When it comes to improving internal audit performance, the things that audit committee chairs hesitate to say are often the things that audit executives most need to hear. For most audit committee members, it’s easy to talk about risks and controls. Discussing sensitive subjects such as fraud and theft is a normal part of the job.
But even for the most experienced audit committee members, some subjects are problematic, and, surprisingly, some of the most challenging subjects seem to involve feedback about internal audit performance. “Relationships between audit committees and their chief audit executives (CAEs) are often complicated by personal dynamics and the awkwardness that comes with constructive feedback,” says Institute of Internal Auditors President and CEO Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA.
“As a result, I often find that audit committees are uncomfortable pointing out to the CAE what internal audit could do better. Instead, they leave it to management to deliver the news, and the translation isn’t always pure.”
Whose Job Is It?
It’s no wonder that many audit committee chairs tend to want to defer internal audit performance feedback to someone in management.
Most CAEs report to the audit committee functionally, but to the CEO or another executive administratively, and it’s not always clear who should be responsible for pointing out opportunities for improvement. Administrative and functional reporting lines for CAEs are often blurred, and responsibilities regarding performance management are not necessarily specified. It’s tempting to defer feedback responsibility to management, but a failure to provide ongoing performance feedback to internal audit may be one of the biggest potential “oversights in our oversight.”
Recent studies of matrix management organizations indicate that when dual reporting lines are implemented, performance is improved when regular feedback is received from both reporting lines. Because the audit committee’s needs are different from those of management, having regular, future-focused check-ins and giving frequent feedback can greatly enhance internal audit effectiveness.
What We Don’t Want to Say
Regardless of how hard we work at fostering an atmosphere of openness and honesty, we are not always comfortable telling people everything that is on our minds. But when it comes to improving internal audit performance, the things that audit committee chairs hesitate to say are often the things that audit executives most need to hear.
Chambers has worked with numerous audit committee members in an advisory capacity, and he points out that there are several things audit committees have frequently said to him that they hadn’t said to their own internal auditors. In some cases, they might have been trying to spare the CAE’s feelings. But in each case, these were messages that the CAE should have received.
1. You send us too much information.
Unfortunately, some audit executives seem to believe that audit committees grade by volume. It is essential for internal audit to keep the committee informed, but even the most important messages can become lost in the flood of details that emerge during internal audits. “I have seen well-intentioned CAEs send as many as 40 internal audit reports a year to their overwhelmed audit committee members,” says Chambers. “Beyond that, I have seen internal audit reports running more than 200 pages that were distributed unabridged to their audit committee members. Is it any wonder that audit committees feel overwhelmed with paper?” Audit committees should never need to struggle to focus on the most important issues.
Nobody wants to admit they can’t keep up, but committee members have multiple responsibilities and limited time. The audit committee doesn’t necessarily have the same information requirements as the managers who need to address audit issues, so the committee must let internal audit know how they feel about the amount of information and level of detail provided by internal audit.
There are times when synthesizing results and signaling the most critical issues will not only save time, it will also make audit committee meetings more effective.
2. We don’t always get the full picture because you don’t “connect the dots.”
Information does not always equal insight. Even if internal audit communicates essential information about risks and controls with crystal-clear synopses that are free of nonessential detail, there still might be times when the big picture is unclear.
Is the organization and its individual business units well-controlled? Are risks well-managed overall? According to Chambers, every internal audit report should provide context that answers the essential “So what?” question. If that context is not provided succinctly by the internal auditors, the committee may need to communicate the need for the information. Otherwise, the committee might end up spending a lot of time asking questions such as, “Why are you telling me this? Why is it important?” And, “What are the potential consequences?” Audit committees must also be prepared to ask for opinions and ratings if they are needed but are not being provided. Ratings systems can be controversial, and management and the audit committee may or may not agree on the need for specific ratings, so it’s up to the committee to ensure their requirements are understood.
3. We want you to focus on more than just financial controls, but we’re not sure you have the skills.
A 2017 survey from KPMG’s Audit Committee Institute found that 82 percent of audit committee members believe internal audit’s role/responsibilities should extend beyond the adequacy of financial reporting and controls to include other major risks and challenges facing the company. Unfortunately, only half of surveyed audit committee members stated that they believed their own internal audit function had the skills and resources to be effective in the roles they envisioned. It’s a significant disconnect.
