GUEST BLOG POST
Internal audit plays a unique role in the modern organization. While its leader, the chief audit executive, is usually part of the executive team, it is also expected to play an oversight role in assuring that functions and processes are performing as they should. That oversight role could involve scrutiny of those fellow executives or the departments they run. This complicated set of responsibilities has always raised questions about where internal audit should sit in the organization and to whom the CAE should report.
Internal audit has its roots in the accounting and finance functions, so it’s natural that many internal audit leaders report administratively to the Chief Financial Officer. Additionally, many companies have addressed that oversight role described above by also requiring the CAE to report functionally to its board of directors, usually through the audit committee. It is through that functional reporting relationship that internal audit gains its independence and stature. But, as we are now nearly halfway through the 2020s, is reporting administratively to the CFO still the right “dotted line” reporting relationship? Should the CAE report to the CEO? Someone else? Does it even matter whom the CAE reports to administratively?
According to the Institute of Internal Auditors’ 2024 North American Pulse of Internal Audit report, 41 percent of CAEs across all sectors report administratively to the CFO and 37 percent report to the CEO. (Reporting to the CEO was more common in Financial Services and Public Sector organizations than in any other type of organization.)
Surveys by Big Four firms and others have borne out year after year that the most common administrative reporting relationship for CAEs has been to the organization’s CFO. Yet, with calls from several global internal audit experts pressing the case for the elevation of that administrative reporting relationship to the CEO, a slow shift from CFO to CEO as the CAE’s boss is underway. Also, there is always a smattering of administrative reporting relationships to other departments or executives, including the general counsel or chief legal officer, the chief risk officer, or the chief administrative officer.
So what do the IIA’s new Global Internal Audit Standards, which take effect in January, have to say on the matter? While there is an espoused preference, there is no definitive requirement for the CAE to report to a specific title. The document simply states that the reporting relationship be to “the chief executive officer or equivalent, although reporting to another senior officer may achieve the same objective …” (Standard 7.1 – Organizational Independence, Considerations for Implementation.)
What My Experience Tells Me
In my career, I have been the CAE or CAE equivalent at three different organizations, all in the financial services sector. Depending on the organization, I have reported administratively to either the CFO or to the CEO at different times. Upon reflection, in each organization I was in, it was always the right governance call for that particular situation.
So, that has left me to conclude that there is no ideal answer. The best administrative reporting relationship, be it to the CFO, CEO, or someone else, depends on the particular circumstances and context of the situation. It could be more a function of who is in these roles (CAE, CFO, and CEO), what their priorities are, how mature the internal audit department is, where the CAE will get the best day-to-day support, or several other factors. That’s the practical argument.
On the theoretical side, however, if the goal is to give the CAE the highest level of visibility, to minimize potential conflicts, and to enhance objectivity, then reporting to the CEO is clearly the best answer. But what makes the most sense theoretically may not be the best practical answer in many organizations. Depending on the priorities of the CEO and the needs of the CAE, the CEO may not be the right choice to oversee the CAE administratively in certain organizations.
As for other reporting relationships—where the CAE reports to the CRO, general counsel, COO, or other executive—I don’t think it’s a good idea. While each of these structures may make sense in some organizations, in general I am not in favor of these reporting lines, for reasons I will explain shortly.
Mutual Respect
For an administrative reporting relationship to work well, regardless of who’s the boss, both the CAE and the senior executive need to understand each other’s roles in relation to the other. A CAE should not be overly “needy,” requiring too much of that boss’s time. A CAE should add value to the boss’s job duties, and a CAE should get along well with that boss’s other direct reports. The administrative boss, in turn, needs to appreciate and respect the CAE’s functional reporting relationship to the board and audit committee, be a source of confidential strategic and organizational insight for the CAE, and demonstrate respect for the role of internal audit in how they support and promote the function through both words and deeds.
Let’s look at some of the pros and cons of the four most common CAE administrative reporting relationships, starting with the best theoretical choice.
Reporting to the CEO
Reporting administratively to the CEO has its advantages, which is why some internal audit experts preach it as the ideal. For example, a reporting line to the CEO will minimize the risk that the CAE will be overseeing several audits each year in a functional area that their boss is directly accountable for, such as finance or legal. This helps with the appearance of independence and minimizes the chance of undue influence, such as meddling in the scope, timing, or coverage of an audit. Reporting to the CEO sends a signal to the entire organization that internal audit is a highly important function and may enhance access to key information flows. With this structure, the hope is that fellow senior executives will view the CAE as a peer alongside the rest of the C-suite in all applicable meetings and interactions.
