Readers of my blog know there are a few things I have harped on over the years. One of them is what I consider to be the outdated practice of having internal audit report administratively to the chief financial officer (CFO).
For years, The IIA has conducted research on internal audit reporting relationships. The good news is our surveys have found a consistently high percentage of chief audit executives (CAEs) who say they report functionally to the audit committee. In fact, more than 80% of North American CAEs surveyed for The IIA's upcoming 2021 North American Pulse of Internal Audit report say they report functionally to the "audit committee, board, or equivalent." We see a similar trend globally.
But if an internal audit department suffers from even the appearance of an independence or objectivity impairment, it is not from the functional reporting relationship. Instead, the problem emanates from where it reports administratively. And the most controversial reporting relationship remains to the CFO. It is stunning how often CAEs in North America respond to IIA surveys that they report administratively to the CFO. In the soon-to-be-released Pulse report, we show 73% of internal audit departments in publicly traded organizations have this reporting line. For respondents overall, it is 36%.
Critics of this reporting relationship often contend internal audit could be steered away from auditing the CFO's area because the "boss" doesn't want the scrutiny. I actually haven't found that to be the biggest problem. Instead, statistics I have seen over the years indicate that CFOs are more likely to use internal audit to address key risks in their areas of responsibility at the potential exclusion of non-CFO risks in the organization.
I wrote about this in a 2015 blog post, "Internal Audit Should Never Belong to the CFO," where I noted that internal audit functions that worked administratively for the CFO were dedicating over 60% more resources to assessing internal controls over financial reporting (ICFR) than those that reported to some other official in executive management. Are ICFR risks 60% greater in companies whose CFOs have oversight of internal audit? I don't think so. Rather, as I noted then, "I believe that many CFOs who have oversight of internal audit use it to address handiwork that otherwise would fall on other CFO functions. Such are the risks that materialize when internal audit 'belongs' to the CFO."
Before I expound further on what I realize is a controversial point of view, I acknowledge that The IIA's International Standards for the Professional Practice of Internal Auditing is flexible enough to permit a reporting relationship to the CFO. Standard 1110 states, in part, that the "chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities." Standard 1110.A1 goes a bit further, stating, "The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results."
So, if the Standards don't explicitly preclude a reporting relationship to the CFO, then why do I continue to express concern? The issue is not really to whom internal audit reports. Instead, it is the degree to which that individual exercises authority over internal audit and impairs its ability to "follow the risks" in the organization. Impairment of internal audit's independence occurs not only when responsible executives steer internal audit away from sensitive risks in their areas of responsibility. Impairment also occurs when the executives steer internal audit to address risks, or operational matters, of particular interest to them — at the expense of more significant risks to the organization.
I have been sharing my concerns on the inherent dangers of having the internal audit function report administratively to someone other than the CEO since as far back as 2012. In a blog post then, "It Is Time We Move Out From Under the CFO Shadow," I shared the opinion that:
"It is time for the remainder of internal audit functions to move out from under the CFO. We need strong working relationships with our CFOs, but we also need independence and flexibility to evaluate financial information and to establish audit plans without undue influence (or even the perception of influence). Most CAEs could probably establish a strong working relationship with any member of their executive management team, but the danger of undue influence is greater when internal audit answers to the finance function, either functionally or administratively."
I am not alone in recognizing the risks that emerge when internal audit reports administratively to executives with functional responsibilities. The Board of Governors of the U.S. Federal Reserve System issued a supplemental policy statement on the internal audit function in early 2013, part of which provided financial institutions additional clarification regarding internal audit independence. The part of the supplement relevant to this discussion directs audit committees to explain the rationale behind having internal audit report administratively to someone other than the CEO. It specifically states:
"If the CAE reports administratively to someone other than the CEO, the audit committee should document its rationale for this reporting structure, including mitigating controls available for situations that could adversely impact the objectivity of the CAE. In such instances, the audit committee should periodically (at least annually) evaluate whether the CAE is impartial and not unduly influenced by the administrative reporting line arrangement. Further, conflicts of interest for the CAE and all other audit staff should be monitored at least annually with appropriate restrictions placed on auditing areas where conflicts may occur."
The Fed's 2013 guidance continues to influence reporting relationship practices in the financial services industry, where only 18% of CAEs indicated they report to the CFO, according to the upcoming Pulse report. That is quite a contrast to the 73% of publicly traded company CAEs' reporting relationships.
Additionally, The IIA's International Professional Practices Framework addresses the issue of organizational independence in Implementation Guidance (IG) 1110. Specifically, the IG advises:
"The IIA recommends that the CAE report administratively to the Chief Executive Officer (CEO) so that the CAE is clearly in a senior position, with authority to perform duties unimpeded."
These important advisories strengthen the argument that the internal audit function must be positioned where it is most advantageous to enhancing true independence as it works to provide unbiased and objective assurance to management and the board.
The challenges facing businesses today are dynamic, global, complex, and emerging faster than at any time in our history. We must, then, do everything we can to protect our ability to enhance internal audit's independence. When you add to the key attributes of independence and objectivity the factors of perception and credibility, the price is simply too high to continue the practice of internal audit appearing to "belong" to the CFO.
Maybe it's high time for internal audit to report to the CEO.