When I served as The IIA’s Global Chairman of the Board, my theme for the year was “Mind the Gap.” The gap, of course, refers to the potential misalignment when internal audit fails to meet stakeholders’ expectations. It has been a few years since my theme echoed around the globe, and the world has changed – a lot. Sadly, what hasn’t changed is that expectation gaps still occur in many organizations.
With that backdrop, I thought it would be timely to offer some additional insight into the topic in what is clearly a coachable moment for chief audit executives.
Navigating through a consistently turbulent and unpredictable present and future places a range of demands on CAEs. This is compounded by expanding expectations, conflicting demands, and intense scrutiny in an environment of growing complexity, disruption, and ever-accelerating change.
If the CAE comes to understand and appreciate the role and input of the audit committee and board, they will more closely align to those charged with governance. The need to be proactive, display strong and ethical leadership, and ensure that the right issues and concerns are addressed is non-negotiable. Engage with the audit committee with foresight, looking beyond the horizon, and apply seasoned judgement.
There is no doubt that we are in an era in which opportunities exist to reinvent, rescale and reposition.
CAEs Should Start With A Forward-Looking Vision
It is crucial for CAEs to possess a strong vision that aligns with their organization’s strategic direction and stakeholders’ expectations. This vision, in turn, should translate into strategic and measurable plans propelled by an appropriate investment in modern audit systems, including sophisticated analytical and digital tools.
Additionally, to support the vision’s achievement, internal audit must transform. This requires new and relevant skills among internal audit staff. I suggest that CAEs focus on mentorships and talent development, as well as an ability to source the right skills, when required. Working in collaboration with the audit committee, CAEs are equipped to successfully tackle any problems that might arise, including potential bottlenecks.
CAEs also should be comfortable in their senior role in an organization and meet that responsibility by taking clear ownership of internal audit while exhibiting peer-level executive business acumen and gravitas, bringing bold perspectives and strategic thinking in support of a strong control environment.
The CAE, in other words, needs to think like a board member – and appreciate the audit committee’s pain points.
CAEs also should intuitively recognize that internal audit’s vision of a sound control environment – and the ability to add value to the business – is facilitated through strong communications. This involves informing, educating and earning the trust of a variety of stakeholders, especially those who might have differing views and expectations.
One way to accomplish this is to establish very close alignment with stakeholders by building partnerships across the three lines of defense and to make connections across business units and functions to enhance an integrated assurance strategy. I’m confident that CAEs should not experience difficulty in maintaining independence while establishing such liaisons.
Building Trust With The Audit Committee
Success for the CAE depends on a productive, trusting relationship with audit committee members. How do you get there? I often engage them through a range of probing questions, such as:
- Do we understand each other’s roles and responsibilities?
- Are we comfortable that management performs at least an annual risk assessment that is reviewed by the board? Is there a strategy in place for dealing with emerging risks?
- Do we believe the risk-assessment process prioritizes key risks? Does the process cover the full risk landscape and is it based on the correct assumptions?
- Is the audit committee confident that sufficient assurance is provided over risk exposures? Are there mitigating controls in place?
- What is the risk appetite and risk tolerance of the organization?
- To what extent is compliance achieved? Are we aligned with regard to the risk maturity of the organization?
- Is the audit committee confident that it has the required skills to provide risk oversight? How might the CAE assist them?
- Do we collectively understand where and how the organization makes its money?
- Are we confident that the reputation of our organization is well protected?
- Do we understand the culture of our organization and of the leadership team, and should we unpack what that means?
- What could really damage our organization in the next few years? Are we satisfied with any existing strategy to deal with such challenges?
- Are we discussing our cash-flow situation? Cash-flow peaks and values?
- How does bad news get to the top?
Besides other mandate expectations, it’s advisable that the CAE:
- Attends all audit committee meetings and other interventions – and always comes prepared.
- Is fully aware of the organization’s situation.
- Asks questions.
- Is a good listener.
- Does not make assumptions or decide on actions unless well informed.
- Reviews their written job descriptions covering duties and responsibilities as a CAE, and considers any charter amendments.
- Is fully versed with the organization’s corporate governance guidelines and, if the CAE feels there need to be changes, insists on having the board consider them.
- Continuously monitors and reviews the organization’s activities throughout the year.
- Continuously assesses how their own team is doing and adapts staffing, skill and technology needs accordingly.
- Assesses how information gathered through external assistance was received. Did the outsourcing better inform completion of the internal audit plan? Did it improve the organization’s risk-and-control environment? Should the CAE use that consultant again and what lessons were learned?
- Is a team player.
- Is always aware of their responsibility to the organization and to the audit committee.
- Is deeply familiar with the organization’s operations and its relationship with stakeholders, including employees, customers, suppliers, the community in which the organization does business, government, regulators and others.
- Is comfortable with the level of director educational programs and attendance requirements. How has the CAE assisted in this regard?
- Is fully informed on what is required of an audit committee and educated on the latest nuances in good corporate governance.
- Is fully familiar with ethical responsibilities, as well as those of other members of management.
- Has a handle on their experiences during the past year regarding audit committee dynamics. Is there anything the chairman should know?
For the CAE to be seen as playing an effective role in the success of the organization, they must be respectful of the C-suite, senior management, members of the audit committee and others. The chairman of the audit committee wants the CAE to be loyal and ethical, a trusted advisor and a confidant. The chairman may seek alternative views from the CAE, and the CAE must be well prepared for that.
Importantly, the chairman should want the CAE to be an active participant in audit committee meetings – not just there to present their report. This could mean altering course, but ultimately, the CAE is there to make a positive contribution and build sustainable trust.
I welcome your comments via LinkedIn or Twitter (@rfchambers).