Some thoughts on the role of the internal auditor
A version of this article was first published: (publication unknown) - March 1999
As a practicing company director who sits on the board of a medium sized Australian financial institution, I can honestly say that I place considerable reliance on the work of our audit committee and the continuing work of the company's internal auditor. There are a number of 'givens' – issues that no responsible person could, in my opinion, possibly disagree with. They are extremely obvious but, for the sake of completeness, I will list them:
- every board should aim to have a properly functioning audit committee,
- the audit committee should be chaired by a non-executive director (as a minimum) and ideally, should be entirely composed of non-executive directors,
- the audit committee should meet regularly,
- the audit committee should have direct access to the external and internal auditors (and vice versa),
- the audit committee should give initial approval to both the external and internal audit plans – both of which should be submitted to the full board for approval,
- the audit committee should ensure that the internal auditor is given sufficient delegated authority to discharge the full range of duties and functions set out in the relevant international standard(s),
- the audit committee and internal auditor should oversee the operations of all subsidiaries and joint ventures (where the level of risk or control warrants this),
- the internal auditor should be known to all directors and should report to the full board from time to time.
As noted above, these requirements should be self-evident. At any rate they are the minimum requirements that one would expect to find in any organisation that is serious about achieving best practice.
Beyond this, some of you may be familiar with a new Australian Standard, AS3806 - 1998, published by Standards Australia on 5 February 1998. In passing, it should be noted that both the newly formed Association for Compliance Professionals of Australia and the Institute of Internal Auditors were represented on the committee that prepared the Standard.
There is a wealth of relevant information included in the standard. However, let me highlight just a few parts that might be of interest. First, the purpose of the Standard which reads:
The purpose of this Standard is to provide a framework for an effective compliance program, the performance of which can be monitored and assessed.
A compliance program is an important element in the corporate governance and due diligence of an organisation, and should:
- Aim to prevent, and where necessary, identify and respond to, breaches of laws, regulations, codes or organisational standards occurring in the organisation;
- Promote a culture of compliance within the organisation; and
- Assist the organisation in remaining or becoming a good corporate citizen.
I have no doubt that you will have noticed one or two important principles that have been included in the Standard. The first is that the Standard includes a reference to general 'organisational standards'. This means that the full gamut of risk management policies need to be implemented and monitored once they have been defined by the board. In addition to this, there is the fascinating reference to 'good corporate citizenship' – a concept that, having been linked to compliance, must become closely embedded in the thinking of boards and management.
Although I realise that internal auditors are not necessarily responsible for an organisation's full compliance program, it may be worth considering how the Australian Standard defines the role of the person who does take on this responsibility:
- The senior executive responsible for overseeing compliance should have direct access to the Chief Executive Officer and any audit or compliance committee.
- The senior executive, or where employed, compliance manager should:
- have high status, authority, recognition and support within the organisation;
- have a record of integrity and commitment to compliance;
- have address to expert knowledge of relevant laws, regulations, codes and organisational standards;
- have good communication skills;
- have access to staff or advisors who are able to translate legal and other compliance obligations into everyday organisational procedures;
- be responsible for ensuring that practices and documentation comply with the law, including ensuring that such obligations are understood and observed by relevant managers and staff;
- have access to all levels of the organisation, as necessary, to ensure compliance;
- be able to consider and advise on compliance problems encountered by staff;
- be both formal and informal reference point on compliance matters;
- be responsible for the overall design, consistency and integrity of the system; and
- have access to senior decision-makers and participate in the organisation's senior decision-making processes.
I realise that some internal auditors will not see their traditional role in quite these terms. Instead, they may veer towards a more passive 'reporting' role. However, having observed the way things are going, I feel fairly certain that the trend is towards a situation in which the role of the compliance manager and internal auditor will be, in all practical respects, interchangeable.
This will be no bad thing as it will help to make evident, to the management community in general, the fact that those working in the field of internal audit can play a vital role in adding value to the business. For example, professionals operating in this role have been known to expand their responsibilities to include those of: managing and monitoring the process of obtaining 'quality' certification (for example, ISO9000 and ISO14000), monitoring customer satisfaction and so on).
