The audit committee is meant to be one of the key champions of internal audit in any organization, so chief audit executives (CAEs) look to it for input, guidance, expertise, and feedback. But many CAEs say the audit committee should be more proactive in ensuring that it gets the best out of the audit function.
To do that, these CAEs say audit chairs should make more time for questioning the audit plan, as well as challenging internal audit about how effectively it can do the work it has been mandated to carry out. Many audit heads also want audit committees to take more of a lead and bring more of their industry and boardroom experience into the meetings to make the audit process more robust.
Internal Auditor spoke to several current and former CAEs to find out which key questions they wish their audit committees would have asked them, but never — or rarely — did.
1. What can the audit committee do for you?
It sounds obvious, but CAEs say that in their experience, audit committee chairs rarely ask what they can do to support internal audit or make the function's job easier, such as requesting that senior management provide additional resources.
Liz Sandwith, chief professional practices adviser at the Chartered Institute of Internal Auditors in the U.K. and a former CAE, says, in her experience, audit committees are less challenging of internal audit's work than a CAE might expect.
"Audit committees don't always put themselves forward to champion internal audit within the organization, which is disappointing," Sandwith says. "They should be more proactive. Often, they just want the facts but don't ask any questions. A good audit chair will push to get more information and test the CAE by asking, 'Why aren't you looking at these areas?' and 'Why are you ignoring this?'" After all, if the CAE can't answer these types of questions, what level of assurance is the function really providing and how robust is the assurance the audit committee is receiving? she asks.
Sandwith also says that audit committees have been reluctant or slow to bring their outside experience and expertise to the table. "In the U.K., a lot of these people have either worked for or sat on the boards of FTSE100 companies, but they don't share that expertise," she explains. "None of them ever said to me, 'This is how our CAE used to manage internal audit' or 'In my previous company, internal audit did X, Y, and Z.'" Audit committee members usually have chief financial officer (CFO), CEO, external audit, and blue-chip corporate experience, but they don't use it to the committee's advantage, something Sandwith considers a wasted opportunity.
"The relationship between internal audit and the audit committee is a unique one," says Harold Silverman, managing director of CAE services at The IIA and a former vice president of internal audit at fast-food chain Wendy's. And that relationship often is one-sided: The CAE reports what is happening, and the audit committee listens and takes those views on board and perhaps asks management about some of the issues. Silverman says that he was rarely asked by the chair of the audit committee what he or she could do to help with internal audit's work, or how to improve its standing in the organization or with management. "Those attitudes are changing now," he adds.
2. Is the audit plan the right one, and can it be delivered?
CAEs say audit committees rarely question whether the approved audit plan is actually the right one for the business — even if the risk landscape or circumstances impacting the business have changed.
"Audit committee chairs do not see themselves as managers," Silverman says. "Instead, they see their role as reviewing and overseeing a process that has already been agreed on with management, and which, therefore, must presumably be the right one to satisfy the needs of the business."
He adds that audit committees rarely question management's thinking about the audit plan or ask internal audit whether the plan should change in light of new events or information. "Indeed, some chairs actually want internal audit to work out any problems with the plan before they take it to the audit committee because they don't want to second-guess management," he says.
Sandwith agrees. "It has always appeared to me that the audit committee has just presumed that, as the CAE, the budget and the audit plan as presented is the final version, it meets with the resources that we have, and doesn't need to be discussed," she says. "They simply don't question the process behind the audit plan." Sandwith says the audit committee should check whether the audit plan is going down the right path for the business and that internal audit can do the work effectively with its budget and resources.
3. Does internal audit have the necessary resources and skills to provide the required level of assurance?
CAEs say there also is a presumption that just because an audit plan spells out what an internal audit function is meant to do over the course of a year, such work will be carried out to the letter and to a high standard. Not so, experts say.
"Management may want internal audit to look at a range of areas to provide assurance, but it does not necessarily follow that the function is only capable of doing so within the budget and skills it currently has," Sandwith says. "A lot of the areas under review will be complex, such as cybersecurity, and while internal audit can check whether there are suitable processes and controls in place, many functions will not have the level of technical expertise to provide the kind of assurance that some organizations — particularly those in highly-regulated industries — will need." Additionally, if the audit plan is too optimistic and contains too much work for the function to realistically do well, it will lead to internal audit simply performing basic box-ticking compliance, which is of no use to anyone, she adds.
Bethmara Kessler, a former CAE and currently chair of the Association of Certified Fraud Examiners' Board of Regents, says a good way for audit chairs to test an audit plan's effectiveness — as well as the capabilities of the CAE and the audit function — is to ask two budgeting questions: 1) If the committee gave internal audit an additional 10% of its budget, how would the funds be used and why? And 2) If the committee cut 10% of the budget, where would the CAE make cuts and why?
"That kind of questioning focuses the CAE to explain where the key risk areas are, and what amount of resources need to be dedicated to them to ensure that the appropriate level of assurance is achieved," Kessler says. "It also can help open up a discussion about what issues keep the CAE awake at night, and how those concerns can be addressed."
Kessler says audit committees also should ask internal audit functions whether they have the technical skills to review emerging risks, particularly in fast-moving areas such as technology. "Blockchain, machine learning, and artificial intelligence present both risks and opportunities," she explains. "As a result, internal audit needs to keep pace with developments in these fields and look at what the organization is doing to leverage the benefits and identify and mitigate the risks. Audit committees, therefore, have a right — if not a duty — to question their competence."
4. How responsive is management in dealing with the risks that internal audit and other assurance functions flag to them?
