Regardless of the level of media focus on the issue of sexual harassment, it is important for an internal auditor to maintain a neutral mindset with respect to their involvement with the company harassment system. This is called “applying skepticism.” In this setting, internal auditors should be more concerned with appropriately assessing control risk and allocating resources effectively.
Risk assessment is something internal auditors apply every day. From an internal audit perspective, there are two components of control risk with respect to sexual harassment: 1) the risk that there is noncompliance (either intentional or unintentional), and 2) the risk that the noncompliance is not prevented or is not detected on a timely basis. As a practical consideration, risk may not be absolutely eliminated for numerous reasons, such as cost-benefit constraints, circumvention of controls, inappropriate design and implementation of controls, lack of control environment, accountability, and others. One approach to mitigating risk is to develop and maintain a harassment complaint system for high-risk situations.
Internal audit is ideally positioned to play a role in developing and maintaining an effective harassment complaint system or whistleblower hotline. Internal auditors are trained problem solvers possessing unique experience advising on a wide variety of company topics, ranging from the strengths and weaknesses of internal controls to audits of company operations and finances. In addition, the nature of internal auditing typically brings an auditor into contact with staff throughout the company and at all levels, both management and non-management. Therefore, the internal auditor is a familiar face who can provide a trusted independent objective voice in the review and evaluation of company governance, including compliance with laws and regulations.