It Is Time We Move Out From Under the CFO Shadow

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.
I learned important lessons early in my career about internal audit independence and the impairments that can come from reporting relationships. I began my career as a civilian internal auditor for the U.S. Army. At the time, we had more than 1,900 internal review (audit) auditors in more than 300 Army installations and commands around the world. Virtually every one of them worked directly for the comptroller — essentially the equivalent of a corporate chief financial officer (CFO).
Recognizing the importance of auditor independence throughout government, the U.S. comptroller general soon strengthened the independence standards for government auditors and issued new standards that required internal auditors to report to the “head or deputy head” of government agencies. There was an awkward recognition throughout the Army that we were no longer in compliance because we reported to the comptroller; yet the comptrollers were by and large adamant that these reporting relationships not be dissolved. 
In the early 1980s, the head of the Army’s internal review organization at the Pentagon conducted an extensive assessment of the independence of internal review in the Army and issued a chilling report on the actual and perceived impairment of our independence by comptrollers. The report documented actual cases of internal audit plans being altered or draft internal audit reports being changed by comptrollers or senior members of their staff. As the result of this report, the Army soon changed its regulations and mandated that internal review departments report to either the chief of staff or the commander (the head or deputy head of most Army installations/commands).
So, what does all of this have to do with anything in corporate America almost 30 years later? I would submit that there were important lessons learned in a short period of time in a venerable institution like the U.S. Army that are being learned/recognized far too slowly in 21st century corporate America. The fact is that in the corporate sector today, it is estimated that more than 50 percent of chief audit executives (CAEs) report administratively to their companies’ CFO. While safeguards such as functional reporting relationships to audit committees of the board may mitigate the risk of the type of interference with internal audit that the Army witnessed at one time, reporting to the CFO is still fraught with risks and challenges for internal audit. I believe it is a suboptimal relationship.
On the bright side, the past decade has seen marked changes in internal audit reporting relationships — in particular with respect to our functional reporting relationships. The vast majority of CAEs now report functionally to an audit committee, and all the experts seem to agree that this enhances our independence. But several recent internal audit failures have left me wondering: Are internal audit executives really as independent as we like to think we are? And if we are truly independent of management, why do we occasionally see headlines that imply CAE complicity in a financial statement fraud? Could our administrative reporting lines (particularly to CFOs) be an issue?
I am confident that the vast majority of CFOs recognize the important role that internal audit plays in their companies' systems of risk management and internal controls; however, I fear that the temptation to direct internal audit resources in ways that best serve the CFO’s interests still proves too much for CFOs to overcome. For example, a 2007 report from PricewaterhouseCoopers found that internal audit functions that reported functionally to the CFO were 50 percent more likely to be dedicating resources to the CFO’s priorities (such as SOX compliance) than those functions that reported administratively to the CEO or another C-level executive within the company. It begged the question as to who really does set internal audit’s priorities.
Even if the CAE and CFO are committed to fostering the independence of the internal audit function, the appearance to third parties is often still problematic. The latest statistics would indicate that more than 25 percent of internal audit’s annual audit plan is still directed at providing assurance over the effectiveness of financial controls or other financial-related operations. A third party such as the CEO or audit committee should ponder whether the assurance over the effectiveness of the CFO’s operations is in any way influenced by the reporting relationship. The risks grow even more when the individual serving as the CAE is assigned from the CFO organization into the role for a designated period of time. If the CAE knows that he or she will be dependent on the CFO for his or her next career assignment, how objective can they really be (or appear to be) in assessing the CFO’s areas of responsibility?
