An Open Letter to Audit Committee members
To: Members of the audit committee
From: Richard Chambers
Re: Reassessing your role when it comes to internal audit
Congratulations on being a member of the audit committee for your company!
Your service in this role reflects that you are a seasoned executive whose business and financial acumen places you among the elite members of your board. However, before you pat yourself on the back for the job you are doing, perhaps you should reflect on the full scope of your responsibilities.
The role of the audit committee and its value to the organization have dramatically increased in importance in the past decade. Regulators, executive management, and shareholders increasingly rely on the audit committee to provide significant direction and oversight, not just on financial controls and reporting, but also on a growing list of complex risks that challenge all modern businesses.
Your qualifications as an audit committee member likely include significant experience with, or knowledge of, financial controls and reporting. It is also likely that you are deeply familiar with the role the external auditor plays as the independent reviewer of financial statements. In fact, you probably think the oversight of the external auditors is the most important responsibility you have as an audit committee member.
It is less likely that you have a deep understanding of the internal audit function, the support it can provide to the audit committee and management, and the value it brings to the organization. Seasoned audit committee members often describe internal audit as their “eyes and ears” in the organization, and they see the chief audit executive (CAE) as a trusted adviser who can be relied upon for valuable insight on the effectiveness of the organization’s risk management and internal controls.
If your background didn’t afford you a lot of contact with strong internal audit functions, it might be useful to review the key roles internal auditors play and the value they can bring:
- Risk-based assurance on the effectiveness of internal controls to mitigate financial, operational, compliance, and strategic/business risks. Audit committee members often view this as the most critical service internal audit provides. You are charged with oversight of risk management, but where do you get your assurance? During an era of “risk bedlam” when new risks seemingly emerge at warp speed from out of nowhere, your internal auditors and risk managers can have your back. Use them!
- Assurance on the effectiveness of risk management. Good internal auditing is based on an understanding of the organization’s risks, risk management, risk appetite, and risk culture. In the post-global-financial-crisis era, corporate boards are expected to provide oversight of risk management in their companies. There is no more objective source of assurance on the effectiveness of risk management than a well-resourced, independent internal audit function.
- Insight and foresight. Audit committee members are sometimes inclined to think of internal auditors in a 20th century context — as bean-counters who are focused on the past (hindsight). However, 21st century internal auditors are equipped to provide insight and advice on risk management and control in the company. They also are increasingly able to offer foresight — perspectives on strategic and business challenges the company could face if key risks are not effectively identified and managed.
- Assurance and insight on the health of the corporate culture. Some of the 21st century’s biggest corporate scandals, from Enron and WorldCom to “Dieselgate” and Wells Fargo’s woes, have been attributed to culture or, more specifically, the breakdown of organizational culture. Internal audit is positioned to keep its finger on the pulse of corporate culture and report problems before they grow into scandals.
Of course, these benefits and more can be realized only when the internal audit function is allowed to do its job. This will require a number of commitments from you and your fellow audit committee members. The audit committee must:
- Develop strong communications with the CAE. Frank and frequent communication with the CAE, including executive sessions free from management influence, is fundamental to a healthy and independent internal audit function.
- Demand and support a dual-reporting system. Internal audit’s independence relies on being free from management pressures. That is why the CAE should report administratively to the highest levels of management (preferably the CEO) and functionally to the audit committee.
- Ensure adequate resources. The internal audit function can be muted or manipulated by management in a number of ways. One of the most insidious and effective ways is through the purse strings. The audit committee must ensure that internal audit has the budget to do its job.
- Ensure the company has a strong CAE. A good audit committee is intimately involved in the CAE’s hiring, firing, performance review, and compensation. Those responsibilities cannot be handed over solely to management, as they can be used to manipulate the internal audit function through the assignment of CAEs who are not qualified or fully objective.
Strong audit committee members add value by asking probing questions. Not long ago, I authored a blog post on Five Questions the Audit Committee Should Ask the CAE – But Doesn’t. I would encourage you to review that list before your next meeting. Don’t be reluctant to raise these and other pertinent questions when internal audit is in the room.
The external auditors may be more important to you than the internal auditors. But consider this: the most lethal risks to shareholder value aren’t financial. They’re strategic, business, operational, and compliance risks. Guess who audits those?
Best of luck as you reassess how to get more value from your internal auditors. Please don’t hesitate to reach out to me if you have any questions.
Sincerely,
Richard F. Chambers
I welcome your comments via LinkedIn or Twitter (@rfchambers).