
What Audit Committees (Should) Want

January 25, 2014

Michele Hooper is a highly respected (including by me) member and chair of audit committees. She has been a passionate advocate for internal audit and its profession for many years and an advisor to the Institute of Internal Auditors (IIA). In addition, she has been very active with the Center for Audit Quality (CAQ), which is where I met her (she was chair of a CAQ meeting in San Francisco to discuss fraud and I was present as a representative of the IIA).

In December, Michele was interviewed for an article in Internal Auditor (Ia), What Audit Committees Want.

The article brings out some important points. I agree with some and disagree with others (in part because they are left unsaid).

The very first sentence is telling:

“I rely on CAEs to be my eyes and ears in the organization, reporting back on culture, tone, and potential issues that may be emerging within the business”.

The expression ‘eyes and ears’ is an old and perhaps tired phrase. On one hand, it implies that internal audit is spying on management and then running, like a child, to tell on it. On the other, it describes the important role of internal audit as a source of critical information to the board on what is happening within the organization, which may be different from what they are hearing from management.

I can accept that, but what I especially like and appreciate are the next words: “culture, tone, and potential issues that may be emerging within the business”.

Michele is not talking about controls. She is not even talking directly about the management of risk. She is talking first about the culture and tone of the organization, and then about emerging business risks and related issues.

Does your internal audit function provide the board and its audit committee with a sense of the culture and tone within the organization – at the top, in the middle, and in the trenches? If not, why not?

Does your internal audit function ensure that the board is aware of new and emerging business risks and related issues? If not, why not?

Then Michele goes astray:

“An important responsibility critical to audit committee and board discussions is the CAE’s ownership and prioritization of the process management framework for risk identification.”

The CAE should not own the process for identifying and prioritizing risks. The IIA has made that clear in its famous Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management. It says: “Management is responsible for establishing and operating the risk management framework on behalf of the board… Internal auditor’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management”.

When Michele is asked about the risks she and the audit committee will worry about in 2014, she comments on:

  • Culture
  • Tone
  • Internal control
  • Compliance, especially regulatory compliance
  • Cyber vulnerabilities
  • Financial reporting
  • Reputation risk, and
  • Oversight of the external auditor

What she does not mention are:

  • The effectiveness of the organization’s ability to manage risks to the achievement of objectives
  • The effectiveness of governance processes
  • The need for the audit committee to work collaboratively with other board committees, such as the risk and governance committees, to ensure risks are managed at acceptable levels

I wish she had. I especially wish she had mentioned the magic word:

ASSURANCE

Let’s return to basics, but with a new twist: a new explanation of the primary purpose and value of internal auditing.

Internal audit provides objective assurance to the board and top management of the effectiveness of the entity’s organization, people, processes, and systems in managing risks to the achievement of the entity’s objectives at acceptable levels.

Does your internal audit department provide that assurance, formally, to the board and top management?

 

  1. January 25, 2014 at 11:41 PM

    Would like to add just one word – Reasonable Assurance

    We cannot provide absolute assurance but only reasonable assurance

    The answer is yes and no. Yes, since as part of audit reports we cover most of these aspects. No, since we do not provide assurance on all aspects at a time.

    Regards,
    Kushal
    http://www.internalauditexpert.in

  2. January 26, 2014 at 12:21 AM

    With economic slowdown predominating throughout this year, the boards and audit committees are focusing to leverage the internal audit function to mitigate a wide array of risks associated with liquidity, cash management, and market volatility. Auditors today need to vigilantly track the company’s debt situation including debt maturities, access to capital markets, and the impact of the recession on the company’s supply chain and distribution channels. The pressure to maintain performance and meet expectations during the economic downturn has necessitated corresponding increase in the knowledge, skills, and expertise of internal audit professionals.

  3. January 26, 2014 at 10:38 PM

    I agree with Kushal about his point on Reasonable Assurance.

    To add, there is no absolute assurance when it comes to this industry because as the organization grows, the greater the risks are.

    Yes we cover most of the aspects when making internal audit. But covering all doesn’t mean we can give an accurate assurance to the top management. It all comes down on how we can deliver a comprehensive report as possible.

  4. Brian Robb CA CIA CRMA
    January 28, 2014 at 11:22 AM

    Just another twist in this can be our ability to “assist management obtain reasonable assurance”. We are not the only assurance providers as we think about the three lines of defence/assurance model. Management also (and should) obtain assurance from other parts of the organisation however we provide the independent assurance. This aligns with the control frameworks and risk models where it is managers responsibility to ensure their risk mitigations/controls are effective. We are one of the providers (a very important and key provider) but not sole provider of assurance. This is a message we are currently promulgating within our organisation.

  5. Devin P. Kelley
    February 2, 2014 at 11:10 PM

    “Ernst & Young’s global internal audit survey results confirm that the future of internal audit is now. Nearly three-quarters of respondents believe that internal audit has a positive impact on the organization’s overall risk management efforts. But an even larger majority believes that internal audit can do more — and wants them to do it within the next two years.

