
The grand scheme of things
Read Time: 6 mins
Written By:
Felicia Riney, D.B.A.
At the turn of the millennium, I was a junior auditor with a Big Four accounting firm with almost one year of experience. I was assigned to an internal audit outsource of a medium-sized food manufacturer. The manager leading the audit was a rising star at the firm who was also studying for his MBA at one of the top business schools in the U.S. He heavily delegated work to me and spent lots of time with me at the client site. Most days he’d finish his work in a couple of hours and spend the rest of the day reading his university course books and answering my questions. I was extremely impressed with his efficiency, and I was learning a lot. When the assignment was over, he showered me with praise in front of the partner. I left the assignment feeling fortunate to have worked with such a great manager. Shortly after, he left the firm and went to work for a well-known Wall Street company.
When I had a chance to catch up with him a few years later, I begged him to share how he was always able to complete his audit work so quickly. He hesitated and then looked at me and said, “If you want to get to the top, you need to focus more on relationships and rapport and less on executing tests of control.” He said he’d test the design of a control, and if it passed, he’d simply write down transaction numbers and unique identifiers to satisfy the sample size requirements for operating effectiveness testing. He’d then state that no exceptions or findings were identified — all without performing any actual testing. I asked why the partner never picked up on this. My former boss said, “It’s all about the story you tell and how confident you are when telling it.” I was dumbfounded as the image of the great manager came crashing down in my mind. Unfortunately, this wouldn’t be the last time I encountered an unethical internal auditor.
Most internal auditors I’ve known are ethical, conscientious individuals. Some have even risked their own well-being to do the right thing; it was the vice president of internal audit for WorldCom who blew the whistle on its multibillion financial statement fraud. (See “Extraordinary Circumstances: An Interview with Cynthia Cooper,” by Dick Carozza, CFE, Fraud Magazine, March/April 2008.)
However, internal auditors, of course, aren’t perfect beings and can make the same mistakes in judgment that anyone else can. While no studies quantify the extent of internal auditors’ unethical behavior, we have examples of internal auditors bringing their profession into disrepute:
U.S., 2022: The U.S. Office of the Comptroller of the Currency (OCC) fined the former chief auditor of Wells Fargo Bank $7 million over several “failures” relating to the 2016 fake-accounts scandal. (See “OCC judge recommends $18.5M in fines for 3 ex-Wells Fargo execs,” by Rajashree Chakravarty, Banking Dive, Dec. 8, 2022.)
Uganda, 2021: A public-sector internal auditor pleaded guilty to soliciting and obtaining a bribe. (See “Masaka senior internal auditor pleads guilty of corruption,” The Independent, News, May 7, 2021.)
Canada, 2018: The former internal auditor of the City of Windsor was sentenced to jail for submitting invoices for a friend’s business for fictitious consulting work. (See “Former Windsor auditor sentenced to seven months in jail for defrauding taxpayers,” by Doug Schmidt, Windsor Star, Nov. 13, 2018.)
U.K., 2015: An internal auditor at Morrisons Supermarkets was jailed after he leaked employee salaries to several newspapers and data-sharing websites. (See “Morrisons employee Andrew Skelton jailed over data leak,” BBC News, Leeds & West Yorkshire, July 17, 2015.)
India, 2009: Former global head of internal audit for Satyam Computer Services was arrested and charged with “willful suppression of auditing irregularities” in connection to the company’s falsified financial statements scandal. (See “Internal auditor faces charges in Satyam scandal,” by Raghavendra Verma, AccountancyAge, Dec. 2, 2009.)
While these examples are far from comprehensive, they do give an idea of behaviors that may negatively impact the credibility of internal audit functions.
We don’t have a one-stop shop of all possible unethical behavior that internal auditors can exhibit. It’s also difficult to make comprehensive references to the ACFE’s Fraud Tree because internal auditors don’t normally have access to assets or transactions outside of their departments. However, the Fraud Tree does contain a variety of schemes from the Fraudulent Disbursements category that internal auditors could perpetrate, such as Billing Schemes and Expense Reimbursement Schemes.
