No relationship for a chief audit executive (CAE) has been transformed more over the past 20 years than that with the audit committee. According to The IIA’s 2022 North American Pulse of Internal Audit, 90 percent of internal audit departments in North America report functionally to the audit committee. And in publicly traded companies, that number is 95 percent. In many companies, the audit committee holds an executive session with the CAE at every meeting. A lot of questions are asked of internal audit in these meetings, but there are also many unasked questions that should be.
I have long asserted that the audit committee’s success is tied to the effectiveness of internal audit. For that reason, audit committee members must have complete confidence in the internal audit function and its CAE. This confidence can only be achieved and maintained with a strong, continuous, and open dialogue between the CAE and the audit committee. Of course, dialogue is a two-way street; it’s as much the responsibility of the CAE as the committee members themselves. But the committee must be willing to drive that dialogue in a way that provides evidence of internal audit’s professionalism, business knowledge, and risk acumen.
Over the years, I have addressed audit committee members in a variety of forums. I am often asked the age-old question: “What should the audit committee be asking the CAE?” The topics of conversation between the CAE and the audit committee are too numerous and variable to list in a single blog. However, there are five probing questions that, as an audit committee member, I would want the CAE to answer. These answers (as well as the resulting conversation) should not only provide the audit committee with enhanced confidence in the internal audit function but should also foster trust and candor in the important relationship between the audit committee and CAE.
1. Is internal audit following the International Standards for the Professional Practice of Internal Auditing (Standards), and what were the results of the last external quality assessment?
To be able to rely on information from internal audit, the first step is to ensure the department understands what practicing as a “professional internal auditor” means. The Standards provide that guidance. And by verifying that the department understands and applies them, as well as employs methods that will ensure adherence to the Standards, the audit committee can have a high level of confidence in the assurance that internal audit is providing on the adequacy and effectiveness of risk management and internal controls.
2. How is internal audit identifying new and emerging risks and how is it continuously monitoring risks and revising the audit plan accordingly?
Once there is assurance that the department understands professionalism as it relates to internal auditing, the next step is to ensure that internal audit is focused on the most critical risks to the enterprise. The most fundamental of these tasks is the establishment of an effective method for identifying new and emerging risks. Modern internal audit must execute its responsibilities in an era of unprecedented risk velocity and risk volatility. In The IIA’s 2022 Pulse survey, 74% of respondents rated “responding to new and emerging risks” as one of their top 3 concerns. Internal auditors must remain vigilant in identifying new risks and in continuously monitoring risks the enterprise faces. Audit committees should encourage internal audit as it scans the horizon, and adapts its plans accordingly
3. What are the top five risks that internal audit is not addressing due to a lack of resources or skills?
Too often, the only question the audit committee asks about internal audit’s resources is: “Are they adequate?” As an audit committee member, I would ask more than that. I would want to know whether the resources are adequate to address the company’s critical risks. One means of answering that question is to understand what is not getting done. If there are key risks that are not being addressed due to internal audit’s resource or competency constraints, the audit committee should know what they are. Furthermore, members should be comfortable with the fact that they will not have assurance from internal audit for risks that are not being addressed.
4. What strategies is internal audit deploying to ensure greater understanding of the business by audit staff?
One key to the success of an audit department is how well it understands the organization’s business. Without a strong understanding of the company’s business strategies, organization, and processes, internal audit will struggle to assess risks adequately and to provide assurance and insight into the effectiveness of operations. This does not mean all auditors have to be experts. But it does mean that the department should have plans in place to ensure all staff are continuously learning about how the business operates.
5. Based on internal audit coverage during the prior year, what is the CAE’s assessment of the overall effectiveness of the company’s internal controls and risk management?
And now we come to the most important question of all – the question that I often find is on virtually every audit committee member’s mind but is rarely asked. In seeking the answer to this question, the audit committee is asking the CAE to “connect the dots.” However, the committee must be prepared for an answer that it does not want to hear: that the body of internal audit’s work over the past year has not been adequate for an “unqualified” opinion or assessment on the adequacy of risk management and controls. In communicating any opinions, the CAE should be prepared to communicate qualifications based on the extent of internal audit’s coverage. If the audit committee is not comfortable with a qualified answer, then a discussion about internal audit’s resources needs to be back on the table.
I suspect that these questions will generate some discomfort (and maybe even controversy). Sometimes, it is easier to engage in conversations with the audit committee in a “don’t ask – don’t tell” environment. Tough questions, such as those I pose above, will invariably elicit some uncomfortable answers. However, these questions drive to the heart of what we do in internal auditing. If they are troublesome, if they cannot be answered, if they represent areas where you fall short, then start taking the steps necessary to make changes in your operations. And, even if you have all the answers, find ways to make those answers even better.
I welcome your thoughts on these five questions or any that I have left off of the list.