What the CFO and the CAE Should Expect from Each Other

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

I have had the privilege of writing pieces each month for CFO.com. Two related pieces discussed the relationship and mutual expectations of the CFO and CAE. Here they are, together:

What should CFOs expect from the head of internal audit?

The relationship between an organization’s CFO and the head of internal audit (Chief Audit Executive, or CAE) is an unusual one. In the majority of cases, the CAE reports administratively to the CFO but functionally to the audit committee of the board. This allows the internal audit function to be independent of management and able to provide objective assessments of the company’s governance, risk management, and related internal control processes. The primary customer of their assurance services is the audit committee, but the executive management team — especially the CFO — is a critically important customer as well. (For more information about internal auditing, visit The Institute of Internal Auditors' website or download this brochure.)

As CFO, these are the most important things I would expect from the CAE:

  • Honesty: a direct, unvarnished assessment of how well the organization’s processes are managing the more significant risks to the organization as a whole. As CFO, my interest is not only in financial risks, but in risks to the achievement of strategies and corporate objectives. I would insist on an absence of “weasel words,” and the presence of a clear, to-the-point assessment.
  • The ability to effect constructive change: the CAE and his team must be able to recommend business-practical changes that will improve business operations — and persuade management of their value.
  • A proactive, company-first attitude: internal audit’s value is not shown by the number of significant issues it finds. It is in its ability to effect long-term improvements in the system of internal control, and to prevent issues rather than detecting and reporting them after the fact. For example, I would insist that internal audit is involved in all major IT and other projects, providing risk and controls advice so that new systems "go live" with adequate security and controls built in. There’s little worse than spending millions of dollars on a new IT system and then, six months later, being told by internal audit that there are major security and control gaps. Bottom line: internal audit activities should be designed to help the company succeed.
  • A desire to work with me and the rest of the executive leadership team: while the independence of the internal audit team is important, and they need to be objective in their assessments, working with management in a constructive fashion is the path to success. The goals of management and internal audit should be the same: the success of the organization. The CAE should be a partner in that success, not somebody who only comes to find defects.
  • The ability to listen: while internal audit may identify risks and potential control issues, we need to work together to assess their significance and determine what action, if any, is needed. That should be a collaborative effort between management (who has ultimate responsibility for the controls) and internal audit.

What should the head of internal audit expect from the CFO?

Now let's look at what the CAE should expect from the CFO. This applies whether or not the CAE reports to the CFO because the relationship is a key one for both parties (best practice is for the CAE to report functionally to the audit committee and administratively to a top executive, usually the CFO).

As CAE, this is what I expect:

  • Honesty. I put this first because (a) it is the most important attribute the CFO should expect from the CAE, and (b) it is essential to an effective working relationship built on mutual trust.
  • Information and inclusion. One of the most significant challenges for the CAE is understanding what is happening within the organization: its objectives, strategies, and plans; the concerns and priorities of the management team; how the organization is performing; and the outlook for the future. As CAE, only when I understand what is important and what the more significant risks are can I ensure those are the areas where the audit work is performed. As mentioned last week, the CFO and CAE share a desire for the organization to succeed, and every CAE welcomes being included when information is shared with the senior leaders of the organization.
  • Support. The CFO is the first person the CAE will turn to when there is a level of concern over the adequacy of internal controls and the management of risks to the organization. Although the CFO may not be the ‘owner’ of all internal controls, I generally look to him or her as the champion within the executive management team.
  • A mentor. There are two aspects to this. The first is the ability of the CFO to help me navigate through and be effective in discussions with top management, including with the CEO. Although as CAE I should have direct access to the CEO, I won’t have the same relationship with him or her as the CFO does — and could always use advice on how to tackle sensitive issues. The second is the ability of the CFO to coach me and help me improve. Although I may report directly to the audit committee, the CFO should play an important part in assessing my performance and contributing to its improvement.

I also expect the CFO to support the internal audit function, including the provision of necessary resources. But that is not a "given." The support has to be earned by providing valuable assurance on governance, risk management, and internal control processes, together with recommendations that improve their effectiveness.

Questions

  1. Do you agree with these expectations?
  2. Are they reasonable?
  3. Is this what is in place at your organization?

Posted on Feb 28, 2012 by Norman Marks

  1. I think these are really reasonable and mature ideas based on extensive experience. Thanks for valuable thoughts.

  2. I agree with your comments; the CFO and the Internal Auditor should work together to ensure that the Strategy is implemented and identify risks. The Internal Auditor should come up with measures to mitigate the risks and ensure implementation by the CFO.

    The internal auditor is equally part of the organisation and should be pro-active to deal with issues before it is too late. It should not only report the problems but ensure that they are addressed and let audit find no inefficiencies in the system.

  3. Norman:

    This is good.

    I would add that the CFO should expect and receive from the CAE a candid assessment of performance by the external auditors. Such candid assessment should be driven from a minimum of three different sources: first, when internal audit provides an opinion on the adequacy of management of all major risks including the financial areas, the evaluation of the external auditors would be part of this; second, based on the CAE's personal interaction with the external audit team, both verbal and written, for example a review of the quality of the external audit management letter and an assessment of how they went about conducting their risk assessment; third, independent input from other parties in the company that had extensive interaction with the external audit team.

    I would also expect to see from internal audit very specific commentary on how their activities contributed to accomplishment of the major strategic objectives of the business, and this should be readily apparent.

  4. Rashed Khan | May 10, 2011 at 10:35 am

    An audit can be a real headache and you are 100% correct when you say you need to be fluent in Excel, but you know there are programs that can make this process a lot easier for you. A good Software Asset management program like Licence dashboard will actually simplify the whole process by collating and giving you all the information that a software auditor would require. Simple.
