Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​Are Boards Negligent When Internal Audit Heads Are Hired and Fired?

Comments Views

Great internal audit functions are noted for their organizational independence, and the professional men and women who lead them are noted for their objectivity. It’s for these reasons that the establishment of separate functional and administrative reporting lines that foster that independence and impartiality is so critical.

As I first noted in a 2016 blog, I often observe that chief audit executives (CAEs) are less likely to be unduly influenced by management when they have a strong functional reporting relationship to the board or audit committee. Without such a relationship, it is very easy for management to confine the scope of internal audit’s work and to suppress unfavorable results.

From time to time, there are surveys that offer encouraging statistics on the percentage of internal audit departments with a functional reporting relationship to the audit committee. The percentage is often 70 percent or more.

But, as with all things theoretical, reality brings us crashing back to earth.

The benefits of separate functional and administrative reporting lines are quickly diminished when boards and audit committees fail to support and nurture that separation, and nowhere is that more evident than when boards or audit committees sit on their hands when it comes to hiring and firing the CAE.

Having the right CAE in place is fundamental to an effective internal audit function. CAEs not only oversee the planning and execution of a risk-based audit plan, but ensure that the proper resources and staff are in place to get it done. They must have intimate knowledge of the organization’s operational capabilities and risk appetite, and they must be a trusted advisor to management and the board to engender credibility and respect. Above all, the CAE must have the courage to address delicate or difficult issues when warranted, and to call it like it is.

In a blog post several years ago, I commented extensively on the dangers of low pay for CAEs, and how such practices are more than just examples of short-sighted efforts to save money. I noted that, in some instances, it is a calculated and rather treacherous way to keep the internal audit function in check.

Readers of that post appropriately noted that such underhanded strategies are not limited to only CAE pay. Limited staff budgets, delaying or reducing internal audit’s scope of work, and delaying or rejecting necessary travel are other examples of ways management can undermine an internal audit function.

It is, therefore, imperative for audit committees and boards to remain closely involved and attuned to all functions and interactions between management and the CAE.

The IIA’s Common Body of Knowledge survey several years ago suggested that concerns about audit committee involvement in hiring CAEs were overblown. That data showed that the board, audit committee, or their respective chairs have the final say in hiring the CAE among more than 60 percent or respondents’ organizations. But, as I noted in the past, that figure can be misleading.

In many instances, the process for choosing a new CAE, including establishing job qualifications, salary, and benefits, are all determined by management, which then presents finalists — or worst, a single candidate —​ to the board for approval. Too many boards or audit committees, already overworked by growing responsibilities, regulatory pressures, and commitments outside the organization, are all too eager to rubber-stamp management’s choice.

There is also a reluctance to demonstrate skepticism and question management’s judgment, or to challenge a candidate who has been handpicked by the CEO or chief financial officer for the role of CAE. When this happens, the newly appointed CAE is often fully beholden to management and may view the functional reporting line to the audit committee or board as a hollow reporting relationship.

Ideally, the audit committee should take charge of the hiring process to ensure the CAE not only reports to it, but also has the qualifications and independent mindset necessary for the role.

Similarly, an audit committee must be heavily involved in any effort to fire or move the CAE into a different role within the organization. It must assure that any such move is truly in the best interest of the organization and not just for the convenience of management. I have been dismayed by cases in which management continuously rotated individuals out of the CAE role until it found someone it believed it could easily control. This, of course, renders the entire purpose behind separate reporting lines moot. A CAE who routinely carries management’s water is of little use to the board.

Boards and audit committees serve essential roles in good governance by providing direction and oversight on risk management and internal control. The role includes selecting and appointing the CAE, and that should never be delegated to management.

As always, I’m eager to hear your views on the subject.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.

 

 

Comment on this blog post

comments powered by Disqus
  •  	Galvanize-July-2021-Blog-1
  • CRMA-July-2021-Blog-2
  • Bookstore-July-2021-Blog-3