Indeed, we would no longer be friends once I report you. We will be friends till I don’t do my thing. We won’t be friends anymore if I am not on your side when push comes to shove. We will remain friends as long as I don’t do what I am paid to do. Our trust in each other will end the moment I decide not to defy the faith my employer holds in me. We will be done talking to each other if I expose what needs to be exposed!
Subtle or obvious, this is what every internal auditor should expect, irrespective of what the tone at the top suggests, be it the one that emphasizes upon accountability or the one for which everything matters but accountability. Because things are easier said than done and the organizational culture is about people who make it and people’s reaction changes faster than the operating environment of the organization the auditors are so focused upon!
And it matters to internal auditors because external auditors are external, they don’t belong to a workplace they visit on a project basis. But for internal auditors, the message is clear, don’t mess with the people you work with or work on. It’s like saying we’re in this together as long as we, the auditors, do exactly as the client wants us to do!
Even though you might have understood by now what reporting in this context means, let me still break it down. Its typical internal audit reporting and it minimally entails all of the following:
- Misconduct
- Violations
- Wrong doings
- Frauds
- Failures
- Lapses
- Non-compliances
- Deficiencies
- Incongruities
- Inconsistencies
- Inadequacies
Though any typical internal audit client will have an issue with all sorts of audit findings, simply because their belief in the ages old ‘adage’ that auditors can’t be better than them is stronger than their faith in their own abilities, it is the first 5 types of reports / findings that the clients take so seriously that it’s almost like taking an offence.
Yeah, offence! But they aren’t offended by the offence committed or perpetrated but by the offence reported and the ‘offence’ of reporting! That’s because organizations seldom think it through when they’re ‘championing’ the cause of communication and self-glorifying their cultures by portraying openness and asking people to come forth and report anything.
It’s because actions speak louder than words. What’s said and not acted upon is as good as not said. It has no worth whatsoever. In fact, I’ve seen only those organizational cultures and consequently the organizations thrive who don’t do the unnecessary sloganeering and trainings thing but actually lead by actions and set examples on incidents reported.
Majority organizational cultures are actually based on “don’t get caught” and not on “never do”. They are based on “preventing reporting” and not on “preventing occurrence”. And against their sloganeering to the contrary, the messengers are dealt with disgust, admonition or simply ignored.
And this becomes uniquely messier when the ones reporting are internal auditors. Not because clients believe that internal auditors won’t toe their line, but because clients believe they might have to approach auditors differently than their own employees.
It’s true. Clients do believe that they can tame their internal auditors, and this belief has been earned over the years dealing with auditors who are more focused on their paychecks rather than their principles, independence and objectivity. Those auditors were good at math because they knew their price! And guess what? Principles, independence, objectivity and ethics is good theory. So welcome to the practical world.
But for those other types of internal auditors, those other types of approaches include:
- Not acknowledging what has been reported.
- Delaying acknowledgement.
- Belittling / Playing it down.
- Playing ‘we had knowledge of it’.
- Delaying action.
- Removing / altering evidence.
- Making inquiry committees, hiding behind procedures even when procedures have been violated!
- Making the co-offenders responsible for inquiries and investigations.
- Making the offenders communicate directly with auditors.
- Making other past offenders responsible for inquiries and investigations.
Well, the list is not exhaustive, and the approaches are underrated!
Unfortunately, the corporate world is yet to evolve a desirable understanding of the role internal audit plays in helping any entity accomplish its objectives. And this understanding needs to improve from the top. Just like internal controls efficacy and effectiveness is dependent upon the control environment, the tone at the top is responsible for an audit ready culture in the Organization, a culture where internal auditors are not considered adversaries but strategic business support and advisors.
It is the internal auditor’s job to report and call out any and every event and incident detrimental to the entity’s affairs. The entity that’s their audit client. And this is even more important if the internal auditor reckons that such reporting will rip through the relationship with management. It’s management’s stewardship on the line, rather than the congenial yet always frail management-internal auditor relationship.
A good working relationship between management and internal auditors is in fact more of a concern for the management rather than the auditors, because we can even report non-cooperation and get done with it!
What the internal auditors need to understand is that:
- Their loyalty is to their profession, the profession that works in the public interest intervening in a systematic and disciplined manner to improve Governance (Board Oversight), Risk Management (Exposures to Business Objectives & Strategy) and Controls (Means to fulfill Business Objectives, Sustain & Grow).
- They’re employed by the Organization they serve and that’s where their dedication and commitment should always lie. It’s not the people the organization employs and their taking offence with auditors doesn’t mean anything whatsoever.
We report violations, misconduct, frauds, wrongdoings perpetrated against the Organizations we serve and that’s exactly what our mandate is. Safeguarding interests of the perpetrators is not our mandate! And we’re not even required to subscribe to the client’s understanding on the matter. They can have their understanding, and we must have ours!
What’s imperative to understand is how we stand our ground in the face of adversity that comes in many forms; workplace harassment, isolation, avoidance, social boycott in official events and of course financial implications like bonus, increment cutbacks, etc. Because if we’re not willing to pay this cost, the other cost is elimination of professional identity, reputation, irrelevance and oblivion.
We need to earn our seat at the executive table purely by virtue of our unrelenting professional approach towards our work. We are not in the business of winning the hearts of people who make up the management!
Thanks to regulation around the globe, however, not all the guns reserved for internal auditors are in the hands of management. Some are with Boards as well and auditors doing it right by the Organization they serve do get noticed by the Boards.
But the question is, do Boards play a proactive role in this respect or do they as well rely on reporting?!
I harmed a friend through my auditing and reporting prowess before I sat down to write this!
And another was recently thrown a lifeline that ensured he could continue to hang around beyond his retirement. But since there are no free lunches, the trade-off was simple; he just had to do to the management’s bidding in the face of every wrongdoing exposed by the auditor.
The transition was smooth; he frequently got out of his way to not just do the bidding part but also obscure and obviate the meeting records. Such is the pull of self-interest. Management theorists and coaches can take a lesson; a sordid legacy will do just fine for a legacy…. At least it won’t let you miss out on a few more bucks when one still can!