Where should internal audit report?

This is a touchy subject.

While there is very little debate that the head of internal audit, the chief audit executive or CAE, should report functionally to the board (usually the audit committee of the board), there are some strong opinions on where it should report for administrative purposes.

This is what the IIA’s Standards have to say (with my emphasis):

1110 – Organizational Independence    

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation:

Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

  • Approving the internal audit charter.
  • Approving the risk-based internal audit plan.
  • Approving the internal audit budget and resource plan.
  • Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
  • Approving decisions regarding the appointment and removal of the chief audit executive.
  • Approving the remuneration of the chief audit executive.
  • Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.

The Standards do not discuss what is included in administrative reporting. This is what I believe is included:

  • Reviewing and approving the expenses of the CAE
  • Performing other administrative functions that may be required by organizational policy. These vary from organization to organization but may include the approval of purchase orders that exceed the CAE’s authority level, approval of travel, and so on.

There’s little else that I can think of today.

It is customary for the CAE to be able to attend the executive’s direct reports.

It is also customary, but not always a given, that the executive will be a supporter and champion of internal audit.

The CAE’s cost center may or may not roll up to that of the executive.

Somebody has to perform these administrative functions, and it is unrealistic (with rare exceptions) to expect the chair of the audit committee to do them.

The debate is whether the CAE should report administratively to the CEO, the CFO, or another senior executive.

While it is possible for the CAE to report for administrative purposes at a lower level, for example to the Corporate Controller, this will generally create a perception that the CAE is middle management at best – rather than the senior executive he or she really is (or should be).

Some years ago, the IIA stated its preference (my guess is that this was influenced by its CEO) that the administrative reporting should be to the CEO.

Richard Chambers repeated his strong preference for that in a recent post, New Surveys Raise Alarm Bells for Internal Audit. He tells us:

One of the most jaw-dropping statistics in the IIA’s recent 2022 North American Pulse of Internal Audit report is that 76% of CAEs at publicly traded companies say they work administratively for the CFO! I have never been shy about sharing my views on this reporting relationship. While many CFOs fully respect the need for internal audit to remain independent, and for internal auditors to be objective, the optics indicate that CFOs who “own” internal audit are more likely to use the function to focus on their own priorities. Even more alarming is that only 4% of respondents are concerned about reporting lines. That is, by and large, a uniquely American problem, and fortunately it isn’t widespread in either the public or not-for-profit sectors. But the number of internal audit functions reporting to the CEO in publicly traded companies appears to be retreating. That is not a good development.

He has strong views on this and so do I.

It could be that his many years as CAE in government service influenced his position. My many years as CAE in US and global corporations led me to a totally different position.

First, administrative reporting does not confer, in any way, “ownership” of internal audit.

Second, I have seen CAEs who report administratively to the CEO forced to work on special projects for the CEO, even to the point of being sent to fire non-performing executives! In other words, the CEO thought he owned internal audit.

Third, the CEO is a busy individual and asking him or her to spend their valuable time on administrative duties like approving expense reports is absurd. In practice, the CEO will delegate those responsibilities to the CFO (at best) or an assistant (at worst, but more likely).

Fourth, you can report to the CFO and have free access to the CEO.

Fifth and extremely important, you are far more likely to be included in the CFO’s executive staff meetings than the CEO’s, even if you report administratively to the CEO. In fact, reporting to the CEO may make it harder to attend the CFO’s meetings. These meetings are very valuable sources of information about the strategies and activities of the organization.

Finally, the fact that 96% of CAEs are content with their administrative reporting should tell us something. These are smart people, and their opinion should be respected as being based on reality. Reporting to the CFO satisfies the intent of Standard 1110: “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.”

Should the CAE report administratively to another senior executive?

This will depend on the organization and on the individual executive.

I can see a case being made for reporting to one of these people:

  • Chief Administrative Officer
  • Chief Operating Officer
  • General Counsel

I am not a fan of the CAE reporting to a specialist CRO with whom there may be conflict over the assessment of control deficiencies and the risk they represent.

Whoever the CAE reports to administratively must respect the fact that the reporting is purely administrative, they do not own internal audit, and their role is limited.

How does the CAE make this happen?

That is covered by Standard 1000: Purpose, Authority, and Responsibility.

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

Interpretation:

The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

The value of the Charter is not that the CAE can brandish its authority when management doesn’t allow internal audit necessary access to information, etc.

The value is that it is discussed and reviewed by the board or its audit committee. That activity instructs whoever is administratively supporting the CAE where the boundaries of their role lie.

What do you think?

By the way, I am not commenting today on the other alarm bells that Richard says are ringing except to say that I disagree on SOX and do not agree with his logic on cyber. (I would point you to an IIA webinar we did together, but the IIA has removed it for some reason. In it, he agreed with my position that IA delivers great value if it is given the necessary resources to fulfil its primary mission as well as test controls for SOX.)

  1. Steve McNally
    April 18, 2022 at 11:34 AM

    Totally agree with your perspective. Having held positions as CAE in both corporate and public sector I think there are benefits from different reporting lines in each.
    My experience in corporate setting was reporting administratively to CFO for the basic administrative requirements you set out and otherwise independence to run the IA function as I saw fit. In public sector I experienced both reporting to CFO and CEO with the latter arrangement being, in my view, much better for the organisation. CFO wanted to direct any activity reporting to her rather than allowing IA to function independently, which I believe was a reflection of the organisational structure. CEO assumed any direct reports would take responsibility for their respective functions.
    Also agree with respect to option of reporting to CRO – creates inherent conflict when IA attempts to provide independent perspective on risk management.

  2. Anonymous
    April 19, 2022 at 7:57 AM

    I think the reporting channel depends upon individual organizations and how they are structured. I currently report to our CRO, who assumed that role from me. Internal Audit responsibilities grew so I gave up the risk management duties. We currently work very well together and there have been no conflicts when I have reported independently on risk management. Of course, this relationship could be unique to our organization and may not work in others.

    • Norman Marks
      April 19, 2022 at 8:17 AM

      Thank you for sharing. Rather than depending on the organization, I suggest that it depends more on the individuals involved. If your CRO were replaced, your feelings about reporting to the CRO might change.
