Sarah Johnson, CFO.com | US
October 13, 2006
1. I believe the question should first be "What is the role of internal audit?", i.e. where should it report is secondary, and that should be based on what is needed to achieve its role.
2. This year, the IIA issued a landmark position statement regarding organizational goverance which discusses the potential roles of internal audit in governance.
3. This paper is available at:
http://www.theiia. org/?doc_ id=126
Enjoy.
Dan Swanson
Compliance Week columnist, & former Director of Professional Practices at the IIA.
Posted by dan swanson | Oct 31, 2006 11:52 AM ET
Yes, internal audit should report to the CEO. Independence in fact and appearance must be upheld.
Posted by Hal Meyer | Oct 26, 2006 4:17 PM ET
Having IA report to the CFO would be a dreadful mistake.
The whistle blower cases at Enron and Worldcom patently demonstrated that. The internal auditors that suspected malfeasance and tried to report to the CFO were tried to be hushed.
The only time when such might be feasible is if a company has a very strong and encompassing Chief Compliance Officer's (CCO) function that would have direct access to the Board. (See, "Establishing a Compliance Office for Sarbanes-Oxley, Other Laws and Corporate Governance" ISBN 0-940706-67-9, www.masp.com)
Even then, having the Internal Auditor report to the CFO would compromise its independence since the CFO function is and operational activity that has to also be audited by the IA department. Auditing and reporting on your boss's activities is just not an effective approach, period.
Posted by jay kuong | Oct 20, 2006 8:03 AM ET
The consultants present a case that excludes the most knowledgable and experienced Accountant in the company from managing the IA function. It also creates a competative/ adversarial relationaship between these two functions. If the head of IA wants the CFO position it would be easy for them to take out the CFO with a bad report to the audit committe. It would be better if the head of IA was structured so that the CEO and the Audit committe were the Internal Audit departments customer and their compensation and performance reviews were based on how happy the customers were with the services provided. This allows every one under the CFO to work as a team, which means recommendations from the IA department can be implemented by the time the audit reports are presented to the Audit committe. This is win win.
Posted by Mark Steppell | Oct 19, 2006 12:08 PM ET
Being a former internal auditor, I believe that IA should only report to the Board appointed Audit Committee and no one else.
Posted by Jason Dixon | Oct 19, 2006 11:45 AM ET
On my point of view, the internal Audit should report to CEO,the internal Audit committee, and the Board audit Committee.
Regards
Jos?
Posted by JOSE HABIMANA | Oct 19, 2006 5:12 AM ET
I disagree with Jim Key when he states that the audit committee should "be involved" in the chief auditor's performance evaluations and salary negotiations. The board appointed audit committee should be the only party involved in evaluating the internal audit unit's performance and should be totally responsible for all salary negotiations.
The internal auditor must be totally independent, and total independence cannot be achieved with any management involvement in internal audit's performance reviews or salary negotiations.
I have seen first hand how a powerful CEO can negatively influence the work of an internal auditor. Therefore, the internal auditor should report directly to the board appointed audit committee but should also have a direct communication channel to the CEO and CFO.
Posted by E B Whitaker | Oct 18, 2006 3:32 PM ET
Most of the firms we work with have an audit committee that issues a report card to the CFO. To directly report to the CFO would be detrimental to the overall effectiveness of the objectivity of the audit. In sum, Internal Audit should report to the Audit Committee.
John Whisman :1st Search Group financial recruiters.
Posted by J Whisman | Oct 17, 2006 1:02 PM ET
An excellent article about a very important topic - i.e. ensuring the independence and objectivity of the internal audit function.
The IIA's (Institute of Internal Auditors)International Standards for the Professional Practice of Internal Audit indicates that the Internal Audit function needs to have the organizational "status" required to complete its mandate but does not dictate the actual reporting lines (to allow organization to decide what works for them).
In today's challenging business environment having internal audit report to the most senior executive within the organization AND directly to the audit committee is the way to go, i.e. it sends a clear message to all stakeholders.
The IIA has published a wide variety of papers on this subject and related topics (i.e. to support the implementation of an effective internal audit function).
I have provided a summary (below) of the leading papers plus links to the entire series of position papers that have been published by the IIA.
