Several others have tackled this subject. Some of their points I agree with, and those points inform this post. Some I disagree with, and I’ll address those as I go along.
To my mind, the truly correct answer to the question of the proper role of your Internal Audit (IA) function in your anti-corruption compliance program lies in the deeper question of what the capabilities of your IA function are. In my experience, IA is good at some things, but not good at others. And the most dangerous person is the one who doesn’t know his own limitations. Also in my experience, IA not only is really bad at certain things, but they don’t know that they’re bad.
The other piece to the puzzle—and one to always, always keep in mind—is the audience that IA plays to. IA’s reports go to at least the CEO, General Counsel, CFO, senior business leaders, and let’s not forget, the Audit Committee of the Board of Directors. That’s a huge bullhorn they’ve got. Which is fine when they’re playing to their strengths. But when they’re out of their wheelhouse, reading their reports is an exercise in controlling your cringing.
What, in my opinion, are the strengths of IA? There are two, in my experience. First is testing compliance with policy through sampling. Second is conducting financial-records investigations. IA is, inherently, a check-the-box function. I’m not saying it’s not necessary, or that check-the-box isn’t sufficient for what they do. It is and it is. When IA is doing their job, they go into a market, pull, say, 20 transactions, and ask for proof that those transactions comply with the policy that is the subject of the audit.
So, let’s posit that there’s a policy that requires that business units find out 10 things about a third party before hiring them, and that the contract with that third party contain 4 FCPA-specific contract terms. IA will go in, scope the audit at a certain number of third parties, and examine that number to see if the 10 things are there, and if the 4 contract terms are there. Then they report out on the results.
If that’s where IA stopped, I’d be a huge fan. But they don’t, and, admittedly, I’m not. In my experience, IA goes beyond the role I described. They tend to get into discussions—either in the report itself or in the “action items” that come out of the report—of whether the policy itself is sufficient.
No, no, no, no, no, no, and no.
They might, might, be able to opine on whether asking the business to collect 10 things and include 4 provisions is realistic. If a significant number of third party files fail to comply with the policy, that might be a reasonable conclusion for IA to draw. But what I see too often is IA telling the business that they’re asking for the wrong 10 things, or that the 4 provisions are the wrong ones to include. In other words, criticizing the policy itself, not just determining whether the business is following the policy as written.
In my opinion, IA has no business telling their audience that policies are bad. Here’s where my first point comes in, however. If IA has experts with greater knowledge than I do about anti-corruption compliance, then opine away. Tell me I’ve set up the wrong program. Most likely, however, I’ve trained the IA people on anti-corruption, and they don’t know more.
This isn’t just anti-corruption, by the way. I’ve seen IA talk about the sufficiency of anti-money laundering controls, sanctions controls, and privacy controls.
I don’t mind getting into a dialogue about what controls are right, and what controls aren’t worth the effort, but it’s not up to IA to tell me that I need 15 items of due diligence and 7 contract provisions. It’s even worse when they start suggesting which ones to include. It wouldn’t be so bad if I controlled the content of the final report. But I don’t. Neither do you. That’s in the bailiwick of the General Auditor. And now we come back to the audience that IA plays to. Because as soon as the report is issued, you either have to have a damn good justification for ignoring IA plus be willing to spend some political capital you desperately need for other things, or you end up going along to get along. Which means that your SME isn’t setting the priorities any more. How many of you think that’s a good plan?
Similarly, it isn’t IA’s job to tell me that I need a technology control in place versus a manual one. IA isn’t the arbiter of best practices. I find myself often thinking to myself—and sometimes saying out loud—that IA should mind their own damn business until they hire some experts.
I always want feedback on whether my processes are working in the field. That’s a crucial function, and one which IA does very, very well. I also don’t mind people challenging my decisions (I mind it even less if it’s before the decision is made.) If I can’t justify exactly why I’m doing something, it frankly needs to be rethought anyway. But ultimately, if it’s anti-corruption, and I’m the anti-corruption compliance expert, then it should be my decision, and I should set the priorities. There shouldn’t be a function with direct access to the Board and senior leadership muddying up the message.
If IA stays within their boundaries, they play a crucial part in testing the effective implementation of your program. If they don’t, they do more harm than good.
Do you have similar experiences?