Are Regulators Trying to Redefine Internal Audit?
Internal audit is under great pressure — pressure to meet growing stakeholder expectations, pressure to adapt to new and rapidly emerging risks, pressure to keep up with new technologies and threats.
This is not a new phenomenon with our profession. Over the decades, internal auditing has been under near-constant pressure to meet ever-changing demands. From the beginnings of modern internal auditing in the 1930s and '40s, one of the great strengths of the profession has been its ability to evolve — growing and becoming better able to meet stakeholder needs as it conquers each new challenge.
Key to this evolution is the ability for internal audit to remain an independent and objective function that provides assurance and advice. Indeed, the very definition of internal auditing focuses on maintaining that independence and objectivity while "bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
However, we are seeing signs of a different kind of pressure on the horizon, one that, if not treated carefully, may threaten to erode internal audit's reputation for independence.
As regulators are demanding more transparency from publicly traded companies, they are relying more on internal audit and its work products to provide assurance on the accuracy of internal control over financial reporting (ICFR). This in and of itself is not a negative, unless regulators begin treating internal audit as their "boots on the ground."
We already are seeing fallout from this, as pointed out in a report recently released by the IIA's Research Foundation (IIARF). In A Global View of Financial Services Auditing, authors Jennifer Burke and Steven E. Jameson note that assistance provided by internal audit to external auditors is growing, especially within the financial and insurance sectors. Based on responses to the IIARF's Common Body of Knowledge Practitioners Survey, 34 percent of financial services auditors reported spending more than four weeks annually supporting external auditors.
Beyond the increased regulatory workload, we must tread carefully when it comes to doing work that could be viewed more as serving regulators than serving the organization. Internal audit can struggle to find a balance between reporting functionally to the board or audit committee while reporting administratively to management. Adding a third master in the form of the regulator would further complicate an already delicate relationship.
A second example of outside authorities potentially upsetting that balance involves the recent announcement by the U.S. Department of Justice (DOJ) regarding individual accountability for corporate wrongdoing. DOJ Deputy Attorney General Sally Quillian Yates announced a fundamental change in the way the DOJ will deal with corporations seeking leniency by cooperating with investigators. In order to qualify for any cooperation credit, corporations must provide to the DOJ all relevant facts relating to the individuals responsible for misconduct.
This change is aimed at bringing those accountable for corporate wrongdoing to justice, which is a laudable goal. However, the devil in the details threatens to transform the internal audit function into an internal investigation unit for the DOJ.
The new rules require that, in order for a company to receive any consideration for cooperation, "the company must completely disclose to the Department all relevant facts about individual misconduct. Companies cannot pick and choose what facts to disclose," according to a Sept. 8 memorandum from Yates.
What's more, no credit can be earned if a company "declines to learn such facts." In other words, a company can lose its chance for leniency if it fails to follow up on all potential leads.
Yates recently elaborated on the new rules before an audience at New York University and made clear the new rule's intent.
"It's all or nothing," she said, according to a transcript of her prepared remarks. "No more picking and choosing what gets disclosed. No more partial credit for cooperation that doesn't include information about individuals."
She later added, "And we're not going to let corporations plead ignorance. If they don't know who is responsible, they will need to find out. If they want any cooperation credit, they will need to investigate and identify the responsible parties, then provide all non-privileged evidence implicating those individuals."
That last phrase — "all non-privileged evidence implicating those individuals" — is key. This makes possible, even likely, that internal audit will be asked to take on an investigator's role within a company seeking to cooperate with a DOJ investigation. By definition, findings from corporate council investigations are privileged. That leaves internal audit as the most logical choice to carry out investigations designed to develop relevant, non-privileged evidence.
Practitioners should take pride in their ability to bring an unbiased and critical look at organizational operations, including their skills at unraveling carefully crafted cover-ups by wrongdoers. However, I'm certain that moonlighting for the DOJ is not something most internal auditors envisioned as part of their careers.
As we move forward, we must be cognizant of the forces shaping the profession and be ready to respond. We have worked tirelessly in recent years to raise the profession's stature as "trusted adviser" to management and the board. The dialogue on how internal audit should respond to these new pressures — including where and when it must draw a line on becoming a "double agent" for government authorities while simultaneously serving the organization — must start now. I'd like to hear your thoughts.
ABOUT THE AUTHOR
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and CEO of The IIA. In Chambers on the Profession, he shares his personal reflections and insights based on his 40 years of experience in the internal audit profession.