Some regulators have begun to speak out much more vocally on internal audit reporting relationships. For example, The Interagency Policy Statement on the Internal Audit Function and its Outsourcing (issued jointly by the Federal Reserve, FDIC, OCC, and OTS in 2003) prescribes that “the internal audit function should be positioned so that the board (of directors) has confidence that the internal audit function will perform its duties with impartiality and not be unduly influenced by managers of day-to-day operations.” The guidance goes on to say that when internal audit reports functionally to a member of management, “the board should consider the potential for diminished objectivity on the part of the internal audit manager (CAE) with respect to audits concerning the executive to whom he or she reports.” Finally, the guidance says, “the chief financial officer, controller, or other similar officer should ideally be excluded from overseeing the internal audit activities even in a dual role (with the CAE reporting functionally to the audit committee).”
There are times when the perception of CFO-controlled internal audit functions takes on even more ominous tones in the minds of third parties. For example, while conducting an external quality assessment of a corporate internal audit function several years ago, the company’s general counsel put it to me like this during a one-on-one interview: “You do realize that the internal audit function is under the complete control of the CFO don’t you? The rest of us (in the C-suite) perceive them as the CFO’s tool to keep us in line.”  
The IIA’s International Standards for the Professional Practice of Internal Auditing do not preclude the CFO reporting relationship as do the U.S. Government Auditing Standards (Yellow Book); however, The IIA has gone on record in Practice Advisory 1110-2, stating that “the CAE should report directly to the chief executive officer of the organization.” While not mandatory, IIA Practice Advisories do reflect strongly recommended guidance to which regulators in certain industries are paying increasing attention (as evidenced from the financial services regulations cited above).
So what is the solution to the CFO reporting relationship dilemma? I personally have come to believe it is time for the remainder of internal audit functions to move out from under the CFO. We need strong working relationships with our CFOs, but we also need independence and flexibility to evaluate financial information and to establish audit plans without undue influence (or even the perception of influence). Most CAEs could probably establish a strong working relationship with any member of their executive management team, but the danger of undue influence is greater when internal audit answers to the finance function, either functionally or administratively.  
So where should internal audit report administratively? I believe The IIA’s practice advisory has it right. Internal audit should report functionally to the audit committee of the board of directors and administratively to the CEO. I am well aware of the argument that CEOs are too busy to supervise the CAE. However, I heard the same arguments put forth in the Army almost 30 years ago (“commanders and chiefs of staff are too busy to supervise internal review”). Then as now, that is a fallacious argument. Corporate CEOs will embrace the responsibility just as I saw senior military officials do. In fact, once they had the opportunity to directly oversee such a critical component of their system of internal controls, most would not hear of any other reporting relationships. Even today, the CEOs of many of the world’s largest companies who administratively oversee internal audit would not have it any other way.
I’m sure my own experiences involving reporting relationships have colored my perspectives, and many of you have spent more time than I have in nongovernment audit roles. I would like to take this opportunity to ask for your opinion. What do you consider to be the ideal reporting relationships for CAEs — not only at your own organization, but for all internal audit groups? How would you like to see our reporting relationships evolve over the coming decade? Do you believe The IIA should provide more specific advice for reporting relationships or take any other action to strengthen our reporting relationships?
If we share our opinions on this, I believe we will be fulfilling The Institute’s motto — Progress Through Sharing. Please let us know your thoughts. 

