What Audit Committees (Should) Want
Michele Hooper is a highly-respected (including by me) member and chair of audit committees. She has been a passionate advocate for internal audit and its profession for many years and an advisor to the Institute of Internal Auditors (IIA). In addition, she has been very active with the Center for Audit Quality (CAQ), which is where I met her (she was chair of a CAQ meeting in San Francisco to discuss fraud and I was present as a representative of the IIA).
In December, Michele was interviewed for an article in Internal Auditor (Ia), What Audit Committees Want.
The article brings out some important points. I agree with some and disagree with others (in part because they are left unsaid).
The very first sentence is telling:
“I rely on CAEs to be my eyes and ears in the organization, reporting back on culture, tone, and potential issues that may be emerging within the business”.
The expression ‘eyes and ears’ is an old and perhaps tired phrase. On one hand, it implies that internal audit is spying on management and then running, like a child, to tell on it. On the other, it describes the important role of internal audit as a source of critical information to the board on what is happening within the organization, which may be different from what they are hearing from management.
I can accept that, but what I especially like and appreciate are the next words: “culture, tone, and potential issues that may be emerging within the business”.
Michele is not talking about controls. She is not even talking directly about the management of risk. She is talking first about the culture and tone of the organization, and then about emerging business risks and related issues.
Does your internal audit function provide the board and its audit committee with a sense of the culture and tone within the organization – at the top, in the middle, and in the trenches? If not, why not?
Does your internal audit function ensure that the board is aware of new and emerging business risks and related issues? If not, why not?
Then Michele goes astray:
“An important responsibility critical to audit committee and board discussions is the CAE’s ownership and prioritization of the process management framework for risk identification.”
The CAE should not own the process for identifying and prioritizing risks. The IIA has made that clear in its famous Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management. It says: “Management is responsible for establishing and operating the risk management framework on behalf of the board… Internal auditor’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management”.
When Michele is asked about the risks she and the audit committee will worry about in 2014, she comments on:
- Internal control
- Compliance, especially regulatory compliance
- Cyber vulnerabilities
- Financial reporting
- Reputation risk, and
- Oversight of the external auditor
What she does not mention are:
- The effectiveness of the organization’s ability to manage risks to the achievement of objectives
- The effectiveness of governance processes
- The need for the audit committee to work collaboratively with other board committees, such as the risk and governance committees, to ensure risks are managed at acceptable levels
I wish she had. I especially wish she had mentioned the magic word:
Let’s return to basics, but with a new twist: a new explanation of the primary purpose and value of internal auditing.
Internal audit provides objective assurance to the board and top management of the effectiveness of the entity’s organization, people, processes, and systems in managing risks to the achievement of the entity’s objectives at acceptable levels.
Does your internal audit department provide that assurance, formally, to the board and top management?