Boards, management, and internal audit ethics
The UK’s Chartered Institute of Internal Auditors (which is affiliated to the Global Institute of Internal Auditors) has updated its Code of Professional Conduct. It makes interesting reading, not only for what it contains but also for what it does not.
The most interesting inclusion, in my opinion, is the requirement that internal auditors act “in the public interest”.
Professional internal auditors should take into consideration the public interest and reasonable and informed public perception in deciding the actions to take, bearing in mind that the level and nature of the public interest varies between organisations depending on their role, size, systemic importance or public prominence.
Therefore, a professional internal auditor’s responsibility is not exclusively to satisfy the needs of an individual employer or client. In acting in the public interest a professional internal auditor should observe and comply with the ethical requirements of this Code.
I wonder how many boards and executive management teams would agree that internal auditors should act “in the public interest” and not put the interests of the organization first? Does this mean that internal auditors have an obligation to be whistleblowers to the public, regulators, law enforcement, etc.? The code is silent on whether there is an obligation to inform the board of inappropriate activity before going public – and under what conditions it is appropriate to go public.
This is an interesting topic for discussion at the audit committee level, and something that should be reflected in the audit department charter.
Another inclusion relates to objectivity, where the code states:
Internal auditors… Shall not accept anything that may impair or be presumed to impair their professional judgement [sic].
This brings up the issue of bonuses for internal auditors that are based on corporate performance. Does this represent a threat to their objectivity? I don’t think so, but it should be something for boards to consider.
An interesting omission is a requirement for complete reporting. The code correctly calls for a “balanced assessment”, but does not impose an obligation on internal auditors to report all concerns and issues that may represent failures to manage risks to the enterprise.
When it comes to corporate governance, the “tone at the top”, and the effectiveness of the executive management team, the internal auditor generally has an excellent view and should have a professional opinion. But how often do they share that opinion with the board? How often do they report that the CEO is a bully or that the CFO is putting pressure on the organization to meet financial targets – in a way that encourages or at least turns a blind eye to inappropriate accounting?
I suggest that this should be a topic for discussion between the audit committee of the board and the internal auditor. What should they expect? If they demand that the internal auditor take a personal risk in communicating such matters, what is their obligation to him in return?
I welcome your comments.