No relationship for a chief audit executive (CAE) has been transformed more over the past decade than that with the audit committee. According to The IIA's Audit Executive Center, more than 75 percent of internal audit departments in North America report functionally to the audit committee. And in many companies, the audit committee holds a discussion session with the CAE at every meeting.
The audit committee's success is tied to the effectiveness of the internal audit department. Accordingly, audit committee members must have complete confidence in the internal audit function and its CAE. This confidence can only be achieved with a strong, continuous, and open dialogue between the CAE and the audit committee. Of course, dialogue is a two-way street; it's as much the responsibility of the CAE as the committee members themselves. But the committee must be willing to drive that dialogue in a way that provides evidence of internal audit's professionalism, business knowledge, and risk acumen.
I recently addressed a roundtable of audit committee members in Finland. There I was asked the age-old question: "What should the audit committee be asking the CAE?" The topics of conversation between the CAE and the audit committee are too numerous and variable to list in a single blog. However, there are five probing questions that, as an audit committee member, I would want the CAE to answer. These answers (as well as the resulting conversation) should not only provide the audit committee with enhanced confidence in the audit department, but should also foster trust and candor in the important relationship between the audit committee and CAE.
1. Is internal audit following the International Standards for the Professional Practice of Internal Auditing (Standards), and what were the results of the last external quality assessment?
To be able to rely on information from the audit department, the first step is to ensure the department understands what practicing as a "professional internal auditor" means. The Standards provide that guidance. And by verifying that the department understands and applies them, as well as employs methods that will ensure adherence to the Standards, the audit committee can have a high level of confidence in the assurance that internal audit is providing on the adequacy and effectiveness of risk management and internal controls.
2. How is internal audit monitoring risks on a periodic or continuous basis and revising the audit plan accordingly?
Once there is assurance that the department understands professionalism as it relates to internal auditing, the next step is to ensure that the department is achieving the crucial tasks it has been assigned. The most fundamental of these tasks is the establishment of an effective method for addressing organizational risks. The CAE should be able to articulate the risk assessment method and demonstrate how this is effective in identifying the critical and important risks, as well as showing how audit responds to those risks.
3. What are the top five risks that internal audit is not addressing due to a lack of resources or skills?
Too often, the only question that is asked about internal audit's resources is: "Are they adequate?" As an audit committee member, I would ask more than that. I would want to know whether the resources are adequate to address the company's key risks. One means of answering that question is to understand what is not getting done. If there are key risks that are not being addressed due to internal audit's resource constraints, the audit committee should know what they are, and be comfortable with the fact that they will not have assurance from internal audit that the risks are being addressed adequately by management.
4. What strategies is internal audit deploying to ensure greater understanding of the business by audit staff?
One key to the success of an audit department is how well it understands the organization's business. Without a strong understanding of the company's business strategies, organization, and processes, internal audit will struggle to assess risks adequately and to provide assurance and insight into the effectiveness of operations. This does not mean all auditors have to be experts. But it does mean that the department should have plans in place to ensure all staff are continuously learning about how the business operates.
5. Based on internal audit coverage during the prior year, what is the CAE's assessment of the overall effectiveness of the company's internal controls and risk management?
And now we come to the most important question of all – the question that I often find is on every audit committee member's mind, but is rarely asked. In seeking the answer to this question, the audit committee is asking the CAE to "connect the dots." However, the committee must be prepared for an answer that it does not want to hear: that the body of internal audit's work over the past year has not been adequate for an "unqualified" opinion or assessment on the adequacy of risk management and controls. In communicating any opinions, the CAE should be prepared to communicate qualifications based on the extent of internal audit's coverage. If the audit committee is not comfortable with a qualified answer, then a discussion about internal audit's resources needs to be back on the table.
I suspect that these questions will generate some discomfort (and maybe even controversy). Sometimes, it is easier to engage in conversations with the audit committee in a "don't ask – don't tell" environment. Tough questions, such as those I pose above, will invariably elicit some uncomfortable answers. However, these questions drive to the heart of what we do in internal auditing. If they are troublesome, if they cannot be answered, if they represent areas where you fall short, then start taking the steps necessary to make changes in your operations. And, even if you have all the answers, find ways to make those answers even better.
I welcome your thoughts on these five questions or any that I have left off of the list.