Most chief audit executives (CAEs) in North America report their findings to the organization’s audit committee. The IIA recommends this practice, which is widely held to be part of the gold standard enshrined in the three lines of defense model of corporate governance. Per the model’s logic, CAEs sitting on the metaphorical third line have free rein to go anywhere and suggest organizational improvements, without fear of restriction or recrimination.
Getting to this position has been a fight for many CAEs, and some have still not achieved it. But The IIA’s recent research, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, has questioned whether reporting to the audit committee potentially constricts the value internal audit can add to some organizations. As businesses face a growing range of external threats, internal audit’s remit has expanded accordingly. Financial risk, once the mainstay of audit departments, today typically occupies only 20% of their time. Practitioners expend the rest of their effort on a diverse range of issues including cyber risk, disaster recovery, culture risk, climate change, and social responsibility, to name only a few.
This broadening of internal audit’s remit raises the question of the extent to which a CAE should report to other board committees, and in what circumstances he or she should report to the full board. And, for those wishing to explore that route, how can they get the audience and credibility to play this enhanced role?
Expanding Audit Influence
Internal auditors are spreading their influence beyond the audit committee via other conduits to the full board, says Jenitha John, former CAE at First-Rand Bank in Sandton, South Africa, member of The IIA’s global board of directors, and former nonexecutive director on several boards. “The heartening aspect is that you see internal audit now not just serving the audit committee but also making submissions to other board committees,” she explains. John has seen internal audit increasingly called on to submit reports and present to risk committees, social and ethics committees, and even remuneration committees. “These meetings pertain to strategic issues that the company faces with regard to such topics as risk data aggregations, cybersecurity, information governance, the veracity of social matters (nonfinancial indicators), risk management, process maturity that influences bonus pool allocations, and so on,” she says.
Part of the reason for this trend has been the way businesses have approached tackling new guidance, such as sustainability reporting standards issued by the Global Reporting Initiative, and new regulation, such as the European Union’s General Data Protection Regulation (GDPR). “Regulation is causing various disciplines in organizations, which didn’t necessarily work together because they were operating in silos, to now actually converge,” John says. GDPR, for instance, has drawn together a whole range of corporate disciplines — from finance, audit, governance, compliance, risk management, and fraud to human resources and IT — because data is ubiquitous in organizations. “Internal audit has the ability to draw those teams together and collaborate with all of these other counterparts in the organization,” she says. “If you are not coordinating efforts on these matters, you are depriving internal audit teams from really growing and listening and serving the organization properly.”
To serve this more diverse constituency, internal audit needs to adopt the right approach and clearly communicate to the board the scope and focus of its work.
“Reshaping negative perceptions about internal audit is absolutely critical,” John says. “As a CAE you have to emphasize the fact that you’re pragmatic in your approach, you’re proactive, you’re collaborative, you’re agile, you focus on integrated risk-based auditing, you are educational, and that you can school your governing body and your management teams on controls, risk management, governance, and organization from a best process perspective. You don’t only focus on communicating audit observations, but you talk about business optimization and efficiencies by leveraging strengths across teams.” That can help open the door to the various board subcommittees and, on critical strategic issues, to the board itself.
Living up to that ideal is not easy. Many CAEs lack credibility because they tend to emphasize box-ticking rather than focusing on what matters to the audit committee, let alone the board, according to Dotty Hayes, a former CAE at both Intuit and Hewlett-Packard. Hayes is now chair of the board at First Tech Federal Credit Union in San Jose, Calif., and a board member and audit committee chair at a range of organizations. CAEs must be able to bring matters to the board that are important to its members and demonstrate that the annual audit plan is risk-based and fits closely with the threats relating to corporate strategy. Informal meetings also can be a great place to build credibility, Hayes says. The audit team is invariably closer to the business than members of the audit committee, so it is best placed to detect trends across the organization or in isolated parts of the enterprise.
“It’s probably not the full board, but the audit committee that is your primary interface as CAE,” she says. “You know you have made it with them when they really care what you think: You’re welcomed in as a strategic partner and, perhaps in a private session, you’re asked your opinion on an issue that has to be handled very diplomatically — such as, do you believe what management has told us?”
Hayes says the credibility issue is even more important when reporting to the full board because space on its agenda for discussing a specific risk is scarce. But where a strong relationship exists, she suggests it could be valuable for the CAE to be invited to the top table. She says this may be appropriate when the internal audit team is reporting on the results of an investigation that has serious findings, for instance, or on topics of special strategic interest such as mergers and acquisitions. She also has seen this approach taken during an annual discussion of the risk appetite in an enterprise risk management program, a key strategic topic involving the full board. Most of the time, though, she sees the audit committee as the appropriate reporting channel for internal audit’s recommendations.
But, she warns, the board has its own responsibilities in choosing the right CAE for the role. “The company has to hire an internal auditor who’s got boardroom presence and can basically go toe to toe with folks in explaining how the company and senior management needs to do something differently or better. If they haven’t hired that kind of person, all hope is lost.”
Karen Brady, corporate vice president of audit and chief compliance officer at Baptist Health in South Florida, became chair of The IIA’s North American Board early in 2018. Her theme for her year of tenure was “Find Your Voice,” and she spent 12 months visiting hundreds of internal auditors across the U.S. and beyond to spread that message. She remains agnostic when it comes to the question of CAEs speaking to the full board, because she saw many different practices and arrangements that worked. In her own organization every member of the audit committee is also on the full board, so she says the reporting line to the audit committee is more than adequate.
