Let me start by saying, this is a touchy subject.
While there is very little debate that the head of internal audit, usually the chief audit executive (CAE), should report functionally to the board (usually the audit committee of the board), there are some strong opinions on where it should report for administrative purposes.
You are viewing: Who Does The Internal Audit Report To
This is what the Institute of Internal Auditors’ Professional Standards have to say (with my emphasis): “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.”
The Standards go on to say: “Organizational independence is effectively achieved when the chief audit executive reports functionally to the board.” Examples of functional reporting to the board involve the board:
- Approving the internal audit charter.
- Approving the risk-based internal audit plan.
- Approving the internal audit budget and resource plan.
- Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
- Approving decisions regarding the appointment and removal of the chief audit executive.
- Approving the remuneration of the chief audit executive.
- Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.
The IIA Standards also raise the idea of interference: “The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.”
The IIA Standards, however, do not discuss what is included in administrative reporting. This is what I believe is included: 1) Reviewing and approving the expenses of the CAE, and 2) Performing other administrative functions that may be required by organizational policy. These vary from organization to organization but may include the approval of purchase orders that exceed the CAE’s authority level, approval of travel, and so on.
It is customary for the CAE to be able to attend the executive’s direct reports. It is also customary, but not always a given, that the executive will be a supporter and champion of internal audit. The CAE’s cost center may or may not roll up to that of the executive.
Still, somebody has to perform these administrative functions, and it is unrealistic (with rare exceptions) to expect the chair of the audit committee to do them. So, the debate is whether the CAE should report administratively to the CEO, the CFO, or another senior executive.
Read more : Who Pays For Termite Repairs California
While it is possible for the CAE to report for administrative purposes at a lower level, for example to the corporate controller, this will generally create a perception that the CAE is middle management at best, rather than the senior executive he or she really is (or should be).
The Case for Reporting to the CEO Some years ago, the IIA stated its preference that the administrative reporting should be to the CEO. Richard Chambers, former CEO of the IIA, repeated his strong preference for that reporting structure in a recent post, New Surveys Raise Alarm Bells for Internal Audit. In the article, Chambers cites what he calls a “jaw-dropping” statistic in the IIA’s recent 2022 North American Pulse of Internal Audit report: 76 percent of CAEs at publicly traded companies say they work administratively for the CFO.
“I have never been shy about sharing my views on this reporting relationship. While many CFOs fully respect the need for internal audit to remain independent, and for internal auditors to be objective, the optics indicate that CFOs who ‘own’ internal audit are more likely to use the function to focus on their own priorities,” Chambers writes. “Even more alarming is that only 4 percent of respondents say they are concerned about reporting lines. That is, by and large, a uniquely American problem, and fortunately it isn’t widespread in either the public or not-for-profit sectors [outside the United States]. But the number of internal audit functions reporting to the CEO in publicly traded companies appears to be retreating. That is not a good development.”
The Case for Reporting to the CFO He has strong views on this and so do I. It could be that his many years as CAE in government service influenced his position. My many years as CAE in U.S. and global corporations led me to a totally different position.
First, administrative reporting does not confer, in any way, “ownership” of internal audit.
Second, I have seen CAEs who report administratively to the CEO forced to work on special projects for the CEO, even to the point of being sent to fire non-performing executives! In other words, the CEO thought he or she owned internal audit.
Third, the CEO is a busy individual and asking him or her to spend their valuable time on administrative duties like approving expense reports is absurd. In practice, the CEO will delegate those responsibilities to the CFO (at best) or an assistant (at worst, but more likely).
Fourth, you can report to the CFO and have free access to the CEO.
Fifth and extremely important, you are far more likely to be included in the CFO’s executive staff meetings than the CEO’s, even if you report administratively to the CEO. In fact, reporting to the CEO may make it harder to attend the CFO’s meetings. These meetings are very valuable sources of information about the strategies and activities of the organization.
Read more : Who Is Dean Richards Partner
Finally, the fact that 96 percent of CAEs are content with their administrative reporting should tell us something. These are smart people, and their opinion should be respected as being based on reality. Reporting to the CFO satisfies the intent of Standard 1110: “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.”
How About Elsewhere? Should the CAE report administratively to another senior executive? This will depend on the organization and on the individual executive. I can see a case being made for reporting to one of these titles:
- Chief Administrative Officer
- Chief Operating Officer
- General Counsel
In some cases, the CAE may report to the chief risk officer. I am, however, not a fan of the CAE reporting to a specialist CRO with whom there may be conflicts over the assessment of control deficiencies and the risk they represent.
Whoever the CAE reports to administratively must respect the fact that the reporting is purely administrative, they do not own internal audit, and their role is limited. But how does the CAE make this happen? Actually, this point is addressed by the IIA Professional Practice Standards in Standard 1000: Purpose, Authority, and Responsibility.
The Importance of the Internal Audit Charter Here is what the standard says: “The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.”
“Interpretation: The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.”
The value of the internal audit charter is not that the CAE can brandish his or her authority when management doesn’t allow internal audit necessary access to information and similar scenarios. The value is that it is discussed and reviewed by the board or its audit committee. That activity instructs whoever is administratively supporting the CAE where the boundaries of their role lie.
It is those boundaries that are most important, and what can make a difficult subject a little less touchy.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
NOTE: This article was republished with permission from “Norman Marks on Governance, Risk Management, and Audit.”
Source: https://t-tees.com
Category: WHO