Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.
Internal auditors are ethical — right? After all, we think of ourselves as the “beacon of ethical light” in every organization. If you can’t trust the internal auditor, who can you trust? Yet, at the end of the day, we are also human. We are subject to the same pressures (culturally, politically, and organizationally) as everyone else in the enterprise. So, maybe we are vulnerable after all.
But can we afford the luxury? I think not.
In the past few months, I have become increasingly troubled by isolated instances when the “ethical compasses” of internal auditors appeared to fail — rather spectacularly. In some instances, they were accused of concealing audit results from the audit committee at the behest of senior management. In other instances, they took it upon themselves to spare their organization embarrassment, and withheld negative audit results fearing bad publicity. In the end, each of the cases ended as badly for the internal auditors as it did for management. Why? Because “the cover-up is often worse than the crime”!
After almost 37 years in the profession, I have encountered more than a few professional ethical dilemmas. They typically involved whether to “call it like it was” despite the potential personal and professional consequences. Fortunately, I was always a little too naïve, foolish, or (maybe even) daring to care. I did what I needed to do. But, I could easily see how others would take a different path. Unfortunately, when we do take the easier path, we sacrifice not only our own professionalism, but we chip away at the reputation of our profession as well. I often observe that “I would rather no one know what internal auditors do than to draw conclusions from those who do it poorly.”
A blog is too short to explore all of the intricacies of every ethical dilemma we face. However, I have identified several dilemmas that commonly arise for internal auditors. As I am sure you will agree, these dilemmas often force us to face the areas of grey rather than the pure black and white world in which we prefer to live. I would suggest you answer each of these questions as though you were facing a personal ethical dilemma:
- You audited an area for which you were previously responsible and found major control deficiencies related to the period over which you exercised control. You didn’t know the deficiencies were present when you had responsibility for the area. Would you report them?
- Your annual risk assessment identified a key business process related to how the company performed during the winter holiday season. Scheduling the audit for the coming year would mean that you and your team would have to sacrifice holidays with your family. Would you schedule it anyway?
- You audited an area where a family member or close friend had key management responsibilities. You identified major problems. What do you do?
- You are in a rotational assignment in internal audit. You are slated to rotate into an undetermined business unit in a year. You just audited the business unit in which you most want to work, and have some critical findings. Do you report them or sit on them?
- You are the chief audit executive (CAE) of a Fortune 500 company. Your audit team just identified potential violations of the Foreign Corrupt Practices Act. Disclosure would create havoc and bring disrepute to the company. Do you finalize the report and send it to the audit committee?
- You just completed an audit of the company’s expense reporting processes and found several violations of travel expense policies. However, you know that you do not personally comply with these policies. Do you call out noncompliance anyway?
- You have been accruing company stock in your 401K and stock options in your company since you accepted the role of CAE. Your audit team just delivered a draft audit report to you that cited a potentially serious fraud involving the company’s financial reporting. Disclosure would likely devastate the share value along with your personal worth. What do you do?
My guess is that you were easily able to answer these questions in your mind. Of course you would do the right thing. Yet, too often I have seen those faced with the real dilemmas cited above whose “moral compass” failed them. Don’t let that happen to you.
Richard: Thanks for elevating some of the issues that make the life of a traditional "direct report" internal auditor difficult. The term "direct report" means an approach where the internal auditor is the primary risk/control analyst/reporter. The majority of organizations in the world use this approach. This casts the internal auditor as the person that decides whether the current "risk treatments" (known as "controls" to traditional direct report auditors) are resulting in a residual risk status that is within the organization's risk appetite. The direct report approach to internal audit regularly puts the internal auditor into very difficult ethical situations on a regular basis if they are covering issues of real importance.
The IIA and every internal audit department in the world need to do everything they can to convince management and work units that they should be the primary risk/control analysts and reporters. The role of internal audit should be to quality assure the risk assessments done by work units and provide independent opinions on their reliability to the organization's board of directors. If the work unit discloses serious residual risk status situations reliably and candidly, they should receive high positive reports from internal audit even if the news is bad. The traditional direct report audit paradigm does not incentivize work units to candidly disclose significant retained risk positions and in fact encourages work units to conceal areas where risk treatments are resulting in high residual risk. IA needs the support of the board to help this transition.