Great internal audit functions are noted for their organizational
independence, and the professional men and women who lead them are noted for
their objectivity. It’s for these reasons that the establishment of separate
functional and administrative reporting lines that foster that independence and
impartiality is so critical.
As I first noted in a 2016 blog, I often observe that chief audit executives
(CAEs) are less likely to be unduly influenced by management when they have a
strong functional reporting relationship to the board or audit committee.
Without such a relationship, it is very easy for management to confine the
scope of internal audit’s work and to suppress unfavorable results.
From time to time, there are surveys that offer encouraging statistics on
the percentage of internal audit departments with a functional reporting
relationship to the audit committee. The percentage is often 70 percent or more.
But, as with all things theoretical, reality brings us crashing back to
The benefits of separate functional and administrative reporting lines are
quickly diminished when boards and audit committees fail to support and nurture
that separation, and nowhere is that more evident than when boards or audit
committees sit on their hands when it comes to hiring and firing the CAE.
Having the right CAE in place is fundamental to an effective internal audit
function. CAEs not only oversee the planning and execution of a risk-based
audit plan, but ensure that the proper resources and staff are in place to get
it done. They must have intimate knowledge of the organization’s operational
capabilities and risk appetite, and they must be a trusted advisor to management
and the board to engender credibility and respect. Above all, the CAE must have
the courage to address delicate or difficult issues when warranted, and to call
it like it is.
In a blog
post several years ago, I commented extensively on the dangers of low pay
for CAEs, and how such practices are more than just examples of short-sighted
efforts to save money. I noted that, in some instances, it is a calculated and
rather treacherous way to keep the internal audit function in check.
Readers of that post appropriately noted that such underhanded strategies
are not limited to only CAE pay. Limited staff budgets, delaying or reducing
internal audit’s scope of work, and delaying or rejecting necessary travel are other
examples of ways management can undermine an internal audit function.
It is, therefore, imperative for audit committees and boards to remain
closely involved and attuned to all functions and interactions between
management and the CAE.
The IIA’s Common Body of Knowledge survey several years ago suggested that
concerns about audit committee involvement in hiring CAEs were overblown. That
data showed that the board, audit committee, or their respective chairs have
the final say in hiring the CAE among more than 60 percent or respondents’
organizations. But, as I noted in the past, that figure can be misleading.
In many instances, the process for choosing a new CAE, including
establishing job qualifications, salary, and benefits, are all determined by
management, which then presents finalists — or worst, a single candidate
— to the board for approval. Too many boards or audit committees, already
overworked by growing responsibilities, regulatory pressures, and commitments
outside the organization, are all too eager to rubber-stamp management’s
There is also a reluctance to demonstrate skepticism and question
management’s judgment, or to challenge a candidate who has been handpicked by
the CEO or chief financial officer for the role of CAE. When this happens, the
newly appointed CAE is often fully beholden to management and may view the
functional reporting line to the audit committee or board as a hollow reporting
Ideally, the audit committee should take charge of the hiring process to
ensure the CAE not only reports to it, but also has the qualifications and
independent mindset necessary for the role.
Similarly, an audit committee must be heavily involved in any effort to fire
or move the CAE into a different role within the organization. It must assure
that any such move is truly in the best interest of the organization and not
just for the convenience of management. I have been dismayed by cases in which
management continuously rotated individuals out of the CAE role until it found
someone it believed it could easily control. This, of course, renders the
entire purpose behind separate reporting lines moot. A CAE who routinely
carries management’s water is of little use to the board.
Boards and audit committees serve essential roles in good governance by
providing direction and oversight on risk management and internal control. The
role includes selecting and appointing the CAE, and that should never be
delegated to management.
As always, I’m eager to hear your views on the subject.