Can an internal auditor examine a company’s books and controls with an objective eye if the person ultimately responsible for those books and controls is his or her boss? Increasingly, audit committees — whose job includes protecting the independence of internal auditors — are hearing that the answer to that question is no.
The majority of public companies’ top internal auditors split their reporting duties between the audit committee and the CFO, with their strategy and functionality falling under the committee’s purview and their administrative duties falling under the finance chief’s. While having direct access to the CFO exposes the head auditor to a company’s financial reporting process, it also can undermine that auditor’s independence, according to Moody’s Investors Service’s recently released best practices for audit committees’ oversight of internal auditors.
“It creates a potential conflict if the internal auditors report directly to the CFO,” says Dave Richards, president of the Institute of Internal Auditors and a member of the city of Orlando’s audit committee.
Moody’s recommends that the audit chief’s dual reporting relationship include the CEO, rather than the CFO, in order to empower the audit team and make it clear to the rest of the company that senior management considers the audit function a high priority.
This, of course, leaves audit executives still with the tough job of reporting to two bosses, one of whom reports to work only about six times a year during audit-committee meetings. Because of that, the audit-committee chairman should be readily available to the audit head by phone and at informal meetings, says Jim Key, principal partner of consultancy The Shenandoah Group and a member of two audit committees, including that of Coastal Banking Co. in South Carolina. The audit committee should be involved in the chief auditor’s performance evaluations and salary negotiations, he adds. At the same time, auditors’ compensation incentives should not be linked to corporate performance, says Moody’s.
In recent years, as audit committees’ prominence has risen and their importance emphasized by Sarbanes-Oxley regulations, “the heads of internal audit teams feel more accountability to audit committees than they ever have,” says Mark Watson, Moody’s senior vice president of corporate governance, who wrote the report. At the same time, because of Sarbox and pressures from investors wanting sound governance, companies are increasingly adding people to their audit teams, he adds.
The result has been audit-committee meetings that are more frequent, last longer, and are conducted more professionally, Moody’s says. In addition, audit committees have gained more control over relationships with both external and internal auditors.
Audit committees also should strengthen their relationship with executives by having frequent, off-the-record meetings, says the Moody’s report. That way, if a sensitive issue comes up, the executive involved can feel comfortable talking about it in a setting that has already been established.
Key, who once served as IBM’s director of internal audit, also emphasizes the importance of audit committees having routine one-on-one meetings with the CFO and other executives. These informal “executive sessions” give the audit committees an inside look into management’s concerns. “The executive sessions provide nuance that written reports can’t always capture,” says Key. Moody’s recommends that these meetings take place at least every quarter.