To: The newly appointed audit committee member
From: IIA President and CEO Richard F. Chambers
Re: Preparing for your pending role on the audit committee
Congratulations on your appointment to the audit committee!
Your new position marks a professional milestone reflecting that you are a seasoned executive whose business and financial acumen places you among the elite members of your board. However, before you sit down at your first committee meeting, there are a number of things you should know and consider about the role you've taken on.
The role of the audit committee and its value to the organization have dramatically increased in importance in the past decade. Regulators, executive management, and shareholders are increasingly relying on the audit committee to provide significant direction and oversight, not just on financial controls and reporting, but also on a growing list of complex risks that challenge all modern businesses.
There are substantial resources available to help you thrive, including a number of scholarly examinations of the audit committee's role. I had the privilege to work on the NACD Blue Ribbon Commission on the Audit Committee, which produced a report that offers 10 principles to guide audit committees in their oversight of the financial reporting process and covers other key areas of oversight including risk management and external and internal auditors.
Your qualifications for this position likely include significant experience with, or knowledge of, financial controls and reporting. It is also likely that you are deeply familiar with the role the external auditor plays as the independent reviewer of financial statements.
It is less likely that you have a deep understanding of the internal audit function, the support it can provide to the audit committee and management, and the value it brings to the organization. Seasoned audit committee members often describe internal audit as their "eyes and ears" in the organization, and they see the chief audit executive (CAE) as a trusted adviser who can be relied upon for valuable insight on the effectiveness of the organization's risk management and internal controls.
If your background does not involve extensive contact with strong internal audit functions, it might be useful to review the key roles the function plays and the value it can bring:
- Risk-based assurance on the effectiveness of internal controls to mitigate financial, operational, compliance, and strategic/business risks. Audit committee members often view this as the most critical service internal audit provides. At a minimum, any internal audit function worthy of the name should provide these services routinely and with excellence.
- Assurance on the effectiveness of risk management. Good internal auditing is based on an understanding of the organization's risks, risk management, risk appetite, and risk culture. In the post-global-financial-crisis era, corporate boards are expected to provide oversight of risk management in their companies. There is no more objective source of assurance on the effectiveness of risk management than a well-resourced, independent internal audit function.
- Insight and foresight. New audit committee members are sometimes inclined to think of internal auditors in a 20th century context — as bean-counters who are focused on the past (hindsight). However, 21st century internal auditors are equipped to provide insight and advice on risk management and control in the company. They also are increasingly able to offer foresight — perspectives on strategic and business challenges the company could face if key risks are not effectively identified and managed.
- Assurance and insight on the health of the corporate culture. Some of the 21st century's biggest corporate scandals, from Enron and WorldCom to "Dieselgate" and Wells Fargo's current woes, have been attributed to culture or, more specifically, the breakdown of organizational culture. Internal audit is positioned to keep its finger on the pulse of corporate culture and report problems before they grow into scandals.
Of course, these benefits and more can be realized only when the internal audit function is allowed to do its job. This will require a number of commitments from you and your fellow audit committee members. The audit committee must:
- Develop strong communications with the CAE. Frank and frequent communication with the CAE, including executive sessions free from management influence, is fundamental to a healthy and independent internal audit function.
- Demand and support a dual-reporting system. Internal audit's independence relies on being free from management pressures. That is why the CAE should report administratively to the highest levels of management (preferably the CEO) and functionally to the audit committee.
- Ensure adequate resources. The internal audit function can be muted or manipulated by management in a number of ways. One of the most insidious and effective ways is through the purse strings. The audit committee must ensure that internal audit has the budget to do its job.
- Ensure the company has a strong CAE. A good audit committee is intimately involved in the CAE's hiring, firing, performance review, and compensation. Those responsibilities cannot be handed over solely to management, as they can be used to manipulate the internal audit function through the assignment of CAEs who are not qualified or fully objective.
New board and committee members add value by asking probing questions. Not long ago, I authored a blog post on Five Probing Questions the Audit Committee Should Be Asking the CAE. I would encourage you to review that list before your first meeting. Don't be reluctant to raise these and other pertinent questions as you approach your new role with inquisitiveness and healthy skepticism.
I congratulate you again and offer the services of The Institute of Internal Auditors and myself to support your growth and success as an audit committee member.
Richard F. Chambers
President and CEO
The Institute of Internal Auditors