Position paper: Internal audit and whistleblowing
What do we mean by whistleblowing?
Whistleblowing is when an employee, contractor or supplier goes outside the normal management channels to report suspected wrongdoing at work, i.e. speaking out in a confidential manner. This can be done via internal processes set up by the organisation (internal whistleblowing) or to an external body such as a regulator (external whistleblowing).
Public disclosure to the media is also perceived by some as whistleblowing and is of interest to internal audit as a possible indicator on the control environment and in the context of an internal auditor needing to go outside his/her organisation to get concerns dealt with.
There is a symbiotic relationship between whistleblowing and an organisation's culture - effective internal whistleblowing arrangements are an important component of a healthy corporate culture, but also effective internal whistleblowing depends on the right corporate culture that encourages concerns to be raised. Internal whistleblowing, whether it is conducted in-house or outsourced, acts as a deterrent to corrupt practices, encourages openness, promotes transparency, underpins the risk management systems and helps protect the reputation of an organisation.
The responsibility for establishing and operating effective internal whistleblowing procedures lies with the executive, reporting to the board. But given the potential conflicts of interest the executive will need to devolve the day-to-day running of the process to a function that is considered to be independent.
Internal audit's independence from the executive and objectivity give it the potential to be involved in whistleblowing arrangements, e.g. in a triage role, as a channel of communication or carrying out investigations.
But boards require assurance that the organisation's whistleblowing policies and procedures are effective in achieving the appropriate outcomes. Internal audit cannot give that assurance if it is directly involved in managing or carrying out those procedures.
Internal audit should therefore either provide assurance to the board or play an integral part in the process of internal whistleblowing in their organisations.
Boards need to ensure that internal audit's involvement in whistleblowing does not undermine its ability to carry out its prime assurance functions and that it has the necessary skills and resources.
What do we want?
Boards must be accountable for ensuring effective whistleblowing procedures are in place that guarantee confidentiality and anonymity and avoid conflicts of interest.
Where internal audit is involved in the procedures for whistleblowing the board should ensure
- There is a separate, independent mechanism to provide assurance on the effectiveness of the whistleblowing procedures
- Internal audit's main functions and wider assurance roles are not compromised
- Internal audit is properly resourced in terms of staffing and skills
Where internal audit is not playing a direct whistleblowing role it should provide assurance on the effectiveness of the system and procedures to the board. It also should have the right to be informed of all whistleblowing reports so that it can consider what impact they have on its overall opinion to the board concerning risk management and internal control in the organisation.
Internal audit should be able to reserve the right to carry out investigations into the incidents raised in whistleblowing reports as part of its work on giving assurance about internal controls. However, it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management.
Internal audit's role can include promoting whistleblowing best practice, testing and monitoring systems and advising on change where it is needed. But the ultimate operational responsibility for whistleblowing procedures lies with executive management reporting to the board.
Boards should consider corporate culture and whistleblowing together as the two are interrelated.
With the right corporate culture internal whistleblowing will be seen as the normal and acceptable way of reporting wrong-doing, except where there are clear legal or other reasons for approaching a regulator or other authority. Public disclosure to the media should be seen as a last resort and a possible indicator of weakness in internal whistleblowing procedures.
Organisations must disseminate to staff clear policies and procedures on internal whistleblowing so that disclosures can be made with confidence that they will be handled seriously by the organisation and without prejudice to the interests of the individual. Internal processes should be able to preserve anonymity. There should also be a feedback loop to whistleblowers.
Employees should be made aware of external bodies such as regulators and others (e.g. Public Concern at Work) they can approach if the internal procedures have not worked.
Internal audit acting as a whistleblower
While we believe that it is not the job of internal audit to detect or prevent corrupt practices directly, internal auditors often come into possession of critically sensitive information that is substantial to the organisation and poses significant potential consequences. This distinguishes them from many other members of an organisation. This information may relate to exposures, threats, uncertainties, fraud, waste and mismanagement, illegal activities, abuse of power, misconduct that endangers public health or safety, or other wrongdoings. These matters may adversely impact the organisation's reputation, image, competitiveness, success, viability, market values, investments and intangible assets, or earnings. The first channel of communication of this information would be to senior management, or failing that to the board. This should not be seen as whistleblowing but as normal internal audit activity.
However if concerns are not taken seriously or overridden, an internal auditor may well face the prospect of considering whether to to communicate the information outside the organisation, either by external whistleblowing to a regulator or other authority, or by public disclosure.
Should internal auditors find themselves in this situation, both the Chartered IIA and IIA Global have issued a specific practice advisory to members relating to the role of the internal auditor and external whistleblowing - 2440-2: Communicating Sensitive Information Within and Outside the Chain of Command.
This says: Ultimately, the internal auditor makes a professional decision about his or her obligations to the employer. The decision to communicate outside the normal chain of command needs to be based on a well-informed opinion that the wrongdoing is supported by substantial, credible evidence and that a legal or regulatory imperative, or a professional or ethical obligation, requires further action.