What should the Audit Committee ask the head of Internal Audit?
In an April blog post on his new company’s web site, Richard Chambers writes about: 5 Questions the Audit Committee Should Ask Internal Audit – But Doesn’t.
It always surprises me, but perhaps it shouldn’t, that my friend and I (and we have known each other for a very, very long time) often have different views.
There are some issues on which we fiercely agree, such as the need to audit at the speed of risk. (We have both used that expression for a decade or more and written books about it. I claim, although Richard is not sure, to have used it first. But no matter, we both are ardent supporters of a continuously updated, enterprise risk-based audit plan.)
There are also areas where we disagree. For example, Richard believes strongly that the CAE should report administratively to the CEO because if he/she reports instead to the CFO that executive may try to own the function. I reported throughout my career as CAE to the audit committee and the CFO, and not once did the CFO interfere with my planning or reporting. However, I have personal experience at two different companies, one huge and one small, of a CEO owning and directing the CAE and his planning and reporting. (The first was a company that acquired mine, and the second was a company that mine acquired.)
In this blog post, there are topics that Richard suggests where I fiercely agree, and others where I disagree. No surprise.
Let’s start with where I fiercely agree.
The first and most important is his fifth question:
Based on internal audit coverage during the prior year, what is the CAE’s assessment of the overall effectiveness of the company’s internal controls and risk management?
As Richard says, this is:
…the most important question of all – the question that I often find is on virtually every audit committee member’s mind but is rarely asked. In seeking the answer to this question, the audit committee is asking the CAE to “connect the dots.”
However, I don’t accept that the CAE should ever answer the way Richard describes:
However, the committee must be prepared for an answer that it does not want to hear: that the body of internal audit’s work over the past year has not been adequate for an “unqualified” opinion or assessment on the adequacy of risk management and controls. In communicating any opinions, the CAE should be prepared to communicate qualifications based on the extent of internal audit’s coverage. If the audit committee is not comfortable with a qualified answer, then a discussion about internal audit’s resources needs to be back on the table.
No. The question is the right one. It asks for the CAE’s assessment, their assurance, based on the coverage during the year. How can any reasonable CAE say that they can’t provide an unqualified opinion? The question includes the only necessary qualifier: “based on the coverage during the year”.
As CAE, I started providing my opinion on the adequacy of internal controls to address the more significant risks more than 30 years ago! It had the necessary qualifier, that was based on the work performed. I was a member of the IIA team that developed their Practice Guide: Formulating and Expressing Internal Audit Opinions in 2009.
BUT: the audit plan was specifically designed, even back then, to address the more significant risks to the enterprise as a whole.
In other words, the audit plan was designed to deliver the necessary macro-level opinion at the end of the year!
The audit committee knew this, as did management, so there was no surprise, no question about the adequacy of coverage.
In fact, when I presented the plan for review and approval by the audit committee, I showed them what were the next most significant risks that I would not be able to address due to resource constraints.
That answered, at the beginning and not the end of the year, Richard’s excellent third question:
What are the top five risks that internal audit is not addressing due to a lack of resources or skills?
By the way, lack of skills is not an acceptable excuse, as those can be obtained by co-sourcing, the use of guest auditors, and/or training.
Moving on to Richard’s fourth question, it is again one with which I very strongly agree:
What strategies is internal audit deploying to ensure greater understanding of the business by audit staff?
My quibble is that the question should ask whether that understanding is sufficient, rather than greater.
I recently had a debate with the great Tom Peters. I first ran into him more than twenty years ago, when he started talking about WoW! Projects. I was so impressed I had each of my internal audit direct reports attend his WoW! seminars! You can see the slide deck of a presentation I made at MISTI’s SuperStrategies conference in 2001 that talks about a Wow! Internal audit department.
Have a look at slides 37 and on.
The debate with Tom (we follow each other on Twitter) was about Managing by Wandering Around (MBWA). He has been an advocate for this practice for a long time and writes about it here.
Check out the video linked in his article and ask whether you and your team are doing enough MBWA to understand the business.
MBWA is a great way of staying in touch with changes in the business (internal and external context) and changes in risks to the business so you can update the audit plan! That addresses Richard’s second question. Just remember that it is the responsibility of management to identify the risks; it is our responsibility to assess how well they do that and to make sure our audit plan is continuously updated so we audit what matters today and will matter in the future.
