The enactment of the Bribery Act in the UK has got many audit teams going back out to staff at their clients providing fraud awareness and prevention training. I’m sure that this is the case for most audit teams and CAEs. This, for me, from my career experience, can be both heartening and depressing. Heartening because, in general, people get the key point of the training, that is that fraud is not black and white, it is a matter of judgement, culture and is complex. Depressing because most clients in my experience have either never been sceptical or thoughtful enough to consider fraud as a relevant factor (some of which is probably naivety) and many have a risk appetite or moral view that is significantly different from my own.
That then brings internal audit to the issue of morals and ethics. The internal audit literature is full of brave examples of whistle-blowing CAEs who have identified a major fraud and brought it to the authorities’ attention. Real life is not really like that for most CAEs. It is more mundane and a lot less clear cut. When I was a younger CAE (I am still a relatively young CAE!) I dealt in absolutes. I was a lot more sure of myself and my opinions. As I have aged and got more in-depth into how managers think, work and the complexity and cultures they operate in, I have begun to think in more shades of grey.
Things I previously thought of as ‘wrong’ are now ‘depends’, let’s look at the context. I suspect at least part of this is because, as the CAE, I will have to, at some point, evidence my opinion or be involved in an investigation. It is difficult to be definitive at the best of times; add an elastic concept such as morals or ethics and the whole thing takes on another level of complexity.
A lot of internal audit dialogue is about the moral or ethical role of internal audit. This does not fit well, in my view, with the idea of management owning risk appetite and setting policy. Should internal audit set or challenge moral or ethical policy too? Perhaps a more continuum ‘appetite concept’ of morals and ethics fits better? I can live with the idea of the CAE reporting to the board if the corporate moral or ethical appetite is broken by managers, but what if the board has a different moral or ethical appetite? As an auditor I have professional moral and ethical standards set by the professional bodies and law I subscribe to. If, however, ultimately the organisation takes a hard business line that clashes with my moral appetite, where do I go? Do I have the same choice as any employee, to stay or go based on my own moral stance? In which case, is there any internal audit element to this at all?
I believe the internal auditor should encourage the development of a corporate ethical and moral appetite and should play a role in ensuring that this is applied in practice. Where I feel less comfortable is dealing in moral absolutes. This will mean that the CAE will always have to check and calibrate their moral compass with their audit colleagues, mentors and clients. Far better to be on the right side than on the side of ‘right’, as there is no such thing in my view.
Perhaps you have developed a moral and ethical audit framework that is more definitive? If so, do please share.