The downside of reporting to the CEO, though, is that the chief executive may not have the time to truly nourish the relationship. He or she may have other pressures, priorities, or fires to put out, leaving the CAE to figure things out for themselves more often than they may like. The CEO may also not have the time needed to coach the CAE as an emerging executive. Further, the CAE may risk the ability to have candid information exchanges with other C-suite executives given their fear that the CAE may not keep confidential conversations confidential when they meet alone with the CEO.
Reporting to the CFO
Historically, the administrative reporting relationship of the CAE to the CFO is the most common and is consistent with internal audit’s roots being in the more generalized accounting profession. While not as large a percentage as in the past, a lot of internal audit work either is directly in areas of a CFO’s purview or tangential to it. While the CFO should never exert undue influence on what internal audit does and what it prioritizes, there is certainly a benefit that can be derived from a close, collaborative relationship between the CFO and the CAE. Many CEOs tend to prefer this administrative reporting relationship between CFO and CAE, given that the external audit relationship and the audit committee facilitation typically fall within a CFO’s oversight.
The downside of reporting to the CFO comes into play when the CFO begins to blur the administrative reporting line and begins to directly, or indirectly, influence what internal audit does, what it prioritizes, and how information flows. The influence might not be overt, although it can be, and might be more subtle in the way the CFO interacts with the CAE, what information the CFO shares and doesn’t share, and what the CFO wants to know first before anyone else is told. The CFO may also want to function as a filter between the CAE and the audit committee in a way that can be overly intrusive, especially if something may put any activities under the CFO’s purview in a less than favorable light.
Reporting to the CRO
The Chief Risk Officer title is not a new one, but it is not a role with decades of tenure either. Banks and other financial services firms more typically have CRO positions as compared to other industry sectors. Given that internal audit deals in risk and risk assessments, it is logical that if the CAE is not a direct administrative report to an organization’s CEO, then perhaps reporting to the CRO might make sense. When the CRO brings together several second-line (in the three lines model) functions under one executive, having the third-line leader, the CAE, among that group can bring some constructive collaboration to the group.
The downside most often surfaces when the CRO has a view of organizational risks that is materially different from the CAE’s. In such situations, the CRO may want to exert influence on the CAE to conform to their view of risk and risk assessment. Some CROs also, either by choice or by organizational mandate, expand beyond facilitating risk management activities to managing risk directly, as opposed to operating managers, and view internal audit resources as available for meeting their needs rather than leaving them to conduct their independent duties.
Reporting to the General Counsel or Chief Legal Officer
There is some logic in having the CAE report, administratively, to the GC or CLO, especially when the internal audit group performs, or is viewed as primarily doing, a lot of compliance work. In some organizations, the legal function oversees Compliance and compliance matters, so, by extension, including internal audit can bring some constructive collaboration.
The problems with this reporting relationship can arise when there is a difference of opinion on how matters should be managed and escalated. The general counsel and the CAE have dissimilar roles when it comes to “protecting” the organization, and different mindsets. While the CAE will want to be sure matters are elevated and addressed, and the board advised accordingly, the general counsel will want to take steps to protect the organization, its leaders, and its board from legal exposure, which may mean controlling information, not necessarily sharing it. Neither is wrong; both are “just doing their jobs.” But this can be a source of conflict when serious organizational matters arise.
Bringing It All Together
We internal auditors like things to be black and white. In that world of limited ambiguity, we want to report functionally to the board or audit committee and administratively to the highest level in the organization possible, typically the CEO. If we were to draw up the hypothetical reporting relationship that would be ideal, that would be it. But life isn’t that easy, and what’s best theoretically might not be what makes the most sense practically.
In the messy world of business, people fulfill these roles. And, focusing on the administrative reporting relationship, in some organizations the person filling the CAE role and the person filling the CEO role might result in a CAE-to-CEO administrative reporting relationship being absolutely the wrong situation. Oil and water, perhaps, as an analogy.
In the end, it is a combination of the organization’s culture, its internal politics, and the people filling the roles that matters. A great, synergistic relationship of mutual respect and clear role delineation can and does result in CAE administrative reporting relationships to a CFO, a CRO, a CLO, a GC, or any other C-suite executive that might be best.
So, if it works in your organization, whoever the CAE reports to, then enjoy the stars aligning, and worry about other things. And, if it isn’t working well now, the people fulfilling roles eventually do change, and things usually work out if you are patient enough.
Hal Garyn is Contributing Editor at Internal Audit 360°, and Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.