What can the audit committee do for you as internal auditor?

There’s an interesting new post, an article in the IIA’s Internal Auditor, Working in Concert: ​CAEs weigh in on the types of questions audit committees could ask them to strike the right tone.

Several CAEs were surveyed by the magazine “to find out which key questions they wish their audit committees would have asked them, but never — or rarely — did.”

They identified seven questions:

1.       What can the audit committee do for you?

2.       Is the audit plan the right one, and can it be delivered?

3.       Does internal audit have the necessary resources and skills to provide the required level of assurance?

4.       How responsive is management in dealing with the risks that internal audit and other assurance providers flag to them?

5.       What is internal audit’s view of external audit and other assurance functions?

6.       How can internal audit add value? What is your vision for the future?

7.       Would you like to have a coffee off-site?

These should all stimulate some reflection, not only by the audit committee but also by internal audit leaders. Here are my thoughts. Please read the article in full so you can see what I am essentially replying to.

1.       What can the audit committee do for you?

My audit committee invariably asked this question so I am disappointed that these CAEs identified this as their #1 missing item.

Why should the audit committee need to “champion internal audit within the organization?” If the team is doing their job, their value is recognized by both executive and operating management. Do you still need your father to champion you in your work? (I know, ouch!)

I agree that members of the audit committee should bring their expertise to the table and help internal audit understand the more significant risks to the enterprise.

I tell the story of Tom O’Malley and one of my first audit committee meetings as CAE at Tosco, an oil refining and marketing company. The genius asked if I had considered the risks due to failure in the blending process. That came out of nowhere and I had no idea what it was about, but I did the right thing. I thanked him and said I would look into it. The blending of various products into gasoline, diesel, and jet fuel was in fact an extraordinarily high risk. If it was done poorly, it could lead to impurities in the product we sold. Some years later, many diesel-fueled vehicles in the Los Angeles area had major problems, even to the point of engine damage, due to defects in the fuel. Now just imagine a 747 coming into land at a major city when the engines fail due to jet fuel impurities.

Tom O’Malley was not a member of the audit committee; he was the CEO. But the point remains valid.

Years later, Ed Hajim, a member of the Tosco audit committee, asked if I or any of my team was an expert on derivatives. The company had just established a derivatives trading for its purchases and sales of crude oil and finished products. Ed was the CEO of a financial trading company and had just been burned by his lack of understanding of derivatives. He made sure that I was given the time and budget to attend training at the New York Institute of Finance.

If the audit committee is not doing what the CAE needs from them, my position is that the CAE needs to bring this up, tactfully, in private meetings.

2.       Is the audit plan the right one, and can it be delivered?

Of course, the plan should be questioned, but not in the way suggested by the article. For example, the committee should be asking:

·         How do you determine which areas to address?

·         Are you basing your plan on management’s assessment of risks? If not, why not?

·         How do you keep your plan up-to-date so that you address the risks of today and tomorrow, not those of the past?

·         What should be in the plan but is not, for whatever reason? Which significant risks have you decided not to include?

·         Have you sufficient budget for training and staff development? How are you maintaining and growing your skills yourself?

3.       Does internal audit have the necessary resources and skills to provide the required level of assurance?

This is a necessary question, but why should the audit committee ask it? The CAE should have already given them the answer – and the actions they are taking to address the problem.

4.       How responsive is management in dealing with the risks that internal audit and other assurance providers flag to them?

If this is a problem, the CAE should have already told the audit committee. Are these CAEs, the ones surveyed, too passive?

5.       What is internal audit’s view of external audit and other assurance functions?

Similarly, if there is a problem, the CAE should have already shared that with both management and the audit committee.

The question they should be asking, in private sessions, is “what is your view of the senior management team?” That should be followed by questions about the culture of the organization and the tone at the top. These are far more difficult for the CAE to raise without initiative by the committee members.

6.       How can internal audit add value? What is your vision for the future?

Sorry, but again these reflects on the passivity of the CAE. If the members don’t see the value themselves, there’s a problem. If they ask management (and they invariably do) and don’t get a thumbs up from them, there’s a problem.

The CAE should be asking whether they are providing the audit committee and executive management team with the value they need: assurance, advice, and insight on what matters when it matters.

7.       Would you like to have a coffee off-site?

I was the one taking the initiative and asking for private, sometimes offsite, meetings.

The CAE needs to be and act like a leader, an executive with initiative. As the article says, “CAEs also can take better charge of the situation.”

Father may know best, but we should act like adults ourselves and be less passive.

I welcome your thoughts.

Advertisement