Is the audit committee to blame for defects in internal audit?
No sooner had I written a post about important recommendations about internal audit from the UK when I was sent a copy of an interesting paper from Belgium: Reflections on the internal auditing profession: what might have gone wrong?
While I encourage everybody either to buy the paper ($25) or contact the author, Dr. Rainer Lenz, for more information, I will try to summarize the primary thrust through excerpts.
- Internal auditing (IA) has not generally been seen to have a significant role in the financial crisis, neither as part of the problem nor as part of the solution. (This is a point I made in a post in 2010).
- IA has multiple customers to serve and IA aspires to render both assurance and consulting services
- Whilst the board’s/audit committee’s priority is focused on risk oversight and reducing the downside of risk, the growth and performance objectives of management require active risk-taking, seen as an inseparable element of strategy and a crucial driver in achieving objectives, including optimizing value over time. These different perspectives, different incentives and risk tolerances may mean that, if everyone expects something different from IA, no one is likely to be satisfied in full
- At present, IA is viewed as lacking both a clear chief stakeholder/“boss” and a clear role
- The more IA lacks a distinct chief stakeholder/“boss” and a clear and realistic role, the more it is principally exposed to over-promising and under-delivering
- To become a more relevant stakeholder in the corporate governance arena, the IA profession should consider clarifying both the perspective and the purpose of IA, that is, determining to whom IA should be accountable (the perspective from which its added value is judged) and clarifying/concentrating the IA’s service offering (its purpose)
- The IIA, the globally recognised standard setter of IA practice, may consider further reflecting upon the pros and cons when re-focusing the IA profession predominantly on assurance services, possibly progressive assurance services, on governance, risk management and control processes in order to more clearly contribute to increasing the long-term value of the organization it serves. More clearly for IA needs to stress the primacy of assurance service would give lower priority to consulting services.
- Consulting services would then be subordinated to assurance services and expected to support the latter.
- There may be subtle indications that the IIA is moving cautiously in the right direction, as there is a trend towards moving the reporting lines of IA into the board; and the IIA is de-emphasizing the role of consulting services when defining “added value”
The article closes with a number of recommendations, of which one stands out for me. The authors suggest that the IIA study “the implications of possible tensions with senior management if IA reports straight into the board or the audit committee and IA thus becomes fully the agent of that oversight body, whilst abandoning the reporting link into management”.
Now, I don’t personally believe that internal audit is ‘defective’. But there are too many departments that in my opinion fail to meet the challenge – because they do not provide a formal opinion to the board and top management of the adequacy of governance, risk management, and related internal controls. In fact, nearly half don’t assess and report on the adequacy of risk management, let alone governance processes.
Why do I point a finger of blame at audit committees?
The internal audit department does not select to whom they will report. While they may make suggestions, they are not the ones to set the expectations of the board and audit committee.
When the audit committee does not expect and, yes, demand that internal audit perform – and by that I mean provide assurance on what matters to the organization – then only they are to blame.
I recognize that members of the board do not have a lot of time to dedicate to the task, but if (as it should) the internal audit function reports to the board and owes its primary allegiance to the board, then the board needs to step up and own that responsibility.
I leave you with this question: does the chairman of the board (or of the audit committee) provide the same level of guidance and direction to the CAE that, as a senior executive, they gave to their direct reports? Does he take responsibility for the performance of the CAE as a direct report?