When I first read the SEC press release at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370542799812#.VAC_kFbirwK, my first response was to think it was a hoax. I mean, audit and compliance professionals are exempt from the whistleblowing statutes (Dodd Frank, etc.). Upon reading the press release, it became evident that the one “loophole” that allows audit and compliance professionals to benefit from whistleblowing activity, company inactivity, had been met.
But it still gives me an uneasy feeling. While the full facts of this case aren’t apparent from the news release, it appears a staff or senior internal auditor identified an issue and dutifully reported it to his/her manager. That manager and/or their CAE did not escalate and deal with the issue properly. This is clearly an audit failure.
Three points of fact I’d like to discuss:
1) The company failed to act appropriately,
2) 120 days passed, and
3) reporting to a supervisor was all that was require to waive internal audit confidence.
Perhaps in time, more facts will come to light, but I’m left wondering about the nature of what the auditor knew and what and how they reported it. Maybe it is the skeptic in me, but I see so many ways an audit and compliance professional could game this process. As internal auditors, we are entrusted with information and data that could present red flags. Must we chase every rabbit we flush out during our work? What are we to do with risk and materiality?
In an environment where we have annual and quarterly plans, 120 days is a very short time horizon for appropriate action. It requires audit leadership to be very nimble in addressing and communicating results. I’m not saying 120 days is unreasonable, but it is a very tight, demanding standard and CAE will have to ensure they are receptive to audit issues and be ready to analyze and assess risk in short order.
Beyond the challenges this poses to audit leadership, I am quite disturbed that the diligence standard for the audit and compliance whistleblower is so weak. Simply reporting to a supervisor means we have many points of failure in our organizations. Is every supervisor in our organization going to have the experience and judgment to evaluate information and deal with it properly. For all we know, the audit manager decided to add this item to next year’s audit plan or discuss it with the SOX testing team for consideration next year.
I would have expected a higher threshold for audit and compliance whistleblowing to include reporting on level above their direct supervisor or anonymous reporting to the company’s ethics hotline. Either would clearly have given the company the benefit of secondary judgment. But my ranting on this issue is a mute point. It is what it is and we have to manage to this reality.
Chief Audit Executives must work on the culture of their departments to ensure internal auditors feel heard and empowered. They are the ears, nose and eyes where we are the brain. Make diligence and risk conversations a part of our daily business. Listen to your staff’s concerns and ensure they are part of or aware of the decisions and actions taken.
This was the first case of reward for an audit and compliance professional. It is a shot across our bow. I hope it is the last.