An audit committee can only be as effective as is permitted by the information it receives.
The relationship between the committee and the chief audit executive (CAE) is critical to the successful functioning of the audit committee.
The relationship will be effective in an environment of mutual trust and common understanding.
Of all the committees involved in the management and control of an organization, perhaps the audit committee has the most significant impact on the life of the CAE.
Although, in general, all audit committees fulfill a similar function within the organization, the nature of the organization itself can prescribe a particular emphasis in the working of the audit committee. This, in turn, affects the nature of the relationship between the CAE and the committee as a whole.
The Role of the Audit Committee
The audit committee is intended, overall, to assist an organization to achieve an effective internal control structure derived directly from the tone at the top. The authority of an audit committee is drawn from the board of directors, the rules and regulations of the organization, and any relevant governance legislation of the country or countries within which the organization operates.
This role, of necessity, involves ensuring that the risk management process remains both comprehensive and ongoing instead of the annual process that is implemented in many organizations. Corporate policies regarding legal compliance, compliance with corporate codes of conduct, and conflicts of interest must be maintained and policed. In addition, the audit committee has a duty to review both current and pending legislation as it relates to corporate governance within the country or countries wherein it operates. Communication is the key to good governance and includes ensuring that the financial statements presented to the shareholders are both understandable and reliable, and facilitating internal communication with senior management and internal audit. Communication with internal audit should go beyond the scheduled committee meetings, and the CAE should be encouraged to communicate with the chair of the audit committee directly. The audit committee, as a whole, should meet privately with the CAE at least annually to seek assurances about the independence of the internal audit function.
To ensure effective use of internal auditing, the audit committee would normally review internal audit plans as well as reports and significant findings. It would seek to ensure that internal auditing is carried out by professionals with a comprehensive understanding of the business systems and processes as well as of the corporate culture within the organization.
The audit committee relies on the internal audit function to provide objective opinions, information, and, when necessary, education to the audit committee, while the audit committee in turn will provide oversight and validation to the internal audit function. In today’s environment this could include the outsourcing or co-sourcing of all or part of the internal audit function; however, the audit committee should ensure that the role of the CAE remains within the organization itself.
Internal Audit Reporting Structure
In order to ensure transparency and to prevent undue influence internally, the Institute of Internal Auditors (IIA) recommends that the CAE maintain a dual reporting relationship. Typically, this would involve the CAE reporting to executive management at as high a level as possible for administrative purposes to ensure alignment with corporate direction, support at a managerial level, and the normal administrative support required for a staff function. The second relationship, with the audit committee, is for operational and functional purposes, to ensure that independence and objectivity is maintained. The audit function’s independence and reporting structure are normally laid out in the internal audit charter, which specifies the dual reporting structure as well as the internal auditors’ right of access to personnel and records without hindrance or impediment, a critical part of their independence. The charter would normally be signed by both the chief executive and the chair of the audit committee.
The audit committee should provide oversight, strategic direction, accountability, and enforcement where required. Part of such oversight includes ensuring that the internal audit function is properly positioned, resourced, and supported. This involves reviewing and approving:
the internal audit activity’s charter, and mission statement where appropriate, to ensure they meet the needs of the organization;
the annual work plan to ensure that all significant risk areas are being addressed and that no restrictions are placed on the scope of internal audit activities;
the resources, skill levels, and budget to ensure that the work plan is achievable within the appropriate time;
internal audit activities, performance, and recommendations.
At the same time, the audit committee is responsible for providing input into the appointment, dismissal, evaluation, compensation, and succession planning of the CAE. This is a critical activity of the audit committee since the CAE will, of neccessity, have a high degree of interaction with the audit committee. The committee will typically seek to ensure that candidates for a CAE position have distinguished themselves professionally. They would normally have an advanced degree, the appropriate professional designation, and several years experience in an audit supervisory role. Typical professional designations could include the Certified Internal Auditor (CIA), Certified Government Auditing Professional (CGAP), Certified Financial Services Auditor (CFSA), or Certified Information Systems Auditor (CISA) among others.
The committee is also responsible for ensuring that a continuous quality assurance and improvement program exists within internal audit and that full disclosure of the results be made to the audit committee.
- Page 1 of 3
- Next section The Relationship with Internal Audit