Internal audit and discrimination or harassment risk

An article in the New York State Society of CPAs’ CPA Journal raises a very important and tough topic for internal auditors.

ICYMI | The Effect of Sexual Harassment on Internal Audit Risk Assessments: Are You Part of the Solution or Part of the Problem? is written by a couple of academics, one of whom has worked as an internal auditor. (BTW, ICYMI stands for ‘in case you missed it’.)

Sexual and other forms of harassment are a serious problem, especially when the great majority of cases go unreported and those that are reported often do not end well for the person reporting harassment.

There can also be huge penalties for corporations. Just this week, NPR reported that:

The University of Southern California has agreed to pay more than $850 million to hundreds of women who were treated by a former campus gynecologist accused of sexual abuse.

The article covers only part of the ground, but it is still valuable reading. For example, it says:

  • According to a 2016 U.S. Equal Employment Opportunity Commission (EEOC) report… surveys of those who experienced sex-based harassment in the workplace tend to respond by avoiding the harasser (survey findings ranged from 33% to 75%); denying or downplaying the gravity of the situation (54%–73%); or attempting to ignore, forget, or endure the behavior (44%–70%). It appears that filing a formal complaint is a last resort.
  • Harassment can take the form of: sexual, gender identity–based, race or ethnicity, disability, age or national origin or religion, and intersectional. Examples of sexual harassment could include offensive jokes, slurs, name calling, physical assaults or threats, intimidation, ridicule or mockery, insults, offensive objects or pictures, and interference with work performance. According to the EEOC, prevention is the best tool to eliminate harassment in the workplace; this includes establishing an effective complaint or grievance system, providing anti-harassment training to managers and employees, and taking immediate and appropriate action when an employee complains.
  • …the nature of internal auditing typically brings an auditor into contact with staff throughout the company (at all levels, both management and nonmanagement). Therefore, the internal auditor is a familiar face who can provide a trusted independent objective voice in the review and evaluation of company governance, including compliance with laws and regulations.
  • Ideally, internal auditors should be prepared to identify and report suspicious behavior while working on every assignment. The nature of internal auditing brings an auditor into contact with a wide range of employees and their role places them in a unique position to spot the potential for sexual harassment and raise a red flag for human resources and the general counsel to follow up.

Unfortunately, the authors do not provide the advice (beyond that above) I believe is appropriate. The identification of the risks, how to identify and assess them, and the work internal auditors should perform are (IMHO) off target.

Before I share my advice, let me tell you about some of the experiences I had as a CAE.


Perhaps the first was when one of my auditors informed me that the office used by some of the factory staff had walls covered by calendars and pin-ups of scantily dressed ladies. She was not offended herself, she told me, and none of the female workers had complained: it was something they accepted in a male-dominated workplace. However, the auditor knew that it was a violation of company policy.

I advised her to have a quiet word with Human Resources and then the supervisor, make sure he realized that this was a violation, and ask him to have everything taken down. The (male) supervisor consented after a brief argument and he explained the company policy to the workers. I had my auditor return a few weeks later to check, and since everything was now ok we considered the issue closed. It was not mentioned in the audit report.

I didn’t see any need to escalate the issue to senior management since the response was prompt, appropriate, and lasting. There was no indication that this was a more pervasive situation.


A far more troubling incident happened a few years later. The company’s contingency planning coordinator, LeRoy, reported up to me (at the request of top management and with the approval of the audit committee) and we had a scheduled one-on-one.

LeRoy was late to the meeting. He explained that he had been listening to a complaint from a friend he had made at the refinery. She worked in operations and had come to him for a friendly ear. I was able to extract from him what his friend was complaining about: sexual harassment by her manager.

LeRoy listened sympathetically but did nothing more.

I told LeRoy that he needed to speak to his friend and ask her to contact Human Resources. He said she was reluctant to do so, fearing retaliation. But I insisted that he not only advise her to make an official complaint, but also tell her that he was also going to have to report the discussion to Human Resources himself. He was very reluctant indeed! He felt that the lady had come to him as a friend, in confidence, and had no idea that he would be obliged to report it. I explained that he was part of management and, especially as he was within the internal audit department, there was a clear obligation to report this formally to Human Resources.

