Relationship of Trust: The Audit Committee and Internal Audit

The Institute of Internal Auditors (IIA) published a position paper on September 19, 2019 about the importance of Relationships of Trust - Building Better Connections Between the Audit Committee and Internal Audit.

The position paper highlights the critical relationship between internal audit and the audit committee. A strong supportive relationship between these groups creates and enhances the independence and objectivity necessary for an effective internal audit function. To create such a relationship, it is imperative for internal audit and the audit committee to have a clear understanding of their roles, reporting responsibilities, and expectations.

What the Audit Committee Should Expect from Internal Audit

The audit committee should establish certain expectations for the internal audit function. At the minimum, these expectations should include:

• The internal audit function adheres to IIA Standards
• The internal audit staff obtain and maintain relevant professional certifications demonstrating professional acumen, knowledge, and competence
• The Chief Audit Executive’s (CAE) should:
  • Confirm that management’s actions/behaviors conform to its words. The CAE should ensure the internal audit function is an independent and reliable source for management representations and reports provided to the audit committee.
  • Define what support the audit committee can provide to the internal audit team to help them be more effective

The audit committee should set greater expectations for mature internal audit functions. These advanced expectations should include:

• Development of a formal “Internal Audit Strategic Plan” that sets the overall long-term vision and direction for the internal audit function
• Regular updates from internal audit about progress against the plan and any changes/ deviations from the plan
• Obtain feedback from management about the internal audit findings and CAE engagement
• An effective relationship between internal and external audit with evidence of synergistic benefits occurring
• A balance of traditional audit coverage and strategic objective reviews including new or emerging risk coverage
• The CAE compile periodic 360-degree feedback reports from his/her direct reports and from management and submit a comprehensive report to the audit committee

The audit committee should also expect the CAE, as the leader of the internal audit function, to be engaged in strategy and operations discussions at C-Level executive management meetings.

What Internal Audit Should Expect From the Audit Committee

Similarly, internal audit should be clear in their expectations from the audit committee in terms of support and direction. It is especially crucial for internal audit to know they have the audit committee’s solid support if any concerns over management retaliation or the CAE’s efforts to gain a seat at the management table arise.

The internal audit function should establish certain expectations for the audit committee. At the minimum, these expectations should include:

• The audit committee will be attentive to the needs of the internal audit function and provide guidance through the year (not just during quarterly audit committee meetings)
• A quarterly briefing session consisting of, at minimum, a 30-minute phone call between the internal audit function and the audit committee chair to discuss relevant items such as:
  • staff turnover
  • upcoming complex audits requiring co-sourcing support
  • new or upcoming regulations affecting the profession
  • feedback from the chair about what they hear from management or within the committee
  • emerging activities in the company that may impact the annual audit plan and audit coverage

Enhanced audit committee support should include meeting with the CAE and internal audit’s senior leaders on a regular basis to discuss:

• Audit strategy and methodology
• Internal audit’s use of data analytics
• Risks affecting organizational success
• Engagement in investigations of ethics and compliance matters
• Feedback from the audit committee about their views of risk
• Scope limitations and challenges from senior management

Conclusion

The relationship between the audit committee and the internal audit function is critical to establish and maintain good corporate governance. An open relationship helps build an effective and efficient internal audit activity that provides assurance to the audit committee and the Board of Directors about the organization’s risk management framework and internal controls and can help the organization reach its strategic goals and objectives. The commitment of both parties is essential to develop that relationship into a trusting and dynamic partnership.

Additional Resources

• 7 Vital Components of an Internal Audit Charter
• IIA Releases an Exposure Draft To Revise Their Three Lines of Defense Model