Where should internal audit report? Should it be to the audit committee?

I have just drafted my next Internal Auditor article (see below). In it I question my prior belief that the CAE should report to the audit committee.

I would appreciate your comments – including suggestions for upgrading the article.

Should the CAE report to the audit committee of the board?

I have been a chief internal audit executive (CAE) since 1990 and have firmly believed that the CAE should report functionally to the chair of the audit committee and administratively to a top executive, such as the chief financial officer (CFO). But, I am no longer sure that is optimal.

The first signal came soon after I became CAE of a global business and we investigated suspected inappropriate activities in our China division. At first, the only unusual aspect of the case was that the individual involved (the China CFO, who approved a facilitating payment to a customer so he would pay our bills) had only just moved into the position after a stint in internal audit. But while this was troubling on a number of levels, it was easily handled. The more difficult aspect was that the governance committee of the board wanted to be briefed on the results of the investigation and its implications for the success of our U.S. Foreign Corrupt Practices Act (FCPA) compliance program.

The governance committee believed it was responsible for oversight of compliance and adherence to the corporate code of conduct. The company had hired a chief compliance officer, who sat in the office of the general counsel. He reported his program’s progress to the governance committee and was reluctant to share it with the audit committee. Similarly, the general counsel and the chief compliance officer were not receptive to the idea that I should appear before ‘their’ committee to talk about any of the internal audit work. Curiously, both committees’ charters included oversight of compliance and ethics.

We worked it out. I was able to persuade the chair of the audit committee to invite the governance committee members to the first part of the audit committee meeting. In what was essentially a joint session, we discussed the results of my investigations, heard a report from the chief compliance officer, and I reported on issues of interest to both committees.

A conversation with Professor Andrew Chambers during an IIA meeting stimulated additional reflection. He spoke about the board’s assurance void, referring to its need to know that the information it receives is reliable. That assurance can, and I believe should, be provided by the internal audit function – through its assurance of governance and risk management processes and related internal controls. The point is that the customer is the full board, not just the audit committee. Andrew makes a cogent argument that the CAE should report not only functionally but also administratively to the board’s lead independent director – and that the internal audit budget should be part of the board’s budget!

This line of thought continued as the failure of risk management and its impact on the recent financial collapse came to light. Not only were there gaps in risk management processes, but also in the quality of board oversight of management’s risk management capability. A key question is whether oversight of risk management is a responsibility that has to be discharged by the full board, or whether it can be delegated to a risk committee or the audit committee.

The U.S. Securities and Exchange Commission has issued new disclosure rules that require filers to “disclose the extent of the board’s role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board’s leadership structure.” While it puts a measure of pressure on boards to address their risk oversight obligations, it does not provide any guidance on whether this should be done by the board or one or more committees.

More guidance is provided by the New York Stock Exchange’s Listed Company Manual. Applicable to all companies with securities listed on the Exchange, the Manual has a section on “Audit Committee Additional Requirements”. One of the specified duties of the audit committee is (the commentary is included in the Manual):

“(D) discuss policies with respect to risk assessment and risk management;

“Commentary: While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.”

This is not clear guidance on who should provide risk oversight. While the audit committee is instructed to discuss the risk management process (because of its relevance to the management of financial risks) it “is not required to be the sole body responsible for risk assessment and management.”

The Bank of New York Mellon Corporation (which is listed on the New York Exchange and subject to the requirements of the Listed Company Manual) has established a risk committee of the board. According to its charter, “The purpose of the Risk Committee (the “Committee”) is to assist the Board of Directors in fulfilling its oversight responsibilities with regard to (a) the risks inherent in the business of the Corporation and the control processes with respect to such risks, (b) the assessment and review of credit, market, fiduciary, liquidity, reputational, operational, fraud, strategic, technology, data-security and business-continuity risks, (c) the risk management activities of the Corporation and its subsidiaries, and (d) fiduciary activities of the Corporation’s subsidiaries.”