According to Chambers, often the only question asked about internal audit’s resources is: “Are they adequate?” He believes audit committee members need more information. “I would want to know whether the resources are adequate to address the company’s key risks,” he says. “One means of answering that question is to understand what is not getting done. If there are key risks that are not being addressed due to internal audit’s resource constraints, the audit committee should know what they are and be comfortable with the fact that they will not have assurance from internal audit that the risks are being addressed adequately by management.”
If you are not sure that the internal audit function has the requisite skills and resources to address your organization’s risks effectively, it’s time to find out. You might discover that there are significant opportunities for performance enhancement simply by asking questions such as:
• What are the top five risks that internal audit is not addressing due to a lack of resources or skills?
• What strategies are you using to ensure internal audit has the correct mix of skills for addressing our specific risks?
• What methods do you use to enhance understanding of the business by audit staff?
4. We need you to bring us an independent view – not to be a “mouthpiece” for management.
According to the 2016–2017 National Association of Corporate Directors Public Company Governance Survey, many board members have significant concerns regarding the quality of information received from management.
About half of respondents “noted a glaring need for improvement in the quality of information provided by management.” The CAE is a part of the management team, and there are times when it might seem like a good idea to show a united front with management.
But one of the primary strengths of internal auditing is its independence, and if the audit committee has doubts about information received from management, a second opinion can be invaluable. Management is almost always capable of speaking for itself, so CAEs can best add value by being transparent and candid, even when their opinions differ from those of management. In some organizations, management is uncomfortable with an independent internal audit function that provides different perspectives on the effectiveness of risk management and internal controls.
That is why this is another area in which performance feedback from the audit committee can be indispensable. Obviously, internal audit should not be encouraged to go out of their way to contradict management. But occasionally, there are times when it might be more productive for the CAE to concentrate more on audit results and less on representing management’s point of view.
The Performance Disconnect
There is no doubt about the value that can be created by a fully resourced, professionally staffed internal audit function.
But, dismayingly, recent surveys by KPMG and PwC indicate that about half of internal audit’s key stakeholders (board members and senior executives) believe their own internal audit function is not delivering the value it should. That is a significant Many of those opportunities lie within the internal audit function itself, but feedback from the internal audit function’s stakeholders is also essential.
“My opinion is that while the audit committee members may be assessing internal audit performance as ‘needs improvement,’ they should be looking in the mirror,” writes former CAE and author Norman Marks. “Internal audit reports to them; if it is not performing to their satisfaction, they are either failing to communicate expectations clearly, not demanding the necessary improvements, not providing the critical support they need when management is pulling them in a different direction, not taking actions (such as replacing the CAE) to effect change, or all of the above.”
The Executive Session
Audit committee executive sessions with the CAE (but without the presence of management) often provide important opportunities for sharing information and improving internal audit performance. Rather than asking the CAE whether or not there is a need for an executive session, the session should be a regular agenda item, preferably at each in-person audit committee meeting, because regular sessions:
• Strengthen auditor independence – and the appearance of independence.
• Enhance oversight and improve communication.
• Reduce the appearance that the CAE “requested” a special session, potentially averting a conflict or misunderstanding with management.
Because executive sessions facilitate candid discussion, they can be particularly effective for surfacing issues related to working relationships, auditor independence, and the ethical environment.
If your audit committee has not discussed each of these issues in a recent executive session, following are some questions that can be used to get the conversation started.
Working Relationships
• Has management provided full cooperation, both during audits and relative to recommendations?
• Does management provide adequate administrative support?
• Are you satisfied with the level of support provided by/to the external auditors and other assurance providers?
Auditor Independence
• Do you have sufficient organizational independence to achieve your objectives?
• Are you free from undue influence in the audit selection process?
• Do you have any scope limitations?
• Have changes been made to internal audit reports that might dilute the message?
Ethical Environment
• What are your primary concerns about the company’s ethical culture?
• Are you aware of any actions inconsistent with our values that have not been reported?
• Is there anything that troubles you about the organization?
• Are there any specific areas where you believe organizational culture needs to be improved?