​Willful Subversion of Second Line of Defense Can Land You in Jail

Among my earliest memories as an internal auditor was the constant refrain from officials in my organization that, as internal auditors, our job was to keep them "out of jail." It was their light-hearted way of signaling how important we were to them. I didn't take them too seriously, because I didn't know of too many people who went to jail because of an internal control or compliance failure. But, as Bob Dylan so famously sang, "the times they are a-changin'!"

The recent guilty plea by a former drug company compliance officer on conspiracy and other charges is yet the latest example of when willful compliance failures can lead to jail time for executive management. The related arrest of a second company executive, the former CEO, shows that prosecutors are willing and able to reach high into the C-suite to send a message.

The stunning arrests of the former Rochester Drug Cooperative executives reflect the high stakes associated with certain kinds of control and compliance failures and, more specifically, the dangers of willfully ignoring them. Some have gone as far as characterizing this as a test case for federal authorities prosecuting drug company executives for trafficking narcotics.

Prosecutors allege that the two indicted executives were repeatedly warned that the company was dispensing dangerous opioids, such as oxycodone and fentanyl, to individuals who had no legitimate need for them. What's more, the company made deliberate decisions "not to investigate, monitor, and report" individuals it knew were diverting controlled substances for illegitimate use, according to charging documents filed by prosecutors in the U.S. District Court Southern District of New York.

As a registered drug distributor, Rochester Drug Cooperative was required to maintain "effective control[s] against diversion of particular controlled substances into other than legitimate medical, scientific, and industrial channels," according to the charging document. It also was responsible for reporting to the U.S. Drug Enforcement Administration (DEA) any, "orders of unusual size, orders deviating substantially from a normal pattern and orders of unusual frequency."

While the company met the requirement to create necessary policies and controls, it is accused of ignoring numerous red flags warning that drugs were being dispensed for other than legitimate medical purposes. One of the most damning incidents cited in the charging document was a 2014 compliance consultant recommendation. The consultant urged Rochester Drug to comply with the DEA's "know-your-customer" due diligence policy, presciently warning that, unless the company changed its practices, it would become a DEA target, "because of [its] willful blindness and deliberate ignorance."

Assuming the information in the charging document is accurate, this case is different from other recent, high-profile governance failures in three significant ways:Second-line compliance process and structures appear to have been working as designed.The first line apparently subverted the second line by willfully ignoring warnings.The first line repeatedly thwarted the second and possibly the third line, in all likelihood without the board's knowledge.
This incident points to the need for internal auditors to build strong relationships across all lines within the organization, not just with their audit committees and boards.Internal audit should be in a position to support second-line efforts and step in when compliance functions in the second line are effectively thwarted.Internal audit should provide an effective challenge to management when management fails to protect and support control processes and structures.Internal audit should communicate all risk management or compliance failures first to management, then directly to the board (especially if management is complicit).Internal audit should provide some level of assurance on information that is presented to the board by management.


The 2019 North American Pulse of Internal Audit, Defining Alignment in a Dynamic Risk Landscape, addresses internal audit's involvement in information going to the board. This is an area where internal audit can improve. According to the Pulse survey, nearly 6 in 10 CAEs report that internal audit rarely or never provides assurance on the quality of information given to the board, nor does internal audit have formal discussions about the information with the board and management.

As regulators' expectations grow about board oversight, it is imperative that we fulfill our responsibilities as internal auditors. In doing so, not only will we fulfill our missions of protecting and enhancing organizational value, but we may also be keeping officials in our organizations out of jail.