The Role of the Audit Committee
Audit committees should see that internal auditors have not only appropriate independence but also stature in the organisation, and are visibly supported by senior management.
It is important for the audit committee to see that the internal auditors have not only appropriate independence but also stature in the organisation, and are visibly supported by senior management. They should support the CAE, providing guidance and assistance when he or she reports potential management lapses.
The internal audit function plays a critical role in organisations, perhaps even more so today given their broad business ecosystems, which can present a host of extended enterprise risks. For these and other reasons, the audit committee’s oversight of the internal audit function is as important as its role vis-à-vis the external auditor.
When the internal audit function reports to the audit committee, it allows the internal auditors to remain structurally separate from management and enhances objectivity. This reporting relationship also encourages the free flow of communication on issues and promotes direct feedback from the audit committee on the performance of the chief audit executive (CAE).
It is important for audit committees to assess whether internal audit’s priorities, such as monitoring critical controls and developing an audit plan focused on risks identified in the enterprise risk management program, are aligned with those of the audit committee, as discussed in Deloitte’s 2018 Audit Committee Resource Guide.
The specific expectations for internal audit functions vary by organisation, but may include:
• Objectively monitor the health of financial, operational, and compliance controls
• Provide insight into the effectiveness of
risk management
• Offer guidance regarding
internal/compliance controls
• Act as a catalyst for positive change in
processes and controls
• Coordinate activities with the independent auditor
In support of these expectations, the audit committee and the CAE should have a strong relationship characterised by open communication. The audit committee should challenge the CAE and the internal audit department by setting high expectations, expressing those expectations clearly, and holding the department accountable for meeting them. The CAE should be candid in raising concerns with the audit committee when they arise.
It is important for the audit committee to see that the internal auditors have not only appropriate independence but also stature in the organisation, and are visibly supported by senior management. They should support the CAE, providing guidance and assistance when he or she reports potential management lapses.
Members of the audit committee should engage with the CAE regularly to maintain a reporting relationship that is both substantive and communicative. Holding regular executive sessions with the CAE is common and is required for NYSE-listed companies. The audit committee should actively participate in discussing goals and evaluating the CAE’s performance; these responsibilities should not be delegated solely to the CFO or CEO.
The audit committee should understand and approve the annual internal audit plan and determine if the CAE has a sufficient budget and resources to execute against it. In determining that resources are adequate, audit committees often consider whether the CAE and his or her staff are adequately compensated. As part of this review, they should review and evaluate the status of the enterprise-wide risk management program and the alignment of risks to the internal audit plan. The audit committee should also evaluate the progress and results of the internal audit plan against the original plans and any significant changes made subsequently.
The International Standards for Profes- sional Practice of Internal Auditing established by the Institute of Internal Auditors (IIA) require internal auditors to maintain a certain level of independence from the work they audit. This means that an internal auditor should have no personal or professional involvement with the area being audited and should maintain an impartial perspective on all engagements. Internal auditors should have access to records and personnel when necessary, and they should be allowed to employ appropriate investigative techniques without impediment.
Internal audit departments should also employ quality processes with a focus on continuous improvement. These processes should be periodically reviewed through self-assessment and/or external reviews. The IIA’s standards require external assessments to be conducted by a qualified, independent party at least once every five years. The CAE should discuss the form and frequency of the external assessment, as well as the qualifications and independence of the external assessor, with the audit committee.
With respect to its interactions with internal audit, audit committees might give consideration to the following questions:
• Does internal audit have a clearly articulated strategy that is reviewed and approved by the audit committee periodically?
• Does internal audit have a clear set of
performance expectations that are measured and reported to the audit committee?
• Does internal audit have a charter that is periodically reviewed by the audit committee? Does internal audit operate in accordance with its charter?
• Is the internal audit plan aligned to the primary risks of the organisation and other assurance activities? Is internal audit’s risk assessment process appropriately linked to the company’s enterprise risk management activities?
• Is internal audit flexible in addressing new risks promptly and meeting the audit committee’s needs?
• Is internal audit effective in using advanced technologies, such as data analytics, to improve audit quality? • Does internal audit perform peer reviews or self-assessments of its performance and report the results to the audit committee?
• Is internal audit funded adequately
and staffed appropriately?
• Does internal audit’s reporting structure ensure sufficient independence and respect from management and other employees?
• Does internal audit meet with the independent auditor regularly to discuss risk assessments, the scope of procedures, or opportunities to achieve greater efficiencies in the company’s audit services?