LeRoy advised me later that day that he had told his friend to report the matter, which she said she would do, and had also met with Human Resources.

Some time later, I was in a meeting with the vice president for Human Resources. I asked him about the alleged harassment, and he got quite angry. He said that it was a fiction, cooked up by the employee because she was about to be counseled for poor performance. That counseling had now occurred, and he expected that she would be dismissed shortly.

I asked about the investigation into her complaint and who had performed it, given that he had himself been working with her manager on the performance review and counseling.

He replied that there would be no investigation; it was clear that this was retaliation by the employee.

I expressed my concern and said that I believed every complaint should be objectively investigated. He repeated his position.

I decided that the best action was to discuss all of this with the head of the legal department. He got involved to make sure appropriate action was taken, including meeting with the employee himself and determining whether her complaint was justified.

The employee ended up resigning, but I believe she received a measure of compensation rather than a termination notice.


Obviously, as CAE I have had to determine which were the more significant risks to the organization that merited the attention of my team. Fortunately, there was only one time where I identified a signal that indicated a potential problem, the possibility of a serious level of risk related to discrimination or harassment.

That occurred at one of my companies that had offices in Singapore and China.

I was working to fill open positions in the team, with one in Penang, Malaysia and the other in Singapore. The Human Resources recruiter came to the office I was using and told me that I had too many female candidates on the interview schedule. Couldn’t I find any suitable males?

I was shocked and told her that I would hire the best candidate, regardless of gender. I had mostly females on the schedule because those were the qualified (based solely on experience) candidates that had been found by the recruiters. She huffed and left.

My next stop was to talk to the vice president of Human Resources for Asia. When I relayed to him what his employee had said, he told me that she had said that at his direction! He was very much opposed to filling key positions with ladies who would at some point have children and leave the company. I told him that his position was contrary to the policies and values of the (US-based) corporation; while it may be, as he said, totally legal and common practice in Singapore and other parts of Asia, it was not acceptable for an American corporation. He held to his position and I told him I would ask the corporate senior vice president for human resources to get involved.

The corporate officer would not direct the Singapore guy to change his position and practices. He said that he didn’t want to hold Singapore to American values, especially as preferring male employees was perfectly acceptable in ‘that part of the world’.

I was disappointed and later discussed it with the audit committee, but no action was taken. Fortunately for the company, this never leaked to the US press. Of course, I continued to hire the best individuals, regardless of gender, race, religion, and so on.


As I said, in all my years as CAE I rarely saw indicators of either widespread discrimination or harassment. Of course, there were several instances where allegations were made, investigated, and appropriate actions taken.

But I was only that one time “on notice” of a pervasive cultural issue. It never, in my assessment, rose to the level of a high ‘risk’ that merited an audit.

But if it had, I would definitely have taken a different approach than is suggested in the academics’ article.


For a start, it is important to recognize that this is a dangerous minefield. Harassment can occur at any level, but discrimination is quite likely to involve more senior management. In my experience, even senior officers often don’t realize where the line is between acceptable and unacceptable behavior.

I strongly believe that any audit activity relating to either discrimination or harassment should be guided by the organization’s legal function. This is because the results of any audit work could create a legal risk for the organization – if the results were made public or obtained by attorneys seeking to sue the business. Just imagine the reaction if it came to light that an audit had identified poor controls or even actual violation of societal norms and laws in these areas. Even if there is no written audit report, notes and working papers may be discoverable.

The legal function can provide instructions on how to perform the work in a way that will provide some measure of protection. In general, performing audit work at the direction of counsel such that it becomes attorney work product may be protected from ‘discovery’ (where the organization is required to disclose the report and even the working papers – and oblige the auditor to answer related questions). However, that protection is not 100% guaranteed and the CAE should listen carefully to the legal expert.

There are going to be some that will say that any investigation or audit should be performed by an independent third party, possibly a law firm. However, strong consideration should be given to using internal auditors who understand the company and its people and, hopefully, are both trusted and respected. The auditors can either perform the work or partner with an outside firm.


