Companies have new reason to staff up and empower internal audit departments after the U.S. Department of Justice issued new guidance on how its prosecutors should evaluate corporate compliance programs.
In “The Evaluation of Corporate Compliance Programs,” the DOJ tells prosecutors to, among other things, assess whether internal audit functions are conducted “at a level sufficient to ensure their independence and accuracy.” That should serve as an indicator to prosecutors of whether compliance personnel “are in fact empowered and positioned” to effectively detect and prevent misconduct, the guidance says.
The DOJ’s guidance is meant to signal to companies how their compliance efforts will be regarded by prosecutors if or when misconduct is discovered. That will help prosecutors determine whether to give companies some credit for at least trying to do the right thing, even if their policies and programs failed to deter or detect wrongdoing.
With respect specifically to internal audit, the DOJ guidance also tells prosecutors to assess the process the company uses for determining where and how frequently internal audit will undertake any given audit, along with the rationale behind the process. “How are audits carried out?” the guidance asks. “What types of audits would have identified issues relevant to the misconduct?”
Prosecutors should further consider what audits occurred, what they uncovered, what kinds of audit findings and remediation activities have been reported to the board on a regular basis, how management and the board have responded, and how often internal audit conducts assessments in high-risk areas.
Jim Pelletier, vice president of standards and professional knowledge at the Institute of Internal Auditors, says the latest DOJ guidance represents the first time federal prosecutors have specifically addressed the role of internal audit in corporate compliance. “The Department of Justice is recognizing the role internal audit plays when it comes to an investigatory, compliance program,” says Pelletier. “When they are looking at the potential bad activity in organizations, the guidance says here’s internal audit’s role.”
No law explicitly requires companies to have internal audit departments, except banking regulations that require entities in financial services to house internal audit functions. Internal audit became a significant force in helping companies comply with Sarbanes-Oxley, and some companies still regard internal audit’s role as confined to financial and accounting controls, says Pelletier. “That really makes up a small piece of what internal audit is doing these days,” he says.
As an example, the IIA recently released a new paper reinforcing what internal audit provides to organizations around fraud risk. Internal auditors are expected by the profession to identify red flags, understand the characteristics of fraud and the techniques used to commit it, evaluate the indicators of fraud, and evaluate the effectiveness of controls to deter or detect fraud.
“If you’re a board member or a CEO, it’s important for you to understand internal audit is your independence assurance provider,” says Pelletier. “There are specific roles they need to play when it comes to assuring that fraud risk is being examined. In some organizations, internal audit may be underutilized.”