After more than 10 years of sounding alarms about the dangers of having internal audit report administratively to the chief financial officer, I must grudgingly concede my warnings have fallen on deaf ears.
My firmly held belief is that internal audit should report administratively to the CEO and functionally to the audit committee of the board. But year after year, the
While most privately held companies also fall into this category (72%), my concern is with companies whose risk management practices most directly impact investors and the greater marketplace. For those who haven't read my previous cautionary missives on this topic, here's a brief synopsis of why I believe this practice is fundamentally dangerous and increasingly so in the modern risk landscape.
The most common critique of this reporting arrangement is that CFOs could steer internal audit scrutiny away from their areas of responsibility. But I haven't found that to be the biggest problem. Instead, statistics I have seen over the years indicate that CFOs are more likely to use internal audits to address key risks in their areas of responsibility, at the potential exclusion of non-CFO risks in the organization. Below, I share five safeguards for ensuring that reporting relationships to the CFO don't compromise internal audit's independence. But first, a brief history lesson might help shed additional light on why this should be of grave concern for any organization.
In the U.S., internal audit came into its own as a profession after passage of landmark legislation in the wake of the 1929 stock market crash, including the Securities Acts of 1933 and 1934. These acts created modern regulatory concepts for internal controls over financial reporting, and they fueled the need for effective assurance over ICFR that internal audit provides. Seven decades later, a series of financial scandals, most notably the collapse of WorldCom and Enron, led to passage of the Sarbanes-Oxley Act of 2002. The new legislation created even greater reporting requirements including mandates for annual assessments of ICFR effectiveness and independent external auditor attestations. From the CFO's perspective, it would seem obvious that effective ICFR and compliance with related reporting regulations should be a top priority for publicly traded companies and that independent and unbiased assurance from internal audit should be part of the process. Anyone reading that might reasonably ask, "So what's the problem, Richard?"
The answer is that, while financial controls and related reporting regulations represent a significant risk area for many organizations, today's complex and volatile risk environment contains substantial nonfinancial risks, including cybersecurity and digital disruptions such as AI, supply chain, business resilience, climate change and others. Simply stated, under the CFO's leadership, there is inherent risk in overemphasizing the need for internal audit services on ICFR while minimizing its value in combating nonfinancial risks.
To be clear, I am not accusing any CFO of deliberately ignoring nonfinancial risks. On the contrary, I believe CFOs generally are well-informed and well-intentioned risk management partners. But I also believe subconscious bias and blind spots are part of human nature.
Five safeguards to ensure at least the appearance of internal audit's independence
Because I see little chance of changing the CFO/internal audit paradigm on the horizon, I'd like to offer five safeguards to help ensure internal audit services are not swayed to the detriment of nonfinancial risk.
1. Internal audit's charter must reference the administrative reporting line to the CFO. There should be no ambiguity in the charter's language, such as saying internal audit reports to a member of management.
2. Corporate minutes should document that the reporting relationship was discussed with and approved by the board and/or audit committee. While I won't go as far as saying the audit committee must document its decision-making process, documenting the discussion acts as a safeguard to ensure the audit committee understands the reporting relationship and has explored its risks and advantages before approving the charter.
3. The CEO should review and approve any proposed audit plan before submitting it to the audit committee for approval. This ensures the CEO's involvement and reflects that the CEO agrees with the priorities established in the audit plan. This mitigates any perception that the CEO is unaware of internal audit's focus.
4. The audit committee should be informed of any deviation between the risk assessment and where the audit plan addresses the CFO's areas of coverage. This will make the committee aware of any lower CFO risk areas that are in the audit plan or any higher non-CFO risk areas that are not.
5. Audit committees should insist on being informed about disagreements between the CFO and internal audit over audit recommendations. This provides an additional safeguard that may alert the audit committee to any trends in disagreements that might reflect undue influence or bias from the CFO.
I should mention that the IIA's new Global Internal Audit Standards also reflect this reality. Standard 7.1 Organizational Independence Requirements requires the chief audit executive to annually confirm to the board the internal audit function's organizational independence, including any incidents where its independence might have been impaired. It also requires the CAE to document within the internal audit charter internal audit's reporting relationships and organizational positioning.
In its Considerations for Implementation, Standard 7.1 notes, "While the chief audit executive reports functionally to the board, the administrative reporting relationship is often to a member of management. This enables access to senior management and the authority to challenge management's perspectives. To achieve this authority, it is leading practice for the chief audit executive to report administratively to the chief executive officer or equivalent, although reporting to another senior officer may achieve the same objective if appropriate safeguards are implemented."
The precautions outlined above should not be taken as me changing my views about internal audit's reporting relationship. Instead, it is an acknowledgement that I can read the writing on the wall. I still believe it benefits the organization overall for the CEO to have internal audit as a direct report, despite the reluctance of U.S. publicly traded companies to join the rest of the world in having internal audit report to the CEO. The latest global data on the topic, from the Internal Audit Foundation's
I can only surmise there must be some legacy holdover to that long-ago time when internal auditing was viewed as a finance-related function instead of a key risk management player. But that was the era of the bean counter, when we were primarily concentrated on financial controls and the overall accuracy of financial information. Internal audit functions began to engage more in operational risks as far back as the 1960s. By the 1970s and 1980s, it was quite common for internal audit to be looking at more than just financial risks. Indeed, we're more than a half century beyond the time when internal auditors finally took off their green eye shades. That important evolution should be reflected in a direct reporting line between the CEO and the CAE.