However, underlying all this is a broader issue for internal audit. This was driven home to me as I listened to local sports talk radio. The analysts began making comments about a recent situation in the sports world — comments that were not within their sports-knowledge wheelhouse. In an almost out-of-body experience, I watched myself scream, rant, and rave at their complete misunderstanding and total ignorance. (I happened to be driving at the time. It should be noted that screaming, ranting, and raving while driving is nowhere near as dangerous as texting and driving, but still not the smartest, safest thing in the world. I do not suggest it become a part of your standard driving protocols.)
Of what did I speak, yell, and scream?
Let’s return to the last decade for another significant whistleblower event. In 2017, Major League Baseball (MLB) was investigating the illegal stealing of signs during baseball games. (At this point I’ll apologize to any international readers who may get lost in the baseball jargon that follows. Just so you know, a lot of us from the States get lost, too.) As background, sign-stealing is an activity as old as baseball itself. Players scrutinize the signs used by the other team to try and discern the messages those signs are meant to convey. (That’s why you see Macarena-like gyrations from third-base coaches and, to the point of the current scandal, the finger contortions catchers use to let their pitchers know what pitch to throw.) Everyone agrees this kind of “stealing” is legit. However, MLB has come down forcibly against the use of technology in these situations.
In 2019, four people who had played for the Houston Astros came forward claiming the team used technology to steal signs. (It is a crazy story including using buzzers under uniforms and banging trashcans in the bullpen.) Currently, the only name released in association with the allegations is pitcher Mike Fiers. By default, he has become the whistleblowing face of the scandal.
All perdition is breaking loose as the investigation continues. There have been suspensions, firings, and the effective blacklisting of some individuals; conversations about revoking awards and forfeiting a World Series trophy; and a cloud of suspicion surrounding anyone who has even the most tangential association.
In other words, the kind of things that happen when a whistleblower has the goods and spills them.
Given what has been learned, few question the penalties that have been meted out. However, an interesting spin has arisen: People are questioning (in some cases disparaging) Fiers’ whistleblowing.
This is a common backlash against whistleblowers. The status quo has been shattered and, no matter how much people say they want the right thing done, they want it done without disrupting their lives. And, ultimately, it speaks to not understanding the role of a whistleblower, of not understanding what it takes to be a whistleblower, and not understanding the ethical standards that each of us as human beings must uphold. (And it is what caused my nigh-on-stroke-inducing rampage against the voices I was hearing in my car.)
There are three basic contentions against Fiers — complaints that are common with almost all whistleblowers.
Argument No. 1: “He should have gone through proper channels.” To start with, this assumes the whistleblower did not go through some of those channels. But it also represents a naivete about what it takes to go through proper channels. Often, those involved in the inappropriate activities are the very ones that channels would go through, nullifying the effectiveness of this approach. Further, the whistleblower may have lost confidence in the system, feeling that even those not involved cannot or will not take appropriate action. It represents a culture where communication and openness are no longer supported, and, with no other way to handle the ethics of the situation, the individual must go the route of whistleblowing.
Argument No. 2: “It is suspicious that he took so long to come forward with the allegations.” Again, this shows an extraordinary naivete about what it takes to be a whistleblower. None of us can know the pressures faced by anyone finding themselves in potentially illegal or immoral situations. Under pressure you are not sure what to do. You hear justifications all around you. You see those in authority accepting the activities and begin to wonder if you are the one who is wrong. And, perhaps, the activities have grown so slowly you do not realize how bad they are until you are knee-deep yourself. It would be nice to believe that everyone would immediately step up and say something, but sometimes our conscience has to work its way through the morass of justifications and potential betrayals. Again, culture works against the whistleblower.
And now we come to Argument No. 3 — the one that had me screaming at the radio. Baseball fans, players, executives, and pundits are chastising Fiers for breaking the “code of the clubhouse.”
