At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week’s editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

QUESTION

In creating an internal audit charter, we stated that internal audit shall have full and unrestricted access to all company records, personnel, and so forth, which is pretty standard. When our legal department reviewed the document they disagreed with the full and unrestricted access, and suggested a change to state that access must comply with legal privilege, contractual obligations, and regulatory requirements.

Does this conflict with internal audit being independent of management and audit’s need to access proper evidence to carry out our audits? My interpretation is that this conflicts with the Institute of Internal Auditing standards and could be interpreted as a limitation of scope in appearance. Are my concerns valid or am I overreacting?

ANSWER

What you describe is a fairly common scenario that we see in many companies: The internal audit and legal departments are both doing their jobs to protect the company and to mitigate risks, in their own ways of course. This sometimes presents conflicts in the approaches that each department takes, and the only way to resolve such conflicts is to understand where each side “is coming from.”

That said, every situation is unique and no “one size fits all” approach solves every such difference of opinion. Fortunately, you can turn to best practices that the industry has adopted as a baseline for your arguments and use that to justify your position on the internal audit charter you are creating.

Specifically, in your situation, the IIA standards clearly support your argument that internal audit must have full and unrestricted access to all company records, personnel, board members, and the like. However, they also say that information given to internal audit “must be handled in the same prudent and confidential manner as by those employees normally accountable for them.” In legalese, this translates into the “must comply with legal privilege, contractual obligations, and regulatory requirements” that your legal department wants you to include.

I therefore recommend the following:

Base your charter on generally accepted industry standards, in particular the sample charters available at the IIA website. Adopting best practices is always a good way to put your legal department at ease, and more importantly to defend and protect your company in the event of a lawsuit.

Discuss with, and explain to, your legal department the highly restrictive nature of the phrase they want to add. Explain why the alternate, but equally protective phrase (“documents and information given to internal audit must be handled in the same prudent and confidential manner as by those employees normally accountable for them”) will achieve the same goals while still letting you do your job without any hindrance or harm.

Clearly establish and state in the chain of command or hierarchy that internal audit reports to the audit committee and that its activities are supervised and monitored by the audit committee. This enables IA to retain its independence while still being held accountable to the best interests of the company. The legal department’s concerns and fears will be allayed by the additional oversight provided by the audit committee.

Both internal audit and the legal department exist to protect the company. As a result, they are both risk averse in their own ways. Frequently the legal department goes a step beyond internal audit and imposes conditions that could prevent internal audit from doing its job to the fullest extent possible. What we have seen here is one example. In most cases, it comes down to communication and “expectation setting.”

I applaud you for going through the appropriate channels (namely, legal) to have your IA charter “blessed” by them before you make it a living, breathing, enforceable document within your company. That alone should help make your legal team feel comfortable that whenever sticky or questionable situations arise (and inevitably they will), the IA team will solicit the input of the legal department when it makes sense to do so.

Hope this helps, and congratulations on taking the first steps toward an IA charter. The good news is: It only gets easier from here. This is based on my experience working with IA departments from more than a dozen companies. Getting started is always the hardest part.