[Photo: a hand squeezing a lemon over an open flame. Photo credit: Christiann Koepke]

Public accounting firms are recognizing the value that an effective internal audit team can provide an organization — an encouraging sign.

In July 2020, PwC shared its views in "Getting the Most Out of Internal Audit: How Can the Audit Committee Help Maximize the Value of Internal Audit?" (PDF). The article makes a number of good points, but in my opinion it misses the most important issues.

PwC's Take on Internal Audit

Let’s first look at a few of PwC's observations:

"Maximizing the value proposition of the internal audit group is an effective way to help audit committees address their risk oversight responsibilities. But getting internal audit’s full value requires focus and attention. It requires the audit committee to reflect on what it needs and to be direct with internal audit."

Internal audit can help with more than “risk oversight.” For example, at one company where I was chief audit executive (CAE), the board was concerned with the leadership of the CEO. The board chair asked for my insights on the executive team and whether they were effective as a team. I have also helped the audit committee with their oversight of the external auditors, gathering an assessment of their performance from the global management team.

I also find it frustrating to see surveys of audit committee members where they say they are disappointed in internal audit performance. They should remember that internal audit reports directly to them; they must, as PwC says, reflect on what they need and be direct with the CAE. If he or she is not responsive and performing, they should replace him or her.

"The audit committee needs robust and concise, yet impactful, reporting from internal audit."

Internal audit needs to provide the board and the audit committee (and others such as the governance, risk and compliance committees) the assurance, advice and insight they need, when they need it, in an actionable form. They need to stop giving them reports with information that doesn’t matter to the organization and the members of the board. They should respect the value of the audit committee’s time: they never have enough!

"The audit committee can empower internal audit by providing visible support, starting with the Chief Audit Executive (CAE) as the leader of the group. … An open and trusting relationship between the audit committee and the CAE is critical to help develop the CAE into a leader who can deliver value to the organization. … Internal audit often reports to both the audit committee and management. Regardless of the organizational structure, reporting lines that promote objectivity and effectiveness are critical to a high-performing internal audit function. It’s also important that the reporting lines are clearly defined and well-known in the organization."

Yes, and it's easy to say. But there is much more, as I will discuss later.

"The expertise and value of internal audit could be underutilized if its focus is not aligned to the company’s strategic objectives. Audit committees should expect internal audit to work with other risk and compliance functions in the company. Internal audit should clearly communicate how they work with these other groups to assess risk."

PwC simply fails to understand what agile and flexible internal auditing is about here. While it uses those terms, it also talks about an annual audit plan and audit projects that have multiple phases. Internal audit needs to be sufficiently agile and flexible to address the risks and opportunities of today and tomorrow. Annual audit plans are increasingly recognized as an obsolete practice. While PwC mentions rolling audit plans, this is not promoted as a necessary practice in its document.

Finally, it is management’s responsibility to identify and assess risk. It’s about time the audit firms understood this!

"Once internal audit has completed its work in an area, it issues the report to management and sometimes to the audit committee as well. Some audit committees rely on the CAE to report to them only on significant areas or significant findings. The CAE should provide a summary of all reports issued during the period, including the scope of the audit, the findings by risk level (if used), and whether or not the findings have been resolved."

The board should be concerned when there is disagreement on the severity of issues and opportunities between internal audit and management, or on the appropriate actions to be taken. This may be why management is not implementing the recommendations; they may not be justified on business grounds. Focusing on open items is good, but first there should be a discussion of whether internal audit is working with management to come to a constructive agreement on the issues and actions — and if not, why not. If internal audit is writing a report and expecting management to follow with a response, that is an indicator of not only poor internal audit practices but also a failure of both management and internal audit to partner with each other.

Also of note: Why should the audit committee need to know of ‘findings’ (such a negative word) that are less than significant? Why give them information and consume their time on trivia? It is far better to spend audit committee time on weighty matters and, if there are none, let the time be used for other reports.

The word ‘significant’ needs to be understood. It should refer to what would be significant to the audit committee members, not to the auditors or middle management.

"The audit committee should periodically assess the performance of the internal audit function as a whole and the CAE in particular. In doing so, the committee may consult with the external auditors, management, and individuals from third parties (e.g., firms that provide internal audit services) who regularly interact with internal audit."

While this is true, and though PwC has asked some good questions, it didn't ask whether the members of the audit committee feel internal audit is helping them discharge their oversight and governance responsibilities.

As I will explain momentarily, it is the assessment of the audit committee that should drive the compensation of the CAE.

PwC also shared, in the Appendix, some interesting and colorful reporting suggestions. But I wonder how much of this information the committee members need to know.

I prided myself on telling them only:

  • What they needed to know as a management oversight function.
  • When they needed to know it.
  • In a way that enabled them to take appropriate actions.

Many of my reports to the audit committee were short (15 minutes) and to the point. They don’t really need to know all the trivia in the PwC suggested reports.


My Advice for Internal Audit

So what did PwC miss? What advice should have been clear? Here are my additions:

  1. The CAE should report on a solid line to the audit committee and its members. While there is usually a dotted line to a senior member of management, this is for administrative purposes such as approval of expenses. Talking about dual reporting, even with code words like "functional," waters down the fact that management should not direct the activities of the internal audit function.
  2. The audit committee should act as the direct manager and supervisor of the CAE. This means that they determine who is hired and fired, compensation, budget and more. This they should make very clear to senior management. Talking about "empowering" the CAE is weak language when strength is needed.
  3. The members should all have a personal (preferably) as well as a professional relationship with the CAE and, if possible, with his or her direct reports. This is simply what good managers do!
  4. The audit committee should take an active role in ensuring that the internal audit function addresses what matters to the success of the organization (risks and opportunities) — and especially ensure they are not wasting time on issues that would never significantly affect its success.
  5. The audit committee should encourage the CAE to share insights not only on processes but on people. The CAE is usually going to be cautious about doing this, which the members should recognize, and where needed the members must be direct in their questioning.
  6. The confidential sessions with the internal auditor, typically held after the main business of the committee is concluded, are immensely valuable. The committee should ensure that there is sufficient time, that others are excluded (except where both the members and the CAE agree they are necessary), and that anything shared is kept confidential.
  7. The audit committee should consider whether the CAE has the ability to act as a senior executive and hold him or her to that standard.

I am sure there is more — and look forward to your comments.