Internal auditors as compliance program helpers: opportunities and independence challenges

Internal auditors often have the skill set and opportunities to lend an important hand to their respective companies’ C&E programs beyond the program-related audits that they conduct.  But such assistance can raise independence issues where the activity in question itself  should be audited.  This post considers what some of these opportunities are and which are problematic from an independence point of view.

First, in some companies auditors answer the help line.  This seems problematic to me, as a company’s responding to help line inquiries is sufficiently important – particularly under the Caremark case – and challenging that it should be audited, at least in companies with a relatively high degree of compliance risk.

On the other hand, in many companies auditors do receive in-person compliance-related inquiries from employees on an ad hoc basis – particularly during site visits.  Given the relatively infrequent and unplanned nature of this sort of activity, it generally need not be audited – and so I think that no significant independence issues are raised by auditors helping C&E programs in this way.

Related to responding to help line inquiries is, of course, conducting investigations into suspected violations of  C&E policies – which internal auditors often do, particularly on financial-misconduct related matters.  I believe that an internal investigations functions should be audited periodically (either as part of the help line audits or on a stand-alone basis) but for many companies – particularly medium and small sized ones – there is no practical alternative to having auditors conducting investigations.  While not ideal from an independence perspective, I think this is a compromise many companies can live with (although for some having an external assessment for this activity may be warranted).

A somewhat less obvious, but often useful, C&E program role for internal auditors concerns training/other communications.  The line I would draw here is, on the one hand, between an auditor designing training and/or determining who should receive it – which one might want to audit, at least in high-risk companies, as they involve the exercise of a significant amount of judgment; and, on the other hand, acting in a more ministerial/facilitating capacity  – e.g., delivering training that others have developed, particularly on site visits – where there is generally less of a need to audit.

Finally, and perhaps most significantly, internal auditors sometimes assist in designing C&E-related policies, monitoring measures and process controls. Here, too, the appropriate line to draw is between the auditor acting in a facilitating role – which, in my view, is generally acceptable independence wise, versus her having principal responsibility for such activity – which should be avoided, if possible.   But, as with auditors conducting investigations, in some companies independence perfection is not possible with these sorts of efforts, and where that’s the case companies need to do whatever’s reasonably possible to maximize independence possibilities for such situations – including in some cases using external resources for the audit/assessment.

A final point:  I hope I don’t seem overly willing to accept compromises in this area, but in analyzing the involvement of internal auditors in C&E programs I’m mindful of the fact that so long as their pay (and that  of the boards that serve as their protectors) comes from the companies where they are employed total independence is not attainable.  (In this sense, independence issues and conflicts of interest in companies are indeed different – because one can have a zero tolerance approach to COIs, but not to independence challenges.)  So, the task here is striking the right balance and not seeking to attain complete purity.

For additional reading:

– A post regarding internal audit and reporting relationships on the web site of the Institute for Internal Auditors by Mike Jacka – Internal Audit is the Midst of a Great War.

– An important real-world experiment involving conflicts of interest and auditors.