Let me start by saying, this is a touchy subject.
While there is very little debate that the head of internal audit, usually the chief audit executive (CAE), should report functionally to the board (usually the audit committee of the board), there are some strong opinions on where it should report for administrative purposes.
This is what the Institute of Internal Auditors’ Professional Standards have to say (with my emphasis): “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.”
The Standards go on to say: “Organizational independence is effectively achieved when the chief audit executive reports functionally to the board.” Examples of functional reporting to the board involve the board:
- Approving the internal audit charter.
- Approving the risk-based internal audit plan.
- Approving the internal audit budget and resource plan.
- Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
- Approving decisions regarding the appointment and removal of the chief audit executive.
- Approving the remuneration of the chief audit executive.
- Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.
The IIA Standards also raise the idea of interference: “The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.”
The IIA Standards, however, do not discuss what is included in administrative reporting. This is what I believe is included: 1) Reviewing and approving the expenses of the CAE, and 2) Performing other administrative functions that may be required by organizational policy. These vary from organization to organization but may include the approval of purchase orders that exceed the CAE’s authority level, approval of travel, and so on.
It is customary for the CAE to be able to attend the meetings of the executive’s direct reports. It is also customary, but not always a given, that the executive will be a supporter and champion of internal audit. The CAE’s cost center may or may not roll up to that of the executive.
Still, somebody has to perform these administrative functions, and it is unrealistic (with rare exceptions) to expect the chair of the audit committee to do them. So, the debate is whether the CAE should report administratively to the CEO, the CFO, or another senior executive.
While it is possible for the CAE to report for administrative purposes at a lower level, for example to the corporate controller, this will generally create a perception that the CAE is middle management at best, rather than the senior executive he or she really is (or should be).
The Case for Reporting to the CEO
Some years ago, the IIA stated its preference that the administrative reporting should be to the CEO. Richard Chambers, former CEO of the IIA, repeated his strong preference for that reporting structure in a recent post, New Surveys Raise Alarm Bells for Internal Audit. In the article, Chambers cites what he calls a “jaw-dropping” statistic in the IIA’s recent 2022 North American Pulse of Internal Audit report: 76 percent of CAEs at publicly traded companies say they work administratively for the CFO.
“I have never been shy about sharing my views on this reporting relationship. While many CFOs fully respect the need for internal audit to remain independent, and for internal auditors to be objective, the optics indicate that CFOs who ‘own’ internal audit are more likely to use the function to focus on their own priorities,” Chambers writes. “Even more alarming is that only 4 percent of respondents say they are concerned about reporting lines. That is, by and large, a uniquely American problem, and fortunately it isn’t widespread in either the public or not-for-profit sectors [outside the United States]. But the number of internal audit functions reporting to the CEO in publicly traded companies appears to be retreating. That is not a good development.”
The Case for Reporting to the CFO
He has strong views on this and so do I. It could be that his many years as CAE in government service influenced his position. My many years as CAE in U.S. and global corporations led me to a totally different position.
First, administrative reporting does not confer, in any way, “ownership” of internal audit.
Second, I have seen CAEs who report administratively to the CEO forced to work on special projects for the CEO, even to the point of being sent to fire non-performing executives! In other words, the CEO thought he or she owned internal audit.
Third, the CEO is a busy individual and asking him or her to spend their valuable time on administrative duties like approving expense reports is absurd. In practice, the CEO will delegate those responsibilities to the CFO (at best) or an assistant (at worst, but more likely).
Fourth, you can report to the CFO and have free access to the CEO.
Fifth and extremely important, you are far more likely to be included in the CFO’s executive staff meetings than the CEO’s, even if you report administratively to the CEO. In fact, reporting to the CEO may make it harder to attend the CFO’s meetings. These meetings are very valuable sources of information about the strategies and activities of the organization.
Finally, the fact that 96 percent of CAEs are content with their administrative reporting should tell us something. These are smart people, and their opinion should be respected as being based on reality. Reporting to the CFO satisfies the intent of Standard 1110: “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.”
How About Elsewhere?
Should the CAE report administratively to another senior executive? This will depend on the organization and on the individual executive. I can see a case being made for reporting to one of these titles:
- Chief Administrative Officer
- Chief Operating Officer
- General Counsel
In some cases, the CAE may report to the chief risk officer. I am, however, not a fan of the CAE reporting to a specialist CRO with whom there may be conflicts over the assessment of control deficiencies and the risk they represent.
Whoever the CAE reports to administratively must respect the fact that the reporting is purely administrative, they do not own internal audit, and their role is limited. But how does the CAE make this happen? Actually, this point is addressed by the IIA Professional Practice Standards in Standard 1000: Purpose, Authority, and Responsibility.
The Importance of the Internal Audit Charter
Here is what the standard says: “The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.”
“Interpretation: The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.”
The value of the internal audit charter is not that the CAE can brandish his or her authority when management doesn’t allow internal audit necessary access to information and similar scenarios. The value is that it is discussed and reviewed by the board or its audit committee. That activity instructs whoever is administratively supporting the CAE where the boundaries of their role lie.
It is those boundaries that are most important, and what can make a difficult subject a little less touchy.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
As usual – Norman makes eloquent arguments in support of his position. That doesn’t mean I agree with them. As he correctly pointed out, I spent many years in public service where the audit standards are much more prescriptive in prohibition of internal audit reporting to the CFO. What he didn’t mention is that I subsequently spent several years as the national internal audit advisory practice leader of a U.S. Big 4 firm. I looked under the hood of countless Fortune 500 internal audit departments. Most reported to the CFO, and I was more convinced than ever that such reporting relationships are suboptimal. Internal audit will never achieve its potential in terms of stature if it remains buried under and beholden to the CFO.
I have been a CAE for 30+ years — in small, 5 person shops to my current 100 person team. I have always reported functionally to the Audit Committee and administratively to the CFO. Never have I had a CFO try to control, direct, or limit my work, even when I have had to investigate fraud by a direct report of a former CFO. A key aspect is how the CAE and CFO relationship is built; the trust the two have for one another; and the attitude of the CAE in demonstrating leadership, business acumen, independence, objectivity, fairness, empathy, and so on. A one dimensional CAE will have a one dimensional relationship with the CFO. It takes work.
Internal audit plays a vital role in the day-to-day operations and functioning of the company. The primary reporting line for the chief internal auditor should be to the chair of the audit committee, and if there is to be a secondary executive reporting line, this should be to the CEO/MD.