Internal Audit Manifesto

INTERNAL AUDIT

MANIFESTO

This is perhaps my most delicate and difficult article because it talks about the most vilified part of a function, which is at the same time the most necessary and the most feared by companies.


This article follows on from the previous tab:

Origins of Internal Audit

This article refers to the the December 2022 judgement I explained in the Origins of Internal Audit tab:


US Court Judgement sanctioning Wells Fargo's Chief Auditor, the Executive Audit Director and the Chief Risk Officer (CRO), here is the link:


https://www.radicalcompliance.com/2022/12/08/judge-blasts-ex-wells-fargo-execs/


for failing to report internally the irregularities and illegal acts that were committed at the bank, as they clearly failed to perform the duties of their functions

This is what the judge wrote: the executives "separately and collectively engaged in unsafe or unsound banking practices by individually failing to identify and effectively address inadequate controls over known issues of risks related to sales goals pressure in the Community Bank." In so doing, they intentionally avoided escalating concerns and misled regulators "regarding the efficacy of controls over risks related to sales goals pressure,...

This judgement is a storm warning, because it establishes the negligence of the internal auditor in failing to comply with his/her duty by not reporting and escalating concerns, risks and failures and irregularities with respect to the effectiveness of controls over risks (in this case, sales target pressures). And also, for misleading regulators.


Based on this argument, any internal auditor is at risk, as it is not so easy to identify all risks and those that are not identified can neither be checked nor evidenced, let alone escalated. I, therefore, believe that all internal auditors should have this judgement on their desk.


Moreover, any internal auditor who is in any way unduly influenced, or coerced, not to report in his/her report, or via his/her reporting line to the Board of Directors, in fulfilment of his duty, may be in for an even more unpleasant surprise if he does not do his/her duty. And I understand very well the pressures not to report.


This judgement also highlights the importance of the internal audit function, a function that companies listed on the New York Stock Exchange and the NASDAQ Stock Market are required by law to perform. This function has responsibilities to the Board and regulators and failure to perform the work of that function diligently may be considered negligence. I cannot emphasise this any further.


Thus, the
internal auditor must be prepared to report any irregularities or risks of irregularities to the Board of Directors, and some may even have to contact the authorities or regulators. 

In reporting, my preference has always been that the audited area knew in advance the result of my audit tests that I was going to report. I recognise that in sensitive situations it may well not be possible to do so.


Interestingly, companies are concerned that any irregularities will come to public attention. However, it is when irregularities are not addressed and reported by the internal auditor that things end up blowing up very publicly. Having an internal auditor reporting to the Board of Directors can prevent this

And yes, there are people who publicly expose irregularities in the company by going to the press. These are the so-called whistleblowers, usually employees who happen to see something. These people are explicitly protected by law. I do not believe that an internal auditor can be a whistleblower to the press, as the internal auditor has his/her own reporting channels to the Board of Directors (and even to the authorities), in accordance with the duties of his/her position. I have not seen it myself, nor have I been aware of any of my colleagues doing such a thing. 



I have reported fraud, corruption, bribery, and other crimes to the Board of Directors via my internal audit reports and following the reporting line of my managers in Internal Audit. I never even considered reporting publicly. And I recognise that many times, neither the Board of Directors, nor the authorities, nor the regulators, nor the courts, have been up to the task. Obviously, the executives:


And here I make a specific remark. I have never seen, in any of the irregularities and crimes I have reported, the caretaker, receptionist, .... or similar positions involved. What I have consistently found is senior executives involved


And obviously, these executives did not thank me, in general, for having diligently fulfilled my role as internal auditor, except on one occasion.


Well, as Cynthia Cooper, one of my role models together with Sherron Watkins, says, "we don't do it for the thanks". We do it to fulfil a duty that meets a need for shareholders, investors and society to ensure that corporate crime is not committed and that society, in general, does not suffer the consequences.

I also call on legislators, regulators and authorities to protect a necessary function that is still not protected today and whose professionals are often sidelined and suffer retaliation from company executives. 


Neither the European Directive on the protection of persons who report breaches of Union law, nor PIDA (Public Interest Disclosure Act in the UK) protect the internal auditor, because, firstly, they are not designed to protect a professional whose duty is to look for possible irregularities or wrongdoings in order to report them diligently to the Board of Directors. These legislations only try to promote that if a person, an employee, sees something irregular by chance, he/she feels at ease to report it without fear of retaliation. 

And secondly, because companies are a few steps ahead of the law, and have already developed tools that allow them to circumvent these legislations, via so-called (sometimes euphemistically) performance plans, giving bad feedback to the internal auditor (that his/her writing style is a problem, that he/she does not know how to speak to senior executives...) and generally, threatening to undermine his career and his survival mode.

And yet, despite showing evidence to authorities, regulators, courts, of the falsity of such performance plans or false feedback, no one challenges them. And it is curious that those who most try to bring down the internal auditor are precisely the executives of the audited area. What is fascinating is that no one raises the issue of false or misleading negative feedback being given against the internal auditor.


It would be like allowing a judge to be evaluated by any of the parties in the trial. Obviously, the party that has lost the trial will not speak well of the judge. What is fascinating is that these situations are allowed to happen with internal auditors. 


I am not saying that an internal auditor should not be evaluated and corrected if his or her performance is not up to standard. I do not understand, and it is difficult to defend and justify, that the evaluation of that performance must be done by the audited area, who may be very good professionals in their functions, but who have no idea about internal auditing.

By tolerating and accepting that these situations arise, all we are doing is jeopardising the benefits derived from this internal audit function, which is so necessary, otherwise, why would they have made it compulsory for companies listed on the New York and Nasdaq markets?

AMBASSADOR OF TRUST

Share by: