When the Finger Points at Us

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.


Recent media coverage has focused on prosecutors who are scrutinizing a draft internal audit report from a globally recognized company in an attempt to determine whether company executives ignored or tried to conceal the report’s findings from the audit committee. The draft report flagged concern about the company’s compliance with U.S. anti-bribery laws, and prosecutors are examining whether anyone attempted to bury or hide it. If so, prosecutors believe it could help show intent — a key element in obtaining criminal charges.

No criminal case should be “tried by blog,” and I will not focus on the specific case nor speculate about criminal wrongdoing. But an important internal audit issue is raised in cases such as this one that I think we, as a profession, need to talk about:

If an internal audit report is ignored or suppressed, whose fault is it?

One of the most fundamental roles of chief audit executives (CAEs) is to ensure that members of management and audit committees receive the information they need to make sound decisions. When someone prevents important internal audit findings from reaching the audit committee, it is an offense that undermines some of the fundamental tenets of our profession.

I recognize that many forces are at play when audit information is suppressed. The decision to censor or suppress important information rarely starts with the CAE. But despite any obstacles, clearly it is the responsibility and ultimate obligation of internal auditors to ensure that essential information gets to the audit committee, and that it is reported timely and in enough detail for management and the audit committee to take appropriate action. At times, it can be a difficult challenge — but it’s rarely impossible.

The International Standards for the Professional Practice of Internal Auditing (Standards) are clear: Reporting must include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board. Communications must be accurate, objective, clear, concise, constructive, complete, and timely. When the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE must report the matter to the board for resolution.

The Standards are clear. But to me, this issue is not just a matter of compliance with professional standards: It is a professional and moral obligation of the CAE to assure that the audit committee is advised if there is evidence that the organization may be a party to criminal wrongdoing.

Auditing is not always an easy profession. But when the going gets tough, the true audit professionals get going. We might do well to remember the example of Cynthia Cooper at WorldCom: When management tried to prevent internal audit from investigating certain matters, the auditors continued working secretly and at night when necessary to get the job done. I hope that if we were in the same situation, we all would have enough strength in our convictions to make a similar decision.

That being said, I also believe that management and the audit committee bear some of the responsibility for ensuring free and open communications between auditors and the audit committee. In organizations where the audit committee rarely meets privately with the CAE, it may be time to rethink the meeting schedule. If reporting lines are not optimal for assuring internal audit independence, objectivity, and organizational stature, it may be time to reassess internal audit reporting relationships.

Other recent headlines also have created some discomfort for the internal audit profession. Although such cases are extremely isolated, we have nonetheless seen too many instances recently where internal auditors were implicated along with their company in fraud, corruption, or other wrongdoing. As a profession, there are things we can do to help avoid the rare instances in which internal auditors are implicated in fraud or corruption. The IIA and the profession have a Code of Ethics and all IIA members and Certified Internal Auditors are expected to maintain compliance. We should continuously advocate for high-level ethics, leading by example to our management, boards, colleagues, and young professionals. It is up to all of us, individually and collectively, to uphold our commitment to ethical behavior. And if we work together with management and the audit committee to ensure that clear channels of communication are in place, there should never again be an article that alleges an internal audit report has been suppressed.

Posted on Mar 26, 2012 by Richard Chambers


  1. Richard, thank you for raising this important issue. I agree with your position.

    There is an additional, related concern that merits discussion: A staff member may believe his findings have been suppressed if his manager or the CAE softens or removes them without explaining why. There can be a good reason (such as a more informed view of risk, or an appreciation that management is willing - appropriately - to take the risk). But sometimes this is not clear to the auditor who performed the work and drafted the report.

    In other words, findings may well be in draft reports but not final - leading some to believe in a conspiracy or such. Internal auditors at all levels should understand and address this.

  1. Richard:

    I think your blog raises a very important issue but one that is not easily solved.  In companies where the head of IA is in a "developmental position" that aspires to more senior positions in the company, and the CEO and/or CFO doesn't want particular information going to the board, that person will feel enormous pressure to keep the people that he/she needs to impress to further their career in the organization happy. 

    In cases where the CAE is a career auditor a lot rests with the quality of the audit committee/board. If the CAE is forced into a position where they feel they must report something management wants concealed they need to know that they will get a good reference from the audit committee chair and, most importantly, a good severance. Unfortunately, I have personally seen a number of cases where the board was beholden to the CEO and the auditor that decides they should do the "right thing" pays a high personal price. I tell my clients that there is no point being "dead right". Sometimes a secret file is good insurance if you are in a company involved in serious wrongdoing.

    I believe the IIA should make it crystal clear that a core expectation is that CAEs report significant residual risks being accepted to the board and provide more guidance and real tangible assistance on how to best deal with situations where they could pay a high personal price for complying with the IIA standards.

