Facilitating Strong Internal Audit Oversight

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.


Ensuring strong and effective oversight of internal audit departments has always been challenging. After all, organizational independence is critical for internal audit functions, so simply reporting to senior management may not support the strongest governance. In fact, the vast majority of internal audit functions achieve a higher degree of organizational independence, at least in part, by reporting functionally to an audit committee. This relationship is usually ideal for enhancing independence, but reporting functionally to an audit committee that meets only a few days each year can create challenges not faced by other departments within the organization.

Can audit committees really be expected to maintain effective oversight over internal audit? Chief audit executives (CAEs) have made tremendous strides in the last decade toward building workable reporting relationships with their audit committees, and many audit committees excel at providing oversight. But if the audit committee doesn’t assume strong oversight over internal audit, whose fault is it, and what should be done?

I believe that in many cases, audit committees are not receiving the information from CAEs that they need to help internal audit achieve its potential. Only when the audit committee is fully informed of its responsibilities for internal audit oversight, understands internal audit’s potential to assist the board, and is armed with the right information can it be expected to fulfill its duties appropriately. And because audit committees are removed from the day-to-day operations of the internal audit function, at least part of the fault lies within the internal audit function itself: Too many in the profession are not consistently “stepping up to the plate” by furnishing the information the audit committee needs to provide effective oversight.

Recent survey statistics show we are making progress toward building stronger working relationships with our audit committees. But the statistics also raise troubling questions: For example, despite our functional reporting relationships, The IIA’s Audit Executive Center reports that only 38 percent of audit committees are involved in setting CAE performance objectives.

Compensation is also a troubling issue: More than 60 percent of audit committees report that they ensure the internal audit department has adequate budget and staffing, yet only 29 percent approve the CAE’s compensation level.

Still more troubling is the fact that only about half of audit committees receive periodic reports about internal audit quality improvement programs. In essence, the audit committee is charged with overseeing our performance, but we are not always consulting with them on our objectives, and we are not fully informing them on how well third parties have assessed whether we accomplished our objectives.

Communications may be too limited in other areas, as well. CAEs at 72 percent of organizations reported that their audit committees ensure they receive “management support,” but the danger is that in some cases, the support may be little more than lip service: The same survey reveals that only 24 percent of audit committees ensure that management communicates with and involves the CAE in major strategic initiatives. There might be many reasons for the lack of internal audit involvement in strategic initiatives, but at organizations where there’s no involvement, there should be candid discussions with the audit committee about whether or not the exclusion is appropriate.

I believe it’s time for CAEs to take the initiative to ensure our audit committees are armed with the information they need to do their jobs. Audit committees — like all other groups charged with supervision and oversight — need input on objective-setting, and they need ongoing reporting on the accomplishment of goals and objectives. Because audit committees are rarely on site to observe our performance first-hand, it is essential they receive reports on internal audit quality programs. Regardless of whether or not the information has been requested, we should furnish the audit committee with information on salaries, staffing, and professional qualifications, along with benchmarking statistics that can be useful in analyzing this information.

Where strong oversight has not been taking place, getting the audit committee more involved may seem daunting. But what’s good for the goose is good for the gander: Internal audit is an essential component of the internal control system, and oversight of the internal audit function is critical to assure our effectiveness. We should expect no less of ourselves than we do of all the people we audit.

Posted on Oct 9, 2012 by Richard Chambers

Share This Article:    

  1. Richard,

    Can't say I disagree with any of your comments.  But in reality it always seems to be easier said than done.  On the audit committee's side I believe they need to take a hard look at their charter and ask themselves if they are getting what they need to satisfy the responsibilities listed in the charter.  CAE's can help audit committees by creating a "charter checklist" of the items required by the charter and providing a status report on compliance therewith at each audit committee meeting.  If CAEs are able to meet privately with their audit committee chair this is a good opportunity to tee up issues such as those you have mentioned in your comments.

    Another practice that can help audit committee chairs get more engaged in a CAEs performance review, goal setting, and compensation review is if the CAE sends the audit committee chair a "self-assessment" of their performance.  List the CAEs goals for the year and provide a status report prior to the CAEs annual review.  This can also be helpful to any internal management the CAE reports to as well.  Sometimes CAEs need to provide a friendly reminder of all the accomplishments they and their department complete over the course of an evaluation cycle.

    Another good way for CAEs to help audit committees bring up some of these issues is to participate in The IIA's Global Audit Information Network (GAIN) benchmarking and provide their audit committee with peer and industry comparisons.  I have seen this generate discussions that result in the audit committee setting goals, and providing necessary resources, to bring audit groups more in line with peer or industry benchmarks.

    Regards, Steve Jameson

  1. Richard, I agree with your comments.  Overall, in many cases, internal audit needs to take a more proactive role with the audit committee.  For example, re the standards, how many CAE's have really gone over them with their audit committee including pointing out tough issues like covering governance or that a QAR is not an option but is required. 

    In the end, your topic, to me, revolves around the direct, personal relationship between the CAE and the audit committee chair.  Most audit committees are a reflection of their chair so a lot of what you are saying goes back to that CAE/chair relationship.  Here, I'm really talking about the quality of that relationship not just how many times they talk or the communication of the audit results.  If that relationship is deep and trusting, the CAE can have a straight-forward discussion of these kind of issues. 

    Finally, the CAE needs to ensure that they really understand what the chair wants and are delivering on that.  Some good comments and guidance came from Lord Robert Smith of Kelvin when we had him at the audit committee roundtable in Kuala Lumpur last year.  Here's a couple of comments and advice from him about what he expects;

    -  "...I want objective and creditable feedback."

    -  "...get under the skin of the business."

    -  "...focus on the critical risks and changes to the risk profile"

    -  "...understand the economic substance and risks of activities"

    -  "...error on the side or more communications not less"

    Good advice to help build that trusting relationship.

  1. Richard;

    I believe that the real opportunity for internal audit will come when boards of directors accept the National Association of Corporate Directors recommendations related to board oversight of risk outlined in the Blue Ribbon Commission report "Risk Goverance: Balancing Risk & Rewards".   This would expand the narrow focus and view many boards have that IA is mainly focused on financial issues with a heavy bias to supporting reliable financial statements.  In cases where boards form a risk oversight committee this would be a far better place for IA to report than Audit Committees.  

    Unfortunately many boards do not currently see IA as an important source of help for them to discharge their risk oversight responsibilities.  The board risk oversight guidance issued in June in Canada still sees little role for IA in this area.  The NACD in the states has not issued any strong support for the notion that boards should look to IA for help meeting their risk oversight responsibilities.  

    This needs to change and the IIA should focus resources on getting boards to recognize that IA, with the type of training offered by the CRMA, can play a key role in this area. IA charters should state that their number one job is not to do audits and issue audit reports - it is to ensure senior management and the board are aware of significant risks being accepted across the enterprise.

Leave a Reply