How Internal Audit Can Help Protect Employees

Employees frequently head the list of an organization’s most valuable assets, but processes for protecting employees are far less likely to be audited than inventory, fixed assets, or receivables. CAEs have an important role to play in creating a safer workplace for employees, contractors, vendors, and other third parties on the job. Learn more about how internal auditors can evaluate enterprise risks to worker safety and well-being in this article by Tom O’Reilly, originally published in the IIA’s Internal Auditor magazine.

What’s an Organization’s Most Important Asset?

Ask any CEO what the organization’s most important asset is, and he or she will likely answer that it’s the business’ employees. Employees make the cash register ring, invent new products and services, and help meet the needs of the organization’s customers and market.

Yet too often, when chief audit executives (CAEs) are asked what organizational asset they most commonly audit, their answers include inventory, fixed assets, receivables, and petty cash. They are far less likely to audit processes for protecting employees.

How Can CAEs Help Their Organization Create a Safer Workplace?

CAEs can help their organization create a safer workplace by auditing the processes in place for protecting the organization’s employees, contractors, vendors, and other third parties on the job. They can start by better understanding the emotional, physical, and financial risks that put workers’ well-being in danger and developing a plan to evaluate the related business processes.

Workplace Behavior

Of the many troubling events that came to light in recent years, perhaps the most significant was the glaring inability of many organizations to protect their employees from the inappropriate behaviors of others at work. In terms of personal risks, two behaviors stand out: inappropriate sexual behavior and bullying.

Inappropriate sexual behavior includes leering, standing too close to others, and touching others in ways that make them uncomfortable, or worse. Nonphysical misconduct includes telling sexually explicit jokes, using sexual anecdotes, and sharing pornographic images.

The Workplace Bullying Institute (WBI) defines workplace bullying as abusive conduct that threatens, humiliates, or intimidates co-workers, as well as other behaviors, such as verbal abuse or sabotage, that interfere with a co-worker's ability to perform his or her responsibilities. A 2017 WBI survey found that 19 percent of U.S. adults have experienced workplace bullying directly and that 37 percent, once witnesses are included, have been affected by it.

Internal auditors can help their organization prevent or detect inappropriate workplace behavior. Practitioners who have audited ethics processes should know to evaluate whether the organization has a code of conduct that highlights inappropriate workplace behavior. That code should provide information on how to report that behavior and detail its consequences. In addition to confirming that the CEO and senior management clearly and frequently communicate this message, internal auditors should evaluate whether middle managers are doing the same.

The audit scope also should include evaluating the channels available for employees to report inappropriate behavior. Auditors should determine whether the organization has a hotline, whether employees are aware of it, and whether they can report anonymously and without fear of retaliation. Are hotline reports addressed in a timely manner, investigated thoroughly, and resolved? Do the CEO and the relevant board committee periodically receive information on hotline awareness, call volumes, and the related investigations?

Physical Protection

The impact of high-profile events such as the BP oil spill and shootings at businesses, schools, and universities put organizations on notice about the importance of physical safeguards to protect employees. But it is not only low-likelihood, high-impact events that can result in workers being hurt, hospitalized, disabled, or even killed.

Organizations sometimes put their employees at risk because of unsafe working conditions. This is especially true for employees who operate heavy equipment and machinery, work in construction zones, or work with or near hazardous materials. Organizations also may fail to protect their employees if they are not prepared for events such as tornadoes, hurricanes, geopolitical unrest, and violent acts by employees or others.

Internal auditors can perform many types of audits to evaluate how these safety risks are being managed. Auditing against U.S. Occupational Safety and Health Administration (OSHA) standards can help identify safety issues in different working conditions and determine whether workers are following generally accepted safety practices when working in high-risk areas.

Part of an organization's business continuity program should proactively identify the risks from natural disasters and terrorist incidents. The program also should determine whether employees are aware of, and trained on, the organization's crisis management plans. Internal auditors can leverage the ASIS International physical security standards or the physical and environmental security controls in the International Organization for Standardization's ISO 27001 standard for information security management systems to evaluate the mechanisms in place to deter or detect potential intruders. Moreover, they can recommend managing or restricting access to areas that may harm employees.

One way CAEs can focus the CEO’s attention on employee safety is to remind executives that their own safety is at risk. They should evaluate the security measures in place to protect top executives and their families from being kidnapped or held for ransom.

Data Privacy

Loss and theft of employee data, including names, Social Security numbers, email addresses, and banking information, puts employees at serious risk of identity theft and fraud. This data allows criminals to take advantage of unaware employees by creating credit card or loan accounts in their names, or collecting medical payments or Social Security benefits. Hackers use sophisticated cyberattacks to steal employee data in bulk or use phishing tactics to steal it from individuals. Employee data also is at risk from other workers who have access to it and intend to misuse it.

Perhaps the easiest way a CAE can help protect employee data is to carry out a data governance and management project. Internal auditors can document what employee data their organization has, where it is located—such as in paper records or on the network—who has access to it, and the controls in place to prevent or detect unauthorized access.

Evaluating the organization’s records management program can add value if employee data is stored in physical documents. Other audits include access-rights reviews of applications and systems that store sensitive employee data, and cybersecurity audits that evaluate how effectively an organization’s network protects employee data and detects cyberattacks.
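One concrete way to carry out the access-rights review mentioned above is to reconcile the application's account export against the HR roster and an approved role matrix, then flag the exceptions an auditor would sample. The following is an added example, not code from the original article or from its author; every user ID, department, role name and the 90-day dormancy threshold are constructed assumptions for illustration.

```python
"""Access-rights review for an application that stores employee PII.

Added example, not from the original article. Reconciles an application's
account export against the HR roster (the authoritative record of who still
works here) and an approved role-to-department matrix. All data below is
constructed; the role names, departments and the 90-day dormancy threshold
are assumptions, not the article's.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    status: str                  # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    role: str
    last_login: Optional[date]   # None means the account has never logged in


# Review date for the constructed data.
AS_OF = date(2024, 3, 1)

# Hypothetical HR roster.
HR_ROSTER = {
    e.user_id: e for e in [
        Employee("ajones", "Human Resources", "active"),
        Employee("bsmith", "Finance", "active"),
        Employee("cchen", "Human Resources", "terminated"),
        Employee("dpatel", "Legal", "active"),
        Employee("eweber", "Human Resources", "active"),
    ]
}

# Hypothetical export of the HR/payroll application's user table.
APP_ACCOUNTS = [
    Account("ajones", "HR_ADMIN", date(2024, 2, 27)),      # clean
    Account("bsmith", "HR_ADMIN", date(2024, 2, 20)),      # Finance user holding an HR-only role
    Account("cchen", "READ_ONLY", date(2024, 2, 1)),       # terminated but still enabled
    Account("dpatel", "READ_ONLY", date(2023, 1, 5)),      # dormant
    Account("eweber", "PAYROLL", None),                    # never used
    Account("svc_legacy", "HR_ADMIN", date(2024, 2, 28)),  # no matching employee
]

# Approved role matrix (assumed): which departments may hold each role.
ENTITLED_ROLES = {
    "HR_ADMIN": {"Human Resources"},
    "PAYROLL": {"Human Resources", "Finance"},
    "READ_ONLY": {"Human Resources", "Finance", "Legal"},
}


def review_access(accounts, roster, entitled_roles, as_of, stale_days=90):
    """Return (user_id, code, detail) for every exception found.

    Checks, in order: no owner in HR (ORPHANED); owner terminated
    (TERMINATED); role not approved for the owner's department
    (UNENTITLED_ROLE); no login within stale_days (DORMANT).
    """
    findings = []
    for acct in accounts:
        emp = roster.get(acct.user_id)
        if emp is None:
            findings.append((acct.user_id, "ORPHANED", "no matching HR record"))
            continue
        if emp.status == "terminated":
            findings.append((acct.user_id, "TERMINATED", "terminated employee still has access"))
            continue
        if emp.department not in entitled_roles.get(acct.role, set()):
            findings.append((acct.user_id, "UNENTITLED_ROLE",
                             f"role {acct.role} not approved for {emp.department}"))
        if acct.last_login is None or (as_of - acct.last_login).days > stale_days:
            findings.append((acct.user_id, "DORMANT", f"no login in the last {stale_days} days"))
    return findings


def summarize(findings):
    """Count findings by code, for the audit report."""
    counts = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


def review_sample():
    """Run the review over the constructed data above."""
    return review_access(APP_ACCOUNTS, HR_ROSTER, ENTITLED_ROLES, AS_OF)


if __name__ == "__main__":
    results = review_sample()
    for user_id, code, detail in results:
        print(f"{user_id:12} {code:16} {detail}")
    print(summarize(results))
```

Orphaned and terminated accounts are reported once and skipped for the remaining checks, since removing the account resolves everything else; an active employee can carry both an unentitled role and a dormancy finding, which is why the function returns a list rather than a single verdict per account.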

A Top Risk

Successful organizations understand it’s their workers who make them thrive. Unsafe working conditions will make key employees flee, with lower revenues and margins quick to follow. Organizations with effective processes to protect their employees can experience higher employee morale and increased productivity. They also may be less likely to pay fines for noncompliance with related laws and regulations, better ensure the continuity of operations, and prevent damage to their reputation.

If people are an organization’s most important asset, then the risks posed to those people should be among the top risks in the business. Internal auditors who can shed light on these risks and how well-controlled these processes are can gain their CEO’s and board’s attention and support.

This article, originally titled "Protecting Employees," was reprinted with permission from the April 2018 issue of Internal Auditor, published by The Institute of Internal Auditors, Inc.

Tom O'Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets and collaborates with the AuditBoard community and customers, sharing internal audit and connected risk strategies and tactics to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.