control, and governance
control, and governance
What Your Audit Committee Wants and Needs
Catherine L. Bromilow
Partner
PricewaterhouseCoopers Center for Board Governance
Brian S. Brown
Principal and Internal Audit Performance Improvement Leader
PricewaterhouseCoopers
When PricewaterhouseCoopers (PwC) launched its 1993 landmark book on audit committee leading practices, it was a very different world. Since then, responsibilities assigned to audit committees have expanded significantly amid an increasingly challenging and interconnected global business environment. The economic crisis that started in 2008 increased the focus on both the role of the audit committee and the information organizations disclose. Audit Committee Effectiveness — What Works Best, 4th Edition (June 2011) provides insights into how audit committees are addressing their many challenges, including their role in overseeing accurate and transparent disclosures in a shifting risk environment. Clearly the pressure on audit committees has not subsided.
We’ve also seen dramatic change in the way internal auditors operate and the scope of their work. Where once their role was primarily about assessing internal control compliance, the 1990s ushered in the era of consulting, and many departments shifted to helping management with process improvement. The role changed again with the passage of the U.S. Sarbanes-Oxley Act of 2002, which required many internal audit activities to quickly reallocate resources toward financial reporting controls. Today, internal auditors are seeking the right balance between consulting and assessing controls, while addressing the myriad of emerging risks to their organizations.
Our research and analysis in compiling both Audit Committee Effectiveness — What Works Best, 4th Edition, and PwC’s 2011 State of the Internal Audit Profession Study offer insights into the ever-evolving relationship between internal audit and the audit committee, including critical perspectives on how to refine internal audit’s role through interaction with the audit committee, the committee chair, and management. In this article, we share some of these observations. You may find it useful to consider them in light of an ongoing effort to continuously improve how your internal audit activity operates.
JUGGLING THE NEEDS OF VARIOUS STAKEHOLDERS
Different stakeholders value internal audit’s various efforts very differently. In our experience, chief audit executives (CAEs) may find it useful to focus internal audit’s efforts by looking through the eyes of various stakeholders. For example, can internal auditors provide the most value by evaluating the process that management uses to identify and mitigate significant risks? Or by championing better integration between various risk and compliance functions within the organization? Or by further analyzing key audit findings and considering how they impact the overall business? By thinking through such questions, internal auditors can better focus their efforts and limited resources on the right work — delivering value to management and providing the assurance the audit committee seeks. That, in turn, demonstrates that internal audit understands various stakeholders’ needs and is sensitive to addressing them, even when that requires reconciling potential divergence between management’s requests and the audit committee’s expectations.
Additionally, internal audit should align its annual plan with the significant risks identified by management — regardless of any resource constraints. Successful CAEs use great care when determining which risks to cover during the plan year and present their approach in a way that allows the audit committee to easily understand the planned scope of activities.
ADDRESSING EVOLVING RISKS
Our 2011 State of the Internal Audit Profession Study indicates that many internal audit activities are not yet deeply involved in addressing certain critical risks: growth in emerging markets; cross-border acquisitions; joint ventures;new technologies such as cloud computing; and new regulatory requirements relating to the industry in which the organization operates. While these areas will demand more internal audit attention and investment as businesses wrestle with these emerging risks, not all internal audit departments have the subject matter expertise to address such areas adequately. We have seen that even Fortune 50 internal audit activities feel the need to reach outside to engage specialist resources to address these areas. Not having in-house resources can no longer be an excuse for not covering these critical risks in internal audit’s scope.
Some audit committee chairs have coached internal auditors to take a proactive approach to helping management understand emerging risks and the impact they may have on the organization in the future. The most progressive internal audit activities play a significant role in helping management not only understand the risks and impacts but also incorporate risk management into strategic planning and execution. Indeed, audit committees are more likely to view internal audit as a crucial resource when it focuses its attention on the organization’s ability to manage risk effectively.
Audit committees, along with management, recognize that even the most well-conceived audit plans can benefit from flexibility to accommodate emerging risks and changing priorities such as acquisitions, unanticipated regulatory challenges, and investigations — all of which may require diversion from the original plan. We are seeing a trend toward flexibility in internal audit plans to enable shifts in commitments so that internal audit can keep pace with changing risks and priorities. In some ways, it’s the difference between thinking outside the box and getting locked in it.
ELEVATING THE STATURE OF THE CAE
The way in which internal audit interacts and communicates with management and the audit committee can significantly influence how the activity is viewed. Internal audit is often judged by its leader. A CAE who brings business acumen supported by strong interpersonal skills — the ability to communicate effectively and exude confidence as an executive — is far better positioned to earn the respect of the audit committee chair and cultivate audit committee support. That can be crucial to driving internal audit’s effectiveness and how it is perceived throughout the organization.
We have observed the most effective CAE-audit committee chair relationships are centered on ongoing dialog that extends beyond the confines of formal meetings, with the chair equally invested in achieving the same degree of interaction. In some large organizations, such meetings are scheduled monthly with informal contacts occurring more frequently as needed, perhaps even weekly. This kind of rapport enables the CAE to report timely on challenges facing the organization and helps convey the right tone in communicating internal audit’s value, both to management and within the activity itself. As one audit committee chair told us, “The audit committee can help support internal audit’s independence from management through the extent of its communications with internal audit and by making this level of engagement visible to management.”