Internal audit, risk management, compliance, and in-house legal may be great at highlighting problem areas and emerging risks that need to be controlled, but if management — which is ultimately responsible for managing risk — does not follow through with the recommendations from assurance functions, then the whole exercise can be pointless. However, CAEs say that audit committees do not always ask how responsive management is about putting these recommendations into action, or how effectively they do it.
"Internal audit can make as many recommendations as it likes to implement controls, but if management does nothing, it is a wasted exercise," says Sarah Blackburn, a former CAE at several FTSE100 companies and now a nonexecutive director at U.K.-based RAC Pension Fund Trustee. "Similarly, it is equally a waste of time if internal audit overwhelms management with dozens and dozens of actions to be taken."
Blackburn says audit committees need to ensure that internal audit is clearly prioritizing key actions for management to implement, and that management duly does its part. This means audit committees need to raise questions about management's responsiveness, and CAEs need to be prepared to give an objective account of management's actions.
Kessler adds that "internal audit is the third line of defense and it is in a unique position to provide a clear and objective assessment of how well management accepts its role as being ultimately responsible for risk management within the organization." As such, she says, the audit committee should be asking internal audit to report regularly on the status of actions that management has and has not implemented as a result of audit's work.
5. What is internal audit's view of external audit and other assurance functions?
Internal audit is just one of the functions reporting to the audit committee. Others include risk management, compliance, in-house legal, and external audit. Yet, CAEs say that they are rarely asked whether they work alongside these functions, and if so, how frequently they might share information and ideas, or if there is any overlap in work. Nor is internal audit asked to give an opinion on these functions' effectiveness, though audit committees often ask external auditors to provide an opinion on the organization's in-house functions.
"I don't think in my time as a CAE I have ever been asked by an audit committee chair whether we regularly meet or work alongside the other assurance functions or discuss risks with them," Sandwith says. For example, she might tell the audit committee that internal audit met quarterly with the head of risk management and spoke often with other assurance functions, but the conversation ends there. "I've never been asked to explain what our relationship is like with them, or whether it can be improved, enhanced, or encouraged further," she explains.
Kessler agrees that audit committees need to ask for internal audit's perspective on external audit, in particular. "Audit committees should consider internal audit an expert on audit in general and should ask for its opinion on external audit's work," she says. "There is no harm — but potentially enormous benefits — in asking the CAE whether the external audit firm is delivering a quality audit."
Blackburn also says that audit committees need to ask more questions around the quality of risk reporting by assurance functions. "Audit committees need to make sure that internal audit provides them with a professional opinion about how risks are reported and controlled across the organization," she says. For example, audit committees need to ask whether these functions see risk in the same way. Do they report, identify, and manage risk in the same way? Does the organization understand and evaluate risk in the same way across all its operations? Audit committees need to be satisfied that there is consistency in risk understanding and risk reporting, she adds.
6. How can internal audit add value? What is your vision for the function?
Internal audit's workload entails more than agreeing on an audit plan and completing it. The profession has made enormous strides in demonstrating it can be a value-adding function, and CAEs say that audit committees should encourage this further.
Bryant Richards, an associate professor of Accounting and Finance at Nichols College in Dudley, Mass., and former director of corporate governance at the Mohegan Tribe, which owns casinos and other organizations, says that it would have sent a powerful message if the audit committee had asked him, "How can you go out there and add more value?"
Rather than focusing largely on compliance and areas such as Sarbanes-Oxley controls, Richards says, "If the audit committee had pushed internal audit to get more involved in supporting business strategy, that would have sent a very powerful message to management that the board trusted us and that our skills were being underused." It also would have moved internal audit from defense to offense and would have increased its credibility and value within the organization. That kind of backing may have prompted other functions to engage with them more, too, he adds.
Richards explains that audit committees also should ask CAEs to explain what their vision is for the audit function for five or 10 years. There is a real opportunity for the audit committee to work with the CAE and find out what his or her vision is for the department — how internal audit can expand its role; provide wider, deeper, and better assurance; help support the overall strategy implementation; and get involved in new areas. It would help transform internal audit into a much more proactive and strategic force within the organization, he says.
7. Would you like to have a coffee off-site?
Asking questions unofficially can be a more effective way of finding out information than asking CAEs to provide answers in a forum with tight time constraints. Some CAEs say that audit committee chairs should approach them separately to establish an informal relationship where they can talk openly and raise concerns and ideas in a more relaxed setting.
"Audit chairs need to encourage CAEs to speak freely about any concerns they may have about the audit plan, risk management, and any other business," Blackburn says. "Even though internal audit is supposed to be independent and objective, it can still be difficult for CAEs to talk through their concerns in an audit committee meeting with limited time and where key executives — especially the CFO — also may be in attendance."
An off-site meeting may encourage the CAE to speak more openly, and it may provide a useful opportunity for both parties to get a better understanding of each other's priorities and key concerns, she adds. Alternatively, a virtual one-on-one discussion may suffice.
Don't Ask, Do Tell
The experts agree that audit committees are getting better at asking more questions around the topic of internal audit — but they add that more can still be done.
Yet, CAEs also can take better charge of the situation. If they think that the audit committee has missed an opportunity to ask deeper or more pertinent questions, there is an obvious course of action — give them a prompt. To do this, CAEs should act as if they've been asked the question they think should have been asked, supply the answers or follow-up, and make clear what recommendations they feel the audit function should act upon to address the key issues. At best, the inclusion of such details will force the audit committee to discuss the issues being raised. At worst, the committee will think the points raised are part of "business as usual" and will agree with the proposals.