December 2010

Filling the Void

The CAE should report where the organization will obtain best value for internal audit assurance and consulting services.

Norman Marks, CPA
Vice President, SAP

Throughout my more than 15 years as a chief audit executive (CAE), I always firmly believed that the CAE should report functionally to the chair of the audit committee and administratively to a top executive, such as the chief financial officer (CFO). But I am no longer sure that is optimal.

The first time I questioned this type of reporting relationship came soon after I became CAE of a global business and we investigated suspected inappropriate activities in our China division. At first, the only unusual aspect of the case was that the individual involved (the China division CFO, who approved a facilitating payment to a customer so he would pay our bills) had only just moved into the position after a stint in internal auditing. Although this was troubling on many levels, it was easily handled. The more difficult aspect was that the Governance Committee of the Board wanted to be briefed on the results of the investigation and its implications for the success of our U.S. Foreign Corrupt Practices Act (FCPA) compliance program.

The Governance Committee believed it was responsible for oversight of compliance and adherence to the corporate code of conduct. The company had hired a chief compliance officer in the office of the general counsel. He reported his program’s progress to the Governance Committee but was reluctant to share this information with the Audit Committee. Similarly, general counsel and the chief compliance officer were not receptive to the idea that I should be appearing before “their” committee to talk about any of the internal audit work. Curiously, both committees’ charters included oversight of compliance and ethics.

We resolved our differences. I persuaded the chair of the Audit Committee to invite the Governance Committee members to the first part of the Audit Committee meeting. In what was essentially a joint session, we discussed the results of my investigations and heard a report from the chief compliance officer, and I reported on issues of interest to both committees.

A conversation with internal audit professor Andrew Chambers stimulated additional reflection. He spoke about the board’s assurance void, referring to its need to know that the information it receives is reliable. The internal audit function can, and I believe should, provide that assurance through its assurance of governance and risk management processes and related internal controls. The point is that the customer is the full board, not just the audit committee. Chambers makes a cogent argument that the CAE should report not only functionally, but also administratively to the board’s lead independent director, and the internal audit budget should be part of the board’s budget.

This line of thought continued as the failure of risk management and its impact on the recent financial collapse came to light. Not only were there gaps in risk management processes, but also in the quality of board oversight of management’s risk management capability. A key question is whether that oversight is a responsibility that has to be discharged by the full board, or whether it can be delegated to a risk committee or the audit committee.

The U.S. Securities and Exchange Commission issued disclosure rules last year that require filers to “disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.” Although the rules put a measure of pressure on boards to address their risk oversight obligations, they do not provide guidance on whether this should be done by the board or one or more committees.

The New York Stock Exchange’s (NYSE’s) Listed Company Manual provides additional guidance. Applicable to all companies with securities listed on the Exchange, the manual has a section on “Audit Committee Additional Requirements.” One of the audit committee’s duties is specified as: “discuss policies with respect to risk assessment and risk management.” The manual states:

While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management. … Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.

This is not clear guidance on who should provide risk oversight. Although the audit committee is instructed to discuss the risk management process (because of its relevance to the management of financial risks), it is not required to be the sole body responsible for it.

The Bank of New York Mellon Corp., which is listed on the NYSE and subject to the requirements of the Listed Company Manual, has established a Risk Committee of the Board. According to its charter, the purpose of the Risk Committee is to “assist the Board of Directors in fulfilling its oversight responsibilities with regard to a) the risks inherent in the business of the Corporation and the control processes with respect to such risks, b) the assessment and review of credit, market, fiduciary, liquidity, reputational, operational, fraud, strategic, technology, data-security, and business-continuity risks, c) the risk management activities of the Corporation and its subsidiaries, and d) fiduciary activities of the Corporation’s subsidiaries.”

In its 2009 publication Effective Enterprise Risk Management Oversight: The Role of the Board of Directors, The Committee of Sponsoring Organizations of the Treadway Commission recognized that board oversight of risk should be tailored to fit the needs and capabilities of the board and the organization.

Boards of directors often use board committees in carrying out certain of their risk oversight duties. The use and focus of committees vary from one entity to another, although common committees are the audit committee, nominating/governance committees, compensation committees, with each focusing attention on elements of enterprise risk management. While risk oversight, like strategy, is a full board responsibility, some companies may choose to start the process by asking the relevant committees to address risk oversight in their areas while focusing on strategic risk issues in the full board discussion.

Many believe, and I agree, that the board should take ownership of risk management oversight. It may delegate certain aspects to specialized committees, and could ask a risk committee to manage the details. But, each of these committees should report to the full board, which should have a meaningful discussion about risk as part of its strategy sessions.

This new and appropriate emphasis on risk oversight comes at a time when many forward-looking internal audit departments are refocusing their work around risk. They have taken to heart the mandate in The IIA’s International Standards for the Professional Practice of Internal Auditing that calls for internal audit functions to provide assurance and consulting services to improve the effectiveness of governance and risk management processes and related internal controls.

Who is the customer for internal auditing’s assurance and consulting services? Shouldn’t CAEs report to that customer? Should they still report to the audit committee or, as Chambers suggests, should they report to the lead independent director of the board? It depends. The CAE should report where the organization will obtain best value for internal audit assurance and consulting services.

The governance committee or its equivalent should address to whom the CAE should report, as that committee is generally responsible for determining board and committee performance, updating charters, etc. It should consider:

  • Who are internal auditing’s primary customers? Who needs to provide input into internal auditing’s planning process and receive reports after it completes engagements?
  • Can internal auditing interact effectively with multiple committees if each is a customer?
  • Does the full board need to obtain reports from the CAE?
  • Which committee would provide the most effective direction to, and oversight of, the internal audit function?
  • Is there value in having the internal audit function report both functionally and administratively to the board or a committee of the board? Does the audit committee chairman or lead independent director have time to perform the administrative function? Can some of those administrative actions (such as approving expenses, promotions, etc.) be delegated to management without compromising the independence of the CAE and his or her team?

It will be interesting to see whether CAE reporting relationships change as boards address their risk oversight responsibilities, especially as they consider the value that internal auditing can provide in filling the “assurance void.”

 

