Mind of Jacka: Internal Audit's Responsibility to the Public

The article discusses the ethical principles for government auditors as outlined in the yellow book (the Goverment Accountability Office's (GAO's) Government Auditing Standards). Those principles should not be a surprise to any of us using the red book (The IIA's International Professional Practices Framework). The yellow book's principles include integrity; objectivity; proper use of government information, resources, and positions; and professional behavior. And, without a lot of work, you can see the parallels that exist between these principles and those contained in the red book: integrity, objectivity, confidentiality, and competency.

But the yellow book includes an additional principle. In fact, it is the first principle listed. And it warrants this lofty position because it spells out an important role for internal audit — an ethical consideration that, while I think we are all aware of our need to consider it, may not be in the forefront of our thoughts.

That ethical principle is "the public interest."

Before diving into what the GAO means by this concept, let's talk a little about internal audit's responsibilities. We know we are responsible to the board/audit committee. (And, as always, insert the comparable body to which you report.) If a situation arises where we are unable to work with the client on a solution regarding a potential issue, we work our way up the chain. And, if it is a big enough deal and agreement continues to elude us, the issue eventually winds up in the board's lap. We state our side, the client states its side, and the board, with ultimate responsibility, has the final say.

That is generally the way I've heard it, that is generally the way I've taught it, and I believe that is generally the consensus we would get if we asked internal auditors from all walks of life what they thought.

But let's throw a potential monkey wrench into this understanding of responsibility by looking at what the yellow book has to say about their first ethical principle, public interest:

"The public interest is defined as the collective well-being of the community of people and entities the auditors serve. Observing integrity, objectivity, and independence in discharging their professional responsibilities assists auditors in meeting the principle of serving the public interest and honoring the public trust."

I think we can all agree that, in government auditing, this scope of "the public" is an obvious interpretation. But should this be a consideration for all internal auditors?

Of course, we serve the board. But what is our responsibility to the stakeholders themselves? The role of the board is to represent and protect the stakeholders' interests. So, if we feel the board is not doing its job — if we feel (with conviction based on the audit work and results) that the board is no longer acting in those interests — is it okay for us to walk away and say, "Well, we reported it; our work here is done"?

To take this a step further, what if the decisions of the board are contrary to the "collective well-being of the community …" Depending on the issue, might it even be that the general public has a right to know?

Do we, as internal auditors and, perhaps more importantly, human beings, have a responsibility to the public interest? How do we honor the public trust?

Here's another quote from the yellow book. "A distinguishing mark of an auditor is acceptance of responsibility to serve the public interest." Makes perfect sense for the government auditor. But why is this not a distinguishing mark of internal audit in general? Does our buck stop, as noted above, at the board? Or does that mean such actions fall short of the ethical standards in which we should believe?

I like the way the author of the Yellowbook-CPE article stated this.

"In government, our first responsibility as an auditor is to the public — not to the person who hired us and who writes our checks. Not to the federal grantor or other government oversight body. We are responsible for bringing anything to light that harms the beneficiaries of government programs (like the children, elderly, and disabled) and that often means making the person who hired us look bad."

Take the phrases related to government out. Now it begins "Our responsibility as an auditor is to the public …" and, suddenly, our responsibility becomes broader and more important.

Look, I know I'm starting to step into the discussion of internal auditors as whistleblowers and issues of confidentiality. But I don't think we can run away in fear because we don't want to confront the potential conflicts. We have to address our roles and responsibilities in those situations where we report to the audit committee/board and find their actions do not protect the public interest.

When is an audit department/auditor going too far? Are their boundaries? Where does an auditor's responsibility stop? And, if it isn't our responsibility, whose is it?

Take a look at the article from Yellowbook-CPE. It does a nice job of spelling this all out. But pay particular attention to that first principle. Because that is where we have to ask ourselves if we have gone far enough in standing up and taking accountability for our broader responsibilities. And it kind of makes me wonder if we need our own statement about the public interest.

When you take a step back and look, it seems kind of important.