The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry has shone a spotlight on the role of internal auditors and with it, collateral damage to at least four Directors of AMP and several of their senior executives who have subsequently resigned.
The red flags are flying at full mast and creating an opportunity for internal auditors to be empowered to play their role effectively to protect the wider interests of all stakeholders of larger corporations.
Yet, in response to criticism that internal auditors have lost their authority in these large corporations, the head of the Institute of Internal Auditors, Peter Jones has called out instances of dis-empowerment in the profession.
Jones’ claims that internal auditors had their reports diluted and suppressed as well as instances of derailed careers when they raised ‘red flags,’ are serious allegations; not only against those corporations, but to the core function of audit, whose role is to perform their duties without fear or favour.
How can our profession be reinstated to prime influence such that auditors can focus more in their commitment to quality?
Thwarted by these allegations, it’s my duty as an auditor to raise the potential red flags of the auditing profession.
Red flag #1 What substantive evidence is there to support this claim?
Ironically, the role of any auditor is to prepare their opinions based upon sufficient appropriate evidence and although Jones did not present any substantive evidence to support his assertion that internal auditor’s reports are suppressed and ignored, it is entirely possible that his claims are valid.
Elizabeth Johnstone, the Chairman of ASX Corporate Governance Council (previously the director of the Auditing and Assurance Standards Board), also claims her research gathered from interviews with 100 people has found failings in the internal audit function in Australia.
To empower the role of auditors, it would helpful for the Royal Commission to seek substance to these claims such that allegations these types of allegations can be fully investigated and recommendations made if necessary.
Red Flag #2 Are auditors really too ‘timid’ to ‘speak truth to power’?
If internal auditors really are too timid to speak the truth, they are probably in the wrong occupation; they need strength of character to fulfil their obligations, both ethically and practically.
There is a reasonable expectation that internal auditors will perform their duties impartially: integrity, competence, due professional care and being free from influence are core principles contained within the internal auditors own Code of Ethics.
The stakeholders of large corporations are many and would have an expectation that internal auditors are capable of determining whether internal control systems are operating efficiently and effectively, such that they can minimise the potential of fraud and error occurring, among other responsibilities and focus of their roles.
Being independent means that even if the threat of losing their employment or contract is evident they will nonetheless perform their duties and take appropriate actions to report upon and mitigate unacceptable risks. If internal auditors cannot be independent, they cannot perform their role and should resign in any event.
Red Flag #3 Do internal auditors really need a direct line to the Board?
In normal arrangements, at least one Board member with appropriate financial reporting skills and experience, chairs the Audit & Risk Committee and reports back to the Board.
Jones advocates for a direct line to the Board if a risk and audit team cannot do their job. If a risk and audit team cannot do their job effectively, this suggests they are either:
- Incompetent for ignoring the reports of internal auditors or
- Corrupt for suppressing the findings of internal auditors.
However, logically, internal auditors do have choices. In fact, there are many.
 If there was knowledge that Audit & Risk Committee Chairs were ignoring, or worse still suppressing their reports, internal auditors could indeed sound out non-executive independent Directors to ensure they are fully informed and able to act in the best interests of the Company.
Secondly, if in the internal auditor’s findings, showed there were potential breaches of laws, but the Company chose not to address them, then internal auditors could have liaised with the external auditors to seek their support, and in my experience internal and external auditors work well together.
Assuming there are potential breaches of the Corporations Act 2001 there are also protections for the internal auditors who inform ASIC. These are easily accessible and discussed under the Guidance for whistleblowers section of the ASIC website.
Lastly, if all else fails, the internal auditor can resign in an ultimate demonstration of their independence.
Therefore, While Jones suggests that the system is not failing at the internal audit function, but at the audit and risk committee level; failing to take any of the above recourse means there were instances where auditors were in fact failing the system.
If there really is a problem, I suspect it actually is with governance and culture or ‘tone at the top’, as suggested by Jones.
Back in June 2016, ASIC was concerned about culture, arguing that ‘culture matters,’ at the Regulatory Summit.
In a speech made at the summit, Mr. Greg Medcraft, the former Chairman of ASIC, expressed their belief that culture is the key driver of conduct in the financial services industry.
Medcraft stated that culture had the potential to impact the integrity of financial markets and erode investor and financial consumer trust and confidence; pointing to the Board and senior executives as critical for setting culture.
Fast forward to today and it appears the tone at the top remains a weakness in large corporations, as evidenced by the findings of the Royal Commission and specifically by the banks and AMP. However, what ASIC was concerned about then, was quite possibly an open avenue for internal auditors to use sound judgement and have their voices heard.
If there is a key learning out of the Royal Commission already, it should be that Directors and key management personnel should be feeling more risk averse and likely to positively act on the findings of internal auditors.
Indeed, the spotlight is on internal auditors and they should feel empowered to play their role effectively to protect the wider interest of the companies and all of its stakeholders. However, although auditors have raised red flags on corporations, if these allegations are true, there are red flags within the profession which may also need attention.