A Tale: Audit vs. Compliance
My phone rang the other day; it was the U.S. compliance officer at a large global business whom I know quite well. “Hey,” he said, “you know the statistic that more than half of internal audit people have felt pressure to cover up awkward findings in their work? I have a complaint about that.”
I am indeed familiar with that statistic, I said. What’s your complaint about it?
“That sometimes internal auditors are real [expletives] who don’t know what they’re talking about.”
And suddenly I had the subject of my next blog post.
To be fair, my CCO friend wasn’t challenging the idea that internal auditors sometimes face pressure from management to dilute their findings in an audit, or pressure not to audit certain parts of the business where problems were sure to be discovered. That statistic came from research the Institute of Internal Auditors published in 2016, where 55 percent of audit professionals said they’d faced that sort of pressure at least once in their career.
My CCO friend’s complaint was more that internal auditors can sometimes express an opinion about a corporate issue — like, say, the effectiveness of a compliance program — when they’re not well versed in the nuance of how compliance programs work. “So you have to correct them, as opposed to ‘pressuring’ them to change answers or findings,” he said. “Sometimes the report is outright wrong.”
For example, my friend said, an internal auditor at his global organization once reviewed the company’s anti-corruption program. (Background: my friend’s company has had FCPA trouble, significant enough that if I named the company you’d all say, “Oh, those guys.”) The auditor found an issue with a faulty control meant to prevent suspicious payments, and declared in an audit report: “This is a blatant violation of the FCPA.”
My friend had several objections to that. First, deciding that something is an FCPA violation is a legal question, and auditors aren’t qualified to make that call. (Valid point; corporate legal teams spend years wrangling with prosecutors over that question.) An auditor should avoid making such sweeping statements, especially if those statements go into a report that could be subject to discovery from regulators or opposing counsel sometime in the future.
Second, my friend said, sometimes an auditor will flag one control failure but not appreciate the larger picture, where other controls can keep misconduct in check. For example, his auditor flagged one control that failed to stop suspicious payments and labeled it “moderate.” Except, a second, backup control further down the payment process did work as intended, so the suspicious payments were never sent.
“So I can’t actually see what the issue is,” my friend continued. “Yes, one control failed, but the process as a whole did work effectively. So how is that a moderate finding?”
My CCO friend didn’t disagree that the control had failed, or that it should be fixed. He just viewed it as a “small” failure rather than a “moderate” one, and certainly nothing that warranted “This is a blatant violation!” going into a report.
“In compliance at least, this can be completely benign and reasonable,” he said. “Sometimes internal audit [messes] it up, because they’re not professionals in the area … There are times when it’s a difference of views, and because we are supposed to be the experts in compliance, we expect them to take our views into account.”
Can’t We All Get Along?
My friend’s views are certainly provocative, and in the end they were pretty far removed from his original beef about the IIA statistic on auditors feeling pressure — but they weren’t wrong, either. On the contrary, they raise interesting questions about how internal audit can work well with other business units, especially other risk management functions like compliance.
I suspect that my internal audit friends would say my CCO friend had a bad experience with one auditor, who isn’t representative of good internal audit practice. For example, I know plenty of chief audit executives who recruit audit staff from within business operating units, so those people can help career auditors understand the business processes they’re auditing. That doesn’t seem to be what happened with my CCO friend.
It’s also worth remembering that most career auditors start by auditing financial controls. Once you start wandering into other fields such as a compliance program, you’re auditing policies and practices to guide human judgment. That’s not the same as auditing numbers and financial transactions; it’s a substantial change in lanes. Plenty of auditors can navigate that difference, but others can’t.
Perhaps the most fundamental issue, however, is person-to-person trust. Especially for global organizations where departments and staffs might be quite independent from each other, CCOs and CAEs need to foster a sense of mutual respect between each other and between their respective teams. My CCO friend, for example, likes the internal audit lead in the United States (“a great guy”). The auditor who gave him grief worked in an overseas unit, much closer to FCPA risk.
It’s not [expletive], people: personal relationships matter.