The Changing Role of Internal Auditors
Every company knows that its internal auditing function is the lifeblood of its compliance program. Some companies carry that to an extreme by placing the overall compliance function in the auditing department. As we all know, that is a mistake.
Auditing plays a critical role in every compliance program. Why? For obvious reasons, internal auditors usually are the first to uncover improper payments. So far, in 2012, the Justice Department has settled two FCPA cases in which the internal auditors were most directly responsible for failing to act when they uncovered (or should have uncovered) improper payments. On the other hand, several major disclosures this year of potential FCPA violations were the result of findings made by internal auditors.
Compliance officers and internal auditors work hand-in-hand. Historically, internal auditors have adhered to a “materiality” standard when conducting internal audits. That has changed, and will continue to change, in response to aggressive FCPA enforcement.
Internal auditors are now applying a “blended” approach which includes not only “materiality” but extends to risks such as bribery, fraud and other financial misconduct. It is a welcome development. Petty cash funds which usually escaped any review are now regularly included in internal audit reviews. 
Also, internal auditors are now employing more sophisticated sampling techniques to try and identify trends and potential risks without conducting burdensome and time consuming audits of entire divisions of organizations.
Given the limited resources available to internal auditors in a global company, the selection and design of an audit program must be carefully executed against an overlay of priorities and risks. Priorities have to be set based on these risks, while recognizing the importance of audits to identify important trends in operations.
Internal auditors are becoming even more skilled in conducting interviews of company personnel. The old model of auditors discovering a problem and turning it over to compliance or legal professionals is fading.
In reality, auditors may uncover a financial problem and conduct an all important initial interview of a manager or employee to try and get an explanation. This initial discussion can be critical to the company’s response to the problem.
In most cases, the manager and employee will deny any wrongdoing. That is not unusual. The initial explanation, however, usually becomes important as the first step in eventually breaking down the cover story and finding out the truth of what occurred.
Internal auditors are usually skilled in conducting these interviews. They have evidence of a problem and they need an explanation. It is hard to lie to an auditor when the numbers are staring an employee in the face.
It is no coincidence that internal auditors are usually the ones to identify and uncover an illegal bribery scheme. The internal auditing profession has embraced its new role, and done so with professionalism and diligence.
Internal auditing is an important tool and a related area is third party auditing. This is an approach that has yet to take hold. (I was co-author of the TI Assurance Framework published in June which covers assurance of the design of an anti-bribery programme*). It may be some time before companies feel confident enough to undergo external assurance and that will depend on the willingness of assurers to take on such engagements. The accountants are concerned about liability risks and also potential public misunderstanding of the assurance report. On another front we are seeing interest in certification as the BSI 10500 Specification for an Anti-bribery Management System was published last November and some companies are now undergoing certification against this. A proposal is now going into ISO for a global certification standard.
*http://www.business-anti-corruption.com/fileadmin/user_upload/pdf/TI-Assurance-Framework.pdf
Peter Wilkinson
Peter Wilkinson associates
I ran the quality program for internal audit at Siemens during the post-bribery reconstruction from October 2008 onwards. I developed an assurance approach for us to use and am convinced it changes the game completely for internal audit as well as for management. However, there are challenges. Not least in educating all (management as well as the auditors themselves) about what it means to deliver assurance, adopting new disciplines and being very careful to distinguish between positive assurance and unqualified opinions. This is far from easy to accomplish but I firmly believe the profession needs to go this way, otherwise, there is no clear, market-wide standard that governs the deliverable of internal auditors. And yet, we audit against clear, market wide regulations.