The audit committee is charged with oversight of financial reporting, the external auditor, other financial risks, and sometimes but not always enterprise risk management.
But the internal audit function should not limit itself to the remit of the audit committee.
It should be concerned with risks that are overseen by other committees or the full board - including governance failures, inadequate risk management, compliance risks, operational effectiveness as well as efficiency, and so on.
I think it's time for internal audit to graduate.
It was in kindergarten when it reported to the finance controller.
It moved to junior high when it moved to the CFO.
A college degree was earned when direct reporting went to the audit committee.
Now it is time to graduate and report to the lead independent director and participate in most if not all board committees, including governance, compliance, and risk.
Do you agree?