

Well, here’s a missive from the UK Chartered Institute of Internal Auditors that I missed. It’s in their January 2014 publication Whistleblowing and Corporate Governance: The Role of Internal Audit in Whistleblowing, which you can find on their website at http://www.iia.org.uk. I think the UK institute generally gets things right: it is principles based, not overly prescriptive, thoughtful and considered, and has a sense of realism. Here, though, I think they’ve got things wrong.

The argument from the Institute is that:

‘the responsibility for establishing and operating effective internal whistleblowing procedures lies with the executive, reporting to the board. But given the potential conflicts of interest the executive will need to devolve the day-to-day running of the process to a function that is considered to be independent.’

Okay, this sounds fine so far (and I think whistleblowing should be a governance function, independent of management, because it is the management team that people are blowing the whistle on). I wonder what party within the organisation is able to provide independence from management, has an understanding of governance and risk, and has experience of reporting and investigations? I wonder…? The Institute continues:

‘internal audit’s independence from the executive and objectivity give it the potential to be involved in whistleblowing arrangements, e.g. in a triage role, as a channel of communication or carrying out investigations.’

Ah, spot on! Makes sense. An independent third line of defence, nested within the governance framework, with good links to the audit committee and the board, well placed, and with skilled staff to undertake the work. Then, in my view, it all goes wrong:

‘but boards require assurance that the organisation’s whistleblowing policies and procedures are effective in achieving the appropriate outcomes. Internal audit cannot give that assurance if it is directly involved in managing or carrying out those procedures.’

Why? I guess because internal audit cannot self-review. Okay, I buy that. But boards also require assurance that their assurance arrangements are suitable and adequate (another third-line, independent-of-management activity provided by internal audit), yet there a periodic EQA (every five years) suffices. So the Institute continues with its worry:

‘internal audit should therefore either provide assurance to the board or play an integral part in the process of internal whistleblowing in their organisations.’

So yet another thing internal audit cannot do for fear of not being independent! We cannot review anything twice, we cannot do consultancy, we cannot do risk management, and now we cannot link counter fraud and fraud assurance! But what is the real worry from the Institute, as this all sounds theoretical?

‘boards need to ensure that internal audit’s involvement in whistleblowing does not undermine its ability to carry out its prime assurance functions and that it has the necessary skills and resources.’

So actually the concern is more about resourcing and how doing counter fraud work will draw resource away. But why? Most internal audit functions are under-resourced in any case, so why should this make a massive difference? I despair that we as a profession take far too much time to discuss what we cannot do and won’t do, all for fear that our precious independence might be compromised. It is only compromised if we allow it to happen. I can re-review my work, have a different view from my last one, and challenge myself, just as our management colleagues can.

Why are we different? We are different because we as a profession have this pseudo-scientific view of the world that assumes we must be right. I think this comes from our professional origins as external auditors, where opining on accounts would have a materially right or wrong answer (as there is a defined body of law and rules to test the correctness of the opinion against), and from accountancy firms, where we (the firms) would get sued if we got it wrong. But internal audit is not a science, and in risk there is no right or wrong. So why continue with this strange notion, which is plainly wrong in day-to-day risk management experience?

So let’s continue with the Institute’s missive:

‘where internal audit is not playing a direct whistleblowing role it should provide assurance on the effectiveness of the system and procedures to the board. it also should have the right to be informed of all whistleblowing reports so that it can consider what impact they have on its overall opinion to the board concerning risk management and internal control in the organisation.’

So internal audit either provides assurance or helps to deliver counter fraud. Well, what about the Institute’s 2004 position on risk management? Internal audit can do all sorts of risk management things, as long as it vests risk treatment decisions with the relevant management or governance function. So why put counter fraud in a position that is inconsistent with that? So again, following the Institute’s line of argument:

‘internal audit should be able to reserve the right to carry out investigations into the incidents raised in whistleblowing reports as part of its work on giving assurance about internal controls. However, it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management.’

Yes, I think it makes sense for internal audit to follow the fraud risks highlighted by counter fraud work. I agree it is management’s role to prevent and detect corruption (and presumably fraud). But wait for the final, and I think confused, bit of thinking in this paper:

‘internal audit’s role can include promoting whistleblowing best practice, testing and monitoring systems and advising on change where it is needed. But the ultimate operational responsibility for whistleblowing procedures lies with executive management reporting to the board.’

No. Having said earlier in the paper that counter fraud work (including whistleblowing) should be independent of management, it completes the argument by saying that this is now a management task, overseen by governors. I suspect this muddled thinking lies at the heart of the ban on internal audit doing it. If counter fraud were a management function and not a third-line governance function (as it should be), then I could buy the Institute’s argument, but it isn’t. For, as the Institute itself recognises when it takes a step back and asks what we want:

‘What do we want?

Boards must be accountable for ensuring effective whistleblowing procedures are in place that guarantee confidentiality and anonymity and avoid conflicts of interest. Where internal audit is involved in the procedures for whistleblowing the board should ensure:

• there is a separate, independent mechanism to provide assurance on the effectiveness of the whistleblowing procedures

• internal audit’s main functions and wider assurance roles are not compromised

• internal audit is properly resourced in terms of staffing and skills’

Overall, then, this paper makes a strange argument that is not consistent with the Institute’s stance on risk management, is not internally consistent, is driven from an external auditor’s perspective of scientific right and wrong, and cites unrelated worries, such as the resourcing of assurance.

If we actually step back and consider the position afresh: management cannot perform counter fraud and whistleblowing, as presumably the whole reason these complaints are raised is that management has not responded or has done something wrong. So it is naturally a third-line, independent activity, best delivered by an independent third party and overseen by a governing body. Internal audit is the perfect party to do it. It can do this without compromising independence by providing investigations that are for senior management or the governing body (depending on the significance of the issue) to respond to. In other words, the risk treatment decision is vested with senior management, overseen by the governing body, but the investigation is, and is seen to be, independent. Internal audit can then more holistically link fraud controls and fraud risk, inform its wider work plan, and join up the detailed forensic talents of the counter fraud team with the fraud assurance and wider business assurance team. To divide the two is false and makes no sense. The two feed each other and are symbiotic.

In my view the Institute should review this paper, reconsider it, and reissue a more helpful paper.