I suggested to Tom, and after he thought about it, he agreed that instead of MBWA, we should be talking about MBLA: managing by wandering and listening around. The focus is on listening, making sure that you are not talking more than 40% of the time.
I have not addressed Richard’s very first question:
Is internal audit following the International Standards for the Professional Practice of Internal Auditing (Standards), and what were the results of the last external quality assessment?
With all respect to Richard, The IIA, and all CIAs, I have a hard time believing that the Standards are a guide to quality auditing. There are too many issues with them (which I have shared with IIA leadership and hope they are considering as they work towards upgrading them) and adhering to the Standards is not a guarantee of excellence.
Sometimes, you need to go your own way and design an internal audit program that meets the assurance needs of the organization at that time and in your specific circumstances. I admire what Chris Keller did at Apple when he was CAE there, moving from static internal auditing per the Standards to more continuous risk and control monitoring of the various projects at the company.
So – are there questions that Richard has not included in his top five?
My top five are different and include some he did not.
- Based on internal audit coverage during the prior year, what is your assessment of the overall effectiveness of the company’s internal controls and risk management? (This assumes that there is a continuously updated, enterprise risk-based audit plan.)
- Describe your relationships with management. Is there inappropriate pressure on you to change your audit plan or your reporting? Do you get the support you need from all levels of management? Does management work with you when it comes to assessing and acting on the need for change?
- What, if anything, is holding you back from excellence? Are there sources of risk that you wish to address but cannot due to resource limitations – other than those we previously decided not to fund? Are you satisfied with the quality and performance of your staff?
- What should we and the board be focused on?
- How can we help you?
Somewhere in here, but I hate to remove any of the above, is the set of questions that the committee should ask around the effectiveness of the management team (individually and as a team). In my top ten is also the question of whether the external audit team is effective, including the level of communication and collaboration with internal audit.
There are just so many questions the audit committee should ask!
What have Richard and I missed?
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Both of you have suggested good questions. The best AC Chair that I worked for used to ask me what questions he should be asking management directly. So I would feed him the tough questions which he presented as his own at the AC. It worked very well.
I am not going to flatter myself to think that I am in the same intellectual or experience company as Norman and Richard to be able to add to this debate.
But may I add one humble observation.
Societies – professions – grow when divergents of view are expressed in a manner civil in nature; respectful in approach and insightful in construction.
That two titans of what we hold dear are engaged in this fascinating and calm discourse is EXACTLY what will move this thing we call internal audit forward.
If I had a magic wand at every professional conference I would not only schedule such debates but have them as the primary sessions (no more big names outside of the profession talking about tangential issues).
And I would instigate a new annual global award – the Marks Chambers Medallion – for that person that made us imagine a future yet unknown.
You flatter both Richard and I with such comments. I hold you and your achievements in high esteem, Tom! You have been a great example for internal auditors and their leaders in Australia and around the world.
Richard – I love your questions. That’s certainly the type of discussion I had with my A.C. members. Your post is very insightful. Between your list and Richard’s, I sense two (very general) types of questions. One seems to be probing the CAE to find out what’s holding them back from doing a better professional job (internal audit performance). The other seems to be asking what the board/A.C./executives should be doing to support the CAE and create stronger organizational effectiveness. I wonder if the respective CAE’s experience and executive presence might have an impact on which questions are more applicable.
Sorry, Norman. I did this before, too. I know you were referring to Richard’s earlier post and that just stuck in my head. My apologies.
It’s always great to learn about different opinions and how Internal Audit is shaping up in the Western hemisphere. I think all questions are important in different contexts and one question that’s useful for Audit Committees and CAEs as well is whether “Internal Audit is aligned with the strategy of the organization” and a follow-up query could be “What’s being done to bridge the gap.”
This question may be asked in different expressions but the gist is to understand if we are auditing what the organization really needs as opposed to what we feel the organization needs. There are some areas where the CAE will fight for inclusion in the audit plan, but most audits are based on the organization’s intrinsic needs and changing strategy. This requires fluidity and a greater level of trust with Senior Management & BoD if we consistently target the areas they feel are important.
Great article, posing quick question that open auditing mind.
Thanks! Riccardo