Do top executives and board members understand the role of internal audit and the capabilities it offers?
This question was prompted by a post that a valued member of my network, Alfred Rodas, brought to my attention, "Internal Audit and it's enhanced role in the future" (sic). The author, Drew Stein, wrote, “I have been both privileged and fortunate to have lived and worked as Chairman, Managing Director and CEO for a number of diverse organisations in various countries around the world.”
The Full Picture
Reading the views of an experienced board member and former CEO offers an interesting perspective.
As such, Stein professes to understand the role of internal audit.
But a distinction should be made between understanding how internal audit functions in practice, and understanding how it should operate. Does Stein understand the desired role — as expressed by guidance such as the new Mission and Core Principles from The IIA — or only what far too many internal auditors are limited to performing (whether because of their resources, the vision of the CAE, or the limited vision of the board and top management)?
It's notable that Stein values internal audit — but if he understood its full capabilities, wouldn’t he be even more passionate and change his views on its reporting line and mission?
Stein limits the scope of IA's function with the following statement:
“It's generally accepted, that the base function of IA is one of reviewing, monitoring and ensuring that company financial, regulatory and operating systems are adhered to while also providing guidance for improvement in company monitoring and reporting functions.”
The new IIA Mission statement defines it as, “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” Stein's approach reflects a common perception I've seen, that internal audit is a compliance monitoring activity, rather than one that provides assurance and insight on the management of risks to the achievement of corporate objectives.
His acknowledgement of the role IA should take is commendable, “There is no argument that corporate entities must have a strong IA function which in some jurisdictions is mandatory by regulation.” Yet he follows up with statements like, “Almost all of IA findings are mundane operational compliance issues which management can rectify immediately.”
If this is his perception (and I take him at his word), then either the internal auditors have failed to audit areas of risk that matter, have found nothing worth mentioning, or they have been unable to explain and communicate how the issues they raise might affect the achievement of corporate objectives — and matter to the board.
Another example of seeing IA through a limited view can be found in, “Major financial or compliance issues are reasonably rare but require a separate and confidential IA reporting line through the audit committee chairman.” Internal audit should not be limited to financial and compliance issues. They should be looking at controls over all significant risks to the achievement of corporate objectives.
Stein and I differ on who IA should report to. Whereas Stein writes, “… a reporting line function which I've successfully worked with is that organizationally IA report to the CFO and sit on the board audit committee with the absolute right to report confidently to the Chairman of the committee on any issues which in warrant special attention,” I feel internal audit should report functionally to the board or a committee of the board, and administratively to a senior officer of the company, preferably the CEO or a business-oriented CFO (in other words, someone who will not constrain internal audit to financial and compliance issues).
“In my opinion IA functions can’t survive in their currently accepted structure. They will need to raise their corporate involvement and expand their functionality to cover a far greater business horizon and as a result will be required to work closely and cooperatively with other organizational groups within the business. This will force a significant change in attitude and understanding of their place and function within the organization.”
On the main point we agree, but not necessarily in the vision Stein shares. Internal audit should provide insight, assurance and advice to the board and top management on the management of significant risks to the enterprise. They will need to cooperate with management, while retaining their objectivity and independence (please note the order of these words). The change in attitude should include all stakeholders as well as internal auditors.
To return to the question of reporting, Stein reiterates, “The key point to this enlarged IA responsibility is that they must be seen to be part of the organization and report to the CFO but still retain the absolute right to communicate directly with the committee chairman should the need arise.” On this I strongly disagree. IA reports to the CFO (CEO or other executive) for administrative purposes only. As expressed in the IIA’s core principles, internal audit should be able to provide the services the audit committee and the board need, free from undue influence from management.
Stein wraps up with a prediction: “I know there will be many who disagree with my next comment but gazing into my crystal ball I predict that within 20 years you won't be able to recognize today’s so called IA function. The word 'audit' with all its negative connotations will be dropped and the function and responsibilities will be morphed into a far more inclusive group involving a greater intensity around analytical in-depth reviews of key operational drivers and strategic risk elements with more focus on compliance but still responsible for identifying major financial misdemeanors.”
Internal audit is already in the midst of a transformation to enterprise risk-based auditing. The idea that it should be compliance oriented and act as the corporate police needs to be dampened down. While that remains a part of its role, it misses the essence of what the mission of the internal audit function should be today and in the future.
What do you think? What needs to be done to change the perception by board members and top executives so that internal audit can deliver the services it can and should?