Senior-level Salary Snoop
A new audit manager contemplates her next steps after discovering a member of her team has been viewing confidential salary and bonus information.
By Michael D. Marinaccio
ABC TECH is a global manufacturer and marketer of digital telecommunications products and associated services. The company operates primarily in China, South Korea, Taiwan, and the United States. Founded in 1989 and headquartered in Southern California, ABC has annual revenues in excess of US $8 billion and more than 3,000 employees. The company’s Internal audit team consists of 15 individuals — two directors, two managers, 10 auditors ranging from associate to senior, and a vice president/chief audit executive (CAE) who reports functionally to the audit committee and administratively to the chief financial officer.
Recently hired as a manager, Meg is the newest member of the audit management team. She brings with her eight years of industry and public accounting experience. In her role, Meg oversees the performance of corporate (home office) finance and accounting area audits, including testing related to the U.S. Sarbanes-Oxley Act of 2002. She routinely has up to three concurrent audits underway at any given time.
Currently, Meg is leading a payroll audit designed to evaluate the effectiveness of key internal controls. She was excited to receive the assignment and had looked forward to working with Rob, the senior auditor, who was also assigned to the project. Rob is considered the department’s best senior auditor, and since joining the group three years ago he has received nothing but glowing performance ratings from the audit management team.
Recently, Meg was reviewing the payroll audit workpapers and realized that the accompanying source documents had not yet been scanned into the department’s automated workpaper system. Since Rob was out of the office on another assignment, Meg took the liberty of gathering some folders related to the payroll audit from his file cabinet. Upon reviewing one of the folders’ contents, Meg made a startling discovery. Tucked away in the source document folder she found current salary and bonus information for the CAE, directors, and managers. The documents were clearly not part of the payroll audit sample. Rob apparently had used the access rights granted him to perform the audit to retrieve this highly confidential information. Meg couldn’t believe her eyes. Not only did she see her own salary information, she now knew what everyone else on the management team was earning.
Meg made this discovery late in the day while alone in the office. Moreover, the CAE is about to leave for a two-week vacation, and Rob is not scheduled to return to the office until later next week.
How should Meg handle this situation? What should her next steps be?
Share your comments below.
Depending on the code of conduct and the Internal Audit Manual, Rob could have commited a crime. However Meg as a Manager should not rush to conclusions.
I however don't know about corporate governance, that is shouldn't everyone's salary be open. Why hide it. it sets a wrong tone from the top.
Posted By: Kufahakutizwi Thomas
2013-03-14 5:51 AM
Senior level salary snoop
I think Meg should speak with her senior and advise of what she found as this is confidential information and not supposed to be part of the sample.
Posted By: Zee
2013-02-12 8:37 AM
Senior-level Salary Snoop
The Manager should go first to her Director assigned to the payroll audit (if any), not straight to the CAE unless she reports directly to the CAE (though the Director should then consult the CAE immediately). Time is not of the essence, except to pull and preserve the evidence for the CAE so that Rob can't access it further, before the CAE reviews it; there is a remote possibility the document belongs to the CAE and was inadvertently misplaced. It should otherwise be stay calm and act business-as-usual for everyone including Rob, until the CAE returns.
Posted By: Paul F.
2013-02-07 9:15 PM
Senior Level Salary Snoop
I'm not so sure the sky is falling. "Apparently used access rights" is only speculation at this point. Perhaps Rob received the information along with a bundle of other documents and just tucked it away with lots of other documents. If Rob's motivation was nefarious, why would he have kept the information in the file? Most people receiving this information, I believe, would have taken it home to avoid discovery. As CAE, I expect all members of my audit team to not run around as if their hair was on fire and do what they are supposed to do -- gather sufficient information and draw a rational conclusion. Upon returning from vacation, the CAE might want to consider having a thoughtful conversation with Meg.
Posted By: Matt M
2013-02-07 1:06 PM
Comment on Senior Level Salary Snoop
Internal Audit Management trusted Rob. Trust in itself does not prevent one to use that trust to his advantage. In my prior experiences we have limited the access to payroll records only to samples that are selected for testing. Trust it is Not a Preventative Control, and limiting access to ones job's duties is.
Megan should refer to her companies’ policy on confidentiality of information and what it entails, and see if Rob broke any "rules" as far as the company is concerned. Then she should involve CAE and discuss with him how to handle this case. It appears important enough to disturb him before he goes in vacation.
Posted By: AHall
2013-02-07 10:35 AM
Senior-level Salary Snoop solution
This incident should be reported to the Chief Compliance Officer to handle. There should be a rule to print no more than what is essential to the audit to eliminate personal identifying information or other confidential materials from being seen by unauthorized persons.
Posted By: Marlies MItchell
2013-02-07 10:09 AM
Senior Auditor Salary Breach
Regardless of the CAE's vacation, this information needs to be communicated to the CAE immediately. Withholding this information would then make Meg at fault for not properly and timely disclosing what is at the foundation of our profession, integrity. While the conversation with the Rob should not begin as accusatory or automatically saying he is guilty, questions should be asked of him. Also, because there maybe more salary infomation that he obtained access to (which Meg does not know), it would be better for the CAE to proactively get ahead of the breach so he/she (CAE) and control the message and explain what has happen to senior management. I would be more fearful of what I do not know of other salary information Rob is sitting on.
Posted By: Wayne Scott
2013-02-07 9:33 AM
Obviously get additional and unauthorized information is wrong. I could understand to get additional restricted information in some specific cases (e.g.fraud) where criminal behavior can risk losing the information. But, in this case it apparently never happened and, additionaly, confidential information wasn´t properly guarded being available to anyone. It´s necessary to report the incident.
Posted By: Fernando M.
2013-02-07 9:02 AM
Sounds like the employee abused their authority and violated their code of conduct policy if one exists. The behavior is unethical and could be grounds for termination. Inform the CAE immediately and partner with HR.
Posted By: Greg Berthiaume
2013-02-07 8:47 AM
Senior Level Salary Snoop
He clearly had no valid business reason to have the salary information of his peers or management. Therefore, he should be reported.
Posted By: TPeart
2013-02-05 4:20 PM
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.
To make something bold:
<strong>Text to bold</strong>
To make something italic:
<em>Text to italicize</em>
To make a hyperlink:
<a href="URL">Text to link</a>