After writing my first blog on the Volkswagen emissions scandal I thought I should expand and explain why auditors would have a responsibility to act. I think many people are still sceptical about whether employees should involve internal auditors if they have concerns about what they are being asked to do.
Modern internal auditors should not be focusing on whether processes have been followed, but on the big risks that keep the board awake at night. Normally, internal auditors would base their audits on an assessment of the risks they had identified. However, they would also act if risks were flagged up to them. Internal auditors might not have a formal role operating a whistleblowing process, though they would certainly be able to steer whistleblowers in the right direction and ensure that their concerns were acted upon. Once internal auditors are involved they have a responsibility to ensure that serious concerns are not simply ignored or dropped. Their place in the organisation means they have the ability, and the power, to persevere if they have valid concerns.
Internal auditor – power through independence
Internal auditors are in a powerful position because they are independent of the normal management hierarchy. They are accountable to the board. Good internal auditors cannot be intimidated by the threat to go over their heads; they know that is a bluff. If internal auditors have a concern they will raise it with senior management. If the concern is not addressed, and it is sufficiently serious, then they have the right and duty to escalate their concern all the way to the board, where there should be non-exec directors who are not involved in the management of the corporation. The VW scandal would certainly have been sufficiently serious to require internal audit to escalate to the very top – if they had been aware of what was happening.
Internal auditors have to report on significant risks that affect the corporation. The risk to which VW was exposed by the emissions cheating was obviously massive. Just look at the consequences of the scandal being exposed. Also, consider how likely they were to be caught. There was always a serious risk of that because independent emissions testers who were checking emissions during road running would obtain dramatically different results from the official tests. That is how VW were caught. So a risk with dramatic, adverse consequences, and a significant probability of being realised, would be off the scale of any risk assessment.
So, in principle, the situation is clear for internal auditors who discover, or are tipped off about illegal behaviour. Breaking the law introduces big risks and the auditors have a duty to act, regardless of any ethical considerations.
Internal audit and ethical concerns
The situation is murkier if it is a strictly ethical issue. Internal auditors might have personal views, but they wouldn’t necessarily have a professional duty to act. As a rule of thumb I would describe ethical issues that require audit interest as being those which concern actions that are not illegal but which would be difficult to defend in public. They would entail some reputational damage. One possibility is developing software that is quite legal where it is being developed and tested, but which is intended for use in a jurisdiction where it would be illegal. Alternatively, using the software might actually be illegal in that country, but developing it would be within the law and the company is intending to sell it or use it elsewhere.
Another possibility is “creative compliance”, where software is intended to exploit a loophole and defeat the ends of regulation. That could be particularly dodgy, because it could rest on a mistaken interpretation of the law and be genuinely illegal, or it might expose the company to very damaging publicity, or to damaging legal action before it could be established that it wasn’t illegal. Those are all the sorts of things that I believe auditors would have a legitimate interest in.
It’s hard to say where auditors or testers should draw the line. I wouldn’t expect either to have any responsibility to act on the sort of routine, dark pattern usability tricks that some companies get up to. That means website features that designers know will trick users into selecting add-ons, or more expensive purchases. In usability circles these are known as dark patterns. It’s an interesting subject. I find use of these tricks distasteful, and wouldn’t want to be involved, but that is a personal judgment rather than a professional one. Auditors would have a responsibility to get involved if the dark patterns edged over into fraud, or if there was a serious risk of damaging publicity. Companies that do it, but stay on the right side of the law, are generally known for that sort of behaviour, and have decided to live with the image. I’m not naming any airlines!
VW and the testing role
I have been wondering since I wrote my previous blog whether I have been unduly harsh on the VW testers in the absence of clear evidence. That would be a fair charge if I had named testers, or if I had suggested there had been a specific failure at a certain time and place. I stand by my belief that there was a moral and professional failure on the part of the VW testing community, a failure of the testing role. Given the complexity of software development in a large corporation it seems quite possible that the engine control software was assembled and tested over a lengthy period, in such a way that it would be unreasonable to pin a charge of negligence on any individual person or even team.
Nevertheless, my understanding of testing is that it should provide an assessment of what the product does, and that the testing role should enjoy some independence, or at least protection, from project management and development. If there had been such an assessment of the full functionality of the engine control software then the managers responsible for software testing would have known about the illegal defeat device.
I believe that the testers would then have had a duty to raise concerns with the development management and, if they did not receive a satisfactory response, escalate the matter to internal audit, or the compliance professionals, who would have had a clear legal responsibility to act. Whether the testers’ duty to report their concerns was an ethical or a legal duty is debatable, and that may well be argued in court. My personal stance is that testers should always have open access to internal audit. Internal auditors have to report on the risks that scare the top guys, the ones that would keep them awake at night. If testers uncover information about such risks, can there be any defence for them if they keep quiet? And if they fail to find out anything about big risks that are present in the software, then what is the point of testing?