Having said this, there is no denying the fact that internal auditors are often placed in a very difficult position – especially when they are seen as the bearers of bad news about the performance of line management. The reality is that only the most flinty of souls can be unaffected by the prospect of having to identify the failures of their colleagues. As such, internal auditors can face a particularly poignant kind of conflict of interest (or perhaps, more accurately, conflict of duties).
Of course, the potential for this kind of conflict is virtually written into the job description. However, the conflicts can often manifest themselves in especially challenging forms. Let me give a few examples:
- Imagine that you have discovered a breach in the lending policies of your bank. The trouble is that the recipient of the funds is a company that provides most of the employment in a district where the majority of your family lives. What would you do? What should you do?
- Suppose that you uncover a transaction that has been structured in such a way as to defer profits until the next financial year. The manager asks you to do nothing as economic indicators suggest that the funds will be needed to support employment, within the bank, in the next financial year. What would you do? What should you do?
- What if you uncover a breach of procedures that, if reported, will lead to a colleague having her bonus cut. Your colleague is supporting her aged parents and she pleads with you to ‘turn a blind eye’. What would you do? What should you do?
Questions such as these are not easily answered. Yet, the internal auditor has no option but to face them squarely. How might this be done?
One approach is to recognise that internal auditors are bound by the very general obligations that attach to any person who claims to be a ‘professional’. The term is one loosely applied to many occupational groups, these days.
Furthermore, I know that the very idea of the professions has been receiving quite a battering from people who no longer believe that members of the professions honour the kind of commitments that I wish to outline below.
Instead, a growing body of opinion thinks that members of the profession hide behind a noble sense of their calling while, at the same time, ruthlessly exploiting every opportunity to advance their self-interest. I must confess that I fall into a more 'conservative' camp that still believes that the ideas of professional service are distinctive (and problematic) but worth preserving (even if only as an aspiration) all the same.
One particularly influential definition of a profession was offered by Roscoe Pound. It goes as follows:
The term refers to a group ... pursuing a learned art as a common calling in the spirit of public service – no less a public service because it may incidentally be a means to livelihood. Pursuit of the learned art in the spirit of public service is the primary purpose.
The point should be made that to act 'in the spirit of public service' at least implies that one will seek to promote or preserve the public interest. A person who claimed to move in a spirit of public service while harming the public interest could be open to the charge of insincerity or of failing to comprehend what his or her professional commitments really amounted to in practice.
In August of 1993, the Australian Council of Professions issued a discussion paper, Professional Services, Responsibility and Competition Policy. Significantly, a press release about this paper was issued under the title, In The Public Interest. Both the paper and the release sought to distinguish a profession from "more commercially minded occupational associations". As opposed to others, professional practitioners:
... must at all times place the responsibility for the welfare, health and safety of the community before their responsibility to the profession, to sectional or private interests, or to other members of the profession.
If the idea of a profession is to have any significance, then it must hinge on this notion that professionals make a bargain with society in which they promise conscientiously to serve the public interest – even if to do so may, at times, be at their own expense. That is, to be a professional is to face the very real prospect of having to act with moral courage.
This may be especially important in the case of those who help to maintain the integrity of financial institutions. I say this because so many ordinary people, indeed the community as a whole, depend on the banks and other financial institutions being sound – both above and below the waterline. As we all know, the failure of financial institutions can have devastating effects on the lives of people.
While not wanting to suggest that internal auditors are required to be especially ethical or courageous they do have the advantage of belonging to a professional association that can support them, if it is minded to do so. Individuals acting alone may feel unable to raise their concerns for a variety of reasons which might include: a lack of access to relevant information, concern about continued employment prospects and so on.
Internal auditors enjoy peer support, which should be directed to helping them to discharge professional obligations – especially those relating to integrity, an orientation towards the truth and a commitment to the provision of independent advice.
Let me be clear, I am not suggesting that internal auditors ought to substitute their judgement for that of their employer on matters of policy. Instead, I am saying that internal auditors must not suspend their judgement in deference to those who exercise power or influence. That is, the critical assessment by internal auditors should bolster a more general tradition in which professionals provide impartial advice and service to their employer.
To do so is quite consistent with a more general professional obligation to discern the difference between a client's interests and wants. This is to engage in the distinctive form of 'best practice' that informs the work of members of the professions.