In its 2009 publication Effective Enterprise Risk Management Oversight: The Role of the Board of Directors, COSO recognized that board oversight of risk needs to be tailored to fit the needs and capabilities of the board and the organization.

“Boards of directors often use board committees in carrying out certain of their risk oversight duties. The use and focus of committees vary from one entity to another, although common committees are the audit committee, nominating/governance committees, compensation committees, with each focusing attention on elements of enterprise risk management. While risk oversight, like strategy, is a full board responsibility, some companies may choose to start the process by asking the relevant committees to address risk oversight in their areas while focusing on strategic risk issues in the full board discussion.”

Many believe, and I agree, that the board should take ownership of risk management oversight. It may delegate certain aspects to specialized committees, and could ask a risk committee to manage the details. But each of these committees should report to the full board, which should have a meaningful discussion about risk as part of strategy sessions and similar occasions.

This new and appropriate emphasis on risk oversight comes at a time when many forward-looking internal audit departments are refocusing their work around risk. They have taken to heart the mandate in IIA Standards that calls for internal audit functions to provide assurance and consulting services to improve the effectiveness of governance and risk management processes and related internal controls.

Who is the customer for internal audit’s assurance and consulting services? Shouldn’t the CAE report to that customer? Should they still report to the audit committee or, as Professor Chambers suggests, should they report to the board in the person of the lead independent director?

The correct answer is “it depends”. The CAE should report where the organization will obtain best value for internal audit assurance and consulting services.

I believe this question should be addressed by the governance committee or its equivalent, as that committee is generally responsible for determining board and committee performance, updating charters, etc. It should consider:

  • Who are the primary customers of the internal audit function? Who needs to provide input into their planning process and receive reports after they complete engagements?
  • Can internal audit interact effectively with multiple committees, if each is a customer?
  • Does the full board need to obtain reports from the CAE?
  • Which committee would provide the most effective direction to and oversight of the internal audit function?
  • Is there value in having the internal audit function report both functionally and administratively to the board or committee of the board? Does the audit committee chairman or lead independent director have the time to perform the administrative function? Can some of those administrative actions (such as approving expenses, promotions, etc.) be delegated to management without compromising the independence of the CAE and his team?

It will be interesting to see whether CAE reporting relationships change as boards address their risk oversight responsibilities, especially as they consider the value that internal audit can provide in filling the “assurance void”.

  1. M. Jones
    May 25, 2010 at 7:28 AM

    Hello Mr. Marks,

    I am a student working on a bachelor’s thesis for Linköping University in Sweden. We are researching white collar crime from an internal auditor’s perspective and would be interested in asking you a few questions. Additionally, we would also be interested in citing this blog post and other articles you have written on the subject.

    My e-mail is marjo784 (at) student (dot) liu (dot) se


    M. Jones

  2. Larry Brown
    May 26, 2010 at 3:11 PM

    An interesting, but largely rhetorical question, Norman. I do believe the IIA guidance is adequate, with a functional line to the audit committee and an administrative line to the CEO, but I would like the IIA to come out with a practice advisory stating that if the CAE reports to the CFO that would likely be a violation of the Standards, at least for reporting entities, due to the obvious design flaw / conflict of interest in “auditing your boss.”

    Upping the ante, if you will, as Professor Chambers suggests, is not likely to make much difference – reference the largely ineffective two-tiered board structure in Europe and the pending legislation in the U.S. to layer in yet more oversight/overhead on the financial services industry (Does anyone really think this will improve the behavior of the relatively few “bad actors” in the crowd?).

    Keep up the good work!


    I believe you’re onto something with aligning governance activities, and a strong focus on the COSO IC Framework “Tone at the Top” will go a long way to guiding good performance.

