Blogs Richard F. Chambers, CIA, CRMA, CFE, CGAP Feb 10, 2020
When I wrote that first blog post on Feb. 10, 2009, I could have never imagined what a powerful way it would become to communicate with internal auditors worldwide. I was simply exploring new ways to communicate critical and timely insights for members of the profession.
Today, the blog is published in English, Spanish, French, Portuguese (and occasionally in Chinese and Turkish). Last year, the blog was read more than 400,000 times by practitioners and others around the world. So, as the anniversary of my blog's debut approached, I reflected on the many issues and events covered in those past 440 blog posts. The lion's share offered practical advice to practitioners on how to better their skills, manage relationships, and elevate their work to the level of trusted advisor.
However, many others — indeed, too many — focused on examples of governance failures and examined where internal audit fit into those scenarios. A recent filing by the U.S. Department of the Treasury's Office of the Comptroller of the Currency (OCC) offers another painful example. The Jan. 23 notice of civil charges against former executives of a well-known American bank includes the bank's former chief auditor and former executive audit director among the defendants.
While the charges are yet to be adjudicated, and all parties are entitled to the full due process afforded to them under the U.S. civil court system, the details outlined in the OCC filing nevertheless allege an unflattering picture of internal audit turning a blind eye to serious and systemic misconduct at the bank.
The allegations in the OCC complaint brought to mind several instances where internal audit was implicated in corporate scandals. In 2009, I addressed the fraud scandal at Satyam Computer Services, often referred to as India's Enron. As the fraud unraveled, Satyam's chairman/CEO confessed to manipulating financials over the course of several years. Indian authorities ultimately charged the internal auditor with helping to falsify accounts.
In other scandals, such as FIFA, Toshiba, and Volkswagen, the role of internal audit was not as clear, though investigations into those cases offered a hint. For example, I wrote about the Toshiba scandal in 2015 based on an investigative report commissioned by the company's board. While there were many issues that contributed to the company's systemic and prolonged financial misstatements, one of the key factors was that too many people were willing to look the other way. I wrote in 2015:
When Toshiba's top executives set unrealistic performance (profit) goals, division presidents, line managers, and employees below them carried out inappropriate accounting practices to meet targets in line with the wishes of their superiors. … Instead of questioning the wisdom of these earnings goals, "…(Toshiba's) employees felt cornered into resorting to inappropriate measures," according to the report. One has to wonder whether this contributed to the internal audit department accepting the decisions to ignore early findings of accounting irregularities.
Later that year, I wrote about the wholly unacceptable behavior of a senior internal auditor at Morrisons, one of the U.K.'s largest and oldest supermarket chains. He was found guilty of stealing and illegally sharing the banking, salary, and national insurance information of nearly 10,000 Morrisons employees. I wrote:
His actions are light years from the high ideals all internal auditors must live up to. Indeed, when the profession takes on the mantel of ethical overseer, it must be held to the highest standards and operate beyond reproach. As internal audit practitioners, we tell ourselves we are a breed apart. Often misunderstood and underappreciated, internal auditors help protect organizations from threats, both internal and external. In our roles as the guardians of trust, we provide assurance to help businesses operate efficiently, effectively, and ethically.
This is a high bar, but it is one that every internal auditor must meet. What's more, it is important to understand that our obligation goes beyond avoiding direct complicity. Internal auditors must beware of and accountable to the risk their actions create. This also includes inactions. Simply put, we are complicit in wrongdoing when we fail to act or speak out.
Occasionally, someone attempts to connect the dots about ethical lapses in our profession, and a troubling article or headline emerges. Such was the case in 2012, when a Forbes.com blog headline screamed, "Infernal Audit: When Internal Auditors Go Bad." But overall, we have been fortunate over the past 11 years. There has been very little high-profile media or regulatory questions about the collective ethics or competence of our profession. I believe that is because the vast majority of internal auditors maintain strong integrity in diligently executing their responsibilities. However, we shouldn't underestimate the risk that a high-profile internal audit scandal could tarnish us all. As the old saying goes: "One bad apple can spoil the bunch."
Internal auditors have an obligation to protect the public good. If we are inept in our performance or, worse yet, become an instrument of those with nefarious motives, we imperil our organizations, our profession, and ourselves.
As always, I look forward to your comments.