Leadership · Insight · Knowledge

Welcome to the Institute of Internal Auditors New Zealand, the professional body for internal auditing

About UsJoin Us

What is internal audit?

Internal audit is a dynamic profession that provides independent assurance that an organisation's risk management, governance and internal control processes are operating effectively Essentially, Internal Auditors help organisations to succeed.

Read More

Membership benefits

Join our professional community and access a range of local and international benefits to expand your thinking, knowledge and networks.

Learn MoreJoin Now

Events & training

Connect with other internal audit, risk and assurance professionals and grow your knowledge and skills with a range of online and local events.

Find out more

Subscribe to newsletters

Subscribe to monthly IIA NZ Newsletters here

Subscribe

home | News & Media | news archive | September-2017

Internal Audits role in whistleblowing

 

Internal Audits role in whistleblowing

By James Rees-Thomas
Institute of Internal Auditors New Zealand Board Member

As we often hear on the sports field – it ends at the final whistle. But when it comes to reporting inappropriate behaviour in an organisational setting, this metaphorical blowing of the whistle actually signals the start of a very important process. The whistle can only be blown effectively if the action occurs from within a well-constructed and supportive framework. This includes a healthy organisational culture and sincere tone from the top, a robust system for escalating concerns of wrongdoing and established people and process elements that work cohesively and collectively to promote ethical and compliant behaviour.

Internal Audit has a part to play in all of this. The recently published State Services Commission (SSC) report into the aftermath of the Ministry of Transport (MOT) fraud is a useful catalyst for action for the profession. The report is valuable because it prompts the reader to reflect on, for the first time in recent memory, the legislative and organisational frameworks that should exist to support the act of whistleblowing.

These include:

  • The Protected Disclosures Act, what it covers and its limitations
  • As a logical consequence, the difference between organisational wrongdoing, and “serious wrongdoing” as defined by the Act
  • The current scope of systems and processes that organisations have in place for dealing with concerns of wrongdoing and potential gaps
  • The impact on the person raising the concern and the safeguards necessary to ensure that disclosing a wrongdoing does not result in the whistleblower being disadvantaged.

While the Protected Disclosures Act provides a (albeit limited) basis for protecting the courageous among us, it is fair to say many New Zealanders either don’t understand it or don’t trust its application. Incidents like that which led to the SSC’s investigation of whistleblowing by MOT staff has the unfortunate result of reinforcing such perceptions.

Internal Audit’s professional standards, social obligation and corporate responsibilities coupled with its natural independence makes it the ideal guardian for disclosures of wrongdoing. This means an organisation’s Chief Internal Auditor (CIA) or equivalent is best placed to ensure the following are in place. The table below, previously published in our May and June newsletters, and now expanded in light of the SSC’s findings:

Recommendation

Reccommedation

Expansion

Organisations should maintain a whistleblower mechanism (phone, email or personal disclosure) that enables employees to report their concerns safely and confidentially.

Internal Audit should administer, monitor and maintain the organisation’s whistleblowing mechanism. This should be configured to ensure wrongdoing concerns are disclosed directly and confidentially to the Chief Internal Auditor (CIA) or equivalent.

The recipient of the disclosure should be knowledgeable in the Protective Disclosure Act, and its practical application in a work setting.

The CIA should be knowledgeable in the Act and its limitations and ensure that staff are encouraged and able to raise concerns of wrongdoing even if these do not fall within the narrow definition of the Act.

Mechanisms should exist to ensure and safeguard the independence of the recipient of the disclosure, or alternatively, effectively workflow the disclosure while protecting the integrity of the disclosed information and that of the whistleblower.

The whistleblowing mechanism should be regularly tested for confidentiality and security. Underlying policies and processes should be in place to manage disclosures in a manner that protects the whistleblower and ensures the organisation meets its obligations to them as a good employer.

The recipient of the disclosure should hold an office of sufficient authority (organisational hierarchy, reporting lines and mandate) to reassure the whistleblower that the disclosure will be safeguarded and pursued.

The CIA should occupy a position of sufficient seniority and possess delegated authority to give staff confidence and guarantee that they will be protected without fear of punishment or reprisal.

MoST Content Management V3.0.9220