Facilitating Strong Internal Audit Oversight
Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.
Ensuring strong and effective oversight of internal audit departments has always been challenging. After all, organizational independence is critical for internal audit functions, so simply reporting to senior management may not support the strongest governance. In fact, the vast majority of internal audit functions achieve a higher degree of organizational independence, at least in part, by reporting functionally to an audit committee. This relationship is usually ideal for enhancing independence, but reporting functionally to an audit committee that meets only a few days each year can create challenges not faced by other departments within the organization.
Can audit committees really be expected to maintain effective oversight over internal audit? Chief audit executives (CAEs) have made tremendous strides in the last decade toward building workable reporting relationships with their audit committees, and many audit committees excel at providing oversight. But if the audit committee doesn’t assume strong oversight over internal audit, whose fault is it, and what should be done?
I believe that in many cases, audit committees are not receiving the information from CAEs that they need to help internal audit achieve its potential. Only when the audit committee is fully informed of its responsibilities for internal audit oversight, understands internal audit’s potential to assist the board, and is armed with the right information can it be expected to fulfill its duties appropriately. And because audit committees are removed from the day-to-day operations of the internal audit function, at least part of the fault lies within the internal audit function itself: Too many in the profession are not consistently “stepping up to the plate” by furnishing the information the audit committee needs to provide effective oversight.
Recent survey statistics show we are making progress toward building stronger working relationships with our audit committees. But the statistics also raise troubling questions: For example, despite our functional reporting relationships, The IIA’s Audit Executive Center reports that only 38 percent of audit committees are involved in setting CAE performance objectives.
Compensation is also a troubling issue: More than 60 percent of audit committees report that they ensure the internal audit department has adequate budget and staffing, yet only 29 percent approve the CAE’s compensation level.
Still more troubling is the fact that only about half of audit committees receive periodic reports about internal audit quality improvement programs. In essence, the audit committee is charged with overseeing our performance, but we are not always consulting with them on our objectives, and we are not fully informing them on how well third parties have assessed whether we accomplished our objectives.
Communications may be too limited in other areas, as well. CAEs at 72 percent of organizations reported that their audit committees ensure they receive “management support,” but the danger is that in some cases, the support may be little more than lip service: The same survey reveals that only 24 percent of audit committees ensure that management communicates with and involves the CAE in major strategic initiatives. There might be many reasons for the lack of internal audit involvement in strategic initiatives, but at organizations where there’s no involvement, there should be candid discussions with the audit committee about whether or not the exclusion is appropriate.
I believe it’s time for CAEs to take the initiative to ensure our audit committees are armed with the information they need to do their jobs. Audit committees — like all other groups charged with supervision and oversight — need input on objective-setting, and they need ongoing reporting on the accomplishment of goals and objectives. Because audit committees are rarely on site to observe our performance first-hand, it is essential they receive reports on internal audit quality programs. Regardless of whether or not the information has been requested, we should furnish the audit committee with information on salaries, staffing, and professional qualifications, along with benchmarking statistics that can be useful in analyzing this information.
Where strong oversight has not been taking place, getting the audit committee more involved may seem daunting. But what’s good for the goose is good for the gander: Internal audit is an essential component of the internal control system, and oversight of the internal audit function is critical to assure our effectiveness. We should expect no less of ourselves than we do of all the people we audit.
Posted on Oct 9, 2012 by Richard Chambers
Share This Article: