Ask almost any CAE if he or she has the full support of the audit committee, and the answer will usually be “yes.” But, in reality, that may not always be the case.
Audit committees typically have our back on the relatively easy stuff — for example, when we explain the need for more resources, or when we propose a change to the internal audit charter or schedule. But support may soften when a really difficult conversation needs to take place.
If I could ask a single question of every audit committee chair, it would be, “Do you think your organization’s chief audit executive would feel comfortable bringing an issue involving CEO compliance or ethics to your attention?” This is critically important: If a CAE hesitates to bring forward sensitive issues involving the most senior executives in the organization, the overall effectiveness of the internal audit function may be seriously compromised. What is even more significant is the legal or reputational risk that festers for the organization if the CAE remains silent under such circumstances.
Most audit committees recognize that fraud is a serious risk, and they look to the external auditors and internal auditors to ferret out misdeeds and report them promptly. However, when an ethics or compliance issue involves the chief executive, it’s not unusual to find the board’s and audit committee’s loyalties divided. Corporate scandals have repeatedly revealed how difficult it can be for any board member to imagine the worst about their organization’s chief executive.
This is an open message to both CAEs and audit committee members: No matter how much faith you have in your organization’s senior executives, remember that even the smartest, most talented people on the planet sometimes do dumb things, and good people are often capable of doing bad things.
We need to be open to the fact that the “unthinkable” might happen. It’s not uncommon to find that a senior executive has violated a travel policy, for example, or that an occasional “justifiable” exception is granted to rules regarding nepotism or cronyism. Calling for an internal audit doesn’t mean that you distrust anyone; it means a consistent policy of “trust but verify” is crucial to the audit function.
A productive working relationship between the audit committee chair and the CAE requires a special kind of trust. The audit committee chair must have confidence that the CAE will bring up any significant risk or problem. The CAE, in turn, must trust that action will be taken when a problem is unearthed — and that no part of the organization is exempt from internal audit.
We never know when a difficult conversation will be necessary, but if we wait until the moment arises, we may have waited too long. It takes time to build trust, and it takes time to build understanding. Ask yourself, “Would I feel comfortable bringing a potential issue about the CEO to my audit committee chair?”
Being a CAE isn’t easy. As a former CAE of a major global company recently put it: “The audit committee always told me they were ‘behind me.’ What I didn’t realize was that, when I had a real battle on my hands in the company, they wouldn’t be ‘with me.’” I encourage both CAEs and audit committee chairs to genuinely assess whether the words of support that are so often uttered by audit committee members in support of internal audit are genuine or hollow. We all need to know that internal audit will have the full support of the audit committee — not just that they stand behind the CAE when routine activities are underway, but that they stand with the CAE every step of the way.
Richard Chambers, CIA, CFE, CGFM, QIAL, CRMA, CGAP, is the founder and Chief Executive of Richard F. Chambers and Associates, LLC. From 2009 to 2021, he served as the president and CEO of The Institute of Internal Auditors (IIA), the global professional association and standard-setting body for internal auditors. Chambers has more than four decades of experience serving in and on behalf of the internal audit profession.