The next issue is what the end product should look like.

The General Counsel will probably direct the CAE to address any report, whether written or oral, to him or her. Then, as legal counsel to the organization, the GC will share the results with his or her client: senior management and the board.

When it comes to any form of compliance audit, I always prefer to assess the adequacy of the controls and whether they provide a reasonable level of assurance that the risk of a violation is at an acceptable (very low) level. That requires judgment, for sure, but enables the identification of areas that need work.

There is danger in performing work that expresses any form of opinion as to whether there have been violations. Not only is there a risk of that opinion becoming public, but the determination of whether there has been a violation is a legal one that should be left to the attorneys.

The end product should be discussed carefully with the GC and he or she should, with input from the CAE, make the determination.


There are many ways to conduct the work, including working with Human Resources to survey all or a select group of employees. The potential outcomes of each approach should be considered very carefully indeed. For example, before sending a survey, can you assure respondents that their responses will be 100% confidential and protected? If not, you will get fewer responses and they will be suspect due to fear of retaliation for telling the truth. You also need to be prepared to act if the survey identifies problems – and you have to decide, early and not after the fact – whether you will inform the employee population of the results and how the organization is responding: what actions are being taken and why.

I think I would start by interviewing the members of the legal function. After all, they should be involved in every employee complaint and investigation. (If not, there may be a problem immediately.) Those interviews should tell me whether this is perceived by them as a problem, its scale and frequency, the level of allegation against senior management, and even whether there is a bias among the legal team.

That might, in itself, set the direction of additional work. It’s possible, although unlikely, that it might be sufficient to reach a conclusion and discuss it with the GC.

My next step would be to interview the various members of the Human Resources team. Interviewing the head of HR is clearly insufficient – unless that discloses a problem and suggests enough work has been done. But, interviewing every member of HR that has contact with employees, not just those receiving complaints, can be eye-opening.

HR may themselves be the problem, as in my Singapore case.

You may be asking why I didn’t start by assessing the organization’s policies, such as the Ethics Policy and annual certification and testing. My answer is that as an employee myself I am already familiar with them. I know from personal experience whether they are sufficient. I would have already talked to management if they were not, at least prima facie, sufficient.


My interviews with HR would be similar to those with Legal. I want to see if they are biased, whether they are part of any discrimination, and whether they at least appear to be objective when receiving, analyzing, and investigating any complaints. They should know how often and how significant the complaints are, whether they are concentrated in any one area (or under any one manager), and how many are found to be supported by evidence and how many are dismissed.

How any allegations are investigated is important, so my audit would move on to that activity, considering:

  • Who performs the investigations?
  • Are they properly trained and experienced?
  • Are they objective?
  • Are their objective assessments overruled by more senior management?
  • How are the results reviewed and acted upon?


I could go on, but so much will depend on what I am finding out in these early interviews. I would want to stop as soon as I have sufficient information to form an opinion and report to the GC. I also want to focus on those, hopefully limited, areas where there appears to be the greatest risk.


The bottom line is:

  • This is an important area that should at least be considered for action by the CAE.
  • The CAE and his or her team need to act should they become aware of a possible violation.
  • The CAE should consider an audit if there are red flags indicating a more pervasive problem.
  • But the focus has to be on getting management to do the right thing. Inform them as soon as you can so they can act.
  • Beware of audits that result in an opinion that could create or exacerbate a legal problem for the organization.
  • Work carefully with the GC and make sure your audit committee knows what you are doing.
  • Don’t turn a blind eye and be part of the problem.

I welcome your thoughts.

  1. Mike
    April 2, 2021 at 9:12 PM

    Norman, a relevant topic which requires much further debate on what the various roles for internal audit should be in reviewing these risks and also being a leader here. My past experience also involves instances with compliance or investigation involving legal and HR which you discuss. That being said, there is also place to look at proactive programs and initiatives that are being taken. Such as awareness and training, company wide reviews or surveys, mental health initiatives and supports along with many others. We have seen organizations even being silent or non responsive to events outside the organization in their communities risk being named or called out impacting their reputation.
