IIA Position Paper on Whistleblowing -

Articles on Fraud Investigation

IIA Position Paper on Whistleblowing
Application to Internal Auditors in Government

The IIA's "Position Paper on Whistleblowing" (IIA Today, September/October 1995, page 12) prompted the following inquiry to the Internal Audit Standards Board (IASB) of the IIA:

The Issues:

In state government, the internal auditor has been hired and appointed as a result of competitive examination administered and graded by the civil service agency (part of the executive branch); but was interviewed and recommended for appointment by management in the agency where the internal auditor works (also part of the executive branch). The internal auditor's pay check is authorized and drawn by the State Comptroller (an elected official independent of the executive branch), and paid from the state's general fund appropriation for the agency, as authorized by the state legislature. The internal auditor is both a public servant, and a public officer obliged to guard the best interests of the citizenry that ultimately employees him/her. The internal auditor reviews agency operations and reports to the commissioner of the agency. In government, there's no such thing as an "audit committee" that has the purpose, character and function of an audit committee in private industry.

A state internal auditor encounters the following hypothetical situation:

The internal auditor conducts a review and finds that the agency where the auditor works has entered into a memorandum of understanding with a public college wherein the public college functions as a contractor to the agency. The auditor discovers that actions taken by the public college in conjunction with the normal contract activities place the state at risk of violating a federal law. If the federal law is violated, it will be the state, as the overriding legal entity, that will be held liable for civil penalties, damages and restitution. Agency counsel are of the opinion that the law is not being violated by the agency, and that if the law is being broken by the public college, the agency itself is not at risk. Agency management, taking their cue from counsel, do nothing regarding the actions of the public college.

Where would this situation leave the internal auditor under the Standards and the Code of Ethics? Some might argue that as an employee of the state, the internal auditor has an obligation to go outside the agency and notify the Judicial branch - the State's elected Attorney General (since the State as a whole is at risk), and notify the general public through the final report.

Others might argue that the internal auditor's obligation ceases once agency counsel concluded that the agency itself was not in danger of violating the law; and that going to the State's Attorney General is "whistleblowing" ("the unauthorized dissemination by internal auditors of audit results, findings, opinions or information acquired in the course of performing their duties to anyone outside the organization or to the general public)"; and that such disclosure is neither required nor justified under the Standards or the Code of Ethics. Some might go even further and say that since agency counsel concluded there is no material risk to the agency, the internal auditor should not even include the issue in the final audit report (a public document).

The Questions

The internal auditor must resolve:

first, what constitutes the "organization": the agency where the auditor is physically located and where the audits are performed; or the State itself - the entity that encumbers and pays the auditor's salary;

second, since the final audit report becomes a public document, is it appropriate to include the issue and counsel's opinion in the final report; and

third, should the auditor suborn his/her opinion to that of counsel in this matter if the internl auditor believes too narrow a view has been taken by counsel.

Summary of the IASB Assessment:

The "organization" is the agency where the internal auditor is physically located and where audits are performed. When the internal auditor issues an internal audit report to the agency head the requirements of the Standards for the Professional Practice of Internal Auditing have been met. Barring additional requirements under law or regulation, the internal auditor is not obligated to forward the audit report to any authority outside the agency.

The state agency can not prevent improper expenditure of funds by any sub-recipient. The state agency's responsibility is to establish systems of internal control to assure that they are made aware of such violations in a timely manner for review, corrective action, and follow-up. It is the responsibility of the CPA (or State Auditor), auditing the college under OMB Circular A-128 or A-133 , to include in his audit report violations of federal laws or violations of contractual agreements.

When appropriate, the state's own CPA or State Auditor, or the agency internal auditor, should look for assurance that the state agency receives and reviews the public college's audit reports and that the state agency performs follow-up to monitor contract compliance, as required under OBM Circulars A-128 or A-133. The internal auditor might consider, with approval of the agency's Director of Internal Auditing, contacting the college's external and/or internal auditor to see if they have considered compliance with federal regulations a concern.

The internal audit report should report the basis for conclusions reached, and where appropriate, provide the user with the rationale followed. It is possible that the opinion of legal counsel may need to be discussed in the report to provide full disclosure to report users. If the internal auditor disagrees with agency counsel's opinion , the internal auditor might consider asking legal counsel to request an Attorney General's opinion on the issue.