Dan Swanson, CIA, CMA, CISA, CISSP
Former Director of Professional Practices for the IIA, monthly columnist for Compliance Week, and President and CEO of Dan Swanson & Associates.
www.securitybenchmark.com
http://www.complianceweek.com/
1. Board & Audit Committee resources
http://www.theiia.org/?doc_id=4667
2. Audit Committee Briefing - Internal Audit Standards: Why They Matter - http://www.theiia.org/download.cfm?file=83632
3. Resourcing Alternatives for the Internal Audit Function
http://www.theiia.org/download.cfm?file=82544
4. 20 Questions Directors Should Ask about Internal Audit
www.theiia.org/bookstore.cfm?fuseactionfiltered=product_detail&order_num=519
5. Finally, numerous other IIA resources (below).
note: the very last resource item listed below takes you to all the various IIA position papers.
"Quality is never an accident; it is always the result of high intention, sincere effort, intelligent direction, and skillful execution; it presents the wise choice of many alternatives. " - W. Foster.
The IIA's bookstore, research foundation, and guidance effort is truly extensive and all the key "entry points" (i.e. web links) are provided below.
1. Editorial Summaries.
www.theiia.org/ bookstore.cfm?fuseactionfiltered=edsumlist
2. IIA Bookstore (by topic)
http://www.theiia. org/bookstore. cfm?fuseactionfiltered= topic_list
3. The IIA Research Foundation publishes NUMEROUS reports.
http://www.theiia. org/index. cfm?doc_id= 285
4. The IIA Position Papers & Responses (i.e. Advocacy for the Profession).
As part of The IIA's role as advocate for the profession, The Institute provides the latest position papers and responses to exposure drafts from other organizations related to internal auditing.
Over the past 4 years more than 60 papers have been issued including some very significant papers regarding Internal Auditing's role in Governance, ERM, 404 efforts, etc, etc. (i.e. this link is well worth a "visit").
http://www.theiia. org/index. cfm?doc_id= 122
Posted by dan swanson | Oct 17, 2006 9:01 AM ET
I have been in IT Audit and Consulting for many years and have worked for some of the largest companies and entities in the country/world. I have always recommended to Audit Committees, Directors, CEO's and CFO's that Audit should NOT report to the CFO.
This is not to say that the reporting structure does not work, I have seen it be successful and I have seen it compromised.
It is the the appearance of undue influence and potential conflict of interest that I always pointed out to the Companies and CFO's; this is what they should seek to avoid.
When the Audit team has to present a potentially material and embarrassing finding to the CFO who is incharge of the Area where the finding exists or may even be the source of the finding, what is a CFO and Audit Director to do?
That is the question.
Reporting to the CEO or only the audit committee relieves the tension and also promotes the level of respect for the internal audit teams which too many times is relegated to second rate whereas the Finance Team/CFO are always first tier.
Of course most companies do not want to follow that reporting suggestion, maybe now they will or at least they may take a look at it.
Posted by Robert Greene | Oct 16, 2006 2:17 PM ET
On balance, this is a very good article. Thank you for writing it. The objectivity of internal auditors is critical to their overall effectiveness. Proper reporting to and support by the Audit Committee is critical.
I feel that the comments from Moody's on internal audit outsourcing are wrong and do not reflect the current reality. Outsourcing of internal audit activity (along with all forms of co-sourcing) is a PROVEN tactic that adds value many times above and beyond an internally sourced function. Just ask the companies and Audit Committee that employ this tactic.
The specific falsehoods in this article related to this are:
"Outsourced auditors do not have enough access to the Audit Committee"- This is completely false. Outsourcing or insourcing has nothing to do with the amount of access to the Audit Committee. I can cite literally hundreds of examples where outsourced internal audit functions substantially increased the amount of interaction with the Audit Committee as compared to the insourced function the company may have had previously. The Moody's comment here is simply not true.
"They have less stature within the company to do their job effectively"- Again, this is not true at all. Companies sometimes outsource internal audit to actually raise the stature of the function within their organization. Again, I can cite many examples where outsourced internal audit functions got the attention of senior management and made more positive change happen when this was not happening in the past.
" Their work may be cut back because of budget constraints as they are paid on an hourly basis"- this is not true in my experience. Though outsourcing turns a primarily fixed cost in to more of a variable one, being paid on an hourly basis is not in itself a reason why internal budgets might be reduced. In the final analysis, one could argue that internally employed internal auditors are paid by the hour.
And finally, "Outsourced (internal) auditors will likely miss connecting the dots between the many issues and risks that can pop up at a company...Internal auditors who actually work inside the company day-to-day are more aware of the inner workings and see interrelationships between processes and departments, therefore strengthening an organization's risk management strategy.." - Here the commenter does not have the experience to know that, in many situations, outsourced internal audit functions can be even more plugged in to a company than an employee based function. In most situations, outsourced internal audit functions have offices at the company and are there everyday. They attend internal staff meetings and are privy to the "water cooler" talk that goes on. In fact, with their greater level of objectivity, they can sometimes connect the dots even better than an employee based internal audit function.
