Auditing Best Practice

Managing the Relationships between Audit Committees and the CAE

by Richard E. Cascarino

Executive Summary

  • Audit committees are a fundamental part of the proper governance of any organization, together with executive management and internal as well as external audit.

  • An audit committee can only be as effective as is permitted by the information it receives.

  • The relationship between the committee and the chief audit executive (CAE) is critical to the successful functioning of the audit committee.

  • The relationship will be effective in an environment of mutual trust and common understanding.

  • Of all the committees involved in the management and control of an organization, perhaps the audit committee has the most significant impact on the life of the CAE.

  • Although, in general, all audit committees fulfill a similar function within the organization, the nature of the organization itself can prescribe a particular emphasis in the working of the audit committee. This, in turn, affects the nature of the relationship between the CAE and the committee as a whole.

The Role of the Audit Committee

The audit committee is intended, overall, to assist an organization to achieve an effective internal control structure derived directly from the tone at the top. The authority of an audit committee is drawn from the board of directors, the rules and regulations of the organization, and any relevant governance legislation of the country or countries within which the organization operates.

This role, of necessity, involves ensuring that the risk management process remains both comprehensive and ongoing instead of the annual process that is implemented in many organizations. Corporate policies regarding legal compliance, compliance with corporate codes of conduct, and conflicts of interest must be maintained and policed. In addition, the audit committee has a duty to review both current and pending legislation as it relates to corporate governance within the country or countries wherein it operates. Communication is the key to good governance and includes ensuring that the financial statements presented to the shareholders are both understandable and reliable, and facilitating internal communication with senior management and internal audit. Communication with internal audit should go beyond the scheduled committee meetings, and the CAE should be encouraged to communicate with the chair of the audit committee directly. The audit committee, as a whole, should meet privately with the CAE at least annually to seek assurances about the independence of the internal audit function.

To ensure effective use of internal auditing, the audit committee would normally review internal audit plans as well as reports and significant findings. It would seek to ensure that internal auditing is carried out by professionals with a comprehensive understanding of the business systems and processes as well as of the corporate culture within the organization.

The audit committee relies on the internal audit function to provide objective opinions, information, and, when necessary, education to the audit committee, while the audit committee in turn will provide oversight and validation to the internal audit function. In today’s environment this could include the outsourcing or co-sourcing of all or part of the internal audit function; however, the audit committee should ensure that the role of the CAE remains within the organization itself.

Internal Audit Reporting Structure

In order to ensure transparency and to prevent undue influence internally, the Institute of Internal Auditors (IIA) recommends that the CAE maintain a dual reporting relationship. Typically, this would involve the CAE reporting to executive management at as high a level as possible for administrative purposes to ensure alignment with corporate direction, support at a managerial level, and the normal administrative support required for a staff function. The second relationship, with the audit committee, is for operational and functional purposes, to ensure that independence and objectivity are maintained. The audit function’s independence and reporting structure are normally laid out in the internal audit charter, which specifies the dual reporting structure as well as the internal auditors’ right of access to personnel and records without hindrance or impediment, a critical part of their independence. The charter would normally be signed by both the chief executive and the chair of the audit committee.

The audit committee should provide oversight, strategic direction, accountability, and enforcement where required. Part of such oversight includes ensuring that the internal audit function is properly positioned, resourced, and supported. This involves reviewing and approving:

  • the internal audit activity’s charter, and mission statement where appropriate, to ensure they meet the needs of the organization;

  • the annual work plan to ensure that all significant risk areas are being addressed and that no restrictions are placed on the scope of internal audit activities;

  • the resources, skill levels, and budget to ensure that the work plan is achievable within the appropriate time;

  • internal audit activities, performance, and recommendations.

At the same time, the audit committee is responsible for providing input into the appointment, dismissal, evaluation, compensation, and succession planning of the CAE. This is a critical activity of the audit committee since the CAE will, of necessity, have a high degree of interaction with the audit committee. The committee will typically seek to ensure that candidates for a CAE position have distinguished themselves professionally. They would normally have an advanced degree, the appropriate professional designation, and several years’ experience in an audit supervisory role. Typical professional designations could include the Certified Internal Auditor (CIA), Certified Government Auditing Professional (CGAP), Certified Financial Services Auditor (CFSA), or Certified Information Systems Auditor (CISA), among others.

The committee is also responsible for ensuring that a continuous quality assurance and improvement program exists within internal audit and that full disclosure of the results be made to the audit committee.

