A Strategic Player

Hiring and inspiring a chief audit executive.
BY LARRY E. RITTENBERG AND RICHARD J. ANDERSON

EXECUTIVE SUMMARY
Many companies are raising the expectations for their chief audit executives (CAEs) to include operating at more strategic levels of risk management and corporate governance. Successful CAEs must partner effectively with the audit committee and other members of the senior management team to achieve their objectives.

To be effective, CAEs need to demonstrate a solid understanding of the company’s business, core strategies, risk appetite and risk tolerance. CAEs must be willing to raise difficult issues with senior management and the audit committee—even if such actions prove unpopular.

The CAE should maintain an ongoing dialogue with the audit committee. This will build a relationship and help the committee stay on top of significant risk and control issues.

One of the chief attributes of an effective CAE is the ability to attract and develop talent and build a high-quality staff. In many organizations internal audit is a source of management talent for other departments.

Larry E. Rittenberg, CPA, PhD, CIA, is chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Ernst & Young Professor of Accounting & Information Systems at the University of Wisconsin at Madison. His e-mail address is lrittenberg@bus.wisc.edu. Richard J. Anderson, CPA, is a partner, internal audit advisory services, PricewaterhouseCoopers LLP in Chicago. His e-mail address is dick.anderson@us.pwc.com.

Internal audit traditionally has been a behind-the-scenes player, helping audit committees perform their duties and serving as a management watchdog. But today it plays a vital role in efforts to improve corporate governance and internal controls. To fulfill this role, the chief audit executive (CAE) needs to provide assertive leadership that strengthens the organization’s commitment to tough internal controls. CAEs must partner with senior management and the audit committee to help them fulfill their broad responsibilities for effective governance, risk management and control. This article offers a broad view of the skills and qualifications CAEs need and information that management and audit committees will find useful when filling this critical position.

Audit committees, whose governance responsibilities have expanded significantly since the Sarbanes-Oxley Act, are turning to internal audit for strategic and tactical support. The same is true for senior management. PCAOB Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, has sharpened the focus on the internal audit function and its ability to help senior management, audit committees and external auditors achieve their reporting objectives. At the same time, internal audit cannot sacrifice its long-standing role in promoting risk management and using operational audits to improve organizational efficiency.

CAE Technical Qualifications
In addition to executive-level interpersonal skills and solid business judgment, most companies are looking for these qualifications in a CAE candidate:

At least 10 years of relevant management experience with an accounting firm and/or a similarly sized company.

CPA and/or CIA designation.

Strong technical accounting and auditing skills.

Internal audit expertise.

Knowledge of Sarbanes-Oxley and PCAOB, FASB and SEC pronouncements.

Deep understanding of the industry and related business risks.

Track record of leadership and ability to stand behind tough decisions.

THE IDEAL CANDIDATE
When hiring a CAE, companies should look for someone who combines strong management and leadership skills with solid technical expertise. This ideal candidate is more than just a technical auditor. When looking for a new audit chief—or evaluating the performance of an existing one—the audit committee and senior management should focus on three critical qualifications:

The candidate’s ability to earn the respect of the audit committee and senior management. Because internal auditors must be comfortable operating at a strategic level, a CAE must be perceived as a trusted adviser to both the audit committee and senior management. However, because internal control goes beyond financial reporting, operational managers need to accept internal audit as leaders in addressing risk and governance in a way that goes beyond mere policing and testing of internal controls. Sample questions to ask a candidate: In what kind of situations have you advised management or the audit committee on a strategic issue? How would you reconcile the sometimes divergent roles of auditor and adviser? What activities would you initiate to position yourself as an adviser to the audit committee?

The range of skills, including personal independence and objectivity. An effective CAE needs to demonstrate a solid understanding of the company’s business, core strategies, risk appetite and risk tolerances. He or she must be able to exercise sound business judgment and partner effectively with senior management while at the same time remaining both independent and objective. The need for independence and objectivity is fundamental. CAEs must be willing to raise difficult issues with both senior management and the audit committee, even if that proves unpopular. To gain management respect, CAEs must make tough calls and stand by them. However, CAEs who describe all issues as significant will quickly lose support.

