GOVERNANCE PERSPECTIVES, APRIL 2009

The Black Hole of Assurance

Filling the board’s assurance vacuum will require a change in internal auditing’s functional and administrative reporting.

BY ANDREW CHAMBERS

Throughout its history internal auditing has ceded space to occupational groups providing specialist or sector-specific assurance, while reinventing itself to hold its core ground in changing times. The profession has morphed at times when the “push” by internal audit leadership has aligned with the “pull” of demand. Current conditions may present yet another such juncture for audit professionals.

The economic crisis provides evidence that boards of directors operate in a partial assurance vacuum. From here on, how will boards obtain quality, independent assurance that management is implementing board policies and that significant internal and external risks have been identified and are mitigated appropriately? Should public-interest boards be required to receive 360-degree, independent assurance? Can internal auditors rise to this challenge, or is it territory best suited for others?

When Arthur Collins wrote his internal audit textbook, A Municipal Internal Audit, in 1904, the internal audit paradigm focused on reperformance of accounting, and it was sufficient for internal auditing to report within the accounting function. The birth of The IIA in the 1940s brought a focus on controls, and this focus provided assurance that processes would be done correctly. By 1998 authors David McNamee and Georges Selim observed in their book Risk Management: Changing the Internal Auditor’s Paradigm that internal auditing was poised on the cusp of a paradigm shift to risk. The risk-based approach offers a degree of assurance that, among items identified as presenting the highest risk to the organization, some are sufficiently controlled. This paradigm now requires an updated scope and delivery method to meet future needs. The next shift is likely to offer overall assurance to the board, and even to external stakeholders, on the identification and mitigation of both internal and external risks.

Boards rely on their top executive teams to provide the assurance they need, but too often that assurance is partial and insufficiently objective. In many cases, chief executive officers (CEOs) control the information flow to the board, which can delay communication of audit issues. The corporate wasteland is strewn with examples of boards that discovered too late the risks to which their companies were exposed. Moreover, post hoc reviews of boards by independent parties on specific issues do not adequately substitute for proactive assurance.

Boards also sometimes look outside the organization for continuous, independent assurance. In 2007, for example, BP plc’s board — as recommended by The Baker Panel, an independent body chaired by former U.S. Secretary of State James Baker aimed at investigating the oil and gas company’s North American safety culture and management systems — engaged an independent monitor to report annually to the board on process safety. On its own, however, this type of monitoring provides inadequate assurance because it focuses only on a particular category of risk.

As internal auditing has provided assurance services to higher levels of management, it naturally has needed to report functionally and administratively at higher levels. When auditing provided assurance only on low-level accounting activities, reporting to mid-level financial management was considered acceptable. With the transition to providing assurance on operational, financial, and compliance controls, internal auditing needed to report to top management. The most senior level that relies on internal audit assurance must be confident that internal auditing has not subordinated its judgment to others — a reporting relationship risks such a compromise. In fact, the close relationship between auditing and management diminishes the assurance that auditing provides to the audit committee. However, reporting functionally and administratively to the committee need not weaken the assurance that internal auditing provides to management. Indeed, assurance provided to the CEO is more robust when furnished by a party independent of the CEO.

A structure in which internal auditing reports administratively to management, and only functionally to the audit committee or board, is inadequate. For internal auditing to provide dependable board-level assurance, the audit function’s budget needs to be regarded as a cost of running the board. If the board chair is independent, the chief audit executive (CAE) should report to the chair, or to someone who reports administratively and functionally to the independent chair. If the board has a nonindependent chair, the CAE should report administratively to a senior independent director or to the board as a whole.

Alternatively, the CAE could report functionally and administratively to the board or to its independent chair, with the budget for the rest of the audit function provided by management. This arrangement would be comparable to that of many government inspectors general who remain independent of the executive but work in national audit offices that may not be fully independent.

Regardless of the specific reporting structure, audit reporting needs to extend beyond the audit committee level. Although The IIA’s International Standards for the Professional Practice of Internal Auditing’s glossary definition of board suggests that practice requirements are met if the CAE interfaces with the audit committee, communication should not stop there. Boards need to engage firsthand in the assurance debate rather than relying on the audit committee to communicate conclusions. Indeed, much of what the CAE reports to the audit committee is often filtered out of the committee’s report to the board.

Future CAEs, while remaining independent of the board, will need to have equal status with executive directors so that they can interface on equal terms and attend board meetings as well as some board committee meetings. That way, boards and board committees will get information directly from the CAE, and the CAE will learn directly about any problems that are worrying the board and its committees. Moreover, just as best practice corporate governance frowns on independent directors’ fees that include performance-related pay, tomorrow’s internal auditors, functioning independently from management, will not receive performance-related compensation.

To fill the board’s assurance vacuum, future CAEs will also need to establish a mezzanine level of highly competent “super auditors” within their department. Many of today’s auditors will be able to rise to the challenge, but enhanced recruitment and certification standards must be developed, together with the highest levels of commitment and personal accountability. And while more challenging to introduce in countries where internal auditors are more concerned about being sued, there will likely be a general roll-out of overall assurance opinions to the board by internal auditing, and a prima facie assumption of audit failure if the board has not received timely advice about risk. The scope of the internal audit risk paradigm will be modified so that risk assessment does not merely identify the systems and processes to be audited, but draws attention to unacceptable internal and external risks the business faces.

To provide robust assurance to the board, internal auditors must be allowed to determine risk assessment criteria using their own independent, professional judgment. They should neither be constrained by a rules-based approach dependent on pre-established criteria nor subject to the judgment of others, especially management. Revised professional practice standards will be required to provide auditors the necessary footing to operate in this manner.

Applying independent, professional judgment can be especially challenging in audits of highly technical activities, such as plant safety, assisted by external or nonaudit in-house support where necessary. The Baker Panel’s 2007 report noted that BP’s almost 100 percent reliance on internal gHSEr (getting Health, Safety, and the Environment right) audits had led to an internalized view of company operations and suggested that third-party reviews offer a “different level” of assurance. The panel was referring to audits conducted by technical nonaudit staff from other BP sites; the role of BP’s internal audit function was to provide assurance on the internal gHSEr audit program rather than to undertake the audits. To accommodate audits of highly technical activities, future internal audit functions will likely be multidisciplinary, using external resources to augment their internal competencies.

Repositioning internal audit functions within their respective organizations will help provide stronger assurance to the board. And eventually, audit functions may need to be even further repositioned to provide stronger assurance to outside stakeholders. There are already indications that internal auditing is increasingly serving the needs of external stakeholders, but is not strongly positioned to provide reliable assurance to them. Examples include certain obligations for auditors to report matters to industry regulators, and the auditor’s role in preparing statements on internal control addressed to shareholders and other stakeholders. Meanwhile, the profession’s immediate challenge is to fill the board’s assurance vacuum while continuing to provide the assurance to management. In the past internal auditing has been characterized by visionary leadership that has successfully expanded its role to meet emerging demands. Auditors now have the opportunity — indeed the imperative — to do so again.

ANDREW CHAMBERS, FIIA, is professor of internal auditing at London South Bank University.

To comment on this article, e-mail the author at andrew.chambers@theiia.org.

 

 
