Elizabeth Johnstone, the chairman of the ASX Corporate Governance Council in Australia, has a frank message for internal auditors: stop being intimidated by company executives and board members.
While Johnstone was addressing risk and governance failures in Australia, including multiple scandals at the Commonwealth Bank of Australia, her words serve as a good reminder to internal auditors everywhere to “speak truth to power,” escalate problems that go unresolved, and to demand accountability.
“From my own research, I have found instances where internal auditors have found issues but didn’t follow through to a satisfactory resolution,” Johnstone said during a speech today in Melbourne to the Internal Auditors Conference. She told the group of internal auditors that too often they have been intimidated into changing reports or have not been bold enough to confront those in positions of power with their concerns.
Major Failures at CBA
An investigation by Australian regulators into several governance and risk failures at Commonwealth Bank of Australia and other banks found inadequate risk management processes, poor oversight, unclear lines of accountability, and “weaknesses in how issues, incidents, and risks were identified and escalated through the institution and a lack of urgency in their subsequent management and resolution.” The Australian Prudential Regulation Authority, which conducted the investigation, laid at least part of the blame at the feet of internal audit.
During the the past year CBA, Australia’s largest bank, has been reeling from several scandals, including admitting it had lied to corporate regulators to cover up charging thousands of customers for services it did not provide. The bank also violated anti-money laundering laws, employed advisors who gave faulty financial advice, lost financial data for 20 million accounts, and was accused of collecting banking fees from customers it knew were deceased.
Internal Auditors ‘Too Timid’
Prior to her speech to the Internal Auditors Conference, Johnstone conducted more than 100 interviews with board members, CEOs, heads of risk management functions, outside advisors, and internal auditors. “People were very candid with me,” she told the Australian Financial Review in an interview before her speech.
“A number of people said to me internal auditors don’t have the experience or the seniority to speak truth to power. They are timid in the boardroom or they are too readily able to be intimidated,” she continued. “They don’t command the attention with the audit risk committees that they should, let alone the board. I was very surprised about that.”
Johnstone also said that internal audit needs to do a better job of connecting the dots among audits into various parts of a company, identifying patterns in behavior, and finding root causes of problems, including the influence of culture. She noted that the investigations into CBA and other banks found that internal audit had been aware of some of the problems and had identified some of the most serious issues.
“In some cases they have been intimidated and have diluted their reports,” she told the conference. “And in other cases they frankly haven’t been bold or brave enough to speak with authority to those who needed to hear their concerns.”
“What we don’t want to see is a relationship that becomes too cozy, where cultures become too collegial to the detriment of appropriate accountability.” 