The Relationship with Internal Audit

The audit committee chair can foster a healthy relationship with the internal auditors, and particularly the chief internal auditor, by keeping communication channels open, getting to know the CAE as a person, frequently touching base between meetings, and taking an interest in and caring about the internal audit function. It is also a good idea for the audit committee chair to meet with the entire senior internal audit staff from time to time to get to know some of the individuals who report to the CAE, and to thank them for their efforts.

It is critical that the internal audit function be positioned well within the organization so that the internal auditors are not limited in what they can review, and that they, and the recommendations they propose, are respected by line management. It should always be remembered that the accountability for, and ownership of, good internal controls are the responsibility of management—not of the internal auditors and not of the audit committee. The internal auditors, nonetheless, must recognize that theirs is a unique yet critical role.

The CAE needs to be up to date on best practices and trends in governance, as well as on “emerging issues,” and the audit committee will seek reassurance in this area. The audit committee also needs assurance that the internal auditors understand the corporate strategy and have the professional judgment to identify all forms of risk at an early enough opportunity to allow management to take appropriate action. In order for the audit committee to be appropriately assured in these areas, performance assessment of both the CAE and internal audit will be required.

Mutual Trust

Most critical to the relationship between the audit committee and the internal audit activity is trust. The audit committee chair needs to be sure that the CAE understands and shares the committee’s concerns and priorities. In addition, the CAE must be willing to communicate results and opinions without fear or favor and regardless of who is involved. Due to its unique position and the sensitivity of information passing through its hands, the audit committee needs assurance that the internal audit activity maintains the highest level of integrity and values.

The committee needs to be able to trust that, when confronted with management resistance or a failure of management integrity, the CAE will make the right decision and take appropriate action. By the same token, the CAE must be able to rely on the support and backing of the chair of the audit committee, and the committee as a whole. This ensures that the “internal audit activity [is] free from interference in determining the scope of internal auditing, performing work, and communicating results” (IIA Standards).

Two Cases in Point

In one government department, accusations of corruption were made against the chief executive. The CAE who reported to the chief executive took the accusations directly to the audit committee chair. Although the responsible Minister was notified, it was the audit committee, acting independently, that commissioned an external forensic investigation into the allegations. The external route was chosen so that, regardless of the outcome, the CAE would be able to continue to function effectively within the department. In the event, the allegations proved unjustified, but it was the trust between the CAE and the audit committee chair which made it possible for such allegations to be brought forward without fear of reprisal.

In a contrasting case involving a pension fund, allegations of abuse of power by the chief executive were brought to the attention of the CAE. These were taken to the chair of the audit committee, who immediately called the chief executive to discuss them privately. There was no follow-up. The trust between the audit committee and the CAE was destroyed, ultimately resulting in the resignation of the CAE.

Assessing Performance and Planning Ahead

The International Standards for the Professional Practice of Internal Auditing¹ promulgated by the Institute of Internal Auditors requires that an external assessment, performed by appropriately qualified reviewers and carried out to professional standards, be conducted every five years. This is designed to give the audit committee assurance that the work of the internal audit function is being conducted to internationally accepted standards.

In addition, the CAE is required to ensure quality on an ongoing basis. The CAE may utilize benchmarking to develop an internal auditor balanced scorecard for the audit committee to use for assessing the performance of the internal audit function. An objective evaluation would, nevertheless, include such areas as audit scope and coverage (including financial, compliance, operational, IT, and fraud auditing), audit capabilities, independence, objectivity, supervision, and internal audit assignment quality control. In addition to ensuring the quality of the work of the internal audit function, the audit committee chair will also seek assurance on the performance of the audit committee itself. The CAE can assist in benchmarking the committee’s performance in terms of committee structure and composition, the role of audit committee members, and leadership of the committee against standards such as The Board Institute’s Audit Committee Index² on behalf of the chair of the audit committee. The European Corporate Governance Institute (ECGI) has produced an excellent paper on such benchmarking.³ This presents an opportunity for the audit committee to review and discuss all areas of its performance, as well as to bring to the table items that committee members feel should be covered in the future, and training opportunities that would enhance performance.

It is critical that proactive succession planning for the internal audit function and the CAE be an important area of focus and support by the audit committee. Many organizations use internal audit as a training ground for future executive managers and rotate candidates through the internal auditing function. While this is beneficial to the organization in terms of managers who understand internal control, it can be devastating to the effectiveness of the internal audit function if carried out to excess. One internal audit function lost seven out of eight senior auditors in a six-month period as they were head-hunted by operational areas of the organization. Succession planning is intended to ensure that, while some of the current team may get appropriate and substantive positions in the organization as rotations end, the effectiveness of the internal audit function is not impacted. Professional, career-oriented internal auditors form the backbone of the function and they must see career opportunities with internal audit itself. In addition, succession planning is critical to the organization’s ability to attract the right talent into the internal audit activity.

