Time to Face Facts About CAE Independence

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


I recently read how more than half the CAEs in a survey planned to move into a management role, perhaps in the next two years or so. Doesn't that present a significant risk to their independence and objectivity?

When I interviewed for my first CAE job, the CFO said that if he hired me (which he thankfully did) it would not be to run internal audit. It would be for the positions I would hold after I had done that for a few years.

Was I influenced? I would like to think that my personal integrity kept me honest. But is that true for every CAE?

How about the CAE who has been moved into the internal audit executive position from another area, with the plan to rotate again in a year or two? Some companies do this very deliberately, so that the CAE is always somebody who knows the business and can work effectively within it. But, is that person objective? How can they be?

Here's another question: many companies have the audit committee have the final interview and decide among 1-3 candidates for CAE. But, who selected those candidates? Was it HR, without any influence from management, or did the CFO and staff conduct the process. How likely are they to present candidates free from (unconscious) obligation, or ambition to work within the management team? Doesn't the CFO usually look for people who have the potential to move into his organization later?

Or, what about the fiction that the audit committee approves CAE compensation? They may have a word to say that is included in the performance evaluation, but how often do they lead that process and how often do they decide the level of salary and bonus? How often do they override the management process?

Finally, there is the dismal record of CAEs being pushed out the door after reporting significant issues. It is true that they rarely (these days) get fired straight away, but all reports I have heard support the notion that the death is a slow but sure one: in about two years, most are gone. Of course, the official cause for termination is always something different.

So what do you think?

What needs to be fixed?

Will audit committees see the problem and step up to own and fix it?

Posted on Apr 2, 2012 by Norman Marks

Share This Article:    

  1.  Norman,

    The post is good, and I would add one more point to it. What about CAE/CRO who are posted from business operations to head the department. Can we say that auditing and risk management are functions that require no specialized knowledge or skill set. And if a function is lead by an inexperienced person (maybe with plenty of business experience but no audit or risk management experience) can the organization be said to be sincere about risk management and internal audits, or would you say they are giving lip service to it. Such CAE/CRO's with no relevant qualification in the field, neither are bound by a code of ethics nor are they aware of it. So as you have pointed out, will they maintain indepdendence?




  1. Norman:

    I think you have opened up a discussion the IIA needs to do some serious work on.  My own view from 30+ years in the space is that few people that are in CAE developmental positions will want to risk their career, particularly for boards that haven't shown much backbone and rigor/rigour, if they have the misfortune of having to raise issues management wants suppressed .  By the same token, I have seen older people in their last career post unwilling to rock the boat and content to coast it our to pasture.

    It isn't a simple problem to fix.  The IIA needs to launch an independent and analytical look at the issue of developmental CAEs and propose ideas for companies and audit committees that don't want corrupted CAEs or even the appearance of corrupted CAEs.

    In my mind the key is a board that truly wants reliable information on the true residual risk status with timely updates when that changes.  I don't think many organizations or  IA functions deliver well on that objective right now but there are a positive signs this will change, at least in some companies.  

    I believe the IIA should show real leadership and change the standards to reflect that the number one mission of an IA function should be to ensure senior management and the board are aware of the current residual risk status, including all truly material risk acceptance positions.  That would be far more valuable than grinding away and writing another 20/50/100/500 audit reports each year and calling it a good year.

    The COSO 1992 framework and the draft COSO 2012 framework are not doing what they should to help this transition and the IIA is wed to COSO.  Either COSO should change or the IIA should file for divorce - it's time.



  1. Some very good challenges, Norman.  Interestingly in my current role, my first interview was with the Audit Committee chairman in a panel with another Audit Committee member and the CFO. Second interview was with the Group CEO.  This really impressed me because it showed that the then management team understood the need for real and visible independence even though the CFO was a panelist.  However I can see how different senior and top management over my time here have different views about the background and source of their CAEs.  Balancing a need for effective independence with business knowledge can be a challenge for Boards in their search for the right person to fill the role.  I think some have a better understanding of the role and purpose of internal audit than others and that can influence their choice and ways of working.  We still have the need to educate top management and their direct reports and I think encouraging the Audit Committee to be involved earlier helps. 



  1. Support this being raised. Its a serious question. 

    I think the issue is deeper than boards and execs "really wanting" independence ~ at a conscious level this may be what they genuinely think, but often times when something really counter-cultural is being raised, it can turn into "I want an independent view on everything" (so long as we dont hold it sacred ourselves)!!

    With these barely conscious preferences (often guised through language such as "IA needs to be commercial", "you mustnt be over bureacratic", "we must empower staff") the issue needs to be tackled at a level deeper than conventional research (which is unlikely to penetrate the deeper contradictions and tensions typically present).

    I support the training and facilitating Audit Committees on these issues would particularly highlight how disagreements with senior executives they "play out" via the CAE (and vice versa)!  

    I am a believer that CAEs may not need more standards and rules, or more research  ~ In my experience HIAs can benefit from training and coaching on the subtle subconcious ways that may cause them to "pull their punches" ~ recognising they need to manage political aspects of the role and carefully work through influencing strategies and timescales ~ which may justifiably involve agreeing a compromise in the present to be able to fight another day.. (So many of the key issues are actually shades of grey!) 

    I a huge believer in 121 coaching and action learning groups for CAEs, so they can examine their thinking and motives on these grey zone areas. These are both a great way of pressure testing these issues in a safe environment with peers you trust and were one of the reasons that I managed to stay a CAE for 7 years! I wrote about this 2 years ago in the UK IIA Magazine ~ details available on request 

    Keep up the good work!

