I Still Believe Internal Audit Shouldn’t Report to the CFO

January 31, 2021


Readers of my blog know there are a few things I have harped on over the years. One of them is what I consider to be the outdated practice of having internal audit report administratively to the chief financial officer (CFO).

For years, The IIA has conducted research on internal audit reporting relationships. The good news is our surveys have found a consistently high percentage of chief audit executives (CAEs) who say they report functionally to the audit committee. In fact, more than 80% of North American CAEs surveyed for The IIA’s upcoming 2021 North American Pulse of Internal Audit report say they report functionally to the “audit committee, board, or equivalent.” We see a similar trend globally.

But if an internal audit department suffers from even the appearance of an independence or objectivity impairment, it is not from the functional reporting relationship. Instead, the problem emanates from where it reports administratively. And the most controversial reporting relationship remains to the CFO. It is stunning how often CAEs in North America respond to IIA surveys that they report administratively to the CFO. In the soon-to-be-released Pulse report, we show 73% of internal audit departments in publicly traded organizations have this reporting line. For respondents overall, it is 36%.

Critics of this reporting relationship often contend internal audit could be steered away from auditing the CFO’s area because the “boss” doesn’t want the scrutiny. I actually haven’t found that to be the biggest problem. Instead, statistics I have seen over the years indicate that CFOs are more likely to use internal audit to address key risks in their areas of responsibility at the potential exclusion of non-CFO risks in the organization.

I wrote about this in a 2015 blog post, “Internal Audit Should Never Belong to the CFO,” where I noted that internal audit functions that worked administratively for the CFO were dedicating over 60% more resources to assessing internal controls over financial reporting (ICFR) than those that reported to some other official in executive management. Are ICFR risks 60% greater in companies whose CFOs have oversight of internal audit? I don’t think so. Rather, as I noted then, “I believe that many CFOs who have oversight of internal audit use it to address handiwork that otherwise would fall on other CFO functions. Such are the risks that materialize when internal audit ‘belongs’ to the CFO.”

Before I expound further on what I realize is a controversial point of view, I acknowledge that The IIA’s International Standards for the Professional Practice of Internal Auditing is flexible enough to permit a reporting relationship to the CFO. Standard 1110 states, in part, that the “chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.” Standard 1110.A1 goes a bit further, stating, “The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.”

So, if the Standards don’t explicitly preclude a reporting relationship to the CFO, then why do I continue to express concern? The issue is not really to whom internal audit reports. Instead, it is the degree to which that individual exercises authority over internal audit and impairs its ability to “follow the risks” in the organization. Impairment of internal audit’s independence occurs not only when responsible executives steer internal audit away from sensitive risks in their areas of responsibility. Impairment also occurs when the executives steer internal audit to address risks, or operational matters, of particular interest to them — at the expense of more significant risks to the organization.

I have been sharing my concerns on the inherent dangers of having the internal audit function report administratively to someone other than the CEO since as far back as 2012. In a blog post then, “It Is Time We Move Out From Under the CFO Shadow,” I shared the opinion that:

“It is time for the remainder of internal audit functions to move out from under the CFO. We need strong working relationships with our CFOs, but we also need independence and flexibility to evaluate financial information and to establish audit plans without undue influence (or even the perception of influence). Most CAEs could probably establish a strong working relationship with any member of their executive management team, but the danger of undue influence is greater when internal audit answers to the finance function, either functionally or administratively.”  

I am not alone in recognizing the risks that emerge when internal audit reports administratively to executives with functional responsibilities. The Board of Governors of the U.S. Federal Reserve System issued a supplemental policy statement on the internal audit function in early 2013, part of which provided financial institutions additional clarification regarding internal audit independence. The part of the supplement relevant to this discussion directs audit committees to explain the rationale behind having internal audit report administratively to someone other than the CEO. It specifically states:

“If the CAE reports administratively to someone other than the CEO, the audit committee should document its rationale for this reporting structure, including mitigating controls available for situations that could adversely impact the objectivity of the CAE. In such instances, the audit committee should periodically (at least annually) evaluate whether the CAE is impartial and not unduly influenced by the administrative reporting line arrangement. Further, conflicts of interest for the CAE and all other audit staff should be monitored at least annually with appropriate restrictions placed on auditing areas where conflicts may occur.”

The Fed’s 2013 guidance continues to influence reporting relationship practices in the financial services industry, where only 18% of CAEs indicated they report to the CFO, according to the upcoming Pulse report. That is quite a contrast to the 73% of publicly traded company CAEs’ reporting relationships.

Additionally, The IIA’s International Professional Practices Framework addresses the issue of organizational independence in Implementation Guidance (IG) 1110. Specifically, the IG advises:

“The IIA recommends that the CAE report administratively to the Chief Executive Officer (CEO) so that the CAE is clearly in a senior position, with authority to perform duties unimpeded.”

These important advisories strengthen the argument that the internal audit function must be positioned where it is most advantageous to enhancing true independence as it works to provide unbiased and objective assurance to management and the board.

The challenges facing businesses today are dynamic, global, complex, and emerging faster than at any time in our history. We must, then, do everything we can to protect our ability to enhance internal audit’s independence. When you add to the key attributes of independence and objectivity the factors of perception and credibility, the price is simply too high to continue the practice of internal audit appearing to “belong” to the CFO.

Maybe it’s high time for internal audit to report to the CEO.

About AuditBeacon.com

AuditBeacon.com is a resource center for internal auditors and risk professionals from around the world. In addition to more than 500 blogs authored by Richard Chambers, the site includes links to news and insights on internal audit and other information that illuminates the value of this important profession. AuditBeacon.com is provided as a service by Richard F. Chambers and Associates, LLC.

Copyright © 2023 Richard F. Chambers & Associates. All Rights Reserved.