How the Audit Committee Should Assess Internal Audit

By Norman Marks, Published on September 17, 2012

Deloitte has provided us with some useful information on this topic in their latest Audit Committee Brief, Harnessing the Full Potential of Internal Audit.

For example, they say:

“In many organizations, audit committees and management have differing expectations of internal audit. An optimized internal audit function can provide a balance between protecting and enhancing enterprise value by taking a holistic approach to risk management across the enterprise and providing independent and objective assurance with value-added advice”.

The paper has some useful questions for the members of the audit committee to ask the chief audit executive (CAE). I would ask these:

  • Is the internal audit function focused on the issues that matter to the organization? Are they aware of the topics of discussion at executive management and board level? Are they looking at those areas? If not, why not? Why are they looking at areas that are not on our agenda? [Note: there may be good reason for internal audit to look at other issues; the key is that they can explain why.]
  • Is internal audit satisfying our need for assurance that the people, organizations, processes, systems, and relationships within and across the extended enterprise are effectively managing the risks of significance to achieving or surpassing our objectives? Do they provide us with a formal opinion on the adequacy of risk management, governance processes, and related controls? If not, why not?
  • How much insight does internal audit provide us? How valuable is it to us? Does it help us govern the organization?
  • How valuable is internal audit to management? How often are their insight, assurance, and recommendations sought out by executive management?
  • Are we assured that we are hearing the complete, unvarnished truth from internal audit – unaffected by management influence?
  • Does internal audit have the professional, competent, and objective resources and organizational stature to be effective?
  • Do we have sufficient influence in the selection, assessment, compensation, and career of the CAE? Or, are we dependent on the CFO or other management to provide us with carefully chosen candidates to hire; do we decide how the CAE should be compensated or simply apply the stamp of approval to the CFO’s decision? Is the CAE overly influenced by the potential for a career move into management?
  • Is the CAE proactive in suggesting changes to the role of internal audit, or is he passive and reactive to our expectations?
  • Is the CAE a change agent, bringing ideas to management and the board to improve corporate effectiveness, for example by improving risk management programs or the use of radical technology?
  • Does the CAE demonstrate appropriate courage and perseverance when confronted with challenges with management? Does the CAE navigate those challenges with tact and diplomacy, achieving results without unnecessarily alienating management?
  • How does the CAE know whether internal audit provides the value to the organization it is capable of and should provide? Is he satisfied, and why?

I welcome your comments on the above. Do you like them? How would you change them?