Reports by internal auditors to board audit committees are often “sanitized” during prior interactions between senior management and internal audit, the audit committee chair of two different companies acknowledged last week.

Speaking during a PwC webcast, John Fazio, the audit committee chair of Sequenom, a life sciences company, as well as Heidrick & Struggles International, an executive search firm, said that although he formally gets only terse reports from internal audit, he gets a much fuller picture of what’s really going on via frequent, informal meetings with internal auditors.

“A lot of times when reports are getting sanitized, I will find that out through the communications process,” he said, noting that sometimes such discussions prepare him to probe more deeply at audit committee meetings. “I know some of the questions to ask during audit committee meetings to bring out some of the points that have been reduced because of management’s sensitivity to them,” Fazio said.

Management, too, tends to have a whole lot more exposure to the internal auditor’s work than the audit committee does.  Normally, all Fazio gets is “a very concise report from internal audit. They explain a little bit about the area they’re auditing, their processes of auditing and their findings. And that’s all,” he added. “So our view of the work being done by internal audit is [at a less detailed level] than management’s.” And from management’s perspective, familiarity may breed contempt.

CFO, Audit Committees Disagree

Indeed, there is a wide rift between the perceptions of finance chiefs and boards of how well internal auditors perform. Just 34 percent of 114 CFOs say their companies’ internal auditors are doing a good job as providers of “timely proactive advice to senior management on both current and future problems,” according to recently released PwC survey on the state of the internal audit profession. Almost 80 percent of the finance chiefs expected internal audit to perform in that advisory role.

Further, the CFOs were part of a broader senior management group (including chief executive officers, legal chiefs, chief risk officers and chief compliance officers), 55 percent of which reported that they don’t believe that internal audit adds significant value to their organizations, according to the survey. The research drew responses from 1,900 chief audit executives (CAEs), internal audit managers and board members in addition to senior management. The respondents represented 24 industries across 37 countries.

In contrast to the views of finance chiefs, only about 30 percent of the board members surveyed felt that internal audit adds less than significant value.

To be sure, CFOs feel that internal auditors are doing a better job of meeting finance’s expectations. In 2013, just 37 percent of finance chiefs participating in the PwC survey rated the value received from internal audit as “significant.” In 2014, this number increased to 49 percent of CFOs.

Still, that leaves more than half of CFOs regarding internal-audit teams as providing less than significant value.

The reasons that finance chiefs rate internal auditors so much lower than boards and board audit committees do are that CFOs have much more daily exposure to them and their foibles – and want entirely different things from them, experts say.

“The audit committee is typically looking to internal audit for assurance around the overall effectiveness of controls – in many cases controls over financial reporting and financial-related controls,” Richard Chambers, president and CEO of the Institute of Internal Auditors (IIA), told CFO last week.

In contrast, senior executives are more likely to say to internal auditors that although assurance is necessary, “what we really need is advice, your perspectives on risks,” he said. Unlike the perspective of audit committees, management’s point of view is one that involves “not looking backward, but looking at the present.”

Chambers also noted that IIA’s position is that internal auditors who report to management should report to CEOs rather than CFOs. CEOs have less of an “inclination” than CFOs to urge internal auditors not to criticize a company’s internal controls over financial reporting, he said.

“But I’ve seen a lot of internal auditors work for some outstanding CFOs, and they’ve done so without any interference,” Chambers added.

, , , , , , ,

4 responses to “Internal Auditor Reports Getting ‘Sanitized’”

  1. There is an underlying question of the extent to which management is helping the auditor “sanitize”. I think it’s important that the auditor present his/her findings and recommendations in the audit report so that they are properly interpreted by a third party who may not be familiar with the details. Management can help the auditor identify instances where particular phrases, while factually correct, may lead to inaccurate conclusions by the reader. If this is what’s meant by sanitizing, then this doesn’t seem to be a problem … it’s akin to mentoring. On the other hand, if management is “sanitizing” to the extent that the auditor no longer feels that it’s fairly presenting his/her views, then that’s a problem. In either case, it’s good for the Audit Committee Chair to regularly meet with the CAE to get the auditor’s gut-level view on issues without any filtering or sanitizing.

  2. It is true that IA reports are ‘sanitized’ prior to being delivered to company leadership and audit committees. Some of the prevalent reasons are the risk to overall company, the materiality of the control deficiency and the existence of additional compensating controls that decrease both initial two items. Many board members or even company leaders do not read the details of the reports (nor should they) and measure control environment by the quantity of failures (a.k.a. thickness of the reports). Therefore reports are edited for content, leaving the most relevant, important and material topics.

    Does it mean companies are out of control? Not necessarily. Control failures fall in the following categories: internal compliance (company policies), operations (and their impact in asset utilization, profitability) and external compliance (SEC, FCPA). Many of the failures fall in the first two categories which (without any intention to minimize their impact; on the contrary, they are extremely important) is more concerning to audit committees and company leadership.

    As long as IA maintain the objectivity, and provides an un-compromised view of the status of the control environment, is adequate the sanitation of IA reports.

  3. Does sanitization mean hiding the internal audit observations from the Audit Committee? I feel that the approach of the senior management, audit committee and the Internal auditors should be to resolve the concerns expressed by the internal auditors in their internal audit reports. If these concerns are taken care of or assured to be taken care of within a reasonable time frame, the Internal auditor need not carry such observations to the audit committee, unless they definitely need the attention of the audit committee. However, the senior management fails on its assurances, the internal auditor should definitely highlight such failures, if they are material.
    If the internal auditor is satisfied that the concerns are resolved or being addressed suitably, there is no need to make the audit reports bulky and place them before the audit committee. Ultimately, the objective of every stakeholder in the audit reports is to ensure that the audit concerns are properly addressed and resolved.

Leave a Reply

Your email address will not be published. Required fields are marked *