Finding the Right Balance

April 2012

A CAE recasts his audit plan to focus on operational activities, only to find the audit committee is more concerned with addressing new regulatory requirements.

Charlie Wilson, chief audit executive at Ranger Communications, regards keeping abreast of stakeholder expectations one of his most important job responsibilities. Accordingly, he has spent a great deal of effort over the past three years staying attuned to the “Big 3”: the audit committee, executive management, and operations management. And while internal audit has focused primarily on regulatory and policy compliance during that time, Charlie’s discussions with operations management have led him to change direction and consider a more progressive approach to audit (see “Change is Hard”). Executive management agrees that internal audit should take a more consultative role that provides insight on operational opportunities and not just recommendations for further control tightening. Charlie is developing an audit plan that reflects this change in direction and preparing to review it with the audit committee.

Charlie feels confident about his decision, already knowing that two of his BIG 3 will be pleased with the new approach. And even though it was a tough sell, he was able to convince the members of his audit team that the change in perspective would broaden their exposure to new areas. He also assured them it would be beneficial to their long-term career development.

As the next audit committee meeting begins, the committee chairman compliments Charlie and his group on how well things seem to have gone during the last year. He then pulls out a few articles that recently appeared in well-known business publications. Some of the articles detail new regulations that would impact Ranger; others describe regulatory and control lapses at several large, publicly traded companies that resulted in reputational damage and financial penalties. The chairman asks Charlie to explain to the committee how his audit plan would address these types of issues and “help keep Ranger and this committee out of the news and off the front page.” The other committee members nod in agreement.

Charlie is caught completely off guard. His plan covers only the basic regulatory testing required by the U.S. Sarbanes-Oxley Act of 2002, and he’s not sure he can connect the plan to some of the issues cited by the chairman, including security breaches, payment of bribes, and recent regulations like the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act. He wonders if the planned level of audit coverage will be sufficient to address the committee’s concerns. Should he move forward with his plan to convince the committee that his proposed change in perspective holds value for Ranger? Maybe he should have at least previewed the plan with the committee chairman before the meeting? At this point his options are limited. How is it possible in the current regulatory environment and uncertain economic conditions for any audit group to cover all the bases?

Share your comments below.

Finding the right balance
Risk and perception are seasonal! While a CAE can plan well ahead on what he thinks are the bases to be covered, he would also need to check with the Chairman of the Aud Com to ensure he has the considered the flavor of the year. With ever changing business climate, the business owners always have the need to weigh risks proactively and on priority basis. What constituted a non-compliance few months back may no longer be the pin up and hence, the CAE continuously needs to address this. Charlie would do well to recast the audit plan to include the regulatory framework that business now prioritizes.
Posted By: Pravin
2013-02-26 3:21 AM

Finding the Right Balance
I think Charlie may have erred a bit in creating this current audit plan. Expanding IA’s responsibilities to include a consultative role is progressive, but it should not come at the expense of addressing critical risks to the business. Perhaps, initially Charlie should have worked more in conjunction with the audit committee as well as Management in developing this plan. By reaching out early in the process, getting input from all stakeholders, he may then not have been caught off-guard by this request. Additionally, a good audit plan should have some flexibility built into it to allow for change to address new and unforeseen risks. Like many in the industry, my department currently tries to keep abreast of our profession and learn what are the new concerns of our peers. In a previous company, my audit department had a formal quarterly review of risks to attempt to update the audit plan as needed. What is a critical risk today can be overshadowed by a new risk(s) as the months go along. Lastly, perhaps Charlie should consider co-sourcing or adding staff. It is not always easy to add staff to one’s department, but by demonstrating that IA is seeking to offer additional benefits to the company through its consultative services, this may support expansion. At the very least, using outside resources to provide depth and breadth may allow Charlie to work to satisfying all his customers and cover these additional concerns presented by the Committee.
Posted By: Paul Steele
2012-04-12 2:59 PM

Finding the Right Balance
Fred, Thanks for the interesting case study. I appreciate the dilemma faced by Charlie. I would say that a CAE should cast a very wide net in viewing risks/opportunities. We do an ERM-type Heat Map that has the top 15 Risks/Opportunities that Internal Audit can do something about. For us, this includes areas such as FCPA, Compliance with Labor Laws, Compliance with Import/Export Requirements, SOX Compliance, and, Continuity/Disaster Recovery, Major IT Implementations, etc. We also consider very operational Risks/Opportunities: Transportation, Maintenance, Capital Expenditures, Product Quality, etc. -- In essence, any risk/opportunity which can be addressed by a control or process, is fair game for Internal Audit to assess. Of course, as the Heat Map is being prepared, Management and the Audit Committee should be consulted for their ideas. Manny
Posted By: Manny Rosenfeld
2012-04-12 10:00 AM

COMMENT ON THIS ARTICLE

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>