While auditing often is correctly viewed as a technical function, the softer audit skills are equally critical. Interpersonal skills are particularly important in building effective working relationships with management and the audit committee. CAEs must be able to think strategically about the internal audit function, its mission and its strategic resources, including attracting highly qualified staff. CAEs must have a vision for the internal audit function that accepts change as part of an ongoing process throughout the organization. Staffing must mirror the critical issues the organization faces and often requires sophisticated and knowledgeable audit staffs to address the company’s risks effectively.

One of the chief attributes of effective CAEs is the ability to attract and develop talent and to build a high-quality staff whose members can work effectively in teams. In many organizations internal audit also serves as a source of management talent for other departments. To help the CAE perform this sourcing role, it’s important to make it clear he or she functions as a member of top management. Sample questions to ask a candidate: What is internal audit’s role in an organization? Can you describe a situation where you raised a critical issue to management and how you handled it? How would you partner with management while maintaining your independence and objectivity? What approach would you take to attract and develop high-quality staff?

The right focus. The strategic CAE also must take the lead in advising the audit committee on emerging risk and control issues. In recent years two key factors—the passage of Sarbanes-Oxley and the implementation of reform legislation—have focused audit committee attention on financial risks. However, companies face many additional risks and audit committees are becoming more sensitive to enterprise-wide risk. As a result, internal audit must look more broadly at risk to help the audit committee understand the risk-monitoring and mitigation activities the company already has in place and the effectiveness of its overall risk management processes. Sample questions to ask a candidate: How would you assess the risks the organization faces? Are you familiar with the COSO enterprise risk management framework and how would you apply it? How would you use technology to enhance your ability to monitor risks? How will you help the audit committee be aware of emerging risks?

In part, the CAE’s role is a balancing act: He or she must simultaneously serve as the eyes and ears of the audit committee as well as be a member of and partner to executive management. To serve both parties effectively, CAEs must be seen as business partners rather than “corporate cops.” To be an effective extension of the audit committee, CAEs need to maintain an open and objective view of management, be seen by it as fair and respect the opinions expressed. On the corporate side, CAEs need to gain the respect and confidence of executive and operational management as a prerequisite to being viewed internally as a member of senior management and being included in meetings that address risk and strategy across the organization.

 
AICPA RESOURCE

AICPA Audit Committee Toolkit
Guidelines for Hiring the Chief Audit Executive (CAE)
www.aicpa.org/audcommctr/toolkitsnpo/Hiring_CAE.htm

ADDITIONAL THINGS TO CONSIDER
Here are some key questions to which management and audit committees need to get satisfactory answers when considering CAE candidates who can help the internal audit group adopt a more proactive role in risk management and governance. In candidate interviews and in discussions with their references, companies should use probing questions to develop an understanding of whether the candidates have

The presence and experience to fit into the management ranks at the appropriate level.

The knowledge and business sense required to serve as a trusted adviser to both senior management and the audit committee.

A track record of sound judgment and decision making.

A sufficient understanding of the business and its risks to ensure the audit process is properly focused and responsive to risk.

The personal strength and confidence to stand up to and earn the respect of senior management.

ONCE ON BOARD
After an organization has hired a high-caliber CAE, the audit committee and top management can do much to enhance his or her stature and effectiveness. Supportive steps for the audit committee chair, in particular, to consider are

Maintaining ongoing access and dialogue with the CAE outside audit committee meetings. Such communication strengthens the bond between the audit chair and the CAE and helps the committee stay on top of significant risk and control issues.

Asking senior management to attend an audit committee meeting to address issues the CAE raises. Such a request reinforces the significance of the issues and emphasizes that responsibility for resolving the issues lies with management, not the CAE.

Including the CAE in appropriate committee activities, such as training. In some organizations, audit committee members and the CAE attend joint training and conferences to identify new practices or approaches and to strengthen working relationships.

Periodically meeting with the CAE’s direct reports or the entire audit department. Such meetings give internal audit staffers first-hand exposure to audit-committee concerns and give audit committee members a better appreciation of staff quality.

Holding executive sessions with the CAE. Such interchange ensures an open exchange of views on issues and risks identified by the CAE and management’s response.

