Risk Management

Internal Auditor Reports Getting ‘Sanitized’

But one audit committee chair knows how to get a fuller picture from internal auditors.
David KatzApril 9, 2014
Internal Auditor Reports Getting ‘Sanitized’

Reports by internal auditors to board audit committees are often “sanitized” during prior interactions between senior management and internal audit, the audit committee chair of two different companies acknowledged last week.

Speaking during a PwC webcast, John Fazio, the audit committee chair of Sequenom, a life sciences company, as well as Heidrick & Struggles International, an executive search firm, said that although he formally gets only terse reports from internal audit, he gets a much fuller picture of what’s really going on via frequent, informal meetings with internal auditors.

“A lot of times when reports are getting sanitized, I will find that out through the communications process,” he said, noting that sometimes such discussions prepare him to probe more deeply at audit committee meetings. “I know some of the questions to ask during audit committee meetings to bring out some of the points that have been reduced because of management’s sensitivity to them,” Fazio said.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Management, too, tends to have a whole lot more exposure to the internal auditor’s work than the audit committee does.  Normally, all Fazio gets is “a very concise report from internal audit. They explain a little bit about the area they’re auditing, their processes of auditing and their findings. And that’s all,” he added. “So our view of the work being done by internal audit is [at a less detailed level] than management’s.” And from management’s perspective, familiarity may breed contempt.

CFO, Audit Committees Disagree

Indeed, there is a wide rift between the perceptions of finance chiefs and boards of how well internal auditors perform. Just 34 percent of 114 CFOs say their companies’ internal auditors are doing a good job as providers of “timely proactive advice to senior management on both current and future problems,” according to recently released PwC survey on the state of the internal audit profession. Almost 80 percent of the finance chiefs expected internal audit to perform in that advisory role.

Further, the CFOs were part of a broader senior management group (including chief executive officers, legal chiefs, chief risk officers and chief compliance officers), 55 percent of which reported that they don’t believe that internal audit adds significant value to their organizations, according to the survey. The research drew responses from 1,900 chief audit executives (CAEs), internal audit managers and board members in addition to senior management. The respondents represented 24 industries across 37 countries.

In contrast to the views of finance chiefs, only about 30 percent of the board members surveyed felt that internal audit adds less than significant value.

To be sure, CFOs feel that internal auditors are doing a better job of meeting finance’s expectations. In 2013, just 37 percent of finance chiefs participating in the PwC survey rated the value received from internal audit as “significant.” In 2014, this number increased to 49 percent of CFOs.

Still, that leaves more than half of CFOs regarding internal-audit teams as providing less than significant value.

The reasons that finance chiefs rate internal auditors so much lower than boards and board audit committees do are that CFOs have much more daily exposure to them and their foibles – and want entirely different things from them, experts say.

“The audit committee is typically looking to internal audit for assurance around the overall effectiveness of controls – in many cases controls over financial reporting and financial-related controls,” Richard Chambers, president and CEO of the Institute of Internal Auditors (IIA), told CFO last week.

In contrast, senior executives are more likely to say to internal auditors that although assurance is necessary, “what we really need is advice, your perspectives on risks,” he said. Unlike the perspective of audit committees, management’s point of view is one that involves “not looking backward, but looking at the present.”

Chambers also noted that IIA’s position is that internal auditors who report to management should report to CEOs rather than CFOs. CEOs have less of an “inclination” than CFOs to urge internal auditors not to criticize a company’s internal controls over financial reporting, he said.

“But I’ve seen a lot of internal auditors work for some outstanding CFOs, and they’ve done so without any interference,” Chambers added.