http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/ Blogen-us Thu, 14 Mar 2013 08:53:53 AMThu, 14 Mar 2013 08:53:53 AM http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-03-14Depending on the code of conduct and the Internal Audit Manual, Rob could have commited a crime. However Meg as a Manager should not rush to conclusions. I however don't know about corporate governance, that is shouldn't everyone's salary be open. Why hide it. it sets a wrong tone from the top. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-12I think Meg should speak with her senior and advise of what she found as this is confidential information and not supposed to be part of the sample. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-07The Manager should go first to her Director assigned to the payroll audit (if any), not straight to the CAE unless she reports directly to the CAE (though the Director should then consult the CAE immediately). Time is not of the essence, except to pull and preserve the evidence for the CAE so that Rob can't access it further, before the CAE reviews it; there is a remote possibility the document belongs to the CAE and was inadvertently misplaced. It should otherwise be stay calm and act business-as-usual for everyone including Rob, until the CAE returns. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-07I'm not so sure the sky is falling. "Apparently used access rights" is only speculation at this point. Perhaps Rob received the information along with a bundle of other documents and just tucked it away with lots of other documents. If Rob's motivation was nefarious, why would he have kept the information in the file? Most people receiving this information, I believe, would have taken it home to avoid discovery. As CAE, I expect all members of my audit team to not run around as if their hair was on fire and do what they are supposed to do -- gather sufficient information and draw a rational conclusion. Upon returning from vacation, the CAE might want to consider having a thoughtful conversation with Meg. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-07Internal Audit Management trusted Rob. Trust in itself does not prevent one to use that trust to his advantage. In my prior experiences we have limited the access to payroll records only to samples that are selected for testing. Trust it is Not a Preventative Control, and limiting access to ones job's duties is. Megan should refer to her companies’ policy on confidentiality of information and what it entails, and see if Rob broke any "rules" as far as the company is concerned. Then she should involve CAE and discuss with him how to handle this case. It appears important enough to disturb him before he goes in vacation. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-07This incident should be reported to the Chief Compliance Officer to handle. There should be a rule to print no more than what is essential to the audit to eliminate personal identifying information or other confidential materials from being seen by unauthorized persons. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-07Regardless of the CAE's vacation, this information needs to be communicated to the CAE immediately. Withholding this information would then make Meg at fault for not properly and timely disclosing what is at the foundation of our profession, integrity. While the conversation with the Rob should not begin as accusatory or automatically saying he is guilty, questions should be asked of him. Also, because there maybe more salary infomation that he obtained access to (which Meg does not know), it would be better for the CAE to proactively get ahead of the breach so he/she (CAE) and control the message and explain what has happen to senior management. I would be more fearful of what I do not know of other salary information Rob is sitting on. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-07Obviously get additional and unauthorized information is wrong. I could understand to get additional restricted information in some specific cases (e.g.fraud) where criminal behavior can risk losing the information. But, in this case it apparently never happened and, additionaly, confidential information wasn´t properly guarded being available to anyone. It´s necessary to report the incident. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-07Sounds like the employee abused their authority and violated their code of conduct policy if one exists. The behavior is unethical and could be grounds for termination. Inform the CAE immediately and partner with HR. http://www.theiia.org/intAuditor/ask-the-experts/2013/senior-level-salary-snoop-1/2013-02-05He clearly had no valid business reason to have the salary information of his peers or management. Therefore, he should be reported.