  1. Richard, As a long-time advocate, member of the IIA, and currently an audit committee chair, I thank you for addressing this important issue. Your logic is clear and not refutable. We all need effective internal audits and effective audit committees. We understand the parameters of our profession and it is based on being auditors, not managers. Thanks for your analysis.
  1.  Richard,

    This is an excellent post and raises a lot of valid points. I wish to add a few more to emphasize the difficulty auditors and risk managers face today.

    In a deviant organization culture, the question of such points coming up in a draft report doesn't arise. The auditors or risk managers are selected by CXOs on the capability of either lack of professional knowledge or adherence to their dictums without any questions. The clear instruction is don't put anything in the report that may cause even the remotest issue. Hence the audit committee is unlikely to hear anything about it.

    Moreover, if an auditor or risk manager does want to speak up there are numerous ways to shut them up, especially when the CXOs are involved. Their residence and offices are bugged, hidden cameras are put, systems are hacked, telephones are tapped, they are followed everywhere and friends and relatives are not allowed to come near. With the money flowing from the organization, there is very little a single individual can do, especially if the organization is large. Even when police complaints are made, the organization pays money to keep quiet.

    Next is the issue of frauds. In the present situations, most multinationals have back office operations in emerging countries. The frauds are done at a global scale, and there is no global agency for fraud. For instance, take a simple case of account takeover fraud in a bank. Data theft is done in India of a US/UK credit card customer, the fraudulent internet transaction is done in Malaysia. If the internal fraud team is involved, no one can detect it. Which country or regulator can an auditor and risk manager go to? So how does one address this?

    Once again, thank you for raising excellent points. I follow your blog regularly.


  1.  Let me explain further how this fraud racket works.

    A few years back in a well publicised data theft and fraud case in India, a young man was suspected. A police case was filed by the fraud investigator though some in the management were not happy about it. The data was stolen by the young man of high networth UK customers and frauds were conducted in multiple ways in UK. The same customer accounts had been previously defrauded.

    The police found that the young man was contacted by a Britisher from the UK office and instructed him to do the needful. The person turned out to be a fraud investigator in the UK team. The Indian police were told to hush it, most probably with money. It further was revealed that the UK fraud investigator was working under the instructions of a British senior manager working in India. The customers were paid and the British police never detected. Most probably they were also paid.

    Now how can this issue be tackled? Especially when account takeover frauds are running into millions. Which regulator or agency can deal with it?


  1. While all IIA members and Certified Internal Auditors are expected to maintain compliance with the profession’s Code of Ethics, I often wonder whether the organizations in which Internal Auditors serve expect the same? Along my professional career I have heard and witnessed far too many incidents of bad ethics, including IA reports getting suppressed or watered down rationalized by phrases like “legal liability” and “company politics.” This is unacceptable in my view. I wrote the following article entitled “Is your Chief Watchdog an Esquire?,” which was published last year by the Society for Corporate Compliance and Ethics. I think its substance is relevant to the discussion of the IIA’s Code of Ethics and some of the real challenges for Internal Auditors when it comes to governance, risk, and compliance assurance. http://www.scribd.com/michael_brozzetti/d/56970266-Is-your-chief-watchdog-an-esquire

  1. Richard, you are absolutely right in saying that "It is a professional and moral obligation of the CAE to assure that the audit committee is advised if there is evidence that the organization may be a party to criminal wrongdoing."  Of course the obligation must not end with "advice".  Appropriate action must be forthcoming from the Audit Committee. If that does not happen, some "other" approach needs to be adopted by the CAE. There are several options available though none may be palatable to the Board/Audit Committee. Each country's "appropriate authority" must "authorise/mandate" some of these options so that the CAE is almost mandatorily "required" to proceed beyond the Audit Committee if the circumstances so require.

  1. Another allegation against internal audit at Biomet. See here: http://tfoxlaw.wordpress.com/2012/03/27/biomet-sec-compliant-lessons-for-internal-audit/

  1. Mr Chambers,

    Sir, you are speaking to core issues that affect our profession. As CAEs we need to have clear communications lines with management and the Audit Committee. It is very important for auditors to have correct reporting lines within organisations which will in turn prevent the suppressing of our reports by anybody.

    I cannot agree with you more on making sure that as auditors we avoid being involved in wrongdoings.

  1. I cannot agree with you more Richard,

    We are sometimes faced with a situation whereby certain critical issues are ignored/suppressed due to relationship issues with the client. This is most prevalent in the consulting business and in public sector. I feel that this creates a barrier in service delivery and value adding. Not only that, but the whole IA profession loses its independence and integrity when critical findings are suppressed.
