Will We Be Able to Stay in the Board Room?

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

I have often characterized internal auditing’s journey over the past decade as being one from “the back room to the board room.” Following the spectacular corporate failures in 2001-2002 — and the subsequent regulatory and legislative response — internal auditing found itself front and center with the audit committee and other members of the board. The rapid elevation of stature was reflected in reporting relationship statistics. In 2002, The IIA found that only 55 percent of U.S. chief audit executives (CAEs) reported functionally to their audit committees. By 2007, PricewaterhouseCoopers found the number had leaped to 86 percent. In the past two years, internal auditing’s emphasis on assessing the effectiveness of financial controls has abated significantly. Given the shift in emphasis, I believe there is a real threat that some audit committees may lose their newfound interest in internal auditing.

I suspect my view is one that many will disagree with. After all, it will be argued, corporate audit committees have much broader missions than mere oversight of financial performance and controls. However, is that really true? From my travels in conducting quality assurance assessments of Fortune 500 companies, I was struck by how narrow audit committee charters were often written. In many instances, they were lifted directly from the NYSE’s sample audit committee charter, which is heavily tilted toward oversight of the independent auditors as well as financial statement and disclosure matters. In fact, in the entire five pages of the sample audit committee charter, only two paragraphs are exclusively dedicated to oversight of the internal auditors. I have often found the emphasis in the audit committee charter was a reflection of the focus of its members, many of whom were primarily interested in receiving assurance from internal auditing on the effectiveness of their company’s financial controls.

Given the foregoing, I believe many CAEs face a significant challenge as they correctly rebalance their internal audit coverage to include greater emphasis on operational, compliance, and strategic and business risks. Their challenge will be to ensure the audit committee drives or embraces this direction and perceives the strong value that a comprehensive risk-based approach to internal audit coverage will bring. Otherwise, I fear some audit committees will grow bored with internal auditing’s coverage resulting in non-financial risks.

As a profession, we have worked too long and hard to gain the stature we have enjoyed recently. Let’s stay in the board room. The view is much better than from the back room.


Posted on Aug 13, 2009 by Richard Chambers

Share This Article:    

  1. I have always felt that financial controls and compliance assurance were too narrow for internal audit. We should not stake our future on the next wave of regulation, but rather identify how best to execute the definition of Internal Audit.

    The value that Governance and Management needs most is to know what is expected of them, and how they are doing. We need to be operating above process level controls. The management part of risk management is actually more important. There has been a lot of appropriate talk of late about business capability/maturity models. If we can build expectations of how the organization goes about achieving its objectives, we can then compare their progress to business governance and management standards. Knowing how vulnerable they are in these areas is almost more important than knowing the risks.

    Rather than waiting for the next regulatory promotion of Internal Audit, let’s define for Governance and Management what information we can provide that will help them fulfill their roles better. Once we do, I would wager the increased demand for our services would be unprecedented. Don't we claim this already within the definition of IA.



Leave a Reply