Home > Risk > Is the audit committee to blame for defects in internal audit?

Is the audit committee to blame for defects in internal audit?

February 18, 2013 Leave a comment Go to comments

No sooner had I written a post about important recommendations about internal audit from the UK when I was sent a copy of an interesting paper from Belgium: Reflections on the internal auditing profession: what might have gone wrong?

While I encourage everybody either to buy the paper ($25) or contact the author, Dr. Rainer Lenz, for more information, I will try to summarize the primary thrust through excerpts.

  • Internal auditing (IA) has not generally been seen to have a significant role in the financial crisis, neither as part of the problem nor as part of the solution. (This is a point I made in a post in 2010).
  • IA has multiple customers to serve and IA aspires to render both assurance and consulting services
  • Whilst the board’s/audit committee’s priority is focused on risk oversight and reducing the downside of risk, the growth and performance objectives of management require active risk-taking, seen as an inseparable element of strategy and a crucial driver in achieving objectives, including optimizing value over time. These different perspectives, different incentives and risk tolerances may mean that, if everyone expects something different from IA, no one is likely to be satisfied in full
  • At present, IA is viewed as lacking both a clear chief stakeholder/“boss” and a clear role
  • The more IA lacks a distinct chief stakeholder/“boss” and a clear and realistic role, the more it is principally exposed to over-promising and under-delivering
  • To become a more relevant stakeholder in the corporate governance arena, the IA profession should consider clarifying both the perspective and the purpose of IA, that is, determining to whom IA should be accountable (the perspective from which its added value is judged) and clarifying/concentrating the IA’s service offering (its purpose)
  • The IIA, the globally recognised standard setter of IA practice, may consider further reflecting upon the pros and cons when re-focusing the IA profession predominantly on assurance services, possibly progressive assurance services, on governance, risk management and control processes in order to more clearly contribute to increasing the long-term value of the organization it serves. More clearly for IA needs to stress the primacy of assurance service would give lower priority to consulting services.
  • Consulting services would then be subordinated to assurance services and expected to support the latter.
  • There may be subtle indications that the IIA is moving cautiously in the right direction, as there is a trend towards moving the reporting lines of IA into the board; and the IIA is de-emphasizing the role of consulting services when defining “added value”

The article closes with a number of recommendations, of which one stands out for me. The authors suggest that the IIA study “the implications of possible tensions with senior management if IA reports straight into the board or the audit committee and IA thus becomes fully the agent of that oversight body, whilst abandoning the reporting link into management”.

Now, I don’t personally believe that internal audit is ‘defective’. But there are too many departments that in my opinion fail to meet the challenge – because they do not provide a formal opinion to the board and top management of the adequacy of governance, risk management, and related internal controls. In fact, nearly half don’t assess and report on the adequacy of risk management, let alone governance processes.

Why do I point a finger of blame at audit committees?

The internal audit department does not select to whom they will report. While they may make suggestions, they are not the ones to set the expectations of the board and audit committee.

When the audit committee does not expect and, yes, demand that internal audit perform – and by that I mean provide assurance on what matters to the organization – then only they are to blame.

I recognize that members of the board do not have a lot of time to dedicate to the task, but if (as it should) the internal audit function reports to the board and owes its primary allegiance to the board, then the board needs to step up and own that responsibility.

I leave you with this question: does the chairman of the board (or of the audit committee) provide the same level of guidance and direction to the CAE that, as a senior executive, they gave to their direct reports? Does he take responsibility for the performance of the CAE as a direct report?

  1. Larry Brown
    February 18, 2013 at 4:59 PM

    Norman – As we’ve often discussed in the past, there’s a tension between the CAE reporting directly to the audit committee and everything that goes with it – e.g., direct supervision of the CAE, etc. and provisions of Delaware law (for U.S. companies) that provide that the Board’s role is oversight, and certainly not direct management / supervision of the CAE (or the CRO and CCO for that matter). Until that tension is cleared, there will not be much movement in this area, the best efforts of the IIA aside.

    Keep up the good work.

    Best,

    Larry Brown

  2. February 19, 2013 at 9:40 AM

    Norman; This is an important topic. I encourage you to post it on your IIA blog.

    Larry: You raise an interesting point. I think there needs to be a distinction between administrative reporting lines and who internal audit believes is their primary customer. That clarity must come from boards of directors. The NACD Blue Ribbon Commission recommendations listed in my December 2012 Conference Board Director Notes article are the best I have seen to date in terms of specifying what “every board should” do in the area of risk oversight.

    I’m not convinced at this point the IIA has done anywhere near enough to clear up what internal auditors should be providing to boards to help them meet the new expectation that they should be overseeing management’s risk appetite and tolerance.

  3. ARNOLD SCHANFIELD
    February 19, 2013 at 12:11 PM

    Tim Leech hits the point precisely and not only have they not done nearly enough but the IIA has actually done very little. Can you provide real tangible evidence that would contradict this statement? They need to be very specific about what boards should be doing and what expectations they should have on internal audit. But to get them to this level is another can of worms because the IIA by itself does not have the capabilities to do this. Right now you have low expectations by the Audit Committee and the internal auditors are meeting those low expectations. It is a sad situation that we all understand and somewhat depressing and frustrating when there are possibilities of solutions but continued inaction. Such is life

  4. February 20, 2013 at 12:32 PM

    This is a bit of a cart before the horse commentary. Except in egregious situations, most Audit Committees still take their lead from management and the CFO regarding expectations of internal audit. My experience has been mixed.
    Given the amount of time the EA consumes during Audit Committee meetings, it’s easy for the CFO to conclude IA isn’t as important, relatively, and then manage accordingly. I would also suggest that many terrific auditors makee less than terrific CAEs as the skill set requirements change.
    The IIA has muddied the waters with their definition of internal audit. I’ve never liked the bit about consulting services and always thought it was a reaction to the IA outsourcing trend that existed around the time when issued. Ultimately it’s the Audit Committee, heavily influenced by Management I’m afraid, who determine the value and expectations of IA.
    Back on point, the Audit Committee must identify the performance standards it considers important for IA and then hold both the Management Team and CAE accountable.Until then, internal audit serves multiple masters, some probably not very well.

  5. February 20, 2013 at 2:09 PM

    There are two interesting elements to this debate. First, my pet hate, the consulting v audit debate. There is very little difference in my view between a properly conducted risk based audit and a piece of consultancy, except that consultancy is commissioned by management and ignored by management and that most consultants lack context-dependent knowledge to really make solutions to complex problems ‘stick’ (in fact they rarely stick around to see a solution fail). So for me that distinction between internal audit and consultancy is false. See my blog for various comments and thoughts on the matter.

    Second the idea of reporting to the Audit Committee or management. Yes there is a tension. Where management and governance bodies part, then IA is a tool of governance first and foremost, management second. IA is also independent. It should set is own agenda and plans separate from the direction and control of the Audit Committee. Clearly Audit Committee should have a strong view and be a strong stakeholder, but can you imagine a financial statements auditor’s independence being managed by the Audit Committee? No, I thought not. So, therefore, should be IA.

  6. Judy Grobler
    February 24, 2013 at 5:58 AM

    I do believe that the AC is partly to blame. We often rely and not probe enough and may leave the Internal auditors blind regarding to what we really expect of them. It is of utmost importance that we look at what they do and what the outcome is, give them guidance and direction without become too handson. Asking the right questions and getting the expected answers is not always that easy!

  1. February 22, 2013 at 12:18 AM
  2. February 25, 2013 at 6:40 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: