Independence and objectivity are hallmarks of great internal audit functions and the professional men and women who lead them. Against this backdrop, the prevailing model for the profession mandates the establishment of separate functional and administrative reporting lines that foster that independence and impartiality.
Over the years, I have observed that chief audit executives (CAEs) are less likely to be unduly influenced by management when they have a strong functional reporting relationship to the board or audit committee. Without such a relationship, it is very easy for management to restrict the scope of internal audit’s work and to suppress any unfavorable results.
The IIA’s 2022 North American Pulse of Internal Audit survey offers encouraging news about the progress being made along this front, with more than 90 percent of respondents having a functional reporting line to an audit committee or the board of directors. In the financial services industry, internal audit reports functionally to the audit committee or board an impressive 98 percent of the time.
But as with all things theoretical, all that glitters is not necessarily gold.
The benefits of separate functional and administrative reporting lines are quickly mitigated when boards and audit committees fail to support and nurture that separation, and nowhere is that more evident than when boards or audit committees “sit on their hands” when it comes to hiring and firing the CAE.
Having the right CAE in place is a basic requirement for an effective internal audit function. The person in this position not only oversees the planning and execution of a risk-based audit plan, but ensures that the proper resources and staff are in place to get it done. He or she also must have intimate knowledge of the organization’s operational capabilities and risk appetite, and must build key relationships with management and the board to engender credibility, respect, and ultimately, trust. Above all, the individual must have the courage to address delicate or difficult issues when warranted, and to “call it like it is.”
In a previous blog post, I commented extensively on the dangers of low pay for CAEs, and how such practices are more than just examples of short-sighted efforts to save money. Indeed, in some instances it is a calculated and rather treacherous way to keep the internal audit function in check.
Readers of that post appropriately noted that such underhanded strategies are not just limited to CAE pay. Limiting staffing budgets, delaying or reducing internal audit’s scope of work, and delaying or rejecting necessary travel are examples of other ways management can undermine internal audit functions.
It is therefore imperative for audit committees and boards to remain closely involved and attuned to all functions and interactions between management and the CAE.
A figure from The IIA’s last Common Body of Knowledge study was not overly encouraging on audit committee involvement in hiring CAEs. That data indicated that the board, audit committee, or their respective chairs have the final say in hiring the CAE among more than 60 percent of respondents’ organizations. But as I noted at the time, this figure can be misleading.
In many instances the process for choosing a new CAE, including establishing job qualifications, salary, and benefits, is determined entirely by management, which then presents finalists, or worse yet a single candidate, to the audit committee for approval. Too many audit committees, already overworked by growing responsibilities, regulatory pressures, and commitments outside the organization, are all too eager to rubber stamp management’s choice. There is also a reluctance to question management’s judgment or to challenge a candidate who has been hand-picked by the CEO or chief financial officer for the role of CAE. When this happens, the newly appointed CAEs often feel fully beholden to management, and many tend to view the functional reporting line to the audit committee or board as a hollow reporting relationship.
Ideally, the audit committee should take charge of the hiring process to ensure the CAE not only reports to them, but also has the qualifications and independent mind-set necessary for the role.
Similarly, audit committees must be heavily involved in any effort to fire or move the CAE into a different role within the organization. They must ensure that such moves are truly in the best interest of the organization and not just for the convenience of management. Over the years, I have seen far too many instances where management has continued to rotate individuals out of the CAE role until it found someone it believed it could easily control. This, of course, renders the entire purpose behind separate reporting lines moot. A CAE who parrots the management line is of little use to the board.
Boards and audit committees serve an essential role in good governance by providing direction and oversight on risk management and internal control. Performing this critical role includes selecting and appointing the CAE, and that role should never be delegated to management.
As always, I’m eager to hear your views on the subject.