Conclusion

The mere existence of the audit committee does not necessarily translate into an effective monitoring body over corporate governance. By the same token, the existence of an internal audit function, in-sourced or out-sourced, does not guarantee the effectiveness of the system of internal controls. It is the combination of the two, both acting in a professional manner for the benefit of the organization as a whole, which contributes significantly to the achievement of sound corporate governance.

Audit Committee Characteristics

  • independence

  • financial knowledge and experience

  • frequency of meetings

  • involvement in CAE appointment and dismissal

  • reviewing internal audit program and processes

  • ensuring internal audit quality

Internal Audit Function Characteristics

  • independence and objectivity

  • availability of adequate resources

  • internal audit staff expertise

  • use of external subject matter experts where appropriate

Making It Happen

In Order to Manage the Relationship the CAE Must:

  • Keep the audit committee informed on risks faced by the organization. Monitor the risk environment for new/changed risks which need to be brought to the audit committee’s attention.

  • Check that the audit committee’s charter, activities, and processes are appropriate. Periodically review the audit committee’s practices against international standards and “best practices” on behalf of the chair of the audit committee.

  • Educate the audit committee on the internal audit team’s charter, role, and activities. The CAE should seek to obtain management and audit committee buy-in on internal auditing’s goals, objectives, risk assessments, and audit plan by demonstrating their appropriateness and relevance.

  • Ensure that the internal audit function is responsive to the needs of the audit committee and the board. Meet frequently with the audit committee chair to ensure that the committee’s needs are fully understood and met.

  • Ensure open and effective communication with the audit committee and its chair. Effective communication is one of the best tools for understanding organizational priorities and reinforcing the benefits and value of internal auditing.

  • Provide training, when appropriate, to audit committee members on the topics of risk and internal control. Not all committee members will initially be up to speed on the changing needs and legislation.

  • Confirm the quality of the services provided. Internal auditing should provide quality performance indicators to show that it complies with the IIA’s International Standards for the Professional Practice of Internal Auditing and the IIA’s Code of Ethics and that it adds value on an ongoing basis.

  • Provide feedback on the internal audit function’s achievement of its operational plans and objectives.

Notes

1 Available from the Institute of Internal Auditors: www.theiia.org

2 See: www.theboardinstitute.com/web/products.asp?f=prod_acix

3 PDF download: www.ecgi.org/codes/documents/auditcom_final_paper.pdf

Further reading

Books:

  • Braiotta, Louis, Jr. The Audit Committee Handbook. 4th ed. New York: Wiley, 2004.
  • Burke, Frank M., and Dan M. Guy. Audit Committees: A Guide for Directors, Management, and Consultants. 2nd ed. New York: Aspen Law & Business, 2002.
  • Cascarino, Richard E., and Sandy van Esch. Internal Auditing: An Integrated Approach. 2nd ed. Lansdowne, South Africa: Juta Academic Publishers, 2006.
  • Moeller, Robert. Brink’s Modern Internal Auditing. 6th ed. Hoboken, NJ: Wiley, 2005.
  • Ruppel, Warren. Not-for-Profit Audit Committee Best Practices. Hoboken, NJ: Wiley, 2005.

Articles:

  • Collier, P. A. “Audit committees in major UK companies.” Managerial Auditing Journal 8:3 (1993): 25–30.
  • Goodwin, J. “The relationship between the audit committee and the internal audit function: Evidence from Australia and New Zealand.” International Journal of Auditing 7:3 (2003): 263–278.

Reports:

  • Australian National Audit Office. “Public sector audit committees.” Canberra, Australia: Australian National Audit Office, 2005.
  • Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees. “Report and recommendations of the blue ribbon committee on improving the effectiveness of corporate audit committees.” New York: New York Stock Exchange and National Association of Securities Dealers, 1999.
  • European Corporate Governance Institute (ECGI). “Institutional position paper: a benchmark for audit committees.” November 2002. Online at: www.ecgi.org/codes/documents/auditcom_final_paper.pdf
  • Institute of Internal Auditors. Practice Advisory 1110-2: “Chief audit executive (CAE) reporting lines.” Altamonte Springs, FL: IIA, December 2002.
  • Institute of Internal Auditors. Practice Advisory 2060-2: “Relationship with the audit committee.” Altamonte Springs, FL: IIA, December 2002.
  • Institute of Internal Auditors. “A Global Summary of the Common Body of Knowledge 2006.” Online at (free to IIA members): www.theiia.org/research/common-body-of-knowledge/download/
