The audit committee typically has oversight responsibility for the internal audit function and, conversely, relies on internal audit to aid the committee in fulfilling its responsibilities. In Getting the most out of internal audit: How can the audit committee help maximize the value of internal audit?, PwC’s Governance Insights Center (PGI Center) outlines how audit committees can help ensure that internal audit is effective and provides maximum benefit to the committee. The PGI Center’s theme is that the audit committee and the internal audit function both benefit from a mutually supportive relationship.
To foster that type of relationship, the PGI Center recommends that the audit committee focus on five issues:
Empowering the Chief Audit Executive and the internal audit team. Communications between the chief audit executive (CAE) and the audit committee are important in building audit committee support for internal audit’s priorities and findings. The report cites these leading practices:
Ensure that the CAE is a regular attendee at all audit committee meetings.
Hold a private session with the CAE as part of the regular audit committee meeting schedule.
Have regular one-on-one meetings between the audit committee chair and the CAE between audit committee meetings.
Ensure that reporting lines for internal audit, the audit committee, and senior management promote objectivity and the success of the function.
Support having the CAE be part of the appropriate management leadership committees.
Hold management accountable for implementing internal audit recommendations according to the agreed-upon timetable.
Periodically have the audit committee chair attend an internal audit team meeting to reinforce the importance of the team.
Having a team with the right structure and skills. The audit committee should understand the staffing levels and skills mix of the internal audit function. To meet the need for IT sophistication, companies should consider training existing staff, new hiring profiles, and outsourcing. The audit committees should ask the following questions:
Are resources competent, qualified, objective, and are they able to perform the work effectively?
How are skills in the group assessed and gaps identified and resolved?
How is internal audit using technology to make the audit more efficient and to capture and share broader insights on the company’s risks and activities?
What percentage of the group is credentialed (e.g., Certified Internal Auditor, Certified Information Systems Auditor, Certified Public Accountant)?
In addition, audit committees should understand internal audit’s budget and to be alert for situations in which “spending pressures may prevent the group from meeting its key objectives.”
Defining and monitoring internal audit’s mission. The audit committee should promote agreement across the enterprise about internal audit’s priorities and scope of responsibility. “[I]t is important for the audit committee to help the team define its mission, considering what it can and should be able to accomplish given staffing and budgetary concerns, and maintain its objectivity.” The PGI Center also points out that, in many cases, internal audit’s role is evolving beyond the traditional focus of controls and financial reporting to encompass more forward-looking issues. Examples of these non-traditional areas include:
Assessing culture.
Assessing non-GAAP, environmental, social and governance (ESG) matters, or other metric disclosure controls.
Review of specified cyber areas (e.g., benchmarking processes, cyber crisis plan).
Review of controls involved in system implementations.
Review of data governance programs and procedures against recognized frameworks and regulations.
Review of the company’s third-party risk management processes and procedures.
Review of employee health and safety programs.
Holding management accountable for responding to findings and implementing recommendations. The CAE should provide the audit committee with summaries of its reports, including the scope of the audit, the findings by risk level, and whether the findings have been resolved. Unresolved findings should be of concern to the committee. “An effective way for audit committees to support the resolution of internal audit findings is to request that members of management with significant findings or findings that have not been resolved in a reasonable period of time to personally attend audit committee meetings and explain any root causes of the findings and commit to a plan of resolution.” The audit committee should also ask internal audit to report any trends or themes it sees as a result of its work.
Assessing performance. The audit committee should periodically assess the performance of the internal audit function and of the CAE. As part of its assessment process, the committee may want to consult with the external auditors, management, and third parties that interact with internal audit. The report includes a series of questions that the audit committee could ask in assessing both the internal audit function as a whole and the CAE.
Appendices to the PGI Center report include examples of an executive summary of an internal audit reporting package and of internal audit quarterly dashboards.
Comment: As the PGI Center report emphasizes, the relationship between the audit committee and internal audit is a two-way street. The audit committee is key to ensuring that internal audit performs effectively and is respected within the company. At the same time, internal audit can be an important tool for the audit committee in discharging its responsibilities, particularly in the area of risk oversight. As the report states, “Internal audit (IA) can be viewed by committee members as an objective insider—one that can serve as their eyes and ears. Maximizing the value proposition of the internal audit group is an effective way to help audit committees address their risk oversight responsibilities.” The PGI Center’s suggestions are a useful blueprint for strengthening the audit committee/internal audit relationship.