I learned important lessons early in my career about internal audit independence and the impairments that can come from reporting relationships. I began my career as a civilian internal auditor for the U.S. Army. At the time, we had more than 1,900 internal review (audit) auditors in more than 300 Army installations and commands around the world. Virtually every one of them worked directly for the comptroller — essentially the equivalent of a corporate chief financial officer (CFO).
Recognizing the importance of auditor independence throughout government, the U.S. comptroller general soon strengthened the independence standards for government auditors and issued new standards that required internal auditors to report to the “head or deputy head” of government agencies. There was an awkward recognition throughout the Army that we were no longer in compliance because we reported to the comptroller; yet the comptrollers were by and large adamant that these reporting relationships not be dissolved.
In the early 1980s, the head of the Army’s internal review organization at the Pentagon conducted an extensive assessment of the independence of internal review in the Army and issued a chilling report on the actual and perceived impairment of our independence by comptrollers. The report documented actual cases of internal audit plans being altered or draft internal audit reports being changed by comptrollers or senior members of their staff. As the result of this report, the Army soon changed its regulations and mandated that internal review departments report to either the chief of staff or the commander (the head or deputy head of most Army installations/commands).
So, what does all of this have to do with anything in corporate America almost 30 years later? I would submit that there were important lessons learned in a short period of time in a venerable institution like the U.S. Army that are being learned/recognized far too slowly in 21st century corporate America. The fact is that in the corporate sector today, it is estimated that more than 50 percent of chief audit executives (CAEs) report administratively to their companies’ CFO. While safeguards such as functional reporting relationships to audit committees of the board may mitigate the risk of the type of interference with internal audit that the Army witnessed at one time, reporting to the CFO is still fraught with risks and challenges for internal audit. I believe it is a sub-optimal relationship.
On the bright side, the past decade has seen marked changes in internal audit reporting relationships — in particular with respect to our functional reporting relationships. The vast majority of CAEs now report functionally to an audit committee, and all the experts seem to agree that this enhances our independence. But several recent internal audit failures have left me wondering: Are internal audit executives really as independent as we like to think we are? And if we are truly independent of management, why do we occasionally see headlines that imply CAE complicity in a financial statement fraud? Could our administrative reporting lines (particularly to CFOs) be an issue?
I am confident that the vast majority of CFOs recognize the important role that internal audit plays in their companies’ systems of risk management and internal controls; however, I fear that the temptation to direct internal audit resources in ways that best serve the CFO’s interests still proves too much for CFOs to overcome. For example, a 2007 report from PricewaterhouseCoopers found that internal audit functions that reported functionally to the CFO were 50 percent more likely to be dedicating resources to the CFO’s priorities (such as SOX compliance) than those functions that reported administratively to the CEO or another C-level executive within the company. It begged the question as to who really does set internal audit’s priorities.
Even if the CAE and CFO are committed to fostering the independence of the internal audit function, the appearance to third parties is often still problematic. The latest statistics would indicate that more than 25 percent of internal audit’s annual audit plan is still directed at providing assurance over the effectiveness of financial controls or other financial-related operations. A third party such as the CEO or audit committee should ponder whether the assurance over the effectiveness of the CFO’s operations is in any way influenced by the reporting relationship. The risks grow even more when the individual serving as the CAE is assigned from the CFO organization into the role for a designated period of time. If the CAE knows that he or she will be dependent on the CFO for his or her next career assignment, how objective can they really be (or appear to be) in assessing the CFO’s areas of responsibility?
Some regulators have begun to speak out much more vocally on internal audit reporting relationships. For example, The Interagency Policy Statement on the Internal Audit Function and its Outsourcing (issued jointly by the Federal Reserve, FDIC, OCC, and OTS in 2003) prescribes that “the internal audit function should be positioned so that the board (of directors) has confidence that the internal audit function will perform its duties with impartiality and not be unduly influenced by managers of day-to-day operations.” The guidance goes on to say that when internal audit reports functionally to a member of management, “the board should consider the potential for diminished objectivity on the part of the internal audit manager (CAE) with respect to audits concerning the executive to whom he or she reports.” Finally, the guidance says, “the chief financial officer, controller, or other similar officer should ideally be excluded from overseeing the internal audit activities even in a dual role (with the CAE reporting functionally to the audit committee).”
There are times when the perception of CFO-controlled internal audit functions takes on even more ominous tones in the minds of third parties. For example, while I was conducting an external quality assessment of a corporate internal audit function several years ago, the company’s general counsel put it to me like this during a one-on-one interview: “You do realize that the internal audit function is under the complete control of the CFO, don’t you? The rest of us (in the C-suite) perceive them as the CFO’s tool to keep us in line.”
The IIA’s International Standards for the Professional Practice of Internal Auditing do not preclude the CFO reporting relationship as does the U.S. Government Auditing Standards (Yellow Book); however, The IIA has gone on record in Practice Advisory 1110-2, stating that “the CAE should report directly to the chief executive officer of the organization.” While not mandatory, IIA Practice Advisories do reflect strongly recommended guidance to which regulators in certain industries are paying increasing attention (as evidenced from the financial services regulations cited above).
So what is the solution to the CFO reporting relationship dilemma? I personally have come to believe it is time for the remainder of internal audit functions to move out from under the CFO. We need strong working relationships with our CFOs, but we also need independence and flexibility to evaluate financial information and to establish audit plans without undue influence (or even the perception of influence). Most CAEs could probably establish a strong working relationship with any member of their executive management team, but the danger of undue influence is greater when internal audit answers to the finance function, either functionally or administratively.
So where should internal audit report administratively? I believe The IIA’s practice advisory has it right. Internal audit should report functionally to the audit committee of the board of directors and administratively to the CEO. I am well aware of the argument that CEOs are too busy to supervise the CAE. However, I heard the same arguments put forth in the Army almost 30 years ago (“commanders and chiefs of staff are too busy to supervise internal review”). Then as now, that is a fallacious argument. Corporate CEOs will embrace the responsibility just as I saw senior military officials do. In fact, once they had the opportunity to directly oversee such a critical component of their system of internal controls, most would not hear of any other reporting relationships. Even today, the CEOs of many of the world’s largest companies who administratively oversee internal audit would not have it any other way.
I’m sure my own experiences involving reporting relationships have colored my perspectives, and many of you have spent more time than I have in non-government audit roles. I would like to take this opportunity to ask for your opinion. What do you consider to be the ideal reporting relationships for CAEs — not only at your own organization, but for all internal audit groups? How would you like to see our reporting relationships evolve over the coming decade? Do you believe The IIA should provide more specific advice for reporting relationships or take any other action to strengthen our reporting relationships?
If we share our opinions on this, I believe we will be fulfilling The Institute’s motto — Progress Through Sharing. Please let us know your thoughts.