  3. Valentin Sereda
    June 1, 2010 at 2:08 PM

    Thank you for the post, Mr. Marks!
    Actually, I have read the same opinion in Glaim’s paper (Paper 1, SU2) for CIA learning: at Practice Advisory 1110-1. The difference is that it states that, administratively, the reporting should be addressed to the CEO, not to the CFO as Mr. Marks writes, based on his experience.
    It was interesting for me to read, in the main post’s context, about the possible roles of a risk committee.
    And I totally share Mr. Marks’ conclusion and general (i.e. not related to someone’s specific experience or exact organisation) point of ‘it depends’. Indeed, the CAE’s reporting depends on multiple factors; thus the optimal arrangement should be for the reporting recipients to achieve the best value from internal audit.

  4. Venkat Venkataraghavan
    June 10, 2010 at 3:52 AM

    Norman, I would respond to the subject citing the Indian perspective. We have Clause 49 of the Listing Agreement issued by the Securities and Exchange Board of India (SEBI) that is applicable to all listed companies. Accepting the fact that IA is an independent assurance provider away from management’s ‘influence’, appointment and fixation of remuneration of the CAE is vested with the Audit Committee (AC) and the CAE reports legally to the AC. This clause, introduced at the end of 2005, made a paradigm shift in the treatment meted out to, and the recognition and importance of, the function that was earlier embroiled in the power plays of management and was sometimes treated as a stooge to play one upon another!! The present laws, in my view, are the best win-win for all aiming towards corporate governance and excellence. So are we in India ahead of others? If so, it is gratifying and we feel proud about it.

  5. Kerubo
    June 21, 2012 at 5:33 AM

    It is very clear from the standards of internal auditing that the internal auditor reports functionally directly to the Audit Committee, who are actually part of the board, and therefore the internal auditor reports to the board directly. He also reports to the CEO administratively, since it is clear from the organisation chart that the auditor is a departmental head and of course junior to the CEO. However, at times the CEO will want the auditor to share every report and agenda for the audit committee. That is at the discretion of the auditor.

    • Norman Marks
      June 21, 2012 at 7:45 AM

      Anne, do you see internal audit as part of management – implied from your statement that the CAE is a department head?

      Also, the IIA standards do not state IA should report to the audit committee, but to the board or a committee of the board. With IA providing assurance on issues pertinent to other board committees, the point of the blog post is to ask whether it remains appropriate to report to the audit committee alone.

      Thanks for your interest

      Norman D. Marks, CPA, CRMA
      OCEG Fellow, Honorary Fellow of the Institute of Risk Management
      Vice President, Evangelist
      Better Run Business

      Join me online: IIA Governance blog | GRC and Audit blog | Twitter | LinkedIn

  6. Gary Kral
    October 25, 2013 at 1:30 PM

    Is it ever OK for the internal audit function to report to the controller if the head of internal audit is also responsible for setting the agenda and running the AC meetings, while not functionally reporting to the AC?

  7. Norman Marks
    October 26, 2013 at 4:25 AM

    Gary, the IIA Standards are clear. Internal Audit must report functionally to the board or its audit committee, and administratively to a senior official: preferably the CEO, but often the CFO. Burying it under the Controller is an issue.

  8. sam
    April 30, 2014 at 7:16 AM

    Hey, can anyone tell me which internal auditor would be more independent? The one who reports to the CFO or the one who reports to the audit committee?

  9. Norman Marks
    April 30, 2014 at 10:20 AM

    Sam, the internal auditor should report functionally to the audit committee and preferably administratively to the CEO – but the CFO is probably OK.

  10. sam
    April 30, 2014 at 9:58 PM

    Mark, I am doing a research assignment and the question is: Are internal auditors independent? And which internal auditor would be more independent? The one who reports to the CFO or the one who reports to the audit committee? Can you please give your comment on this? Thanks.

  11. Norman Marks
    May 1, 2014 at 7:28 AM

    Sam, who is Mark? Please see my answer. If internal audit is working for management he/she is not independent. QED
