Stock listing requirements together with the 2002 Sarbanes-Oxley legislation effectively mandate audit committees to provide meaningful oversight of internal audit department (IAD) activities to ensure that corporate risk management processes and systems of internal control are functioning effectively.
However, today’s dynamic business environment with its complex, speedy transactions and global merger and acquisition activity challenges audit committees as they attempt to monitor the effectiveness of their corporate IADs.
How can an audit committee be confident that its IAD is fulfilling its corporate governance responsibilities? What is the IAD doing to make sure the company behaves in an ethical, legal and well-governed manner?
The Internal Audit Department’s Vision Must Span the Enterprise
The first step in any IAD evaluation is defining exactly what an audit committee expects. Historically, most IADs conducted relatively narrow financial, operational, and regulatory audits to determine if select processes functioned according to established policies. These 20th century auditors devoted little attention to operating efficiencies or effectiveness.
In contrast, today’s IADs now examine entity-wide activities critical to a firm’s strategy, seeking ways to mitigate business risk and create value. So, an audit committee must decide exactly how it wants an IAD to operate.
Specifically, the audit committee must determine how the internal audit function will add value to the company. For example, to what extent will it participate in merger/acquisition evaluation and integration, business process improvement and enterprise risk management — in addition to its more traditional compliance duties?
Given recent financial reporting crises and external auditor lapses, does the audit committee require more IAD involvement to ensure that financial reports meet investor expectations of transparency and ethical reporting? If process outsourcing is a key driver of the company’s business model, will the IAD be used to provide oversight of contract compliance?
Then, there is information technology (IT). As the importance of IT to business effectiveness, innovation and competitive advantage grows, so does the IAD’s potential role in evaluating IT risks that impact strategy, process and cost. Does the audit committee recognize that an IT-focused IAD can create value by detecting risks and anomalies that actually improve managerial decision-making?
To summarize, the audit committee must address the following key questions in any IAD evaluation:
- Does the IAD focus on the “right” issues given the company’s current and future strategy? The IAD should help focus a company on the future by highlighting best practices.
- How does the IAD add value? In their role as independent advisors to management, IADs should actively participate in enterprise risk management activities including the creation and monitoring of controls to mitigate potential risks and their related impact.
Internal audit leadership needs big-picture, not big-company, corporate competence
Once an audit committee has evaluated the appropriateness of its IAD’s goals and objectives, it next must determine if competent leadership is in place given the market forces that continually impact this function. Boards can no longer simply staff the chief audit executive position with CPAs who worked in the Big Four audit firms. In fact, they may be exactly the “wrong” choice for this critical position for several reasons.
First, while these Big Four CPAs may be experts in the nuances of today’s global financial reporting, most do not really understand business. Their appreciation of strategy, value chain processes, nonfinancial metrics, and business risk is almost nonexistent.
Without a true appreciation of business, it is unlikely that today’s Big Four CPA can perform business-informed tests and collect business-informed evidence critical to an IAD. Equally troubling is the audit skills of these CPAs may no longer pass muster for what today’s audit committee needs.
How could this happen?
The nature of Big Four auditing has dramatically changed during the past decade, as the large global firms have culled small- and medium-sized businesses from their client lists. This means that Big Four accountants rarely see how all the pieces of a company fit together, and almost always are forced to specialize in narrow industry areas.
Moreover, their limited audit experience gives them a big-company perspective that can limit their vision, analytical abilities and audit technique. As a result, a financial services derivatives expert really may not be the right person to tackle the multitude of pressing issues the audit committee has in mind.
A better leadership choice may be a forensic accountant and auditor with at least a decade’s worth of experience with firms of all sizes, who appreciates the lessons-learned from the audit blunders of the recent past. Forensic accountants possess the skills historically expected from Big Four CPAs: the understanding of business information and financial reporting systems; accounting and auditing standards and procedures; and evidence gathering and investigative techniques.
Today’s dynamic business environment dictates ongoing internal audit evaluation
As the role of internal audit evolves in today’s challenging financial and legal environment, audit committees must continually evaluate their IADs given the critical role they play in corporate governance. Vision and leadership are particularly critical to such a review. Vision ensures that an IAD audits the “right” things, and leadership guarantees execution.
Audit committees must make sure their IADs not only have the appropriate accounting and audit skills, but also understand business strategy, market forces and the value-chain processes so critical to strategy execution, as well as the risks that threaten a firm’s purpose.
About the Author
Anthony H. Catanach Jr., Ph.D., is the first recipient of the Cary M. Maguire Fellowship in Applied Ethics offered through The American College Center for Ethics in Financial Services. He has previously served on the faculties of the University of Virginia and INSEAD. His professional experience includes five years as an audit manager with KPMG and six years in the financial services industry. Dr. Catanach has authored more than 60 articles on a variety of accounting, finance and management issues as well as several business education texts and blogs at “An Accounting Moral Compass.”