Regardless, based on information that I’ve collected from selected internal audit practitioners from around the world, here are some examples (in no particular order) of internal audit misconduct that seem to be more common than others:
Claiming to have educational degrees or qualifications. Falsely claiming to be a Certified Internal Auditor or pretending to have gone to a university (prestigious or otherwise) to secure a job, a promotion or a pay raise.
Maintaining incomplete/false work papers. Internal auditors should professionally perform their tasks and support their reports with factual work papers that are based on robust testing. However, lazy or incompetent auditors might miss work papers or falsify or fake them, ignore audit objectives without explanation, test less-than-required sample sizes or fail to properly follow up on any testing exceptions that have been identified.
Misuse of confidential or proprietary information. Internal auditors, by the nature of their work, regularly access confidential or even proprietary information. Unethical auditors could use this information to benefit themselves or friends by, for example, trading shares, getting preferred rates on loans, competing with their employers for business opportunities, benefiting from business plans (e.g., buying land close to a mall development that hasn’t yet been announced), misusing employee or customer personal data, leaking contract or bid price information, etc. Outsourced internal auditors could gather work products or data from one company to use or share with other companies.
Soliciting benefits from management or service providers. The value that internal auditors bring to companies is largely dependent on their objectivity. This objectivity is impaired when they look to gain benefits from those they’re currently auditing. Examples include asking management to donate to a charity with which the internal auditor is involved, schmoozing management during an audit in hopes of securing their next role within the company, trying to get game tickets from a marketing department, passing along resumes of friends or relatives, etc.
Outsourced internal auditors may focus more on obtaining add-on sales and revenue from the companies they’re auditing rather than just ongoing audits. These behaviors put pressure on those being audited and call into question the objectivity of internal audit results.
Reports are the main way in which internal auditors communicate the results of their work. Crooked internal auditors can intentionally release false reports by aligning report messaging to management’s narrative (or to the agenda of a particular executive), omitting or watering down findings and ratings, misinforming the audit committee of internal audit’s progress or performance measures, etc.
These include turning a blind eye to illegal company activities, harassment, discrimination, falsely claiming to be in compliance with internal audit standards, spying on management (e.g., retaining access to email inboxes after investigations are completed), not disclosing known errors in audit reports after those reports are issued (i.e., covering up internal audit mistakes), and so on.
See XXXXXXXX at the end of this article.
Part of becoming a CFE is understanding criminology topics and the Fraud Triangle. While those topics apply to all unethical behavior, the main factors that may foster unethical behavior specific to internal auditors can be summed up into two broad categories: Ineffective oversight of the internal audit function by the audit committee and poor management of the internal audit function.
The independence and the objectivity of an organization’s internal audit function and its head of internal audit are safeguarded by effective reporting to (and oversight by) the audit committee.
Ineffective oversight can put the internal audit function at the mercy of management, i.e., the people being audited. It also increases the chances of conflicts with management when negative audit results are presented and (in extreme circumstances) can result in hostile working conditions for the internal auditors (stress, exclusion from key meetings, denial of promotions or bonuses, etc.).
“Effective oversight involves making sure the head of internal audit has unfettered access to the audit committee and audit committee chair,” says Andrew Cox, CFE, an audit committee chairperson based in Australia. “There have been situations where oversight is weak, which has allowed management to interfere with the scope and results of the internal audit function. This sort of situation puts the head of internal audit in a difficult position where ethics might be put to the test.”
Some red flags of ineffective audit committee oversight include:
The head of internal audit is responsible for building their function’s processes, hiring qualified people, training their people and leading the function’s quality assurance activities. Poor quality leadership opens opportunities for unethical behavior and creates resentment among the internal audit team. Some red flags include:
Other factors may facilitate unethical behavior, including the type of corporate culture (e.g., toxic or a “good news” culture) and management’s moral compass. “The culture and tone at top greatly influence internal audit’s behavior and its effectiveness as some corporate failures in the United Kingdom have shown,” says Pritesh Dattani, CFE, an internal audit leader based in the U.K.
