From time to time, there are surveys that offer encouraging statistics on the percentage of internal audit departments with a functional reporting relationship to the audit committee. The percentage is often 70 percent or more.
But, as with all things theoretical, reality brings us crashing back to earth.
The benefits of separate functional and administrative reporting lines are quickly diminished when boards and audit committees fail to support and nurture that separation, and nowhere is that more evident than when boards or audit committees sit on their hands when it comes to hiring and firing the CAE.
Having the right CAE in place is fundamental to an effective internal audit function. CAEs not only oversee the planning and execution of a risk-based audit plan, but ensure that the proper resources and staff are in place to get it done. They must have intimate knowledge of the organization’s operational capabilities and risk appetite, and they must be a trusted advisor to management and the board to engender credibility and respect. Above all, the CAE must have the courage to address delicate or difficult issues when warranted, and to call it like it is.
In a blog post several years ago, I commented extensively on the dangers of low pay for CAEs, and how such practices are more than just examples of short-sighted efforts to save money. I noted that, in some instances, it is a calculated and rather treacherous way to keep the internal audit function in check.
Readers of that post appropriately noted that such underhanded strategies are not limited to only CAE pay. Limited staff budgets, delaying or reducing internal audit’s scope of work, and delaying or rejecting necessary travel are other examples of ways management can undermine an internal audit function.
It is, therefore, imperative for audit committees and boards to remain closely involved and attuned to all functions and interactions between management and the CAE.
The IIA’s Common Body of Knowledge survey several years ago suggested that concerns about audit committee involvement in hiring CAEs were overblown. That data showed that the board, audit committee, or their respective chairs have the final say in hiring the CAE among more than 60 percent or respondents’ organizations. But, as I noted in the past, that figure can be misleading.
In many instances, the process for choosing a new CAE, including establishing job qualifications, salary, and benefits, are all determined by management, which then presents finalists — or worst, a single candidate — to the board for approval. Too many boards or audit committees, already overworked by growing responsibilities, regulatory pressures, and commitments outside the organization, are all too eager to rubber-stamp management’s choice.
There is also a reluctance to demonstrate skepticism and question management’s judgment, or to challenge a candidate who has been handpicked by the CEO or chief financial officer for the role of CAE. When this happens, the newly appointed CAE is often fully beholden to management and may view the functional reporting line to the audit committee or board as a hollow reporting relationship.
Ideally, the audit committee should take charge of the hiring process to ensure the CAE not only reports to it, but also has the qualifications and independent mindset necessary for the role.
Similarly, an audit committee must be heavily involved in any effort to fire or move the CAE into a different role within the organization. It must assure that any such move is truly in the best interest of the organization and not just for the convenience of management. I have been dismayed by cases in which management continuously rotated individuals out of the CAE role until it found someone it believed it could easily control. This, of course, renders the entire purpose behind separate reporting lines moot. A CAE who routinely carries management’s water is of little use to the board.
Boards and audit committees serve essential roles in good governance by providing direction and oversight on risk management and internal control. The role includes selecting and appointing the CAE, and that should never be delegated to management.
As always, I’m eager to hear your views on the subject.