ADOPTING A STRATEGIC MIND-SET
Once a company has a CAE in place, it’s time for the CAE and the audit committee to make sure internal audit has adopted a strategic, high-level mind-set as opposed to a tactical orientation that focuses on basic transactional or compliance issues. To assure this is happening, there are some key questions the audit committee should ask, including

Does internal audit’s risk assessment include the significant risks the company faces and is the audit plan directly linked to those risks?

Does management view the issues internal audit is raising as significant and give them proper attention?

Is the CAE conversant and involved with the company’s developing business issues and initiatives?

Does the CAE understand our business, its strategies, our expectations and those of senior management, so internal audit can respond effectively?

Is the audit plan sufficiently responsive to emerging risks and changes in the organization’s risk profile?

Are the company’s internal audit activities being conducted in accordance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Audit?

If the answer to any of these questions is “no,” the CAE, the audit committee chair and top management should meet to make sure all parties understand what the company expects and come to an agreement on a strategy for meeting these expectations.

Practical Tips
Make sure the CAE candidate you hire fits into the management ranks at the appropriate senior level and has the necessary high-level knowledge to be a trusted adviser to both senior management and the audit committee.

Maintain ongoing communications with the CAE, including activities outside normal meetings, such as joint training sessions with audit committee members.

Have the audit committee meet regularly with the CAE’s direct reports and hold executive sessions with the CAE to ensure an open assessment of issues and risks.

THE RIGHT PERSON FOR THE JOB
Audit committees and senior management can optimize the value a company gets from internal audit by putting a well-qualified CAE at the helm. Recent regulatory changes have focused some internal audit functions on narrower compliance-oriented activities, endangering their ability to contribute to effective governance and risk management. Organizations must make sure they have a clear, strategic vision of internal audit and a CAE with the right skills and stature to implement that vision. They need to consider a CAE’s qualifications carefully, paying particular attention to skills beyond just technical ones. The organization also must evaluate the effectiveness of the CAE and the audit function in a manner consistent with its strategic expectations. The exhibit below provides an example of a framework companies can use as a starting point to develop their own expectations.

Key Performance Criteria for CAEs

The audit committee and executive management should make certain they have a common view of the criteria for evaluating the CAE’s performance. While each company’s list will be customized, here are some key areas to consider in developing a framework.

Stature and presence
The CAE must have the professional presence and stature to function as a trusted adviser. The CAE should develop and maintain strong relationships internally with executive and senior management, and externally with the audit committee, board, regulators and external auditors. The CAE must maintain continuous and proactive communication with all key constituents while keeping an appropriate level of objectivity and independence. The CAE also must have the personal strength to make tough calls and stick by them.

Strategic audit focus
The CAE should develop a vision for a strategic internal audit process, addressing the key business strategies and risks to the organization. Strategies should align the audit coverage with risks, including identifying and reacting to emerging risks and issues. The CAE should have a strong knowledge of industry/peer audit practices. The CAE must be capable of operating and viewing issues at a strategic level.

Ability to exercise sound judgment and communicate clearly on audit issues
The CAE should exercise sound business judgment, prioritize issues and make sure they are handled at the appropriate level. The CAE should raise and communicate in a timely and clear manner significant issues to the audit committee and management with recommendations as to which deserve their immediate attention. The CAE should maintain an appropriate process to ensure the company takes corrective actions in a timely manner.

Development of human resources
The CAE should attract and develop talent for the internal audit function and the organization as a whole, and create an environment in which internal audit is viewed as a desirable assignment for the long term. Internal audit’s activities should be aligned with the organization’s overall human resources strategies to optimize the employees’ experiences. The environment also should foster a culture that enables the internal audit function to fulfill its role and add value to the organization.

Management of technical auditing activities
The CAE should ensure the company’s audit plan and other critical audit initiatives are being conducted in accordance with applicable professional standards and reflect current business risks and audit requirements as well as emerging industry trends. For critical transactions and initiatives, the CAE should ensure the financials properly reflect the economic substance of the activity. The CAE should ensure the internal audit function has access to appropriate resources and technical skills to execute its mandate.

Understanding of the organization’s strategy
The CAE should make sure the organization understands and addresses its risks. Sometimes the biggest risk is the failure to innovate. A CAE must understand the organization’s strategy, how it will measure performance in following those strategies and how to overcome any roadblocks.
