Those who follow me know that I have long been an outspoken defender of internal auditors and chief audit executives who are victims of retaliation, or simply victims of cultures that don’t welcome oversight. I recently applauded a jury who awarded the former CAE of a Washington state university more than $3 million in compensation for retaliation against her. As I observed in the blog:

During my years as president and CEO of The IIA, I advocated strongly for the protection of internal auditors. When instances of retaliation occurred or were strongly suspected, I spoke out. Most times, the problem was in the public sector. But that was only because of greater transparency in government. I knew there were plenty of instances in the private sector, as well. Sadly, those cases often went unreported.

It didn’t take long after the blog was published before I started hearing from those who were on the receiving end of retaliation in the corporate sector. None of it surprised me. No matter how many times I have written that it is a “hazard of the trade,” it still happens far too often.

The practice of ushering out a CAE who is simply doing his or her job is bad enough. But a practice that is even more egregious occurs in companies who make a practice of doing it until they get what they believe will be a go-along-to-get-along CAE. I have referred to this practice as “CAE shopping” and it happens more often than you think. Unfortunately, there is no formal requirement for publicly traded companies to even report they have a CAE – much less that they have had three in three years!

CAE shopping often flies under the radar, and only the displaced former CAEs who were pushed out in quick succession realize what happened. This phenomenon isn’t confined to specific industries or organizational sizes. I recall a Fortune 500 company where clashes between management and a seasoned CAE led to their demotion and subsequent replacement, only for the replacement to be replaced within a year. To an outsider, this revolving door of CAEs should have raised red flags about internal company dynamics.

As I’ve emphasized in previous writings, the effectiveness of an internal audit function diminishes when management can handpick a CAE who aligns with their agenda. A cozy relationship between the CAE and management undermines the organization’s best interests. Moreover, senior management’s resistance to robust internal audit leadership may signal a toxic or misaligned corporate culture, favoring compliance over vigilance.

This scenario points once again to inadequate oversight by the audit committee. A situation where management can override the CAE indicates a failure on the part of the audit committee to fulfill its role as the functional reporting line for internal audit. As I observed in a January 2024 blog titled: Where Are Audit Committees When The Head of Internal Audit is Being Fired?:

Audit committees must be heavily involved in any effort to fire or move the CAE into a different role within the organization…They must ensure that such moves are truly in the best interest of the organization and not just for the convenience of management. I have been dismayed by cases where management continuously rotates individuals out of the CAE role until it finds someone it can easily control. This, of course, renders the entire purpose behind separate reporting lines moot. A CAE who routinely “carries management’s water” is of little value to the board.

So, what can be done to protect CAEs who are moved out of their roles because they might not be perceived as the team players management wants? I believe we need regulatory disclosure requirements. If publicly traded companies were required to disclose CAE arrivals and departures as part of annual reports to the SEC or similar regulators, some executives might reflect a little longer before making these moves. And boards might be far more attentive when the practice occurs. A succession of annual reports indicating the old CAE departed and a new one arrived would serve as a red flag to regulators and shareholders alike.

While a disclosure requirement would be a step in the right direction, we are unfortunately a long way from making that happen. In the United States, the SEC and NASDAQ don’t even require listed companies to have an internal audit function – much less report on its operation. Now that Internal Audit Month is behind us, let’s rededicate ourselves to exploring how we create awareness with regulators about the protections the internal audit profession needs.  

Before closing, let me temper this discussion. There are instances where the CAEs performance doesn’t meet the company’s requirements, and turnover in this position is natural in any organization. However, sudden exits, demotions, or repeated dismissals of CAEs should raise alarms for investors, regulators, and investigators. If such occurrences become frequent or coincide with a wave of voluntary departures from the internal audit department, it warrants serious inquiry. CAE Shopping signifies deeper organizational and cultural issues and is unfortunately a practice that is alive and unwell in 2024.