To catch everyone up, I’m doing a series of posts on events from the previous decade to which internal audit might have paid closer attention, and how those events represent areas where internal auditors can still provide value to their organizations. (The first two subjects related to reputation risk and disruption.) When developing the content of the posts in this series, I actually came up with a list containing 10 or 15 items. I began winnowing down that list and there was one area that lasted a little longer than the others, but just never seemed strong enough to make it to the finals.
And then, in the last couple of weeks, the real world once more reared its ugly head, and I realized the topic had to be included. And, as I’ve put this together, I realized, yeah, this is a big deal.
Today’s topic is whistleblowers.
There’s been a lot of talk about them the last few months, but they aren’t anything new. Go to Wikipedia. (And at this point let me emphasize I am loath to direct anyone to this snake pit of partial and misinformation. Never use it as a primary source. Instead, as we are doing here, use it only as somewhere to get started.) Check out the page “List of Whistleblowers.” The first whistleblower listed is from 1777. (Did I mention whistleblowing is nothing new?) Scroll down — scroll, scroll, scroll — and you will eventually get to the 2010s. The list stops at 2016 (did I mention Wikipedia’s partial and misinformation?), but it still includes approximately 30 major whistleblowers from the last decade. If you want to see the plethora of more recent cases check out the National Law Review’s constant updates on whistleblower statuses, the information on whistleblowers.org, and any number of other resources. (Just google “top whistleblowers” and start surfing.)
For pure notoriety, divisiveness, and name recognition, it is hard to beat Edward Snowden. In 2013 he revealed a substantial number of classified documents that were eventually published in The Guardian and The Washington Post. The documents revealed details of a global surveillance program run by the U.S. National Security Agency in close cooperation with similar departments within Australia, Canada, and the U.K. He was charged with violating the U.S. Espionage Act and currently maintains asylum in Russia.
Depending on who you talk to, Snowden was a hero or a villain. Opinions range from “He should be strung up” to “Heroism deserves clemency.” These are the range of sentiments that seem to exist about all whistleblowers — some people see bravery and positive impact; some see treachery and negative ramifications.
Just last year (still the prior decade) another whistleblower came forward who had what can safely be called an “impact” on the political scene. This (currently, officially-unnamed) whistleblower accused the U.S. president of abuse of power. (There’s a lot more going on around this one, but this is not the place to get into the politics of a situation with details that leave me as confused as a dog staring at the finger pointing at the moon.) Much like Snowden, some hail the individual as savior; others portray him or her as a tool of evil.
In the Snowden case, the government is looking to prosecute; in the second case, a significant part of the government is looking to protect the whistleblower. The difference hinges on an important aspect of various whistleblowing laws. (And, at this point, a quick reminder that I don’t even try to play a lawyer on TV — so these are just my informed opinions developed during the attempts at research I’ve recently completed. If I’ve got this wrong, feel free to let me know.) Whistleblower protection is afforded when the whistleblower speaks out about illegal activities. The contention with Snowden is that what he reported was classified and not illegal. The contention with the unnamed whistleblower is that, to this point, evidence indicates it may be about illegal activities.
And thus, hairs are split.
What’s an internal auditor to do? Well, here’s lesson No. 1 (the basic lesson). When it comes to whistleblowers, know the law, know what you can do, and be prepared. (I guess that is three lessons, but I’m putting them under one big umbrella.)
Internal audit lives and dies because of the information provided by its clients, customers, co-workers, and even the general public. Most of this comes via open and transparent communications. But, in some instances, we may be asked for anonymity. (If your department is involved in fraud investigation, then this probably happens quite a bit.)
I think everyone knows there is only so much protection we can provide. In general, the only promise we can make is that anonymity will be maintained as long as possible. It is our responsibility to ensure the individual understands how little protection there is and the limitations internal audit faces.
Everyone will have their own limits, and you have to understand those limits going in. I was lucky. In my situation I could promise relatively strong anonymity. First, I had bosses who would let me move forward without providing names. Second (and a big part of all this), my approach was to prove the allegations by obtaining enough corroborating information through normal audit channels that the source would not be necessary. In other words, the work would speak for itself and, done correctly, I would not have to reveal the source. But I always advised that, if push came to shove, I would have to give up the individual’s name, and they should be prepared for this.
But the bigger (and trickier) issue comes up when we become involved in whistleblower situations. The individual may come to us first, we may be asked to do follow-up, or we can even be in a situation where we feel we need to act as a whistleblower. (See Cynthia Cooper.) Because of this, internal audit has to understand its organizational role related to whistleblowers, keep abreast of the legal requirements, and know exactly what to do before such situations arise.
Let me repeat that last one — know exactly what to do before such situations arise. Successful handling of whistleblower cases requires research, training, and preparation. And internal audit must be ready for such situations before they arise, lest it be blindsided.
Now, if that was all I wanted to say about the subject, then, as I first thought, whistleblowers would make for an interesting discussion, but would not have made my top 10 list. However, last week I found myself in the car screaming at the Neanderthals on the local sports talk radio station who purported to be experts. And their uninformed and misguided conversation provides the basis for a more important lesson internal audit needs to understand about whistleblowers. And a lesson that speaks to broader approaches, roles, and values within the department.
Next time we’ll talk about education, mindsets, and Major League Baseball.