New reports suggest internal audit isn't providing boards with the intelligence they really seek
Chief audit executives know the feeling of having to serve many masters. They have several constituencies they must answer to or advise—including management, business lines, regulators, and shareholders—all while retaining their independence to provide clear and objective views.
The most important overseer of internal audit is the audit committee and the audit committee chair (at least at companies that care about governance). Generally, the audit committee helps set the agenda for the internal audit department, oversees and provides support, and intervenes on disputes or conflicts with management.
Audit committees expect internal audit, conversely, to provide an unvarnished take on how the company is meeting its financial reporting and regulatory obligations, as well as views on risks, controls, data security, and other areas.
Some evidence is now emerging that internal audit may not be doing such a hot job of meeting the needs of the audit committee. KPMG issued a report last week, for example, that goes as far as to say that there is a "knowledge gap" between what audit committees are looking for and what internal audit is giving them.
Some of the top areas where audit committee chairs and finance executives (the survey also polled CFOs) said internal audit could deliver more value are on risk assessment and risk management practices, especially on emerging risks. According to the survey, just 22 percent of audit committee chairs and CFOs said internal audit is delivering good value on risk assessment, while 57 percent of them said more insight on risk would be of most value to the organization.
"The biggest gaps in the findings were related to risk and sustainable profit generation. A surprisingly low percentage of those polled currently receive—as a component of their IA function—informed perspectives on risk, but when asked what insights they would most like to start receiving, these insights into risk ranked highest," the report states.
What Worries the Board?
A separate survey of board directors by accounting firm EisnerAmper found similar results: that boards want more input on the organization's top risks, particularly cyber-security, reputational risk, and regulatory compliance risk. Indeed, these comprised the top three biggest concerns related to risk for boards of public companies. While these are all areas that internal audit should be assessing closely, and most do, the survey found that nearly a third of board respondents said internal audit is either "not helpful" or just "slightly helpful" at identifying risks in these areas.
With the role of internal audit in flux, however, not everyone agrees on just how internal audit should go about meeting the needs of the audit committee or even what those needs are. While the board calls for more insight on data security and compliance risks, management is pushing internal auditors to provide more value and advisory services on operations and strategy.
There is another factor at work here. Audit committee chairs aren't full time, don't work in the office, and may not be familiar with the daily to and fro of internal politics. This can make life difficult for internal audit leaders pulled in different directions and cause problems in communicating and delivering value to the audit committee. It's true too that internal audit can struggle when overseen by an ineffective audit committee.
This view is bolstered by results of a survey by The Institute of Internal Auditors' Common Body of Knowledge study. A report titled "Interacting with Audit Committees," based on the study and authored by Larry Rittenberg, found uneven support for internal audit from audit committees. "There are still too many organizations without effective audit committees," Rittenberg wrote. "The opportunity for internal audit to meet the board and audit committee in executive sessions without management present is quite low in some regions and needs to be improved," he continued.
Serving many masters is one thing; serving one of them well without communicating on a regular basis is quite another. Without the support and the ear of the audit committee, it will be more difficult for internal audit to provide value. It will also be difficult for internal audit to justify its agenda to the other constituencies it serves. And then everyone suffers.