If the full board has responsibility for oversight of risk management, shouldn't internal audit review its audit plan and the results of its work with the full board, rather than an audit committee that may only be focused on financial risks?
If the board has established a risk committee, shouldn't we report to them in some way?
Should the CAE Report to the Audit Committee of the Board?
I have been a chief internal audit executive (CAE) since 1990 and have firmly believed that the CAE should report functionally to the chair of the audit committee and administratively to a top executive, such as the chief financial officer (CFO). But, I am no longer sure that is optimal.
The first signal came soon after I became CAE of a global business and we investigated suspected inappropriate activities in our China division. At first, the only unusual aspect of the case was that the individual involved (the China CFO, who approved a facilitating payment to a customer so he would pay our bills) had only just moved into the position after a stint in internal audit. But while this was troubling on a number of levels, it was easily handled. The more difficult aspect was that the governance committee of the board wanted to be briefed on the results of the investigation and its implications for the success of our U.S. Foreign Corrupt Practices Act (FCPA) compliance program.
The Governance committee believed they were responsible for oversight of compliance and adherence to the corporate code of conduct. The company had hired a chief compliance officer, in the office of the general counsel. He reported his program's progress to the governance committee and was reluctant to share with the audit committee. Similarly, general counsel and the chief compliance officer were not receptive to the idea that I should be appearing before 'their' committee to talk about any of the internal audit work. Curiously, both committees' charters included oversight of compliance and ethics.
We worked it out. I was able to persuade the chair of the audit committee to invite the governance committee members to the first part of the audit committee meeting. In what was essentially a joint session, we discussed the results of my investigations, heard a report from the chief compliance officer, and I reported on issues of interest to both committees.
A conversation with Professor Andrew Chambers during an IIA meeting stimulated additional reflection. He spoke about the board's assurance void, referring to its need to know that the information it receives is reliable. That assurance can and I believe should be provided by the internal audit function — through its assurance of governance and risk management processes and related internal controls. The point is that the customer is the full board, not just the audit committee. Andrew makes a cogent argument that the CAE should not only report functionally, but administratively to the board's lead independent director — and the internal audit budget should be part of the board's budget!
This line of thought continued as the failure of risk management and its impact on the recent financial collapse came to light. Not only were there gaps in risk management processes, but in the quality of board oversight of management's risk management capability. A key question is whether oversight of risk management is a responsibility that has to be discharged by the full board, or whether it can be delegated to a risk committee or the audit committee.
The U.S. Securities and Exchange Commission has issued new disclosure rules that require filers to "disclose the extent of the board's role in the risk oversight of the registrant, such as how the board administers its oversight function, and the effect that this has on the board's leadership structure." While it puts a measure of pressure on boards to address their risk oversight obligations, it does not provide any guidance on whether this should be done by the board or one or more committees.
More guidance is provided by the New York Stock Exchange's Listed Company Manual. Applicable to all companies with securities listed on the Exchange, the Manual has a section on "Audit Committee Additional Requirements." One of the specified duties of the audit committee is (the commentary is included in the Manual):
"(D) discuss policies with respect to risk assessment and risk management;
"Commentary: While it is the job of the CEO and senior management to assess and manage the listed company's exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee."
This is not clear guidance on who should provide risk oversight. While the audit committee is instructed to discuss the risk management process (because of its relevance to the management of financial risks) it "is not required to be the sole body responsible for risk assessment and management."
The Bank of New York Mellon Corporation (which is listed on the New York Exchange and subject to the requirements of the Listed Company Manual) has established a risk committee of the board. According to its charter: "The purpose of the Risk Committee (the "Committee") is to assist the Board of Directors in fulfilling its oversight responsibilities with regard to (a) the risks inherent in the business of the Corporation and the control processes with respect to such risks, (b) the assessment and review of credit, market, fiduciary, liquidity, reputational, operational, fraud, strategic, technology, data-security and business-continuity risks, (c) the risk management activities of the Corporation and its subsidiaries, and (d) fiduciary activities of the Corporation's subsidiaries."
In its 2009 publication Effective Enterprise Risk Management Oversight: The Role of the Board of Directors, COSO recognized that board oversight of risk needs to be tailored to fit the needs and capabilities of the board and the organization.
"Boards of directors often use board committees in carrying out certain of their risk oversight duties. The use and focus of committees vary from one entity to another, although common committees are the audit committee, nominating/governance committees, compensation committees, with each focusing attention on elements of enterprise risk management. While risk oversight, like strategy, is a full board responsibility, some companies may choose to start the process by asking the relevant committees to address risk oversight in their areas while focusing on strategic risk issues in the full board discussion."
Many believe, and I agree, that the board should take ownership of risk management oversight. It may delegate certain aspects to specialized committees, and could ask a risk committee to manage the details. But, each of these committees should report to the full board who should have a meaningful discussion about risk as part of strategy sessions, etc.
This new and appropriate emphasis on risk oversight comes at a time when many forward-looking internal audit departments are refocusing their work around risk. They have taken to heart the mandate in IIA Standards that calls for internal audit functions to provide assurance and consulting services to improve the effectiveness of governance and risk management processes and related internal controls.
Who is the customer for internal audit's assurance and consulting services? Shouldn't the CAE report to that customer? Should they still report to the audit committee or, as Professor Chambers suggests, should they report to the board in the person of the lead independent director?
The correct answer is "it depends." The CAE should report where the organization will obtain best value for internal audit assurance and consulting services.
I believe this question should be addressed by the governance committee or equivalent, as that committee is generally responsible for determining board and committee performance, updating charters, etc. They should consider:
Who are the primary customers of the internal audit function? Who needs to provide input into their planning process and receive reports after they complete engagements?
Can internal audit interact effectively with multiple committees, if each is a customer?
Does the full board need to obtain reports from the CAE?
Which committee would provide the most effective direction to and oversight of the internal audit function?
Is there value in having the internal audit function report both functionally and administratively to the board or committee of the board? Does the audit committee chairman or lead independent director have the time to perform the administrative function? Can some of those administrative actions (such as approving expenses, promotions, etc.) be delegated to management without compromising the independence of the CAE and his team?
It will be interesting to see whether CAE reporting relationships change as boards address their risk oversight responsibilities, especially as they consider the value that internal audit can provide in filling the "assurance void."