Five Probing Questions the Audit Committee Should Be Asking the CAE

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


No relationship for a chief audit executive (CAE) has been transformed more over the past decade than that with the audit committee. According to The IIA's Audit Executive Center, more than 75 percent of internal audit departments in North America report functionally to the audit committee. And in many companies, the audit committee holds a discussion session with the CAE at every meeting.
The audit committee's success is tied to the effectiveness of the internal audit department. Accordingly, audit committee members must have complete confidence in the internal audit function and its CAE. This confidence can only be achieved with a strong, continuous, and open dialogue between the CAE and the audit committee. Of course, dialogue is a two-way street; it’s as much the responsibility of the CAE as the committee members themselves. But the committee must be willing to drive that dialogue in a way that provides evidence of internal audit’s professionalism, business knowledge, and risk acumen.
I recently addressed a roundtable of audit committee members in Finland. There I was asked the age-old question: “What should the audit committee be asking the CAE?” The topics of conversation between the CAE and the audit committee are too numerous and variable to list in a single blog. However, there are five probing questions that, as an audit committee member, I would want the CAE to answer. These answers (as well as the resulting conversation) should not only provide the audit committee with enhanced confidence in the audit department, but should also foster trust and candor in the important relationship between the audit committee and CAE. 
1. Is internal audit following the International Standards for the Professional Practice of Internal Auditing (Standards), and what were the results of the last external quality assessment?
To be able to rely on information from the audit department, the first step is to ensure the department understands what practicing as a "professional internal auditor" means. The Standards provide that guidance. And by verifying that the department understands and applies them, as well as employs methods that will ensure adherence to the Standards, the audit committee can have a high level of confidence in the assurance that internal audit is providing on the adequacy and effectiveness of risk management and internal controls. 
2. How is internal audit monitoring risks on a periodic or continuous basis and revising the audit plan accordingly?
Once there is assurance that the department understands professionalism as it relates to internal auditing, the next step is to ensure that the department is achieving the crucial tasks it has been assigned. The most fundamental of these tasks is the establishment of an effective method for addressing organizational risks. The CAE should be able to articulate the risk assessment method and demonstrate how this is effective in identifying the critical and important risks, as well as showing how audit responds to those risks.
3. What are the top five risks that internal audit is not addressing due to a lack of resources or skills?
Too often, the only question that is asked about internal audit’s resources is: “Are they adequate?” As an audit committee member, I would ask more than that. I would want to know whether the resources are adequate to address the company’s key risks. One means of answering that question is to understand what is not getting done. If there are key risks that are not being addressed due to internal audit’s resource constraints, the audit committee should know what they are, and be comfortable with the fact that they will not have assurance from internal audit that the risks are being addressed adequately by management.
4. What strategies is internal audit deploying to ensure greater understanding of the business by audit staff?
One key to the success of an audit department is how well it understands the organization's business. Without a strong understanding of the company’s business strategies, organization, and processes, internal audit will struggle to assess risks adequately and to provide assurance and insight into the effectiveness of operations. This does not mean all auditors have to be experts. But it does mean that the department should have plans in place to ensure all staff are continuously learning about how the business operates.
5. Based on internal audit coverage during the prior year, what is the CAE’s assessment of the overall effectiveness of the company's internal controls and risk management?
And now we come to the most important question of all – the question that I often find is on every audit committee member’s mind, but is rarely asked. In seeking the answer to this question, the audit committee is asking the CAE to “connect the dots.” However, the committee must be prepared for an answer that it does not want to hear: that the body of internal audit’s work over the past year has not been adequate for an “unqualified” opinion or assessment on the adequacy of risk management and controls. In communicating any opinions, the CAE should be prepared to communicate qualifications based on the extent of internal audit’s coverage. If the audit committee is not comfortable with a qualified answer, then a discussion about internal audit’s resources needs to be back on the table. 
I suspect that these questions will generate some discomfort (and maybe even controversy). Sometimes, it is easier to engage in conversations with the audit committee in a “don’t ask – don’t tell” environment. Tough questions, such as those I pose above, will invariably elicit some uncomfortable answers. However, these questions drive to the heart of what we do in internal auditing. If they are troublesome, if they cannot be answered, if they represent areas where you fall short, then start taking the steps necessary to make changes in your operations. And, even if you have all the answers, find ways to make those answers even better.
I welcome your thoughts on these five questions or any that I have left off of the list.

Posted on May 1, 2013 by Richard Chambers

Share This Article:    

  1. Richard:  Really good topic.  The more boards engage and demand what they need from Internal Audit to meet their responsibilities to oversee management's risk appetite and tolerance the better.  The key is deciding what really should be the "effectiveness criteria to evaluate IA. 

    We encourage boards to ask the following questions:

    1. Is management providing the board with a materially reliable report on the areas/objectives with the highest levels of retained/residual risk?  If the answer is no, why not?

    2. What percentage of the organization's most important strategic objectives and potentally value eroding objectives have been risk assessed by management and/or internal audit? Which objectives in those categories have not been formally risk assessed by management and/or internal audit?

    3. Do your auditors know how to complete reliable risk asseessments in accordance with ISO 31000 that cover not only "controls" but all forms of "risk treatments" including risk transfer, risk sharing and risk financing vehicles?  

    4. When your internal auditors complete assessments are they providing subjective opinions on what they think is "effective control" (which is actually deciding on acceptable levels of residual risks) or providing management with reliable information on residual risk status?

    5. What is internal audit doing to enhance management/work unit risk asssessment/management capabilities?  

  1. Richard, lately there is far greater focus on the 'functional reporting line' to the audit committee and what that means. That's good. It's been fuzzy for too long. I concur with your questions 2 - 5, they must be asked and answers must be probed thoroughly. Your first question is too broad, the category 'conforms to' for external assessments is a one-size-fits-all and little comfort can be derived by an audit committee by that outcome. Another question for the CAE is "what is your major concern at the present time", is there anything that keeps the CAE awake at night and it may not be the risk profile of the organisation but rather the risk within the audit function - your 5 questions would not tease that out.

    Audit Committees are playing a greater role in setting objectives, measuring effectiveness and assessing performance for CAE's. Robust questioning is an imperative As you say "the audit committees success is tied to the effectiveness of the internal audit department". Many audit committees don't realise that !

  1. Hey i think this is a ">

  2. Recent Posts

  3. Archives

  4. Categories

  5. Related Blogs

  6. Feeds

    How to use RSS feeds