I recently received a note from a LinkedIn connection informing me that he had been terminated as the chief audit executive (CAE) for his company. He was remarkably philosophical about the turn of events. He observed that the company’s culture wasn’t comfortable with an internal audit function that enjoyed any “real degree of independence.” I asked him a number of questions about relationships with key executives, and he said they were “cordial, but not genuine.” I found that to be an interesting choice of words. He indicated that the end was not acrimonious, and that the CFO (to whom he reported) ensured that he received a fair settlement (with an appropriate non-disparagement clause, of course).
Finally, I asked him if the audit committee had approved or in any way been involved in the decision to let him go. Then came the troubling retort that I hear far too often. He said the audit committee didn’t even know he had been let go until he called the chairman to break the news! Trying to conceal my frustration at hearing that news, I asked him how the chairman reacted. The ex-CAE sighed and said the chairman chose his words very carefully so as not to be critical of management.
I realize I only heard one side of the story from the unemployed CAE. But it is a story I hear countless times each year. The fact is that many audit committees shirk an important responsibility when it comes to internal audit. Audit committee members keep their heads in the sand when CAEs are being hired and fired. It’s not only a dereliction of their responsibilities to the companies they oversee, but also a huge problem for the internal audit profession.
Great internal audit functions are noted for their organizational independence, and the professional men and women who lead them are noted for their objectivity. It’s for these reasons that the establishment of separate functional and administrative reporting lines that foster independence and impartiality is so critical.
Over the years, I have observed that CAEs are less likely to be unduly constrained by management when they have a strong functional reporting relationship to the audit committee. Without such a relationship, it is very easy for management to confine the scope of internal audit’s work and to suppress unfavorable results.
Surveys in recent years have offered encouraging statistics on the percentage of internal audit departments with a functional reporting relationship to the audit committee. The IIA’s Pulse Survey in 2023 found that 94% of CAEs in publicly traded companies had a functional reporting relationship to the “audit committee, board, or equivalent.”
But as with all things theoretical, reality brings us crashing back to earth.
The benefits of separate functional and administrative reporting lines are quickly mitigated when boards and audit committees fail to support and nurture that separation, and nowhere is that more evident than when boards or audit committees “sit on their hands” when it comes to hiring and firing the CAE.
Having the right CAE in place is a basic requirement for an effective internal audit function. The person in this position not only oversees the planning and execution of a risk-based audit plan but ensures that the proper resources and staff are in place to get it done. He or she also must have intimate knowledge of the organization’s operational capabilities and risk appetite and must be a trusted advisor to management and the board to engender credibility and respect. Above all, the individual must have the courage to address delicate or difficult issues when warranted, and to “call it like it is.”
In a blog post several years ago, I commented extensively on the dangers of low pay for CAEs, and how such practices are more than just examples of short-sighted efforts to save money. I noted that in some instances it is a calculated and rather treacherous way to keep the internal audit function in check.
Readers of that post appropriately noted that such underhanded strategies are not just limited to CAE pay. Limited staffing budgets, delaying or reducing internal audit’s scope of work, and delaying or rejecting necessary travel are examples of other ways management can undermine internal audit functions.
It is therefore imperative for audit committees and boards to remain closely involved and attuned to all functions and interactions between management and the CAE.
The IIA’s Common Body of Knowledge (CBOK) survey several years ago suggested that concerns about audit committee involvement in hiring CAEs were overblown. That data showed that the board, audit committee, or their respective chairs have the final say in hiring the CAE among more than 60 percent of respondents’ organizations. But as I noted in the past, that figure is often misleading.
In many instances the process for choosing a new CAE, including establishing job qualifications, salary, and benefits, is determined entirely by management, which then presents finalists — or worse yet, a single candidate — to the board for approval. Too many boards or audit committees, already overworked by growing responsibilities, regulatory pressures, and commitments outside the organization, are all too eager to rubber-stamp management’s choice. There is also a reluctance to demonstrate skepticism and question management’s judgment or to challenge a candidate who has been hand-picked by the CEO or chief financial officer for the role of CAE. When this happens, the newly appointed CAEs are often fully beholden to management, and many tend to view the functional reporting line to the audit committee or board as a hollow reporting relationship.
Ideally, the audit committee should take charge of the hiring process to ensure the CAE not only reports to them, but also has the qualifications and independent mind-set necessary for the role.
Similarly, audit committees must be heavily involved in any effort to fire or move the CAE into a different role within the organization. That was clearly not the case for the ex-CAE who reached out to me. Audit committees must ensure that such moves are truly in the best interest of the organization and not just for the convenience of management. I have been dismayed by cases where management continuously rotates individuals out of the CAE role until it finds someone it can easily control. This, of course, renders the entire purpose behind separate reporting lines moot. A CAE who routinely “carries management’s water” is of little value to the board.
Boards and audit committees serve an essential role in good governance by providing direction and oversight on risk management and internal control. Performing this critical role includes selecting and appointing the CAE, and that role should never be delegated to management.
I welcome your thoughts. Please share your thoughts on LinkedIn or X. Or drop me an email at firstname.lastname@example.org.