As a newly appointed chief audit executive many years ago, I tried early to identify the other executives in the organization who would be our strongest allies. I reported to the CEO, but quickly established a strong rapport with the COO, CFO and the general counsel (the chief legal officer). I felt they all supported our mission and were champions for the work we did. Then, suddenly, I locked horns with one of them, and the relationship was in serious disarray.

During the course of an audit. one of my audit teams discovered a potential legal violation in the use of government funds for a construction project. Responsible management officials were adamant that they had done everything correctly, and they even obtained a legal opinion prior to construction. Nevertheless, I promptly reported the audit finding to the CEO, who was alarmed at the potential consequences. The next day, I received a call from the general counsel, telling me that the CEO had asked him to investigate the issue. Without hesitation, I asked how he could objectively review something that his attorneys had signed off on? He nodded and sheepishly acknowledged that I had made a good point.

During my next update with the CEO, he mentioned that the general counsel had told him of my objection to the internal legal staff’s further involvement. The CEO indicated that an outside counsel would now be retained to undertake the investigation. But then he said something I didn’t expect: “Richard, you should never challenge the general counsel. He is always on your side, and will do what is right for the organization.” I heard what the CEO said, but I wasn’t so sure whose side the general counsel was really on when the chips were on the table.

Fast forward 25 years, and this is still a topic that comes up often during internal audit roundtable discussions, and there is no shortage of opinions. Too often, CAEs express frustration with general counsels who, they believe, are more concerned about reputational and legal risks than in affording internal audit the opportunity to fully articulate results of its work.

To be sure, reputational and legal risks are important. However, general counsels too often prefer to eliminate those risks altogether in internal audit reports — in effect, silencing internal audit from sharing critical information with the board or audit committee.

Over the years, I have learned of heavy-handed actions by a number of corporate attorneys — for example, how internal auditors were persuaded to inappropriately refrain from characterizing certain foreign expenses as U.S. Foreign Corrupt Practices Act violations. The argument most often advanced is that the expenses in question are legal “facilitation payments.” Faced with intimidating legal expertise, internal auditors often fold their hands, leaving potentially critical information concealed.

As Robert Mundheim (former Dean of the University of Pennsylvania Law School) noted several years ago, “The general counsel is supposed to provide advice on the legal environment and legal responsibilities.” Mundheim also correctly points out, “General counsel’s role as a partner to senior management does create tensions. General counsel must retain the ability to make clear-eyed professional judgments and to have the backbone to raise issues with the appropriate decision-maker if, for example, the proposed course of action raises issues of compliance with the law.”

By no means am I suggesting that the CAE should disregard the advice of general counsel. Rather, I believe we must be cautious in accepting general counsel’s guidance as infallible. When it comes to the CAE’s relationship with general counsel, I suggest that it be guided by at least five principles:

• Mutual trust that each party is acting in the best interest of the organization.
• Respect for the respective roles of each party and the prism through which each views risks.
• Communication on a continuous basis to foster effective risk management, internal controls, and corporate governance.
• Collaboration to ensure risks are effectively managed and internal controls are effectively designed and implemented throughout the organization.
• Recognition of the right of each party to agree to disagree, when warranted.

That last principle should be rarely needed, but when it is, both parties should agree that the audit committee of the board must be apprised and, when appropriate, it should arbitrate the points of disagreement. The principle is intended to allow each party to makes it argument when seeing things from a fundamentally different point of view.

Back to the original question: “Is the general counsel friend or foe?” It certainly would be counterproductive for an organization if the answer is foe. However, it is unrealistic to assume that general counsel will always agree with internal audit. Instead, I characterize the best relationship as one of “professional colleagues.” The general counsel should be internal audit’s advocate, not its adversary.

My own journey with the general counsel in my company did have a happy ending. After the awkward encounter over the contract legal advice, we mutually worked to rebuild trust. He later admitted that he was more embarrassed than angry that I called out his objectivity. We went on to tackle other complicated legal issues that arose from our audit reports, and remained good friends even after I left the organization.

I welcome your thoughts.