Topics: Audit and Risk,Compliance,Corporate Governance,Risk Management
Topics: Audit and Risk,Compliance,Corporate Governance,Risk Management
October 30, 2018
October 30, 2018
Halloween costumes have become much more elaborate since I last personally went trick-or-treating for candy. The thin, molded-plastic Luke Skywalker mask and matching plastic bib that my mother tied in the back has been replaced by Black Panther chest plates and sturdy tiaras hardly different from an actual crown. However, what has not changed with the costumes are the judgments children place on the candy—good or bad, generous or stingy, a rich treat or a “healthy” treat.
Not all neighbors may care what trick-or-treaters think about their offerings, but for those who do, there are only two choices: (1) offer a portfolio of choices and hope one appeals, or (2) ask for feedback and let the visitor know early on what you intend to offer. The upshot is that it is often difficult to understand how others view and receive your intentions. This is an inherent challenge in every two-way interaction. And the interactions between the board’s audit committee and the chief audit executive (CAE) are no exception.
Last year the Institute of Internal Auditors (IIA) surveyed 636 CAEs to learn more about how internal audit views their interactions with the board’s audit committee. At most organizations, reporting on the state of internal controls is at the center of internal audit’s board reporting. Yet, just over half—56 percent of CAEs reporting to fully independent audit committees—strongly agree that, as a result of their discussions, the audit committee has a clear understanding of the strengths and weaknesses of the organization’s internal control and risk-management systems. And at 45 percent, CAEs with some nonindependent audit committee members are a bit worse.
One potential explanation—at least from the CAE perspective—is that audit committees could make their expectations of internal audit clearer. Just 41 percent of CAEs with independent audit committees strongly agree that the audit committee regularly communicates with the CAE about the current performance of the internal audit function and about areas where the committee would like to see improvement in the organization’s internal audit activity as a whole. That figure rises to 50 percent when CAEs are asked if the audit committee sets clear expectations for internal and external audit. Both of the numbers are slightly lower when the board has some nonindependent members.
Further, many CAEs do not see robust continuous improvement activity in the audit committee itself. Thirty-six percent of those reporting to independent audit committees strongly agree that those committees assess the effectiveness of its own role in the oversight of risk management, with an eye to clarifying the scope of its oversight activities.
Taken together, many CAEs perceive that audit committees
Now, it could be that CAEs have a limited perspective. It could be that audit committees are doing these things outside of the gaze of internal audit, leaving the CAE with a mistaken impression. However, that is the best-case scenario. At worst, audit committees are lax in their engagement with internal audit, creating a wrong impression.
Like assessing trick-or-treaters’ judgment of your candy options on Halloween, some audit committee members may not be interested in the opinions of internal audit. However, there is no doubt that many are making judgments.
Those audit committees that are interested in improving their relationship with internal audit might consider taking the following steps:
Although Halloween costumes have become more sophisticated, it’s still hard to tell whether the trick-or-treater would have preferred a full-size Zagnut candy bar to the four Jolly Ranchers you just dropped in their bag. Similarly, it may be difficult for the audit committee to understand whether or not the messages they give to internal audit are received as intended. Simply put, when directors engage with internal audit, they should work to ensure that their messages are properly understood. Nobody intends to give bad candy, but sometimes the neighborhood kids misinterpret your intention.