Talk of 'best practice' frequently leads people to concentrate on a quasi-technical framework in which measurable standards are defined. The focus is on defining what constitutes superlative technique. But is this enough? Let me state clearly that I think it essential that people aim for technical excellence. However, to leave it at that would be to endorse the development of a lop-sided kind of practitioner who is only concerned with how best to prosecute the means to an end.
While a concern for means is important, let me suggest that the idea of 'best practice' should also encompass the development of skills, understanding and dispositions that allow for excellence in the assessment of ends. It can only be so if you accept my suggestion that internal auditors should play a vital and creative role in assisting organisations to exercise informed judgement. Informed judgement should reflect on the destination as well as the means of travelling! It is important to ensure that both means and ends can be justified. How many times have we heard statements that boil down to nothing more than a claim that 'the ends justify the means'?
It is possible that my discussion of this topic has enlarged the role of the internal auditor well beyond what many people consider to be an acceptable boundary. In doing so, I am bound to have made life rather more complicated than most would have preferred it to be.
Unfortunately, it is difficult to see how the conclusions that I have reached could have been avoided. The world is a more complicated place for companies to negotiate. Many directors feel uncomfortable in this world and are ill-equipped to deal with an emerging paradigm of corporate governance that goes well beyond today's formal requirements.
This is where the internal auditor can play such an important role. Part of the task is to help the board have a proper appreciation of the internal and external risks that need to be managed. However, beyond this is an even more fundamental task – namely, to act as the eyes and the ears of the board. Or, perhaps, a better analogy might be that the internal auditor should act as a lookout, sitting atop the crows' nest, keeping an eye out for trouble.
I suppose that a number of you will have seen James Cameron's film epic Titanic. It offers a powerful metaphor for contemporary life. For all the power of the technology that powered the doomed ship, she was still consigned to the deep by an iceberg. Titanic is also a serviceable simile for what happened at a host of institutions like the doomed bank, Tricontinental. Indeed, the parallels are eerily similar. In both cases, the captain was blind to the risks, in both cases there was inadequate supervision, in both cases the risk of harm to the most vulnerable people were disproportionately high when compared to those better off. In both cases, the bulk of the risk lay below the water line – waiting to strike. In both cases, the fatal risk could have been avoided.
A good look out, in constant communication with those in charge of the helm, could never hope to save a Titanic; but he or she could certainly hope to prevent the harm from occurring in the first place. Internal auditors are in a position to play an equivalent role.
I want to conclude by stressing the need for a practical response to the issues outlined above. In the context of this paper, this means drawing attention to some specific aspects of the corporate governance equation. For example, the preceding discussion begins to throw a somewhat different light on issues such as; the need for non-executive directors, the role of audit committees and so on. Some see initiatives in corporate governance as nothing more than a fashionable response to the problems of the past.
However, if the general welfare of stakeholders is dependent on the company adopting best practice in corporate governance (as more broadly construed), then it is essential that boards set an adequate example and establish institutional structures that support the desired outcome.
Most of the points outlined above relate to prudential reasons for encouraging best practice in corporate governance. There are also ethical reasons which bring us back to the central theme of this paper. Corporate governance is about setting a framework within which extraordinarily complex relationships unfold on a daily basis.
Business is a human institution. Whether human nature is set in stone or not is open to debate. My own view is that the good within people can be liberated within supportive social environments. If we want a better world, then it is incumbent on directors to exercise positive influence over those parts of society that they control. In turn, directors ultimately depend on the existence of a trusted source of feedback that lets them know that their policies are having the desired effect.
Internal auditors have the capacity to provide this information – not as a way of 'second guessing' or contradicting management – but as a form of assurance and reassurance for the directors who bear ultimate responsibility for the conduct of the company.
There is a profoundly moral aspect to corporate governance. Not only does a board have to decide the broad parameters within which a company will operate, it also has to decide how the company will be. That is, the board has a vital role to play when helping the organisation to answer the questions, “Who are we? What do we stand for?”. Having helped to define the answers to these key questions, there is an essential role to be played by professionals involved in the internal audit functions of a company.
I, for one, have a broad expectation of internal auditors. That is, I do not see their role as being confined to an examination of systems and procedures limited to financial issues. Good governance is a creative act. It is therefore fraught with risk and difficulty. Internal auditors help to manage that risk – not by applying strict controls alone. Rather, they should be available to offer wise counsel and assistance to their colleagues.