A simmering debate in the internal-audit community shows no signs of evaporating. It’s an important topic to many of the field’s practitioners, who perceive the profession’s very credibility and integrity to be at stake.
Many of the country’s largest and highest-profile companies include a stint running the internal-audit department as a component of executive-development programs for their highest-potential senior executives. The trouble that some have with that arrangement comes when the executive in question is a finance person — which is usually the case — and expects to rotate back into finance after three to five years as chief audit executive (CAE).
Nothing is more central to the identity of internal auditors than maintaining independence from company management — reporting to the audit committee on substantive matters and to the CFO or CEO only for administrative purposes — and carrying out their work with disciplined objectivity. But, the critics’ argument goes, how independent and objective can a person be when auditing financial controls, or anything finance-related, if he or she once reported to the CFO and presumably will again once the sojourn into internal audit is over?
It’s not hard to find career auditors who, to put it mildly, take a dim view of the practice. “There is nothing good about that kind of program,” says Joe Steakley, who was an auditor at Ernst & Young for 22 years and a partner at the firm when he left to take over the CAE role at HCA Holdings 16 years ago. “You show me any big company that does that, and I will tell them they are not independent, and they are not objective. If they audit their future bosses, they will be tainted, they won’t tell the truth, and they will write bad reports. It’s that simple.”
Steakley knows about big companies: HCA, a $33 billion, publicly traded hospital-systems operator, is in the Fortune 100.
A “litmus test,” he says, is the Big Four public accounting firms. For years, until the Arthur Andersen-Enron debacle exploded in 2001, the firms proclaimed themselves quite capable of policing themselves to make sure no conflicts of interest arose between their auditing and consulting practices. The next year, the Sarbanes-Oxley Act established the Public Company Accounting Oversight Board, installing the federal government as the police over the firms. “If the Big Four couldn’t do it, there’s no way industry can,” says Steakley.
Some companies, he suggests, may rotate finance executives into and out of the CAE chair because “they don’t want a strong internal-audit function.”
Maybe so. Maybe not. The list of companies that routinely have assigned finance executives to take over internal audit for a few years reads like a who’s who of those considered among the best-run American businesses: Caterpillar, General Electric, Honeywell, IBM, and Johnson Controls, among others.
“I know there are a lot of tenured CAEs who hold as a core belief” that having a finance person in the job on loan from finance, so to speak, equates to a weak internal-audit function, says Greg Grocholski. But, adds the 30-year veteran of Dow Chemical, who finished three years atop the internal-audit function just last month, “if that were the purest of recipes, maybe we wouldn’t have such frequent occurrence of financial malfeasance on the front pages.”
Grocholski served as an internal-audit staffer and director for eight years in the 1990s. He now reports to Dow’s CFO as finance director for the company’s corporate ventures and business development group, a role that’s roughly equivalent to divisional CFO at other companies. Asked if he ever felt any conflicts of interest while auditing finance-related activities, he says, “None whatsoever.”
Adds Grocholski: “Are there risks and concerns in taking that job? There are risks and concerns with everything. But if you take that job, you have to understand the risks to your personal career. And then you have to make the right calls, regardless. If you don’t understand that, don’t take the job. If you do take it, ask yourself every night how well you’re sleeping, and if you sleep well, you’re probably doing the right things.”
As with any risk-management program, the key is to mitigate risks, says Grocholski. In this case, mitigation can be achieved through the CAE selection process, the way the board monitors and supports that role, and establishing a corporate culture of “doing the right thing.” He observes, “I could suggest there are risks from having tenured auditors, like complacency, which is always a risk when someone is in a role for too long.”
Varun Laroyia, who last August wrapped up a three-year stint as Johnson Controls’ internal-audit leader, says most of the companies that use the rotational approach to filling the CAE role are well equipped to pull it off.
Hired seven years ago as vice president of finance and IT for the Europe/Africa division of Johnson Controls’ building-efficiency business, Laroyia currently is the worldwide group controller of that business, which generates $15 billion in annual revenue. For the most part, concerns over the independence and objectivity of CAEs serving in between finance roles are “irrelevant,” he says.
“Think of a progressive, sophisticated organization with a culture where internal audit is expected to be highly critical and to highlight improvement opportunities. There, you won’t face those problems,” Laroyia adds. “In businesses where that culture is not present, the CAE and the audit department may not be as independent as one would like them to be.”
At large, top-flight companies, says Laroyia, bringing in a finance operations executive as CAE “builds internal audit’s credibility with the business, gives that strong finance professional broader visibility into the enterprise, and is a critical stop in that person’s development.” At companies where there are objectivity issues with such a CAE, he wonders, “What kind of roles did those people end up rotating back into? If they were senior executives, I think the whole argument goes away.”
He notes that in 2012, Johnson Controls engaged the Institute of Internal Auditors (IIA) to perform the once-in-five-years external quality review of companies’ internal-audit functions that is required to comply with IIA standards. (Such other entities as public accounting firms can perform the reviews as well.) He says the review found no fault with the company’s rotational model, which includes bringing in staff below the CAE level and later sending them back to the business. The IIA confirms that it conducted the review but says it never comments on review findings.
The institute’s CEO, Richard Chambers, toes the line on the debate but ultimately leans to the view that rotating a finance executive in and out of the CAE role is generally not a good practice. The portion of a typical internal-audit department’s work that involves financial activities has waned in recent years but is still about 25% of the total, he says.
“I do believe there can be benefits,” Chambers says. “Some of these individuals have been tremendous change agents. Having not spent their careers in internal audit, they brought fresh and innovative perspectives to risk assessment and the audit-planning process.”
But Chambers says that what keeps him up at night is not “things like expanding IIA’s membership,” but the fear that a CAE on loan from a company’s finance department will make a catastrophic error influenced by his or her past and future relationships with the CFO. Indeed, like Grocholski, he suggests that may have happened in some high-profile cases in recent years. He doesn’t name names, but JPMorgan Chase’s infamous “London Whale” trading fiasco and some of the more egregious violations of the Foreign Corrupt Practices Act come to mind.
“I don’t want to be black and white about it and say that someone rotating from the CFO organization into internal audit is always a bad thing,” Chambers says. “What it does, though, is increase the risk” that the internal-audit department will be less than objective, to the company’s — and perhaps the CAE’s — ultimate detriment. “I can say pretty unequivocally that the model does not foster stronger internal-audit independence.”
Another potential problem, he notes, lies in the typical brevity of the foray into internal audit. “A strong CAE provides the audit committee with perspective on risks and controls, but what kind of long-term or even intermediate-term perspective can you provide if you’re sitting in that seat for only 36 months?”
Chambers puts forth some safeguards that companies could put in place to lessen the risk that a CAE who comes out of finance will not be objective: