Internal audit and whistleblowing
What do we mean by whistleblowing?
Whistleblowing (also referred to as ‘speak-up’) is when an employee, contractor or supplier goes outside the normal management channels to report suspected wrongdoing, usually in the workplace, i.e. speaking out in a confidential manner about a specific department, a specific individual or the organisation as a whole. This can be done via internal processes set up by the organisation (internal whistleblowing) or to an external body such as a regulator (external whistleblowing).
Public disclosure to the media is also perceived by some as whistleblowing and is of interest to internal audit as a possible indicator of the control environment.
There is a symbiotic relationship between whistleblowing and an organisation's culture - effective internal whistleblowing arrangements are an important component of a healthy corporate culture, but also effective internal whistleblowing depends on the right corporate culture that encourages concerns to be raised. Internal whistleblowing, whether it is conducted in-house or outsourced, acts as a deterrent to corrupt practices, encourages openness, promotes transparency, underpins the risk management frameworks, and helps protect the reputation of an organisation.
The responsibility for establishing and operating effective internal whistleblowing procedures lies with the executive, reporting to the board. But given the potential conflicts of interest the executive will need to devolve the day-to-day running of the process to a function that is considered to be independent.
Internal audit's independence from the executive and objectivity give it the potential to be involved in whistleblowing arrangements, e.g. in a triage role, as a channel of communication or carrying out investigations.
But boards require assurance that the organisation's whistleblowing policies and procedures are effective in achieving the appropriate outcomes and comply with the UK Corporate Governance Code 2018 requirements. Internal audit cannot give that assurance if it is directly involved in managing or carrying out those procedures.
Internal audit should therefore either provide assurance to the board or play an integral part in the process of internal whistleblowing in their organisations.
Boards need to ensure that internal audit's involvement in whistleblowing does not undermine its ability to carry out its prime assurance functions and that it has the necessary skills and resources.
What do we want?
Boards must be accountable for ensuring effective whistleblowing procedures are in place that guarantee confidentiality and anonymity and avoid conflicts of interest.
Where internal audit is involved in the procedures for whistleblowing the audit committee should ensure:
- There is a separate, independent mechanism to provide assurance on the effectiveness of the whistleblowing procedures.
- Internal audit's main functions and wider assurance roles are not compromised.
- Internal audit is properly resourced in terms of staffing and skills.
Where internal audit is not playing a direct whistleblowing role it should provide assurance on the effectiveness of the system and procedures to the board. It also should have the right to be informed of all whistleblowing reports so that it can consider what impact they have on its overall opinion to the audit committee concerning risk management and internal control in the organisation.
Internal audit should be able to reserve the right to carry out investigations into the incidents raised in whistleblowing reports as part of its work on giving assurance about internal controls. However, it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management.
Internal audit's role can include promoting whistleblowing best practice, testing, and monitoring systems and advising on change where it is needed. But the ultimate operational responsibility for whistleblowing procedures lies with executive management reporting to the board.
Boards/audit committees should consider corporate culture and whistleblowing together as the two are interrelated.
With the right corporate culture internal whistleblowing will be seen as the normal and acceptable way of reporting wrongdoing, except where there are clear legal or other reasons for approaching a regulator or other authority. Public disclosure to the media should be seen as a last resort and a possible indicator of weakness in internal whistleblowing procedures.
Organisations must disseminate to staff clear policies and procedures on internal whistleblowing with regular promotion and marketing of the whistleblowing process so that disclosures can be made with confidence that they will be handled seriously by the organisation and without prejudice to the interests of the individual. Internal processes should be able to preserve anonymity. There should also be a feedback loop to whistleblowers.
Employees should be made aware of external bodies such as regulators and others (e.g. Protect, formerly Public Concern at Work) they can approach if the internal procedures have not worked.
Internal audit acting as a whistleblower
While we believe that it is not the job of internal audit to detect or prevent corrupt practices directly, internal auditors often come into possession of critically sensitive information that is substantial to the organisation and poses significant potential consequences. This distinguishes them from many other members of an organisation. This information may relate to exposures, threats, uncertainties, fraud, waste and mismanagement, illegal activities, abuse of power, misconduct that endangers public health or safety, or other wrongdoings. These matters may adversely impact the organisation's reputation, image, competitiveness, success, viability, market values, investments and intangible assets, or earnings. The first channel of communication of this information would be to senior management or failing that to the board/audit committee. This should not be seen as whistleblowing but as normal internal audit activity.
However, if concerns are not taken seriously or overridden, an internal auditor may well face the prospect of considering whether to communicate the information outside the organisation, either by external whistleblowing to a regulator or other authority, or by public disclosure.
Internal auditors who find themselves in this situation should refer to IIA Standards 2400 Communicating Results, 2440 Disseminating Results and 2600 Communicating Acceptance of Risks and the associated Implementation Guides, along with the Code of Ethics, the Public Interest Disclosure Act 1998 (PIDA) and the Protected Disclosures Act 2014 in Ireland.
Ultimately, the internal auditor makes a professional decision about his or her obligations to the employer. The decision to communicate outside the normal chain of command needs to be based on a well-informed opinion that the wrongdoing is supported by substantial, credible evidence and that a legal or regulatory imperative, or a professional or ethical obligation, requires further action.