Perhaps the best way to end this is to state that it's not about insourcing or outsourcing. It's about getting the best people and skills to do the job in order to help and protect the company and its shareholders. If the company can do that with employees, fine. If they can do that with an outsourcing arrangement- that's fine too.
I would be very pleased to provide CFO Magazine or Moody's with further information.
Robert Hirth
Managing Director and Global Internal Audit Leader
Protiviti, Inc.
Posted by robert hirth | Oct 16, 2006 12:12 PM ET
I am a strong supporter of the idea of the internal auditors reporting only to thr audit committee.They should not report to any one who they audit.
Wa'el Bibi,CPA,CIA
Bibi Consulting,Inc.
Internal Audit Consultants
Posted by Wael Bibi | Oct 16, 2006 11:40 AM ET
I think it is not a problem to have the Internal Audit Function administratively report to the CFO. Auditors independence will not be breached and the CFO and Internal Audit function need to coomuunicate effectively. At the end of the day who is signing off on internal controls, the "CFO".
Posted by Stephen Tisdell | Oct 16, 2006 10:56 AM ET
The IIA president is Dave Richards, not "Roberts".
Many CFO's lost functional control over the internal and external audit(or) relationship decades ago to the audit committees of the external board of directors. Administrative reporting occasionally is at the audit committe level but typically ranges from CFO, CEO, COO and/or CLO.
Nothing new here. But what is new is CFOs have invented a new function, the function frequently called "internal control". And this function has some overlapping responsibilities that the internal auditors used to have. And it gets the CFO back into "operations".
And since they invented it, they own it and it typically reports to them. CFOs are using that function to not only rein-in auditor 404 compliance expenses but also address current SOX financial reporting issues with an ultimate goal to expand into enterprise-wide risk management.
This function also provides a "buffer" between internal control failures and the CFO. The first to go will be the internal control management, not the CFO.
Don Sparks
Vice President
Audimation Services
A Caseware IDEA partner
Posted by Donald Sparks | Oct 16, 2006 9:15 AM ET
Internal Auditors need to go about their duties with independence and objectivity. This will be possible only if they are not in any way dependent on the CFO or the CEO - senior executives whom they are supposed to be reporting on in matters relating to Finance, Operations and Compliance. The Chief Audit Executives should report to the Chair of the Audit Committee who will also decide on their terms of appointment.
Posted by Chandrasekar Venkataraman | Oct 14, 2006 11:43 PM ET
I believe this idea of having the internal auditors not report to the CFO is sound. However, as a former CFO (who participated in the Crazy Eddie fraud with my CEO ? Eddie Antar) I believe we should take it a step further and have the internal auditors report directly only to the Audit Committee of the Board of Directors and not the CEO too.
In addition I believe that similar to the way States certify and license CPA?s, we must have a similar accreditation of internal auditors. They must be licensed. The effect would be to raise the level of professional responsibility and stature for this very important profession.
Furthermore, the certification of financial reports by CEO?s and CFO?s should be expanded in that any person in the corporate hierarchy that makes representations to the external auditors must certify their information in some form.
If for example, internal auditors were licensed by the states they practiced in and certified their reports to external auditors it would raise by default their level of responsibility, accountability, and create greater awareness of the serious work they perform.
Posted by Sam Antar | Oct 13, 2006 8:02 PM ET
Internal audit reporting to the CEO; not CFO is not all that new. There was a movement to this org alignment back in the early and mid-1990s' as part of the quality movement. By having IA seems to make audit more of an enterprise value proposition to the corporation.
Posted by david yake | Oct 13, 2006 7:31 PM ET
An internal auditor cannot be deemed to be independent if that auditor reports to the CFO. The internal auditor should report to the audit committee. Interestly, the external auditor could perceived not to be independent if they are dependent on the auditee for their billings. In essence, the external auditor is then influenced by the auditee performance since the external auditor is dependent on the auditee for their livelihood through economic billings to the auditee and that same auditee's ability to pay the external auditor. The external auditor at the Big Four accounting firms hold the philosophy of maximizing the contribution margin on audit billings by minimizing both audit time and audit staff allocated. Minimized audit time takes the form of working the fewest staff in the smallest amount of time possible such that inhumance work hours are conducted on the audits. In turn, the likelihood of an external audit failure is heightened.
Posted by David Newman | Oct 13, 2006 6:30 PM ET
Copyright 2011 © CFO Acquisitions LLC. All rights reserved Privacy Policy Site Map
