Boards, management, and internal audit ethics

The UK’s Chartered Institute of Internal Auditors (which is affiliated to the Global Institute of Internal Auditors) has updated their Code of Professional Conduct. It makes interesting reading, not only for what it contains but what it does not.

The most interesting inclusion, in my opinion, is the requirement that internal auditors act “in the public interest”.

Professional internal auditors should take into consideration the public interest and reasonable and informed public perception in deciding the actions to take, bearing in mind that the level and nature of the public interest varies between organisations depending on their role, size, systemic importance or public prominence.

Therefore, a professional internal auditor’s responsibility is not exclusively to satisfy the needs of an individual employer or client. In acting in the public interest a professional internal auditor should observe and comply with the ethical requirements of this Code.

I wonder how many boards and executive management teams would agree that internal auditors should act “in the public interest” and not put the interests of the organization first? Does this mean that internal auditors have an obligation to be whistleblowers to the public, regulators, law enforcement, etc.? The code is silent on whether there is an obligation to inform the board of inappropriate activity before going public – and under what conditions it is appropriate to go public.

This is an interesting topic for discussion at the audit committee level, and something should be reflected in the audit department charter.

Another inclusion relates to objectivity, where the code states:

Internal auditors…..Shall not accept anything that may impair or be presumed to impair their professional judgement [sic].

This brings up the issue of bonuses for internal auditors that are based on corporate performance. Does this represent a threat to their objectivity? I don’t think so, but it should be something for boards to consider.

An interesting omission is a requirement for complete reporting. The code correctly calls for a “balanced assessment”, but does not impose an obligation on internal auditors to report all concerns and issues that may represent failures to manage risks to the enterprise.

When it comes to corporate governance, the “tone at the top”, and the effectiveness of the executive management team, the internal auditor generally has an excellent view and should have a professional opinion. But, how often do they share that opinion with the board? How often do they report that the CEO is a bully or that the CFO is putting pressure on the organization to meet financial targets – in a way that encourages or at least turns a blind eye to inappropriate accounting?

I suggest that this should be a topic for discussion between the audit committee of the board and the internal auditor. What should they expect? If they demand that the internal auditor take a personal risk in communicating such matters, what is their obligation to him in return?

I welcome your comments.

  1. June 20, 2013 at 1:08 PM

    Thank you, Norman. The public interest duty is indeed interesting. Do you know whether there have been any serious attempts to define “the public interest”? Easier to rationalise after the fact, one suspects. Signed, a professional internal auditor.

  2. kathryn m tominey
    June 20, 2013 at 3:11 PM

    Norman, et al – the financial regulators need to take a page from the US NRC playbook. In the 70’s they established a requirement that utility staff, utility contractors & their subs were required by law to report any known or suspected violations of nuclear safety requirements to the utility mgt and the USNRC. I believe the interval was within 24 hours to utility mgt & 48 hours to NRC.

    Failure to do this is a federal felony violation. People have been caught, prosecuted and jailed. At the time, there was much wailing, moaning & gnashing of teeth. But everyone got used to it – staff, consultants, etc. realized covering wrong-doing up would land them in the pokey.

    Apply that rule to financial & housing industry staff, accounting firms, ratings agencies, the SEC, FINRA, etc. and the type of behavior that continues to litter the streets will stop overnight.

  3. June 20, 2013 at 9:30 PM

    From a legal perspective, one of the conflicting aspects of the “public interest” ideology in the United States is that U.S. law views fiduciary duty of directors and officers to the end of “maximizing shareholder value,” so notwithstanding any criminal conduct on behalf of the directors and officers putting the interest of the public before the interest of shareholders may be viewed as a fiduciary breach. Recently, states have begun adopting “Benefit Corporation” models which are intended to better balance non-shareholder interests and shareholder interests. The idea is that “maximizing shareholder value” can be legally subordinated to another “benefit” so long as that benefit is defined within the charter of the corporation.

    From an ethics perspective, internal auditors need to understand and balance stakeholder interests, including the public. The IIA’s Code of Ethics CONFIDENTIALITY principle calls for a professional internal auditor to “not disclose information without appropriate authority unless there is a legal or professional obligation to do so.” In my mind, the heart of the ‘public interest’ discussion lies within the question of when does an internal auditor exercise that “professional obligation” to disclose confidential information outside the normal reporting chain and to whom should that disclosure be made after management and the audit committee? The full board? the shareholders? the external auditors? the regulators? the department of justice? Perhaps there will never be a clear cut answer to these questions so maybe it’s best to leave that determination up to the ethical judgment of the professional internal auditor – after all the IIA’s Code of Ethics INTEGRITY principle states “The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.” Should an internal auditor find themselves in a position where they feel it is their professional obligation to disclose information outside the organization I hope they would have exhausted all their reporting options to management, the audit committee, and the full board keeping accurate records of all correspondence because these actions will become their testament to both their personal and professional integrity in the court of public opinion.