Posted on Nov 26, 2012 by Richard Chambers


  1. For 15 years, I reported to two different CEOs administratively and functionally to the outside board of directors. On a regular basis the CFO would remind everyone that the CAE at nearly all other companies reported to the CFO. The CEO would regularly indicate that the CAE had his "back covered" and really all the CFO wanted was the CEO's job [you can read my story in the June 2012 Internal Auditor magazine starting on page 31].

    The issue that prompted the CAE reporting relationship to move away from the CFO in 1985 was the result of the fallout from a $656,550 duplicate payment that had the handwritten signature of the CFO and the Senior Vice President & Treasurer (all checks over $50,000 required dual signature). In fact the first payment two months prior also had their signatures.

    The CFO instructed the CAE that because the check was stopped in the mail room from going out that it was not worth reporting to the Audit Committee at the next board meeting.  The external final four accounting firm of course backed the CFO and even polled their four other insurance clients. 

    While everyone was busy arguing and blaming each other, internal audit expanded the testing and found a $79,000 duplicate payment some 6 months ago to the same payee and both checks were cashed. [Using data analysis software made this a very simple task.]

    The CEO and the audit committee agreed that audit would move to administratively reporting to the CEO.

    One thing I immediately learned is the CEO paints very few targets but expects you to hit every one. Past CFOs that I reported to painted a different target whenever they wanted to.

    The second most valuable lesson I learned is that by sitting in on the CEO's meetings internal audit knew what the C suite knew (or did not know) and that proved invaluable when writing audit reports.

  1.  I wholeheartedly agree with the ideas in this post.  Internal audit impairment is the previously silent topic that should be fully discussed in our community.  

  1. In the olden days when I was an audit pup we focused on financial controls and operational efficiencies, and independence was most easily achieved through a structured reporting relationship to the CEO. As an audit pup I recall several occasions when I was asked to come sit on the CEO's couch and chat with him and the senior leadership team about controls and the exposures. A reporting relationship to the CFO was considered risky in those days as we did not want the undue influence on the financial audit outcomes. Fast forward 37 years to present and our world has changed dramatically, and has become risk driven. Not financial risk, or IT risk, or operations or compliance risk - business risk.

    When I joined my present employer 10 years ago, Internal Audit reported to the CFO. He understood Internal Audit and its role - he got it. It worked well and when we needed a push from above to get the auditee's cooperation it was there. Yes, we did financial audits. Some at the request of the CFO, and others due to the risk. In every audit, both the CFO and CEO were briefed about the results, and each signed the reports. Fast forward 10 years and the CFO has retired. The new CFO doesn't "get" Internal Audit and we report to the CEO. Of course we don't see the CEO unless we bump into him in the cafeteria, so we no longer have the readily available and visible support.

    So from my view, what is most important is finding or creating intellectual independence within senior ranks and finding the one key person in senior leadership that "gets it" and is visibly supportive of the Internal Audit function and role. As long as we have that ingredient, and a properly staffed audit committee, the audit universe is our oyster.

  1. I agree with Bruce. From personal experience, reporting to a member of executive team who 'gets it' and is openly (this is important) supportive of IA seems much better than reporting to an 'invisible' CEO (form over matter?). While the reporting line in the executive team may depend on the nature of business and all other relevant factors - CFO, General Counsel, Chief Compliance Officer,... - someone who 'gets it' would support IA openly and also realize the full potential of IA to contribute, not only by way of assurance on controls and risks but going much beyond into the 'consulting' role as per IIA definition. And with the tilt of IA work anyway shifting away from a focus on financial audits to more operational and strategic assignments, reporting to a CFO should not be seen to be a handicap, especially if the benefits as above are realized in practice.

  1. I agree 110% with Richard. I've been a fan of Larry Sawyer's vision from my first exposure to Sawyer's Internal Auditing. Just as the profession was waking up to the ramifications of the 90's outsourcing of ineffective IA shops and started heading in the direction of Sawyer's vision, Enron set us back 30 years. In my experience, too few executives got the IA philosophy as defined in the IIA Standards (and perhaps did not even care). Instead they used their positions to drive the focus of IA in directions inconsistent with the philosophy of the Standards and best practices. One anecdote comes to mind: Many years ago at the quarterly audit committee meeting, one member asked if it was a best practice for the IA department to report to the CFO, who was a CPA. As a CIA, I was the only one in that room qualified to answer comprehensively and candidly based on the IIA Standards. But I couldn't, for 3 reasons: (1) the Big 4 partner in charge jumped right in and said that such reporting was "common practice" and *she* didn't have a problem with it; (2) The CFO, a key player in retaining the external auditors and a former Big 4 auditor, thought it was just fine that IA should reside in the CFO organization and focus on cost savings and financial control weaknesses (in an industry where reputational damage and liability/sanction risks could have brought the organization to its knees); and (3) I reported to the CFO and got a sharp look that said "keep quiet". Not only would I not now even consider taking a position unless it reported functionally to the audit committee chair and administratively to the CEO, but I also would want to be sure that there was an IA charter in place that clearly expressed and reinforced the philosophy of the IPPF and the IA mission in the organization. To paraphrase W. Edwards Deming, without theory (the IPPF) there can be no profound knowledge; and without profound knowledge, there can be no professionalism.