Work your way around that one a little bit. (And note the hypocrisy between Nos. 2 and 3: “What took so long?” and “You shouldn’t say anything in the first place.”)
It is a situation most of us have heard before, a “code” within a group — usually a powerful group — that feels “ratting” on others within the group is somehow less ethical than the violations that are occurring. (One famous example: Serpico — the real cop; not the movie.) But it can happen anywhere. Many of the fraud situations I investigated include some variation on this theme: Many people knew what was going on, but felt pressure to be part of the team and not tell anyone.
What’s an internal auditor to do?
All of this represents the opportunity for internal audit to use its unusual power and position to really benefit the organization — the power to keep potential whistleblowers from going all the way.
Let’s start with something simple. Does the organization want to maintain communications in such a way that people do not feel they have to become whistleblowers? Then they need an effective hotline, one all employees know about. (And, if there isn’t one, or employees don’t know there is one, then internal audit has identified a bigger problem that requires immediate remediation.) Do an audit of your organization’s hotline. Do people know it exists? Is it monitored effectively? Is privacy maintained? And, the big question, is something actually done — something effective — with the information that is received?
Okay, all well and good, an excellent start. But the bigger impact occurs when internal audit reaches out and determines if a negative environment may be engendering whistleblower activities? To do that, internal audit has to learn how the organization works. Not business acumen or org charts or procedures or the PE ratio trends for the last four quarters. No, you need to understand the organization’s politics.
Before you go off on a tirade about how you don’t get involved in politics and how politics has no place in the effective running of any organization and how internal audit is above such Machiavellian machinations, let’s reboot your understanding of what that word really means. This is not “playing politics” — backstabbing, badmouthing, personal agendas, egomania, or stepping on anyone and everyone to get ahead. No, I am talking about processes and behaviors in human interactions involving power and authority that allow the organization to be a going concern. In other words, for internal audit to understand the politics within the organization, it must understand the organizational culture; the governance structures; the formal and informal communication channels (yes, I’m talking grapevine; you don’t have to be a part, but you better know how it works); and who is important, who can get things done, and where real power lies (again, formally and informally.)
For each and every one of these, conduct an audit or, at the very least, some kind of review to ensure they are effective. And from these reviews, determine if the organization is ripe for whistleblowing. Even if there does not appear to be an imminent event, make sure employees feel secure in communicating the possibilities.
But in all this, the biggest impact internal audit can have may be the easiest and the most often overlooked.
All of the above is talking about one thing — ethics. Internal audit can start with an audit over the ethics within an organization — how it supports ethics, how it allows reporting on ethical violations, how the governance structure supports ethics. But the more impactful job internal audit can take on is to be the preacher/proselytizer. We are out there among 'em. And that means we can talk to anyone — the big, the small, the managers, the executives, the worker bees, the important, the really important, the not-so-really important, anyone — emphasizing the role ethics plays in organizational success.
And if you’re in an organization where ethics is not important … well, first, if you are in that situation, get out as fast as you can — it isn’t going to end well for you. But if the ethics of the organization is not as strong as you think it should be —– maybe executives are out of touch, maybe there are misaligned priorities, maybe there is some other reason than just “they” are a bunch of crooks — then take the opportunity to become the city on the hill, increasing awareness that ethics and ethical behavior is the way business should be run.
And, fully cognizant that I have gone on too long but having promised myself that I’d get this all done in one blog post, one other thing. if you are hearing a lot of complaints, if there are a lot of hotline communications, if you’ve had more than one whistleblower pop up, then you have to ask yourself what is wrong with your organization. Maybe it warrants a specific audit — culture, communication, ethics — or maybe it warrants something more. But do not allow your department or the organization’s executives to sweep complaints under the rug, saying it is just the bluster of a few malcontents. Where there is malcontentism, there is fire. And there are whistles to be blown.
Wow. That’s about enough of that. Next time we’ll continue discussing events from the last decade — the ones internal audit ignores at its own peril. And, this time, we will turn the view inward.