Ten biggest banks scandals have costed £53bn in fines, FT 11 April 2016. The costs have had a “devastating impact” in profitability, New City Agenda think-tank said, denying shareholders billions of pounds………yet, it seems lessons have not been learned. Controls are still weak, when they exist, and senior management focus is still short term, (i.e.: reach the annual targets for the bonus), Internal Audit and Compliance departments have not much increased, rather, they have been reduced in some companies…..(involved in scandals)…..
Apparently Internal Audit and Compliance teams did not see any of the issues that caused the scandals, neither the financial crisis, yet these issues were not small. Were, then, the Internal Audit and Conpliance teams so incompetent? If so, they should all have been dismissed immediately (and I would have had scores of offers to help companies spot the big issues they have 🙂
None of this happened. So, could it be the case that Internal Audit and Compliance teams knew what was going on and did not say anything?
In my experience, as soon as I highlighted issues, management got nervous, they did not want anything in writing, they eventually told me the issue must be removed from the report, and that I was underperforming (e.g.: style of writing issues, lack of strategy,..). I received derogatory comments as “bee in the bonnet”, “old book-keeper”…
Can you imagine the VW Internal Audit team being told that they had style of writing issues as soon as they raised the emissions problem? You might think it was a joke, right? Well, this has happened to me, and more than once. Internal Audit and Compliance teams are to be stylistic and strategic (to avoid the senior executives be embarrassed for allowing/accepting/tolerating issues internally). The strategy is to keep things under the radar, so everything looks fine and, hence, the show can go on,….albeit at a $16bn cost for VW,…..and its “happy” shareholders.
Pushing further the issue is at someone’s job cost and the impact goes well beyond it, into private life. It is difficult to find another job as the internal auditor and compliance reputation is severely damaged by the company (with “Human” Resources support). Reducing someone’s way of living causes havoc. The impact is on family, spouses, chlidren, health,….and sanity, as this person is alone fighting, whilst everybody around does not believe that this person has been blacked out of the job market by a company that did not like what this person highlghted.
The way some companies reward an internal auditor or compliance person highlighting serious issues is by campaigning against, raising negative feedback against and putting him/her under huge stress. At a minimum, the internal auditor or compliance person will leave the company with no good referrals, as the aim is to make everybody believe he/she is incompetent. This way, nobody will believe what the internal auditor or compliance person is highlighting as issues. This clearly impacts sanity. This is what all whistleblowers tell when they explain what they are going through.
Companies have managed to take advantage of the employment legislation to make these actions “legally” correct. Yet, these actions do not benefit senior management, neither shareholders, nor the society. Nobody does anything about it though.
Taking into account all this, what is the role of Internal Audit? What is the role of Compliance?
I believe these roles have a bigger picture scope. The shareholders are the main beneficiaries of these roles, together with senior management (when they really want to know what is going on in the company and address it properly). There should be a way for Internal Audit and Compliance teams to reach out to the shareholders and senior management to escalate issues when their line managers are not addressing them. There should be ways to protect the whistleblowers (be it an internal auditor, compliance person, or any body in the company) from the smear campaign they are subjected to.
And what about Audit and Risk Committees? In my some 10 years experience in Internal Audit and Compliance, I only met once with them. I did not know them, neither did I have their contact details. If my line manager was not aligned with the issues I was raising, escalating them to the Audit and Risk Committee would have been like climbing up the Everest. I still do not understand why Audit and Risk Committees do not have a more direct contact with the Internal Audit and Compliance teams. They would be able to get a perspective of the business that some Heads of Audit and Compliance atemperate. Clearly, being part of an Audit and Risk Committee is not for fainthearted individuals, so there is no need to atemperate anything.
So, going back to my question above, could it be the case that the internal auditor, or the compliance person knew what was going on and did not say anything? Maybe they did say something and right now are being blacked out.
How can we make these so important roles safe from smear campaigns by line managers and/or senior management aiming to hide their own incompentence and wrongdoings?