Independence and objectivity are hallmarks of great internal audit functions and the professional men and women who lead them. Against this backdrop, the prevailing model for the profession mandates the establishment of separate functional and administrative reporting lines that foster that independence and impartiality.
From my experience, heads of audit are less likely to be unduly influenced by management when they have a strong functional reporting relationship to the board or audit committee. Without such a relationship, it is very easy for management to confine the scope of internal audit’s work and to suppress any unfavorable results.
Recent data from the 2015 Common Body of Knowledge Global (CBOK) Practitioners Survey offers encouraging news about the progress being made along this front, with more than 70 percent of respondents having a functional reporting line to an audit committee or the board of directors.
But as with all things theoretical, reality tends to throw a wrench or spanner in the works.
The benefits of separate functional and administrative reporting lines are quickly mitigated when boards and audit committees fail to support and nurture that separation, and nowhere is that more evident than when boards or audit committees “sit on their hands” when it comes to hiring and firing the CAE.
Having the right CAE in place is a basic requirement for an effective internal audit function. The person in this position not only oversees the planning and execution of a risk-based audit plan, but ensures that the proper resources and staff are in place to get it done. He or she also must have intimate knowledge of the organization’s operational capabilities and risk appetite, and must build key relationships with management and the board to engender credibility, respect, and ultimately, trust. Above all, the individual must have the courage to address delicate or difficult issues when warranted, and to “call it like it is.”
In a previous blog post, I commented extensively on the dangers of low pay for CAEs, and how such practices are more than just examples of short-sighted efforts to save money. Indeed, in some instances it is a calculated and rather treacherous way to keep the internal audit function in check.
Readers of that post appropriately noted that such underhanded strategies are not just limited to CAE pay. Limited staffing budgets, delaying or reducing internal audit’s scope of work, and delaying or rejecting necessary travel are examples of other ways management can undermine internal audit functions.
It is therefore imperative for audit committees and boards to remain closely involved and attuned to all functions and interactions between management and the CAE.
Another figure from the CBOK survey would suggest concerns about audit committee involvement in hiring CAEs are overblown. That data shows that the board, audit committee, or their respective chairs have the final say in hiring the CAE among more than 60 percent or respondents’ organizations. But this figure can be misleading.
In many instances the process for choosing a new CAE, including establishing job qualifications, salary and benefits, are all determined by management, who then presents finalists — or worst yet a single candidate — to the board for approval. Too many boards or audit committees, already overworked by growing responsibilities, regulatory pressures, and commitments outside the organization, are all too eager to rubber stamp management’s choice. There is also a reluctance to question management’s judgment or to challenge a candidate who has been hand-picked by the CEO or chief financial officer for the role of CAE. When this happens, the newly appointed CAEs are often fully beholden to management and many tend to view the functional reporting line to the audit committee or board as a hollow reporting relationship.
Ideally, the board should take charge of the hiring process to ensure the CAE not only reports to them, but also has the qualifications and independent mind-set necessary for the role.
Similarly, audit committees must be heavily involved in any effort to fire or move the CAE into a different role within the organization. They must assure that such moves are truly in the best interest of the organization and not just for the convenience of management. I am familiar with cases where management has continued to rotate individuals out of the CAE role until it found someone it believed it could easily control. This, of course, renders the entire purpose behind separate reporting lines moot. A CAE who parrots the management line is of little use to the board.
Boards and audit committees serve an essential role in good governance by providing direction and oversight on risk management and internal control. Performing this critical role includes selecting and appointing the CAE, and that role should never be delegated to management.
As always, I’m eager to hear your views on the subject.