Internal Audit’s role in whistleblowing

By James Rees-Thomas
Institute of Internal Auditors New Zealand Board Member

As we often hear on the sports field – it ends at the final whistle. But when it comes to reporting inappropriate behaviour in an organisational setting, this metaphorical blowing of the whistle actually signals the start of a very important process. The whistle can only be blown effectively if the action occurs from within a well-constructed and supportive framework. This includes a healthy organisational culture and sincere tone from the top, a robust system for escalating concerns of wrongdoing and established people and process elements that work cohesively and collectively to promote ethical and compliant behaviour.

Internal Audit has a part to play in all of this. The recently published State Services Commission (SSC) report into the aftermath of the Ministry of Transport (MOT) fraud is a useful catalyst for action for the profession. The report is valuable because it prompts the reader to reflect on, for the first time in recent memory, the legislative and organisational frameworks that should exist to support the act of whistleblowing.

These include:

  • The Protected Disclosures Act, what it covers and its limitations
  • As a logical consequence, the difference between organisational wrongdoing, and “serious wrongdoing” as defined by the Act
  • The current scope of systems and processes that organisations have in place for dealing with concerns of wrongdoing and potential gaps
  • The impact on the person raising the concern and the safeguards necessary to ensure that disclosing a wrongdoing does not result in the whistleblower being disadvantaged.

While the Protected Disclosures Act provides an (albeit limited) basis for protecting the courageous among us, it is fair to say many New Zealanders either don’t understand it or don’t trust its application. Incidents like that which led to the SSC’s investigation of whistleblowing by MOT staff have the unfortunate result of reinforcing such perceptions.

Internal Audit’s professional standards, social obligation and corporate responsibilities, coupled with its natural independence, make it the ideal guardian for disclosures of wrongdoing. This means an organisation’s Chief Internal Auditor (CIA) or equivalent is best placed to ensure the following are in place. The table below was previously published in our May and June newsletters and has now been expanded in light of the SSC’s findings:




Organisations should maintain a whistleblower mechanism (phone, email or personal disclosure) that enables employees to report their concerns safely and confidentially.

Internal Audit should administer, monitor and maintain the organisation’s whistleblowing mechanism. This should be configured to ensure wrongdoing concerns are disclosed directly and confidentially to the Chief Internal Auditor (CIA) or equivalent.

The recipient of the disclosure should be knowledgeable in the Protected Disclosures Act and its practical application in a work setting.

The CIA should be knowledgeable in the Act and its limitations and ensure that staff are encouraged and able to raise concerns of wrongdoing even if these do not fall within the narrow definition of the Act.

Mechanisms should exist to ensure and safeguard the independence of the recipient of the disclosure, or alternatively, effectively workflow the disclosure while protecting the integrity of the disclosed information and that of the whistleblower.

The whistleblowing mechanism should be regularly tested for confidentiality and security. Underlying policies and processes should be in place to manage disclosures in a manner that protects the whistleblower and ensures the organisation meets its obligations to them as a good employer.

The recipient of the disclosure should hold an office of sufficient authority (organisational hierarchy, reporting lines and mandate) to reassure the whistleblower that the disclosure will be safeguarded and pursued.

The CIA should occupy a position of sufficient seniority and possess delegated authority to give staff confidence and guarantee that they will be protected without fear of punishment or reprisal.
