When (and Why) the CAE Reporting Structure Breaks Down

Broken Reporting structure

GUEST BLOG POST
At well-governed public companies, the decision to remove a chief audit executive (CAE) is ideally made by the audit committee of the board of directors, especially if the removal is “for cause” or performance. In the real world, though, that’s rarely the case. In practice, CAEs are often removed unilaterally by management without audit committee involvement. The audit committee members often become involved only after the fact.

To provide independence, internal audit standards recommend a CAE reporting structure where the internal audit head reports functionally to the board’s audit committee and administratively to the CEO, CFO, or other management executive. Many ask, if that’s that case, why isn’t the audit committee involved upfront in the important decision of whether or not to remove the CAE?

In my experience the following factors contribute to the degradation of the construct:

Management Often Dominates the CAE Relationship

First, many companies do not follow the recommended reporting structure and have the CAE reporting functionally, as well as administratively, to management.

Second, even when the CAE does functionally report to the audit committee, the reporting often lacks authenticity. This could be because the audit committee desires not to be “hands-on” with internal audit. It can also happen when the audit committee lacks the requisite expertise to functionally manage internal audit, or delegates the responsibility to management because it lacks the time or desire to fulfill this responsibility. There are also instances where aggressive senior management (CEO, CFO, general counsel or other management executives) deliberately circumvent the construct, dominate the relationship, and assert control over the CAE.

Third, even when the CAE reports to the audit committee functionally, conflicts can still arise since management manages the CAE administratively, often making decisions about financial resources, staffing decisions, investment decisions, and day-to-day duties. Therefore, management can still dominate the relationship.

Lastly, despite the common rhetoric about how public companies embrace internal audit and compliance, the reality is that many simply do not. Many consider them to be non-value-add functions and a financially burdensome “cost center.” This is not surprising. In tough and highly competitive economic conditions, only value-generating functions are sought and nurtured, particularly at short-sighted organizations.

Does Internal Audit Really Add Value?

Sure, most of the internal audit literature—articles, position papers, press releases, and social media posts from internal audit influencers claim that it creates lots of corporate value and enjoys corporate gravitas, but the reality, at least in my opinion, is that we have not really seen a lot of evidence of internal audit generating value.

When major corporate failures and frauds occur, one often wonders where was internal audit? Bank failures, Theranos, and Wirecard are all recent examples of corporate failures where internal audit missed the boat. In my view, WorldCom’s Cynthia Cooper is the only exception. I can’t think of any other instance where internal audit was at the forefront of uncovering a large-scale fraud.

Sure, there are those who would argue that behind the corporate scenes internal audit does so much great work and adds so much value! That is true, but it’s not enough to convince senior management to invest in internal audit and view it as a true partner in value creation.

Elevating Internal Audit

As I write this, the Institute of Internal Auditors continues to issue standards and white papers that are helping guide the internal audit profession. I wish the IIA would spend as much of its energy working closely with the accounting firms and regulators to elevate the profession; make it a true partner in the annual corporate audit process; help increase awareness of the issues internal auditors and CAEs face; advocate for the exchanges to enact requirements and standards relating to internal audit reporting lines; advocate for more protections for CAEs; and other more useful initiatives.

I also wish that internal audit social media influencers (many of which have never held an internal audit leadership position) would help a little more too. Instead of pushing unrealistic views about internal audit, let’s call things as they are. Let’s bring internal audit issues to the fore, such as: What constructs are needed to provide true internal audit independence; how can we set standards related to the size of internal audit for public companies; how can we make the best use of technology; how to maintain balanced assurance and internal audit consulting, and many other issues.

I am sure that this opinion piece may not be received well by many, but I remain a true believer in the profession. It is a good and rewarding profession. It can grow to become an equal partner to management and add immense value, not just aspirationally, but in reality.   Internal audit end slug

(Author’s Note: This article was inspired by an article published by Richard Chambers on Audit Beacon, “Where is the Audit Committee when the Head of Internal Audit Is Being Fired?” I agreed with that thought-provoking piece and wanted to add my take on this complex topic. Also, the opinions expressed here are mine and do not necessarily reflect those of Internal Audit 360 or any other entity.)


Chris Dogas, CPA, CFE, CRMA is the founder of AS GRC Consultants LLP, which provides corporate governance services. Contact him at chrisdogas@asmgtc.com.

12 Replies to “When (and Why) the CAE Reporting Structure Breaks Down”

  1. Your submission is on point! The Management dominance on CAE still remain a serious issue if Internal Audit Independence is truly expected. In practice, independence is more pronounced in the charters rather than in the function . In most cases that I’ve seen, the committee members are in alignment with the CEO due to the perks of their office thereby failing to protect the interest of the CAE. Come to think of it, it is the case of ‘he who pays the piper dictates the tune’! I agree that the Institute needs to have a shift in her approach to support the CAE .

    1. Could not agree more. Internal Audit has become writers of our own press releases, and we confuse absolute adherence to IIA standards set-on-high with actually adding value to the businesses we are supposed to partner with.

  2. Thank you for your sharing your thoughts on this! I think you’re highlighting a common issue with IA and its place in the organisation, to which I do agree. To fix this, I would argue re-arranging the reporting lines will only be of use if you have the right level of audit committee engagement (and quality) and culture around governance in general. I therefore don’t believe in more regulation and standards. In my view, the more you position IA as an independent – rather external – body, the more likely it will be regarded as a threat affecting the sought-after partnership with management and a compliance ‘thing’.. That will not help the CAE’s effectiveness.

  3. While things are not ideal in certain organizations, things are not as bleak as you make them out to be with the vast majority of CAEs I interact with. I could pick at a number of things, but in the spirit of brevity, you can add value without generating value. If you read the new Purpose Statement in the Standards, which is just an enhance version of the Mission that existed since 2007, it states, “Internal auditing strengthens the organization’s ability to create, protect, and sustain value …” So, doing that alone is value added to what would exist without internal audit, even though many functions add value beyond that “purpose.”

  4. This is a good article. As you’ve succinctly put it, in reality, management doesn’t seem to care much about Internal Audit; they can’t even grasp what we do or how we add value.

    1. Omotolani, I think in most cases management cares about IA. The idea is to enhance governance and provide some safety to the CAE and the IA team that has a difficult job to do, balancing providing adequate assurance and adding value.

  5. IA is what? INTERNAL auditor, it’s part of the company so technically it’s always part of the management of the company. The reality is IA is never independent. It’s just a separate group from operation and finance/accounting and a different communication channel. I always ask people who say IA is independent a question: Where would IA go if the company goes down? The answer is: IA lose their jobs when the company goes down. On the other side, external auditor won’t lose their jobs if one of their clients goes down. So how independent can IA be?
    Functional reporting line is always overwritten by administrative report. That’s why it’s called administratively in the first place.

    1. Wayne, you are right! IA is a company organization, BUT its remit IS to provide assurance to the BOD and senior leadership – ultimately benefiting all the shareholders and stakeholders! If the CAE (and the IA function in general) is not independent, it will not be able to provide assurance.

      If you happened to read the 2024 ACFE Report to the Nations, which reports that fraud losses for schemes committed by owners and executives are seven times more expensive than those committed by lower-level employees. So, independence is important and can be maintained if the company has good governance.

Leave a Reply

Your email address will not be published. Required fields are marked *