But if internal audit wants to be credible with the board, or a board subcommittee, it has to be able to perform at the highest level. “Executive management tends to have conservative views of what internal audit can deliver, and that view follows through to the board because many executive officers also sit on audit committees in other organizations,” she says. “CAEs need to be able to innovate and do things in ways that are above and beyond expectations to challenge those views. If you want to be perceived as valuable to the organization, you have to be valuable to the organization.”
For Brady that means being perceived as a professional by sitting for the Certified Internal Auditor exam and following the International Standards for the Professional Practice of Internal Auditing. Implementing Standard 1312: External Assessments, she says, is an important part of this. She is even more convinced now about the need for internal audit departments to have a quality assurance review of their function than before her tenure as chair. “Internal audit’s quality assurance review is objective assurance to the board that your department is effective,” she says. “It adds credibility, especially if on top of that you are prepared to innovate, to identify areas of improvement in the organization, and to focus on strategic risk areas.”
Understand Emerging Technology
Technology is a key area in which internal auditors can innovate — Brady is preparing for her team to learn robotics. She says almost all businesses are either currently considering or deploying a wide range of emerging technologies, from drones and robots to blockchain and artificial intelligence. It is a subject that Thomas Sanglier, senior director, internal audit, at Raytheon in Waltham, Mass., and author of the book Auditing and Disruptive Technologies, has been focusing on for the past few years.
“Emerging technologies are a risk and an opportunity for internal auditors,” he says. “They are a risk because if you are unaware that robotic process automation is being used in your business, you are in the unfortunate position of missing an important risk to your organization. If you are adding assurance to the board in such a critical area, on the other hand, you will gain credibility and may even have the opportunity to grow your team and scope of responsibility.”
One of the challenges for internal auditors is to choose the technologies most relevant to their particular industries, because trying to learn about several new technologies at once can be overwhelming, he says. Raytheon has set up internal working groups — called councils — for each new, relevant technology. Sanglier and his team have participated in those groups to understand how those technologies are being used in the company.
“If you know what is in your products and processes, you can ask the right questions about risk and risk mitigation,” he says. “If you are lucky enough to have a subject-matter expert in your business, hitch yourself to them and learn everything you possibly can.” But he warns of becoming overdependent on one person, a criticism leveled at CAEs who were seen to be too reliant on their chief information officers for assurance around IT in The IIA’s OnRisk 2020 research.
“People are looking at emerging technologies as being IT-led; that’s a mistake,” he says. Internal auditors need to be looking at how those technologies are going to operate in the business, and how they may affect products and services. More broadly, CAEs can help the board understand how well the organization is positioned to use emerging technologies. For example, Sanglier points out that many new technologies depend on acquiring and processing clean data from across the enterprise, but data governance is often poor. “If nothing else, internal auditors, as part of every single audit, can look at data governance for whatever emerging technology the business is considering. When the technology comes — and it’s coming — you’re going to run into problems implementing it if the data is bad. It’s an issue the board needs to know about.”
Reshaping the Audit Committee
While some may point the finger at internal audit for being too focused on detail, or for not exploring emerging threat areas, audit committees may also need to reform. In the U.K., for example, the financial services industry regulators require regulated firms to have an audit committee and a separate risk committee. The requirement has helped raise the profile of risk within those businesses. Plus, recent guidance produced by the Risk Coalition, an industry body that aims to establish consensus on risk management practice, recommends that the risk committee invite the CAE to its meetings “as necessary or appropriate.”
Hanif Barma, one of the architects of the Risk Coalition and founder of the consultancy Board Alchemy, says many audit committees outside of the financial services sector would benefit from extending their remit to reflect the increased array of risks their organizations face. “Internal audit has changed from being largely focused on financial controls to becoming more concerned with the broader risk landscape,” he says. “The question is, has the body it reports to changed sufficiently as well? In many cases, it has not. They are largely focused on financial control and financial reporting, rather than acting as audit and risk committees.”
Reformulating the audit committee as a risk and audit committee could help internal audit develop a more strategic, risk-based role, he says. Barma chaired the board of a children’s charity that has made such a transition. The change has helped the organization take a more holistic approach to managing its risks, he says, and it has enabled the reformed committee to take deep dives into selected threats at its regular meetings. He explains that bringing those issues to a full board meeting may not be as effective because of the limited time they would receive. “To do internal audit justice, having a separate committee that gives focus to its work is really important,” he says.
On the other hand, with issues of strategic importance, CAE presentations to the full board can be worthwhile. “What has been missing in the evolution of corporate governance is that internal audit has not had access to the full board,” he says. “Perhaps the CAE does not have to sit through a full board meeting, but when the chair and company secretary are working on the board agenda, they should be considering whether there are issues on which the CAE could usefully come and give their perspective.”
Extending Internal Audit’s Reach
Clearly, more CAEs are finding a voice beyond the audit committee. As board risk subcommittees have emerged, auditors have been invited to contribute their expertise. Others have found a voice at other board subcommittees and, less frequently, in full board meetings. For those who have built up the credibility and clout, the opportunities to add value to their organizations have never been greater.