    Closing thought: “When you want to do the right things for the right reasons, it is often a matter of finding the right people to listen rather than trying to explain to the wrong people the reasons in which are right.”

  4. June 21, 2013 at 3:27 AM

    Norman: I believe the regulators, at least in the financial services sector see a key “public interest” role for internal auditors in their global guidance paper for national regulators titled Thematic Review of Risk Governance. National security regulators, including the SEC, would do well to heed the recommendations in this report.

    http://www.financialstabilityboard.org/publications/r_130212.pdf

    The FSB paper is calling on national financial sector regulators to make it the law that internal auditors report on the reliability of risk management processes, including those processes that provide information to the board on the true state of risk and risk management processes. This opens a tremendous opportunity for internal auditors. Requiring that all CAE hirings and dismissals be authorized by boards would be another very important step in the right direction.

    Internal auditors need to play a much greater public interest role but current corporate frameworks leave conscientious internal auditors exposed personally to the risks that can come with being “dead right” if they are privy to truly “risky” information.

  5. Denver E. Higgins
    June 29, 2013 at 11:49 PM

    This paper examines the case of the internal auditor from a sociological and ethical perspective. Is it appropriate to extend the designation of professional to internal auditors? The discussion includes criteria from the sociology literature on professionalism. Further, professional ethical codes are compared. Internal auditors’ code of ethics is found to have a strong moral approach, contrasting to the more instrumental approach of certified professional accountants. Internal auditors are noted as using their code of ethics to help resolve professional ethical dilemmas.

  6. July 1, 2013 at 1:18 AM

    While internal auditors are not independent of the companies that employ them, independence and objectivity are a cornerstone of the IIA professional standards; and are discussed at length in the standards and the supporting practice guides and practice advisories. Professional internal auditors are mandated by the IIA standards to be independent of the business activities they audit. This independence and objectivity are achieved through the organizational placement and reporting lines of the internal audit department. Internal auditors of publicly traded companies in the United States are required to report functionally to the board of directors directly, or a sub-committee of the board of directors (typically the audit committee), and not to management except for administrative purposes.

  7. Jody N. Rivers
    July 12, 2013 at 1:35 AM

    This paper examines the case of the internal auditor from a sociological and ethical perspective. Is it appropriate to extend the designation of professional to internal auditors? The discussion includes criteria from the sociology literature on professionalism. Further, professional ethical codes are compared. Internal auditors’ code of ethics is found to have a strong moral approach, contrasting to the more instrumental approach of certified professional accountants. Internal auditors are noted as using their code of ethics to help resolve professional ethical dilemmas.

  8. July 15, 2013 at 12:20 PM

    Norman – Interesting review. I think the designation of in the public interest is perhaps a UK cultural aspect. In the UK professionals and professions are required to be above reproach. Hence as a UK chartered accountant and auditor I can witness legal documents in the same manner as clergymen etc. I do think the public interest if taken in micro terms can be difficult to determine, but broadly I think in a macro sense it can be defined, e.g. be against illegal or uncompetitive acts etc.

    I agree, bonuses are not an impediment to objectivity and independence. A good internal auditor is there to contribute to the success of the organisation and should be rewarded for doing so.

    The final point about the full reporting of risks is one of proportionality, hence the UK guidance is less prescriptive. It does relate to risk appetite, but whose? The auditor’s or the organisation’s. This same debate applies to the public interest and moral point – who decides?

    My blog debates this point – I think I come down on the auditor’s (in macro terms), i.e. if a corrupt organisation wants to do something wrong, i.e. have an unacceptable risk appetite, the definition of this should ultimately be down to a professional auditor’s ethics.

  9. July 18, 2013 at 12:30 AM

    While internal auditors are not independent of the companies that employ them, independence and objectivity are a cornerstone of the IIA professional standards; and are discussed at length in the standards and the supporting practice guides and practice advisories. Professional internal auditors are mandated by the IIA standards to be independent of the business activities they audit. This independence and objectivity are achieved through the organizational placement and reporting lines of the internal audit department. Internal auditors of publicly traded companies in the United States are required to report functionally to the board of directors directly, or a sub-committee of the board of directors (typically the audit committee), and not to management except for administrative purposes.

  10. Kathryn M. Tominey
    July 18, 2013 at 8:38 AM

    If your paycheck and thus your livelihood depends on your employer then you need more than an ethics code to limit reprisal risk. Institute by law a requirement that folks in that role be required to inform senior mgt if they observe or think you have observed a risk issue. For regulated firms, the observer must inform the regulator within 48 hours of when you informed mgt.

    It has been working in the nuclear power industry for decades. Consider how much better off the shareholders & employees of Enron would have been had Mr. Bass been required to inform the regulator regarding the accounting fraud that he was observing.
