As we continue to navigate the treacherous risk landscape that includes an ongoing global pandemic, much is being said and written about whether internal auditors are stepping up for their organizations. I am certain we are contributing value during this time, but I also know it may not always be evident — that’s because many internal auditors are not comfortable extolling their contributions in audit committee meetings.
No relationship for a chief audit executive (CAE) has been transformed more in the 21st century than that with the audit committee. According to The IIA’s Audit Executive Center, 90 percent of North American internal audit departments in publicly traded companies report functionally to the audit committee (and 80 percent overall). And in many companies, the audit committee holds a discussion session with the CAE at every meeting. Yet often these executive sessions are nothing more than a brief exchange of pleasantries with audit committee members tossing “hardball” questions like, “Do you have enough resources?”
The audit committee’s success is tied to the effectiveness of the internal audit department. Accordingly, audit committee members must have complete confidence in the internal audit function and the CAE. That can be achieved only with a strong, continuous, and open dialogue between the CAE and audit committee.
Of course, dialogue is a two-way street: It’s as much the responsibility of the CAE as the committee members themselves. But both parties must be willing to drive that dialogue in a way that provides evidence that internal audit is focused on the right risks — particularly in the COVID-19 environment.
If neither the audit committee nor the CAE is interested in consequential or provocative conversations, frankly, none will take place. But with so much at stake, I challenge CAEs to take the lead in discussing how internal audit is responding in the pandemic.
Here are five things the CAE should be able to tell the audit committee now — and ensure that audit committee members are hearing.
1. Internal audit has altered its coverage dramatically to address the risks presented by the COVID-19 health and financial crisis.Recent surveys by The IIA and others confirm that sweeping changes were made to internal audit plans in the first half of 2020. Almost 50 percent cancelled some of the engagements on their annual plan, in most cases replacing them with new engagements to address pandemic-related risks. While it is likely CAEs are briefing their audit committees about changes to the plan, this presents a unique opportunity to explore the rationale behind such changes — including whether they were requested by management or initiated by internal audit.
2. Internal audit is employing a continuous methodology to assess risks, and identifying those that present the most significant threats to the organization — before they arrive. I have been expounding on the need to audit at the speed of risk for years. Risk velocity has never been greater than it is now. The IIA and International Federation of Accountants (IFAC) recently jointly issued Six Recommendations for Audit Committees Operating in the “New Normal.” The first of those recommendations is: “Staying informed: Audit committees must have a clear-eyed view and understanding of risk areas, and internal audit should support this by providing timely risk assessments. In a post-COVID world, those assessments will be more frequent and possibly continuous.”
The audit committee will gain real comfort by knowing that internal audit is looking at and beyond the horizon in identifying risks for audit coverage. For more on this topic, check out my 2018 blog: Internal Audit and Emerging Risks: From Hilltops to Desktops.
3. Internal audit has adapted to a remote workplace environment, and no key risks are falling through the cracks because they can’t be audited in person.In the face of the pandemic, a great many professionals have been working remotely. Internal auditors are no different. Adapting to this environment requires a resilient and transformative mindset. A recent whitepaper from AuditBoard, Building Operational Resiliency, offers five critical steps for internal audit to respond to crisis-related challenges:
4. Internal audit continues to emphasize audit quality despite the obstacles. While it may be obvious, internal audit must not relax its commitment to quality or conformance with The IIA’s International Professional Practices Framework (IPPF). Most internal audit departments have time-tested comprehensive methodologies for undertaking internal audits. In conformance with IIA Standard 1300, CAEs must “maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.” When evidence can’t be physically examined because of a remote work environment (as 25% of respondents to a recent survey by the accounting firm Frazier & Deeter reported), internal audit’s policies and procedures must be updated to ensure that a basis for internal audit’s conclusions can be established. In communicating with the audit committee, the CAE should embrace the opportunity to emphasize the department’s commitment to quality and the steps being taken in the current environment to ensure the accuracy and timeliness of the information it provides.
5. The impacts from the pandemic will linger well into 2021. Internal audit is already assessing the risks and planning audit coverage. Finally, internal audit should already be focused on key risks for 2021. An ongoing dialogue with the audit committee will not only ensure its members are well-informed, but that their perspectives are being considered. This year has been full of disruptive and unexpected events. While 2021 is still months away, it is likely that key risks will linger or become more severe. These risks are likely to include:
There is obviously a lot to unpack from this blog. CAEs have a lot on their plates in 2020, and keeping the audit committee fully and currently informed should always be top of mind. Of course, I captioned my list as “five things the CAE should be able to tell the audit committee now.” The list clearly implies that these are things we are doing. If not, you have more work to do than briefing the audit committee.
I welcome your thoughts.