More organizations are recognizing how critical the CAE-audit committee chair relationship is. According to The IIA’s Global Audit Information Network (GAIN) survey, 81 percent of CAEs reported directly to the audit committee chair in 2010, nearly double the 1999 finding of 43 percent.
IMPROVING INTERNAL AUDIT'S REPORTING TO THE AUDIT COMMITTEE
Internal audit’s periodic reports to the audit committee stand out to us as a prime area for actionable improvement in many organizations. Audit committee chairs tell us that internal auditors could substantially improve those reports by providing information at the right level of detail. Ideally, such reports will include an executive summary or some other thoughtful introduction that provides the context for the balance of the report and will serve to focus discussion in the committee meeting. Internal audit departments that have done this successfully have started the process by asking themselves whether — looking at the reports from the committee’s viewpoint — they are providing the right amount of detail.
Reports that show business acumen and tie internal audit’s work and findings to the organization’s business objectives and priorities can help burnish internal audit’s status within the organization. Here are some suggestions for improving periodic reports to the audit committee:
- Highlight areas of substantial concern, including issues on the horizon.
- Describe internal audit’s most significant findings, including business implications and management’s remediation strategy.
- List audits conducted since the most recent report, along with their ratings and internal audit’s view as to whether the control environment for that function or location is improving, declining, or stable.
- Include the status of significant prior audit recommendations so the audit committee can monitor management’s remediation.
In preparing their reports, many internal audit activities also make effective use of graphics and color to illustrate important trends.
One approach to testing whether internal audit’s report to the audit committee contains the right information at the right level of detail is to ensure there are substantive answers to the “So what?” question for each element and finding highlighted in the report. As one audit committee chair told us, “Internal audit reports should contain only significant or critical matters; they shouldn’t report on everything.”
The focus on providing value
To continue to enhance the value and status of your internal audit activity, routinely ask:
- Are we working with management and the audit committee to align our expectations?
- Do we adjust capabilities and approaches to reflect how our organization’s business environment is changing?
- What are we doing to ensure that internal audit has not only a “seat at the table” but also a voice?
- Do our stakeholders actively seek our insight when they are addressing an emerging issue? If not, what should we be doing differently?
- Do we make the most of our distinctive vantage point in the organization to share a clear point of view about the risks emerging from the changing business environment?
- Can we provide useful insight and counsel to our stakeholders?
- Are we doing what we can to prepare our internal audit team for the emerging challenges we expect to face in the next few years?
- Are we consistently improving upon the content and format of our reports — both the reports we provide to the audit committee and those on our individual audits?
- Do our training plans encompass enhanced business acumen and leadership skills?
- Are we systematically and strategically focused on building relationships with our stakeholders?
INTERNAL AUDITING — A CONTINUING EVOLUTION
Today’s rapidly evolving regulatory environment and accelerating technological advances can have significant impact on an organization — and sometimes represent considerable risks to its reputation. Audit committees expect internal audit will stay current with industry, regulatory, and technological developments and their effects on organizations. Effective internal audit departments do just that, repositioning their activities and engaging resources as needed to address the evolving needs of their various stakeholders.
As the business environment continues to evolve, internal audit’s role will continue to change. Astute audit committees can offer support and guidance to help focus internal audit’s role and establish priorities. Working closely with audit committee leadership, establishing ongoing dialog, and developing and building upon mutual understanding and agreement will help internal auditors add value and help the enterprise identify and manage current and evolving risks. At the end of the day, we believe internal audit can serve its best and highest purpose when it’s operating with the right degree of independence, when its plans are tied to critical organizational objectives, and when it has robust, ongoing dialog with the audit committee.
internal audit charter
please assist with the internal audit charter
Posted By: simion bett
2012-04-16 8:53 AM
Communication wth Audit Committee
In Japan,we have Board of Audit which is independent from BOD. Members of the Borad of Audit are not directers, but they are obliged to conduct the same roles as Audit Committee. Your article is very practical and useful for both of our Board of Audit and Internal Audit Division in Japan, although the form of governance is different from yours. Thank you for your valuable adivice.
Posted By: Shonosuke Beppu
2012-01-04 10:29 PM
What Your Audit Committee Wants and Needs
Dear Catherine & Brian, Thank you very much for your effort to establish this article. It is very important for me because, after reading, it helped improving my internal audit knowledge and provide clearly on how the Internal Auditor to work with Management and Audit Committee. Thank you Yours faithfully, Chhon Chanty
Posted By: Chhon Chanty
2011-07-11 11:49 PM
INTERNAL AUDIT ACTIVITIES
This article is critically addressing issues that`re on the ground affecting internal audit departments.I am an Internal Auditor and have benefited much.
Posted By: STANFORD MACHIWENI
2011-07-11 8:59 AM
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.
To make something bold:
<strong>Text to bold</strong>
To make something italic:
<em>Text to italicize</em>
To make a hyperlink:
<a href="URL">Text to link</a>
