This article is US focussed in its reference to SOX compliance. However, the underlying point still stands: do those Internal Audit teams that report to the CFO really focus on the appropriate areas of risk?
Many would agree that this does create a bias towards focussing on financial risk. This therefore leads to the question: who should Audit report to?
This article has been taken from The Institute of Internal Auditors (iaonline.theiia.org) and was written by Richard Chambers, 29th June 2015.
One of the most revealing statistics to come out of a recent IIA Audit Executive Center survey is the fact that internal audit functions that work administratively for the chief financial officer (CFO) dedicate in excess of 60 percent more resources to U.S. Sarbanes-Oxley Act of 2002 compliance than their counterparts in the profession who report administratively to other executives. Are Sarbanes-Oxley risks 60 percent greater in companies whose CFOs have oversight of internal audit? I don't think so. Rather, I believe that many CFOs who have oversight of internal audit use it to address handiwork that otherwise would fall on other CFO functions. Such are the risks that materialize when internal audit "belongs" to the CFO.
Before I get too deep in what I am certain will be a controversial point of view, I will acknowledge that The IIA's International Standards for the Professional Practice of Internal Auditing are flexible enough to permit a reporting relationship to the CFO. Standard 1110 states in part that the "chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities." Standard 1110.A1 goes a bit further by stating "The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results."
So, if the standards do not explicitly preclude a reporting relationship to the CFO, then why am I concerned? My concern is not to whom internal audit reports. Instead, I am concerned with the degree to which that individual exercises authority over internal audit and impairs its ability to "follow the risks" in the organization. I believe impairment of internal audit's independence occurs not only when responsible executives steer internal audit away from sensitive risks in their areas of responsibility. Impairment also occurs when the executives steer internal audit to address risks, or operational matters, of particular interest to them at the expense of more significant risks to the organization — such as Sarbanes-Oxley compliance.
On more than one occasion I have used this blog and other venues to suggest the inherent dangers of having the internal audit function report administratively to someone other than the CEO — specifically the CFO. In a 2012 blog post, "It Is Time We Moved Out From Under the CFO's Shadow," I shared the opinion that:
"it is time for the remainder of internal audit functions to move out from under the CFO. We need strong working relationships with our CFOs, but we also need independence and flexibility to evaluate financial information and to establish audit plans without undue influence (or even the perception of influence). Most CAEs could probably establish a strong working relationship with any member of their executive management team, but the danger of undue influence is greater when internal audit answers to the finance function, either functionally or administratively."
CAEs who report to the CFO are still fairly common. According to the Audit Executive Center, about 40 percent of North American CAEs still report administratively to the CFO. As a result, there remains a widespread perception that internal audit is a CFO function.
A recent Wall Street Journal article about potential labor shortages in our profession quoted CFOs about the challenges they face in finding qualified internal auditors. The story left me ill at ease because it leaves the impression that the CFO has hiring authority over the CAE. Let me be clear. The article was accurate and did a good job of exposing the challenges that an internal audit labor shortage might create. However, the fact that CFOs believe that they have hiring authority (and, by extension, firing authority) over the CAE left a bad taste in my mouth.
I am not alone in recognizing the risks that emerge when internal audit reports administratively to executives with functional responsibilities. The Board of Governors of the Federal Reserve System issued a supplemental policy statement in early 2013 on the internal audit function, part of which provided financial institutions additional clarification regarding internal audit independence. The part of the supplement relevant to this discussion directs audit committees to explain the rationale behind having internal audit report administratively to someone other than the CEO. It specifically states:
"If the CAE reports administratively to someone other than the CEO, the audit committee should document its rationale for this reporting structure, including mitigating controls available for situations that could adversely impact the objectivity of the CAE. In such instances, the audit committee should periodically (at least annually) evaluate whether the CAE is impartial and not unduly influenced by the administrative reporting line arrangement. Further, conflicts of interest for the CAE and all other audit staff should be monitored at least annually with appropriate restrictions placed on auditing areas where conflicts may occur."
Additionally, The IIA's International Professional Practices Framework addresses the issue of organizational independence in Practice Advisory 1110-1. Specifically, paragraph two advises:
"The chief audit executive (CAE), reporting functionally to the board and administratively to the organization's chief executive officer, facilitates organizational independence. At a minimum the CAE needs to report to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations."
These important advisories strengthen the argument that the internal audit function must be placed in the position that is most advantageous to enhancing true independence as it works to provide unbiased and objective assurance to management and the board.
The challenges facing businesses today are dynamic, global, complex, and emerging faster than at any time in our history. We must then do everything we can to protect the ability to enhance internal audit's independence. When you add to the key attributes of independence and objectivity the factors of perception and credibility, the price is simply too high to continue the practice of internal audit appearing to "belong" to the CFO.
Maybe it's high time for internal audit to report to the CEO.