However, the existence of all these factors doesn’t necessarily mean that internal auditors are unethical, but it does increase the likelihood that unethical behavior may take place. Sometimes, internal auditors don’t have much choice in what they do or don’t do and, for a variety of reasons, are unable to find alternative employment. I know of a chief audit executive who had to anonymously use the company’s whistleblower helpline to report matters that he had to exclude from an audit report. That’s not really a situation anyone wants to be in.
Before we dive into prevention, we need to understand how internal auditors are expected to behave. “Internal auditors are in a unique role in a company that gives them access to personnel, data and systems so they may analyze the work of others and highlight areas for improvement,” says Dattani. “This unique role, which touches all aspects of a company, should only be performed by individuals who demonstrate the highest standards of ethical behavior.”
At a minimum, they’re expected to adhere to their company’s code of ethics and to the Code of Ethics published by the Institute of Internal Auditors (IIA). The IIA’s Code of Ethics defines four principles:
1. Integrity: Being honest, observing the law and not discrediting one’s company or the internal auditing profession.
2. Objectivity: Avoiding conflicts of interest and disclosing material facts, which may impact a report’s conclusions.
3. Confidentiality: Protecting the information they acquire and not using it for personal gain.
4. Competency: Complying with internal audit standards and only doing audits in areas where they have the necessary skills and experience.
The overwhelming majority of internal auditors I’ve met throughout my career demonstrate the behaviors required by the IIA Code of Ethics. Adhering to the code (and the ACFE Professional Code of Ethics) provides a basis for a company to trust its internal auditors and the results of their work.
“Heads of internal audit need to be role models in conforming to the IIA Code of Ethics and not limit their role to simply communicating the code to the internal audit team and expecting the team to behave accordingly,” says Doron Ronen, CFE, an internal audit leader based in Israel. In addition, IIA standards require an independent party to evaluate whether an internal audit function complies with internal audit standards and the IIA Code of Ethics.
While most companies won’t have trouble with their internal auditors, they do need to take practical steps to mitigate the risk of unethical behavior:
1. Hire the right internal auditors: Do thorough background checks (including calling previous employers, checking criminal histories and reviewing social media accounts) and obtain evidence of any professional qualification or degrees included in their resumes. Assess suitability for the role by asking candidates to make presentations, solve problems or write audit findings or engagement scopes. Don’t rely on interview questions alone.
2. Control the money: In the 1992 movie “Aladdin,” I learned a different version of the Golden Rule: “Whoever has the gold makes the rules.” In the context of internal audit, whoever controls the head of internal audit’s pay is the person with the most influence over the head of internal audit. Therefore, to maintain the audit function’s independence and objectivity, the audit committee should play an active role in setting the salary, bonuses and performance ratings of the head of internal audit.
3. Effectively oversee the internal audit function: Ask questions about how the audit plan links to the company’s top risks, ask what sort of quality assurance processes are in place and make sure the head of internal audit is meeting in private with the audit committee at least once a year but preferably more frequently.
“Those charged with overseeing an internal audit function should be well-versed in the IIA’s Global Internal Audit Standards, and the recommendation directed at those responsible for a company’s governance,” says Ronen. “The draft of the proposed new Global Internal Audit Standards even articulates this concept in a much more robust way.” (See “Global Internal Audit Standards,” IIA.)
4. Audit the internal auditors: While internal auditors are busy auditing the whole company, who’s auditing them? Internal audit standards require that a qualified, independent external party conduct an external quality assessment on the internal audit function every five years. (Some companies do it more frequently.) These assessments are a great tool for management and the audit committee to obtain clear pictures of the health of the internal audit function and whether it’s complying with professional standards.
Internal audit is an essential part of a company’s governance framework. When working correctly, internal auditors provide management and the audit committee with valuable assurance and advice to improve governance, risk management and internal control processes. Of course, unethical internal auditors can be closer to home than you think. “The consequences of unethical behavior by internal auditors could result in loss of confidence in the internal audit function or, in severe cases, fines and reputational damage to the company,” says Dattani.
Organizations and fraud examiners need to remain vigilant. They must ensure that internal audit controls are in place and functioning, and they need to keep an eye out for red flags of unethical behavior. Finally, ask yourself: When was the last time someone did a thorough audit of the internal audit function?
