On the other hand, if internal auditors are viewed as “corporate snitches” who try to cash in whenever they come into possession of sensitive information and don’t get their way, our profession’s integrity and reputation are at risk. Some managers may hesitate to have candid conversations with internal auditors about difficult issues. Even worse, if managers and boards fear that internal auditors might reveal damaging information to outside parties, their solution might be to cut internal audit resources, including budgets and staffing.

Many details and identities have been redacted to protect the parties involved, but this whistleblower case should serve as a stark reminder of the important safety net provided through the Three Lines of Defense. Risk-based controls should have been in place to prevent such acts from taking place in the first place (the first line of defense). Internal monitoring and oversight should have detected any breakdown in controls (the second line). And, internal audit should have been able to successfully report the issue directly to the board (the third line). No matter how you feel about the reward money, one thing is crystal-clear: When an internal auditor – or anyone else in an organization – feels there’s no other option than to blow the whistle, all three lines of defense have failed.

But that’s not all of it. The “fourth” and “fifth” lines of defense (as some call them)  also crumbled. Senior management and the audit committee are responsible for ensuring that the Three Lines of Defense are firmly in place and working effectively. They obviously were not. As I said, we don’t know all the facts in this case, but governance issues seem to go far beyond the wrongdoing that was the basis for the reward.

A few weeks ago, I wrote a blog post titled “CAE to Audit Committee: I Know You Are Behind Me, But Will You Be With Me?” It discussed the importance of audit committee support for internal audit when issues involving CEO compliance or ethics are on the table. If the audit committee in this case was aware of the whistleblower’s concerns, but did not ensure that action was taken to address the problem, then this was likely an example of such a breakdown.

Should internal auditors report problems to an outside party, such as the SEC? I believe there are some situations in which such action is unavoidable. Imagine, for example, discovering that the board and senior management are involved in pervasive criminal activities that may obliterate shareholder value, raid employee pension funds, or even endanger human lives. Resorting to outside assistance would likely be ethically and morally imperative for anyone in an organization – including the internal auditors.

Our Code of Ethics sets a high standard for confidentiality. It states that internal auditors “shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.” To me, this means that we should clear a very high bar before reporting outside our organizations. For while external reporting is sometimes necessary, the Code of Ethics makes it clear that the decision to report should be made because it’s the right thing to do, not because we might be rewarded.

From that perspective, an internal auditor who is considering blowing the whistle really isn’t different from any other employee. In a perfect world, none of us would need financial incentives to convince us to do what we believe is right. But since the world and many companies are not perfect, I would only encourage internal auditors to do their best to exhaust all internal protocols within the company before pulling out the whistle.