I have often characterized internal auditing’s journey over the past decade as being one from “the back room to the board room.” Following the spectacular corporate failures in 2001-2002 — and the subsequent regulatory and legislative response — internal auditing found itself front and center with the audit committee and other members of the board. The rapid elevation of stature was reflected in reporting relationship statistics. In 2002, The IIA found that only 55 percent of U.S. chief audit executives (CAEs) reported functionally to their audit committees. By 2007, PricewaterhouseCoopers found the number had leaped to 86 percent. In the past two years, internal auditing’s emphasis on assessing the effectiveness of financial controls has abated significantly. Given the shift in emphasis, I believe there is a real threat that some audit committees may lose their newfound interest in internal auditing.
I suspect my view is one that many will disagree with. After all, it will be argued, corporate audit committees have much broader missions than mere oversight of financial performance and controls. However, is that really true? From my travels in conducting quality assurance assessments of Fortune 500 companies, I was struck by how narrow audit committee charters were often written. In many instances, they were lifted directly from the NYSE’s sample audit committee charter, which is heavily tilted toward oversight of the independent auditors as well as financial statement and disclosure matters. In fact, in the entire five pages of the sample audit committee charter, only two paragraphs are exclusively dedicated to oversight of the internal auditors. I have often found the emphasis in the audit committee charter was a reflection of the focus of its members, many of whom were primarily interested in receiving assurance from internal auditing on the effectiveness of their company’s financial controls.
Given the foregoing, I believe many CAEs face a significant challenge as they correctly rebalance their internal audit coverage to include greater emphasis on operational, compliance, and strategic and business risks. Their challenge will be to ensure the audit committee drives or embraces this direction and perceives the strong value that a comprehensive risk-based approach to internal audit coverage will bring. Otherwise, I fear some audit committees will grow bored with internal auditing’s coverage resulting in non-financial risks.
As a profession, we have worked too long and hard to gain the stature we have enjoyed recently. Let’s stay in the board room. The view is much better than from the back room.