Internal Audit Shines Brighter with Boards

New studies show that while the role of internal audit still needs to evolve, corporate boards hold the profession and the chief audit executive in...
Kathy HoffelderMarch 22, 2013

Internal audit is moving closer to the board of directors, a sign that the function is becoming more independent and objective, and free of the potential for improper influence from the CFO.

Two surveys released this week confirm the trend. An Institute of Internal Auditors’s (IIA) survey of 554 chief audit and other executives in the United States and Canada found that more than 75% of CAEs report functionally (for their main responsibilities) to a corporation’s full board or audit committee. The results were even higher (80%) among the Fortune 500 companies that responded.

Similarly, a PricewaterhouseCoopers internal-auditor survey of 630 executives showed that the link between a company’s board and its internal audit department is strong. Seventy-nine percent of board members polled said internal audit contributes significant value to a company, compared with 44% of executive management who thought so.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

The findings are notable, since the closer a CAE is aligned to a company’s board or audit committee, the more internal audit will be objective and independent in its analysis of a company’s internal controls, at least according to the IIA. The association maintains that independence “can best be achieved through a dual CAE reporting relationship — functionally to the board of directors and administratively to senior management.”

In the IIA study, 70% of respondents said their CAE reports administratively to the CEO or CFO, with an increasing shift from the CFO to the CEO. Recent Federal Reserve guidelines on internal-auditor effectiveness for banks also favor this reporting structure.

“Historically, internal audit has been viewed as part of the financial area of most companies. By virtue of that, it would administratively report to the CFO in most organizations,” says Hal Garyn, vice president of IIA North American Services. Seeing a healthy number of firms reporting functionally to the board or audit committee and administratively to the CEO shows the “tone at the top” of organizations is changing, he says. “It signals to the organization the importance of the audit-executive position.”

But that dual reporting structure continues to be a touchy subject for auditors, regulators, and corporations, since a firm’s size or its location often influences whether the internal-audit function reports more directly into the CEO, the CFO, or the board of directors — or even if it has an internal-audit function at all.

The IIA’s suggested CAE reporting structure may work for the average business, Garyn notes, but it may not work for all sizes and types. If a company’s CEO is too busy to care about communication with internal audit, for example, having an administrative reporting line between internal audit and the CEO may be ineffective. Also, adds Garyn, having a CAE reporting only to a CEO or board “might take the CAE away from information flows that they might need.”

Some companies still openly choose not to have internal-audit functionally report into the board. “CAE functional reporting to the board or one of its committees is not yet a universal practice,” according to the IIA. A quarter of the respondents in the IIA survey (and 20% of those from Fortune 500 firms) said their organization’s CAE reported to an executive inside the company.

That executive may still be the finance chief. Mike Bechara, a former internal auditor and currently managing director of Granite Consulting Group, says companies that have an internal-audit reporting structure with a “dotted line to the CFO” are common.

Companies outside the United States tend to be a bit ahead of the game when it comes to CAE lines of reporting, because regulators there have put emphasis on having internal audit report to the chief executive. This is partly out of necessity in countries where there is a high degree of corruption, notes Bechara.

If not mandated by a regulator, altering an established internal-audit reporting structure can be difficult, he says. “Nobody wants to take it on themselves to really push for the changes.” In Fortune 500 companies, he adds, “there are lots of ways to run an audit department and lots of variations.”

But U.S. regulators and quasi-regulatory bodies are gaining interest in improving internal-auditor effectiveness. Earlier this month, Nasdaq filed a proposal with the Securities and Exchange Commission to make an internal-audit function a requirement for companies that list on its exchange. The New York Stock Exchange, which caters predominantly to larger firms, already has the requirement in place.

To the IIA’s Garyn, Nasdaq’s move is a clear elevation of the internal-audit function and gives further support to the association’s findings that interest in internal audit is growing in importance among companies. Some of the smallest firms on Nasdaq, he notes, may not have internal-audit functions at all.