Allegations of misconduct by the CEO are the most difficult issue an audit or compliance professional will ever face. That’s why we should study the latest scandal in Washington, that President Trump implored his counterpart in Ukraine to investigate former vice president Joe Biden. It’s a fascinating glimpse into just how difficult investigations of CEO misconduct can be.
As of Sunday afternoon, we still don’t know exactly what the allegations are, but the broad contours seem clear. Back in July, President Trump had a phone call with Ukrainian president Volodymyr Zelensky. During that call, Trump asked Zelensky eight times to work with Trump loyalist (and personal attorney) Rudy Giuliani to investigate Biden and Biden’s son Hunter, who once served on the board of a Ukrainian gas business.
Two weeks after that call, an employee working for the Director of National Intelligence (DNI) made allegations of improper communication between Trump and a foreign leader. We don’t know with certainty which foreign leader that is, although the Washington Post says the leader is Zelensky. As of Sunday afternoon, Trump also confirmed that he spoke with Zelensky about Biden.
The DNI whistleblower — whose identity we currently don’t know — brought his allegations to the DNI inspector general, Michael Atkinson. Atkinson believes the allegations qualify as an “urgent matter,” which by law would allow him to take the allegations to the House Intelligence Committee for discussion. When Atkinson tried to do that, however, the DNI consulted with the Justice Department’s Office of Legal Counsel (OLC), which overruled him.
That led to the spectacle last week of Atkinson appeared before the House Intelligence Committee in closed-door session for three hours, and essentially saying nothing about the allegations against Trump. Which led to another round of Democrats calling for impeachment of the president, and Republicans waiting for talking points from the White House and Fox News.
On Friday Trump dismissed the whistleblower as “highly partisan” — which suggests that the president knows the whistleblower’s identity and is trying to smear that person’s reputation. Then again, moments later the president admitted he didn’t actually know who the whistleblower is.
Putting This Into Corporate Context
Trump’s latest drama involves a long list of characters, and the offices they occupy have a different structure than what audit and compliance officers typically encounter in the corporate world. So let’s start with a cheat sheet of how the actors above might exist in a corporation.
Now let’s reframe the sequence of steps into something a compliance or audit executive might encounter.
First, we have allegations of misconduct raised by a whistleblower, about the CEO. The whistleblower, hailing from an operating unit of the business, took his concerns to that unit’s head of internal audit. The internal auditor then tried to bring those concerns to the audit committee, but the legal department blocked him from doing so. Then the CEO attacked the whistleblower’s credibility in front of shareholders, customers, employees, and everyone else.
The government does have some constraints you’re not likely to encounter in the corporate realm. For example, the whistleblower is believed to be an intelligence officer who handles classified information. If that’s so, then by law he cannot approach the House Intelligence Committee directly. Also, legal opinions from the OLC are binding across the whole executive branch, so the inspector general can’t say, “I don’t report to legal” and take the allegations to Congress. And Trump does have some right to claim executive privilege in his communications with foreign leaders; a CEO couldn’t claim the same to, say, withhold his emails with the head of a state-owned enterprise overseas from the board.
Still, broadly speaking, this is a CEO misconduct mess you might encounter at some point in your career. It’s also one replete with lessons about how not to handle something so delicate.
Questions to Consider
First, does your audit or compliance function have unfettered access to information and people?
That seems to be the case so far for the DNI inspector general, Atkinson. Apparently he has seen the whistleblower’s allegations and talked to the whistleblower. We do know Atkinson disagreed with the OLC’s decision that the allegations weren’t an “urgent matter” for the House Intelligence Committee — which must mean Atkinson knows the substance of them.
If you’re an internal audit executive consider this, you want to consult the model audit charter from the Institute of Internal Auditors. Here’s the relevant passage on access:
The guidance for compliance officers is less clear. We have no widely accepted model charter like the IIA does. And while the Justice Department’s guidance on effective compliance programs does hint at unfettered access, the guidance never explicitly says as much.
Rather, the guidance suggests the idea in language sprinkled throughout the document: “Has the compliance function had full access to reporting and investigative information?” for example, or, “Has there been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance effort?”
Second, can you keep the legal function from interceding an investigation into misconduct?
Atkinson couldn’t; the OLC’s decisions are binding across the whole executive branch. Corporate audit and compliance professionals don’t have that restriction upon them — but you might still encounter legal functions more interested in reducing legal liability for the organization (after all, that’s their job) than in upholding standards of ethical conduct.
Legal will respond that it needs to be part of any investigation, so it can exercise attorney-client privilege over sensitive information and protect the company. To my thinking, that’s more an argument to embed lawyers within the audit or compliance functions. Those lawyers can still exercise privilege when necessary, but they’re not beholden to the legal function, which might be acting to save the CEO’s behind rather than to pursue matters to their ethical (if difficult) conclusion.
Third, do you have proper escalation protocols to bring a matter to the board?
It seems like the answer in this Ukrainian mess is “no” — but that may be because this case involves national security issues, which a corporate misconduct scandal typically won’t encounter.
In the corporate world, whistleblowers can always drop an envelope in the mail to the audit committee and be done with it. (As a corporate secretary once told me, “Anything marked ‘For the Audit Committee’ goes straight to the audit committee.”) Or the whistleblower could call the hotline. Or the audit or compliance officer could meet the audit committee in private session, or meet the audit committee chair for a private chat.
Then again, the chairs and the ranking minority members of House & Senate Intelligence Committees are the four members of Congress who are supposed to have total access to classified material. So it should be easy enough for the chair, Rep. Adam Schiff, to learn what this person’s allegations are, right? So that’s one item unsettled.
Fourth, is the identity of the whistleblower protected?
While we the public don’t know this person’s identity, the president labeling him “highly partisan” suggests that the president does know who the whistleblower is, and has already been investigating that person. Researching the background of a whistleblower smacks of retaliation to me.
Most people in the intelligence community will say that becoming a whistleblower is the last thing they want to do. It risks career suicide. So clearly this person believes that the president’s actions are offensive enough to take that risk. If there’s any single character in this tale who deserves our support and respect, it’s the whistleblower.
That should always be the case with every whistleblower. Can your organization support and protect them like they deserve?
How this drama will unfold in the political sphere is anyone’s guess. As a technical examination of how not to handle corporate compliance and governance — yet again, the Trump Administration is the gift that keeps on giving.