  1. Norman

    As someone with CAE experience with both publically and privately held companies, I believe your thoughts have a lot of merit.  Unfortunately, although the IIA does a tremendous job of educating those of us in the profession, where I feel we mis the road is breaking the barrier with management.

    Whether your company is public, private, not-for-profit etc., the many auditors that I have had the opportunity to come in contact with as well as train, all seem to lament a similiar issue.  Management still determines the ultimate focus of the IA department and if they don't like it, then they just switch out the CAE.  Also, many auditors have expressed concern that their departments are isolated from the most signficant risks of the company because management doesn't want them to go near those areas in fear that something would have to be reported.

    This is all unfortunate.  I believe as a profession we have come a long way.  However, there is even a further road to travel.  Until we can establish the CAE position as a truly independent one and a person who has a strong leadership role and say in the organization, we will continue to have questions of independence and value creation.

    And yes, I've seen numerous CAE's that have been either forced out or moved to other areas because they were, in essence, following IIA standards and looking in places of highest risk often worries not just management but the audit committee.  So it is often easier for them to say....the CAE wasn't meeting expectations and move them along another path.

    Just my two cents.




  1. This raised point is so valid in the reality for many CAEs I am sure. I believe the key to this challenge depends on how effective audit committee actually is.

    In some situation, a greater challenge exists if board of directors are appointed based on the representation of stakeholders, often on a rotating basis, without independent, professional directors. I think having qualified directors do make or break the whole regime of corporate governance. Without truly qualified directors as Chair or part of the majority of the committee, governance is only a sort of form with no substance in my view, regardless of how genuine management is in stewardship.

    IIA and each internal auditor, CAE or staff, should together be the forefront to educate their audit commitee and management alike on how an truly effectiveness board of directors, audit committee as well as internal audit contribute to the acheivement of their organization. It will take time. It will get pushed back. Nonetheless, being more proactive in educating this subject will equip us with confidence to influence stakeholders to acheive long-term results.

  1. To protect our independence, we must have a knowledgeable, engaged Board, and/or Audit Committee.  Audit Charters leave too much discretion on how the Internal Audit function is set up, reporting expectations, budget oversite, hiring and firing, etc.  CAE's must get out in front of the independent structure requirements and Charter content.  It is important to take a leading role in Corporate Governance, set the agenda for meetings, track Committee responsibilities, develop relationship with with Committee Chair. Without true independence, we can't be the solidifying "fourth key pillar" of Corporate Governance. 

    When did it become a good idea to fill the CAE role with someone that has no INTERNAL audit experience?  In no other profession would this be suggested.  Thats Crazy.

    The CAE should be proficient in Corporate Governace, Risk Management and Internal Control.

    As a CAE we must do what is right for the company. Equip a team and provide insight, from an independent perspective, to give assurance coverage to both the Audit Committe and Management.  Use the Standards to guide, support, and give creditability to what we do.  Add value and provide assurance coverage to the Board and Management, and play our role to stabilize the control environment.  If Internal Audit is visible in its role, then these efforts don't go un-noticed.  

    As a Profession, high standards should be established as "Best Practice" for persons in the CAE role.  I think we have a lot of opportunity in providing Boards / Audit Committees with best practice framework to maintain Internal Audit / CAE independence.

  1.  It think that us auditors tend to put ourselves on a pedestal, when it comes to objectivity and integrity, a bit too much.  Our fellow corporate employees generally do not have their perception of us.  To them, we're just doing a job.  

    I see it that way as well - we're just doing our job.  This job is to uphold good conduct, ensure controls and be the moral beacon for the organization.  It was a very different perspective that I had as a corporate controller, pressured to meet forecasts and stay within budgets.  

    Although you're very right about one thing, when things so south and we report about a sensitive issue, we'll surely be gone before long.  

    Point is, we may be the only ones who care about our professional standards.  As well we should.  




  1. To Norman and all who have commented

    All our points are valid and will remain a burning issue until CAEs  show guts to stand up and call the spade a spade. Look at the competence chart of IIA for CAE, it tilts so much to the relationship management that the reader would feel that is the foremost duty of the CAE. 

    Then the other aspect is that of Boards and Audit Committees. Till companies continue placing favoured people rather than eligible people on the Board, it is difficult to achieve the objective of independence through them.

    Then la lack of appreciation for the bold stance is also a hinderance. The IIA and the whole IA community should publically hail and acknowledge those CAEs who risk their jobs for their core duties - standing by the ethics and truth. One this recognition is there people will weigh it against the loss of job and believe you me the satisfaction of having done something good always weigh more than that of incentives of keeping the job by compromising the conscience.  


  1. Maybe this is a radical point of view, but I have come to believe that only way to assure "objectivity and independence" is to report outside the organization. This is not  limited to internal audit. It is just as true for any one who performs a monitoring function, whether it be risk assessment, QA, QI, inspections at an oil company (remember the BP oil disaster_ or even internal affairs in the NYC Police Department.

    The IIA could be very helpful in being clear about what it means to be independent, but instead they seem to be going in the opposite direction, i.e. focusing more on relationships with management rather than reporting on the issues. 

    I agree with the consensus that we seem to be the only ones who really care if internal audit is objective.  To most in the organization, internal audit is just another finance function, without waves please.

Leave a Reply