By Ian Lavis on behalf of Praxity Global Alliance
Financial scandals in Australia have raised questions about the role of internal auditors on a global scale. Is there a problem with raising the red flag?
The role of internal auditors is more important than ever in helping organisations identify, understand and mitigate or leverage ever more complex international risks.
Yet, recent events suggest there are serious failings in communication when there is a whiff of financial wrong-doing.
There are claims internal auditors are either not voicing their concerns loud enough when they spot irregularities or their alarm bells are being ignored.
It follows revelations of large-scale misconduct at Australia’s largest wealth manager AMP and a report by the Australian Prudential Regulation Authority (APRA) into substantial failings at the Commonwealth Bank of Australia (CBA).
The damning APRA report found widespread complacency, a reactive stance dealing with risks, an insular culture and a failure to learn from experiences and mistakes. The report led to criticism that internal auditors had lost their authority within large corporations, were too timid to “speak truth to power” and too readily intimidated into watering down their own reports, according to an article in the Australian Financial Review.
However, Peter Jones, head of Australia’s Institute of Internal Auditors, told the Review internal auditors were in fact doing their job but the information was not reaching senior management and the board.
He says the system is failing at the audit and risk committee level, not in the internal audit function. He even claims the Institute is aware of internal auditors having their reports “diluted or suppressed” and that auditors may even have been moved sideways or dismissed.
So, which is it? Are auditors too timid or are their red flags being dismissed? There certainly seems to be a problem with communication between auditor, audit committee and the board at some larger organisations.
Jeffrey Luckins, Director of Audit and Assurance at Praxity participant firm William Buck, says he is “staggered by the amount of fraud that goes on, from small businesses to very large organisations” but he insists it’s the interests of every internal auditor to blow the whistle when they spot something wrong.
Calling on auditors to be more empowered, he says: “Internal auditors need to stand up for themselves. They are in an unbelievably powerful situation to blow the whistle and I don’t know if they are fully using the powers that they have.”
In an article published on the William Buck website, he says that claims of dis-empowerment strike at the heart of internal auditors’, whose role is to perform “without fear of favour”, and he pours cold water on the suggestion internal auditors are too meek.
“If internal auditors really are too timid to speak the truth, they are probably in the wrong occupation; they need strength of character to fulfil their obligations, both ethically and practically.”
He adds: “There is a reasonable expectation that internal auditors will perform their duties impartially: integrity, competence, due professional care and being free from influence are core principles contained within the internal auditors own Code of Ethics. The stakeholders of large corporations are many and would have an expectation that internal auditors are capable of determining whether internal control systems are operating efficiently and effectively, such that they can minimise the potential of fraud and error occurring, among other responsibilities and focus of their roles.
Commenting on the impartiality of internal auditors, he says: “Being independent means that even if the threat of losing their employment or contract is evident, they will nonetheless perform their duties and take appropriate actions to report upon and mitigate unacceptable risks. If internal auditors cannot be independent, they cannot perform their role and should resign in any event.”
If internal auditors can be relied upon to be independent and to raise the red flag when appropriate, then the challenge lies in making sure their concerns are raised with the right people within an organisation and that these concerns are acted upon in an appropriate way.
Jason Drake, Partner and International Practice Leader at Praxity participant firm Plante Moran, says it comes down to developing relationships at the right level. He explains: “It’s about making sure you have a good relationship with management and not just the CFO.”
The importance of talking to the right people is highlighted by Richard Chambers, president and CEO of the Institute of Internal Auditors (IIA). In an article published on the IIA website in which he talks about the audit challenges in 2019, he tells auditors:
“As you prepare your internal audit plans for the coming year, you should ensure that you have considered all of the risks facing your organization and discuss them with your audit committees and executive management.”
Another factor to consider is the staff employed to the audit itself and those who manage issues when they are raised. Jason Drake stresses the importance of appointing internal auditors with enough experience to do the job effectively, and ensuring there are the same checks and reviews in place as with external audit.
He adds: “If internal auditors have the right voice and can reach out to the right level, would some of these issues change? The problem is a lot of internal audits are done by junior people and no one is reviewing their work to the level of external audits.”
Should more be done to ensure the right people and procedures are in place? The recent collapse of the UK’s second-biggest builder, Carillion, amid claims of warning signs being missed or ignored, suggest this is certainly true of outsourced internal audit.
In an IIA blog published last year, Richard Chambers states: “There are at least two absolutely critical requirements that should be in place for fully outsourced internal audit engagements: (1) An in-house liaison, preferably an executive or senior management-level employee, should be assigned responsibility for "management" of internal audit; and (2) the engagement should be staffed with competent professionals who execute their responsibilities in conformance with The IIA's International Standards for the Professional Practice of Internal Auditing.”
It is clear there are several issues at play when it comes to effective internal audit, from staffing to empowerment and communication, and ensuring industry standards are followed.
As with any area of accountancy, ensuring the right people and procedures are in place is critical if internal auditors are to steer organisations through ever more complex global risks including cyber security, IT governance and fraud prevention.
But avoiding a repeat of the scandals in Australia isn’t just about the role of internal auditors. It’s about audit committees and top-level management and how they respond to auditors’ red flags. Even the most empowered and persuasive auditors will find it difficult to do their jobs effectively if they don’t have adequate support from the organisations they are endeavouring to protect.