The Detailed IASB Response:

"(The) inquiry raised several issues about an internal auditor's role in state government. ... In some instances, we were not able to provide complete answers (due to) lack of information or incomplete knowledge of the (state) laws, rules, and regulations that guide the internal audit function.

...It appears that moneys being provided to the public college by the state agency include federal funds. In all likelihood the amount of funds received by the public college from the state agency meet the dollar thresholds that require an audit under OMB Circular A-128, Audits of State and Local Governments, or OMB Circular A-133, Audits of Institutions of Higher Education or Nonprofit Organizations. As such the state agency should have required the public college by contract to engage an independent public accountant to audit the college for compliance with the terms of federal grant agreements.

If a violation is found, it is the responsibility of the CPA auditing the public college, to report the violation in his audit report. A copy of the CPA report should be forwarded to the state agency for review and follow-up. If there are questioned costs, in all likelihood any moneys to be paid back to the federal government will come from college funds. While it is true that moneys which might have to be paid back come from the state as a whole, we do not feel that the state agency can prevent the improper expenditure of funds by any sub-recipient. The state agency's responsibility is to establish systems of internal control to assure that they are made aware of such violations in a timely manner for review, corrective action, and follow-up. It is the responsibility of the CPA (or State Auditor) auditing the college, to include in his audit report violations of federal laws or contractual agreements. This is true unless there is some contractual agreement that requires the state agency internal auditor to audit the expenditure of funds by the college.

It is the responsibility of the CPA or State Auditor, auditing the state agency, to review the systems of internal control within the agency. The CPA would look for assurance that the sub-recipient contracts require the performance of audits pursuant to OMB Circular A-128 or A-133. When appropriate the CPA would also look for assurance that the state agency receives and reviews the public college's audit reports and that the state agency performs follow-up to monitor contract compliance. If there are violations, the state agency would be expected to address those issues prior to entering into future contracts with the public college. It is possible that the internal auditor may have also reviewed the system of internal controls when conducting internal audits within his agency.

Government Auditing Standards issued by the Comptroller General of the United States and the requirements of OMB Circulars A-128 and A-133 address external reporting to funding agencies and also address the auditor's responsibility to ensure that the funding organizations, as well as other organizations receive copies of audit reports.

When the internal auditor issues an internal audit report to the agency head he has met the requirements of the Standards for the Professional Practice of Internal Auditing. If any further distribution of the internal audit report is called for, we would suggest the internal auditor review state statute or executive branch rules or regulations which may address the distribution of internal audit reports beyond the requirements of the IIA Standards and may provide further clarification on reporting responsibilities.

Some additional suggestions may be to: (1) review the contract between the state agency and the public college to determine external audit requirements; (2) obtain a copy of the college's independent auditor report and review for comments about noncompliance with the specific contracts (grant) in question; and (3) review internal controls within the agency relating to the grant, to include the college's fiscal and programmatic reporting and the state agency's monitoring and follow-up procedures. In addition, the internal auditor might consider, with approval of the agency's Director of Internal Auditing, contacting the college's external and/or internal auditor to see if they have considered compliance with federal regulations a concern. The organization is the agency where the internal auditor is physically located and where audits are performed. State statutes, which established the internal audit function, might broaden the internal auditor's reporting responsibilities beyond the agency to which assigned. Statutes, rules and/or regulations relating to the internal audit function should be considered when defining the organization.

(Regarding possible violation of laws) it would appear that the focus should be on the systems of internal control established within (the) agency to assure that audits of the public college by its independent auditor are forwarded to the state agency for its review, follow-up, and corrective actions. If (the internal auditor) disagrees with agency counsel, (the internal auditor) might consider asking legal counsel to request an Attorney General's opinion on the issue.

It may be appropriate to address the question in the internal audit report and providing the user of the report legal counsel's rationale and opinion that helped to resolve the issue. Internal auditors should be very careful if this approach is used. Internal auditors should consider providing legal counsel an opportunity to review and comment on the proposed report to avoid a later problem with interpretation.

There needs to be clear and continuing communication with legal counsel. The internal audit report should report the basis for conclusions reached, and where appropriate, provide the user with the rationale followed. It is possible that the opinion of legal counsel may need to be discussed in the report to provide full disclosure to report users."

Internal Auditing and Fraud Investigation

Mark R. Simmons, CIA, CFE

Articles on Fraud Investigation