What the CFO and the CAE Should Expect from Each Other
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
I have had the privilege of writing pieces each month for CFO.com. Two related pieces discussed the relationship and mutual expectations of the CFO and CAE. Here they are, together:
The relationship between an organization’s CFO and the head of internal audit (Chief Audit Executive, or CAE) is an unusual one. In the majority of cases, the CAE reports administratively to the CFO but functionally to the audit committee of the board. This allows the internal audit function to be independent of management and able to provide objective assessments of the company’s governance, risk management, and related internal control processes. The primary customer of their assurance services is the audit committee, but the executive management team — especially the CFO — is a critically important customer as well. (For more information about internal auditing, visit The Institute of Internal Auditors' website or download this brochure).
As CFO, these are the most important things I would expect from the CAE:
- Honesty: a direct, unvarnished assessment of how well the organization’s processes are managing the more significant risks to the organization as a whole. As CFO, my interest is not only in financial risks, but also in risks to the achievement of strategies and corporate objectives. I would insist on an absence of “weasel words,” and the presence of a clear, to-the-point assessment.
- The ability to effect constructive change: the CAE and his team must be able to recommend business-practical changes that will improve business operations — and persuade management of their value.
- A proactive, company-first attitude: internal audit’s value is not shown by the number of significant issues it finds. It is in its ability to effect long-term improvements in the system of internal control, and prevent issues rather than detecting and reporting them after the fact. For example, I would insist that internal audit is involved in all major IT and other projects, providing risk and controls advice so that new systems "go live" with adequate security and controls built in. There’s little worse than spending millions of dollars on a new IT system and then, six months later, being told by internal audit that there are major security and control gaps. Bottom line: internal audit activities should be designed to help the company succeed.
- A desire to work with me and the rest of the executive leadership team: while the independence of the internal audit team is important, and they need to be objective in their assessments, working with management in a constructive fashion is the path to success. The goals of management and internal audit should be the same: the success of the organization. The CAE should be a partner in that success, not somebody who only comes to find defects.
- The ability to listen: while internal audit may identify risks and potential control issues, we need to work together to assess their significance and determine what action, if any, is needed. That should be a collaborative effort between management (who has ultimate responsibility for the controls) and internal audit.
Now let's look at what the CAE should expect from the CFO. This applies whether or not the CAE reports to the CFO because the relationship is a key one for both parties (best practice is for the CAE to report functionally to the audit committee and administratively to a top executive, usually the CFO).
As CAE, this is what I expect:
- Honesty. I put this first because (a) it is the most important attribute the CFO should expect from the CAE, and (b) it is essential to an effective working relationship built on mutual trust.
- Information and inclusion. One of the most significant challenges for the CAE is understanding what is happening within the organization: its objectives, strategies, and plans; the concerns and priorities of the management team; how the organization is performing; and the outlook for the future. As CAE, only when I understand what is important and what the more significant risks are can I ensure those are the areas where the audit work is performed. As mentioned last week, the CFO and CAE share a desire for the organization to succeed, and every CAE welcomes being included when information is shared with the senior leaders of the organization.
- Support. The CFO is the first person the CAE will turn to when there is a level of concern over the adequacy of internal controls and the management of risks to the organization. Although the CFO may not be the ‘owner’ of all internal controls, I generally look to him or her as the champion within the executive management team.
- A mentor. There are two aspects to this. The first is the ability of the CFO to help me navigate through and be effective in discussions with top management, including with the CEO. Although as CAE I should have direct access to the CEO, I won’t have the same relationship with him or her as the CFO does — and could always use advice on how to tackle sensitive issues. The second is the ability of the CFO to coach me and help me improve. Although I may report directly to the audit committee, the CFO should play an important part in assessing my performance and contributing to its improvement.
I also expect the CFO to support the internal audit function, including the provision of necessary resources. But that is not a "given." The support has to be earned by providing valuable assurance on governance, risk management, and internal control processes, together with recommendations that improve their effectiveness.
- Do you agree with these expectations?
- Are they reasonable?
- Is this what is in place at your organization?
Posted on Feb 28, 2012 by Norman Marks