Farah George Araj, CFE, is an internal audit leader based in Australia. Contact him at fg1araj@gmail.com.
Internal auditors sometimes leverage their position in unethical ways, which can cross the line into fraud and other types of wrongdoing. Here are a few case studies to illustrate how this happens.
A director at a Big Four firm (we’ll call him Paul) in the Middle East had built an excellent working relationship with his privately held client’s audit committee, CEO and leadership team after helping them build and operationalize a “fit for purpose” (sufficient to do the job it was designed to do) governance framework in addition to a risk management system. The client’s business had grown to a size whereby the internal audit function needed to supplement its resources with manpower from a co-sourced service provider — the Big Four firm.
The privately held client invited Paul to bid and attend an initial meeting with the client’s head of internal audit (we’ll call him Thomas) to discuss expectations and requirements. During the meeting, Thomas said his younger brother had recently graduated from college, was looking for a job in the Big Four and Thomas would be very grateful if Paul could help his brother secure a job at the firm. As Paul was leaving, Thomas again mentioned how much it would mean to him if his brother found a job in the Big Four.
A week after the bid submission date, Paul called Thomas to get an update. Thomas said evaluations were in progress and quickly shifted the conversation to ask about his brother’s resume. Paul shared with him the feedback he’d received from the firm’s recruitment team: The Big Four firm wouldn’t consider the brother at this time because other possible recruits were graduates with better resumes who had internships with Big Four firms.
Eventually Paul heard that his firm’s bid wasn’t successful; a competitor that offered better pricing was awarded the internal audit co-source. Paul considered that a fair-enough decision, but he discovered months later that the winning bidder had hired Thomas’ brother. A coincidence? Probably not, but the director never complained because he didn’t want to rock the boat.
Witch hunts are audits performed without risk-based rationales for the sole purpose of discrediting departments or individuals. The head of internal audit or their reporting line, e.g., CEO or CFO, can initiate them. The CEO or CFO may also use the threat of such audits to intimidate other executives (a sort of “fall in line or I’ll unleash the hounds”).
In this case history, a vice president of internal audit at a Canadian investment company was in a meeting with the CFO to receive her year-end performance appraisal rating. This rating would determine the VP’s annual bonus. The CFO assigned an appraisal rating that was less than prior years based on negative feedback he’d received from two senior executives. The VP protested the fairness of the rating to no avail. The CFO insisted that the VP should improve her rapport with the executive team in the coming year.
Rather than heeding the CFO’s advice, the VP slowly (over a couple of quarters) made changes to the internal audit plan to focus more audit activity on the areas of responsibility of the two senior executives who gave her negative reviews. She also egged on co-sourced internal audit service providers to expand the scope of their existing audits and to suggest new audits that could be performed in those areas. At her behest, the providers exaggerated audit observations in reports (and frequently included far-fetched allusions to risks that could lead to fraud) and changed report ratings to paint an overly negative picture of their operations and controls.
Eventually, senior management and the audit committee started to get the impression that internal audit activities were no longer aligned to the company’s top risks. That, combined with even more negative feedback on internal audit’s approach and attitude, resulted in the termination of the VP. Even though it was poor governance to have the VP’s compensation set by those whom she audited, it didn’t justify her unethical behavior.
During COVID-19, a seasoned Australian chief audit executive (CAE) adds to his small team of two by remotely hiring a new senior internal auditor who’ll work from home. The senior internal auditor does well in the first few months but then his performance begins to suffer. He becomes somewhat distant, and it becomes increasingly harder for the company to reach him through online chats or phone calls.
The CAE, concerned about the well-being of his new staff member, confides in one of his internal audit colleagues at another company. The CAE is keen to learn about the challenges that are facing other teams in a virtual world consisting solely of remote auditing. The CAE’s colleague mentions that he’s also facing a similar situation with a recent hire. As they try to learn more about one another’s situation they discover that they’d both hired the same internal auditor, who was a full-time employee at both companies. Both companies summarily terminated the duplicitous senior internal auditor.