Should Internal Audit Report to the CFO?

Moody's recommends that the chief internal auditor report to the CEO and the audit committee, not the CFO.

Although Coastal Banking has these meetings, conducted around the same time as the regular audit-committee meetings, many companies do not, says Watson, because of scheduling conflicts, among other reasons.

The following are some additional highlights from Moody’s best practices for audit committees, based on interviews with more than 400 audit-committee chairmen of large U.S. and Canadian companies, along with internal audit professionals.

The auditing strategy should be timely and comprehensive, covering all auditable units. Moody’s agrees with companies that categorize their auditable areas by level of risk (such as high, medium, low) to decide how often to conduct an audit (high-risk areas should be audited at least annually). At the same time, companies need to audit their low-risk areas at least once within a four-year period, Moody’s recommends, to avoid any problems. For example, many companies figured their process of administering stock-options grants was a low-risk area, although it turned out not to be: in the past year, questionable grant dates of stock options have resulted in financial restatements and dozens of investigations by the Securities and Exchange Commission.

The audit plan should be holistic and risk-based. The audit team needs to go beyond focusing solely on financial reporting risks, the main concern of external auditors, Moody’s says. Audit committees should evaluate current and prospective risks, including reputational, operational, financial, legal, IT, and compliance risks. From executives, audit committees need an inventory of all risks, Key says, as they need to consider the risk areas no one is considering, such as how a health pandemic would affect a company.

Audit committees should make sure audit reports are followed up on effectively and in a timely way. Moody’s recommends that executives’ pay be docked if they take too long to respond to an audit evaluation that is critical of their department.

Companies should keep their internal audit function in-house. While acknowledging that using third-party audit professionals can have its benefits, such as ensuring the auditors’ independence within the organization, Moody’s believes doing so brings up too many corporate-governance issues: outsourced auditors do not have enough access to the audit committee, they have less stature within the company to do their job effectively, and their work may be cut back because of budget constraints since they are paid on an hourly basis, Moody’s says.

In addition, outsourced auditors will likely miss connecting the dots between the many issues and risks that can pop up at a company, according to Richards. Internal auditors who actually work inside the company day-to-day are more aware of the inner workings and see the interrelationships between processes and departments, thereby strengthening an organization’s risk-management strategy, he says.

Audit committees should agree on the audit function’s role with regard to Sarbanes-Oxley’s Section 404. Audit teams, warns Moody’s, should not be so entrenched in 404 that they are not concentrating on their traditional duties, and they should not play a role in designing controls or becoming part of the control process.

