EXECUTIVE SUMMARY
Many companies are
raising the expectations for
their chief audit executives (CAEs) to
include operating at more strategic levels
of risk management and corporate
governance. Successful CAEs must partner
effectively with the audit committee and
other members of the senior management
team to achieve their objectives.
To be effective,
CAEs need to demonstrate a
solid understanding of the company’s
business, core strategies, risk appetite
and risk tolerance. CAEs must be willing
to raise difficult issues with senior
management and the audit committee—even
if such actions prove unpopular.
The CAE should
maintain an ongoing dialogue
with the audit committee. This
will build a relationship and help the
committee stay on top of significant
risk and control issues.
One of the chief
attributes of an effective CAE
is the ability to attract and
develop talent and build a high-quality
staff. In many organizations internal
audit is a source of management talent
for other departments.
Larry E. Rittenberg,
CPA, PhD, CIA, is chairman of the
Committee of Sponsoring Organizations
of the Treadway Commission (COSO) and
Ernst & Young Professor of
Accounting & Information Systems
at the University of Wisconsin at
Madison. His e-mail address is
lrittenberg@bus.wisc.edu.
Richard J. Anderson,
CPA, is a partner, internal audit
advisory services,
PricewaterhouseCoopers LLP in Chicago.
His e-mail address is
dick.anderson@us.pwc.com.
Internal audit
traditionally has been a behind-the-scenes player,
helping audit committees perform their duties and
serving as a management watchdog. But today it
plays a vital role in efforts to improve corporate
governance and internal controls. To fulfill this
role, the chief audit executive (CAE) needs to
provide assertive leadership that strengthens the
organization’s commitment to tough internal
controls. CAEs must partner with senior management
and the audit committee to help them fulfill their
broad responsibilities for effective governance,
risk management and control. This article offers a
broad view of the skills and qualifications CAEs
need and information that management and audit
committees will find useful when filling this
critical position. Audit committees, whose
governance responsibilities have expanded
significantly since the Sarbanes-Oxley Act, are
turning to internal audit for strategic and
tactical support. The same is true for senior
management. PCAOB Auditing Standard no. 2, An
Audit of Internal Control Over Financial
Reporting Performed in Conjunction with An Audit
of Financial Statements, has sharpened the
focus on the internal audit function and its
ability to help senior management, audit
committees and external auditors achieve their
reporting objectives. At the same time, internal
audit cannot sacrifice its long-standing role in
promoting risk management and using operational
audits to improve organizational efficiency.
CAE Technical Qualifications
In addition to executive-level
interpersonal skills and solid business
judgment, most companies are looking for
these qualifications in a CAE candidate:
At least 10 years of relevant management experience with an accounting firm and/or a similarly sized company.
CPA and/or CIA designation.
Strong technical accounting and auditing skills.
Internal audit expertise.
Knowledge of Sarbanes-Oxley and PCAOB, FASB and SEC pronouncements.
Deep understanding of the industry and related business risks.
Track record of leadership and ability to stand behind tough decisions.
THE IDEAL CANDIDATE
When hiring a CAE,
companies should look for someone who combines
strong management and leadership skills with solid
technical expertise. This ideal candidate is more
than just a technical auditor. When looking for a
new audit chief—or evaluating the performance of
an existing one—the audit committee and senior
management should focus on three critical
qualifications:
The candidate’s ability to earn the
respect of the audit committee and senior
management. Because internal
auditors must be comfortable operating at a
strategic level, a CAE must be perceived as a
trusted adviser to both the audit committee and
senior management. However, because internal
control goes beyond financial reporting,
operational managers need to accept internal audit
as leaders in addressing risk and governance in a
way that goes beyond mere policing and testing of
internal controls. Sample questions to ask a
candidate: In what kind of situations have you
advised management or the audit committee on a
strategic issue? How would you reconcile the
sometimes divergent roles of auditor and adviser?
What activities would you initiate to position
yourself as an adviser to the audit committee?
The range of skills, including personal
independence and objectivity. An
effective CAE needs to demonstrate a solid
understanding of the company’s business, core
strategies, risk appetite and risk tolerances. He
or she must be able to exercise sound business
judgment and partner effectively with senior
management while at the same time remaining both
independent and objective. The need for
independence and objectivity is fundamental. CAEs
must be willing to raise difficult issues with
both senior management and the audit committee,
even if that proves unpopular. To gain management
respect, CAEs must make tough calls and stand by
them. However, CAEs who describe all issues as
significant will quickly lose support.
While auditing often is correctly viewed as
a technical function, the softer audit skills are
equally critical. Interpersonal skills are
particularly important in building effective
working relationships with management and the
audit committee. CAEs must be able to think
strategically about the internal audit function,
its mission and its strategic resources, including
attracting highly qualified staff. CAEs must have
a vision for the internal audit function that
accepts change as part of an ongoing process
throughout the organization. Staffing must mirror
the critical issues the organization faces and
often requires sophisticated and knowledgeable
audit staffs to address the company’s risks
effectively. One of the chief attributes
of effective CAEs is the ability to attract and
develop talent and to build a high-quality staff
whose members can work effectively in teams. In
many organizations internal audit also serves as a
source of management talent for other departments.
To help the CAE perform this sourcing role, it’s
important to make it clear he or she functions as
a member of top management. Sample questions to
ask a candidate: What is internal audit’s role in
an organization? Can you describe a situation
where you raised a critical issue to management
and how you handled it? How would you partner with
management while maintaining your independence and
objectivity? What approach would you take to
attract and develop high-quality staff?
The right focus. The
strategic CAE also must take the lead in advising
the audit committee on emerging risk and control
issues. In recent years two key factors—the
passage of Sarbanes-Oxley and the implementation
of reform legislation—have focused audit committee
attention on financial risks. However, companies
face many additional risks and audit committees
are becoming more sensitive to enterprise-wide
risk. As a result, internal audit must look more
broadly at risk to help the audit committee
understand the risk-monitoring and mitigation
activities the company already has in place and
the effectiveness of its overall risk management
processes. Sample questions to ask a candidate:
How would you assess the risks the organization
faces? Are you familiar with the COSO enterprise
risk management framework and how would you apply
it? How would you use technology to enhance your
ability to monitor risks? How will you help the
audit committee be aware of emerging risks?
In part, the CAE’s role is a balancing act: He
or she must simultaneously serve as the eyes and
ears of the audit committee as well as be a member
of and partner to executive management. To serve
both parties effectively, CAEs must be seen as
business partners rather than “corporate cops.” To
be an effective extension of the audit committee,
CAEs need to maintain an open and objective view
of management, be seen by management as fair and respect
the opinions expressed. On the corporate side,
CAEs need to gain the respect and confidence of
executive and operational management as a
prerequisite to being viewed internally as a
member of senior management and being included in
meetings that address risk and strategy across the
organization.
ADDITIONAL THINGS TO CONSIDER
Here are
some key questions to which management and audit
committees need to get satisfactory answers when
considering CAE candidates who can help the
internal audit group adopt a more proactive role
in risk management and governance. In candidate
interviews and in discussions with their
references, companies should use probing questions
to develop an understanding of whether the
candidates have
The presence and experience to fit
into the management ranks at the appropriate
level.
The knowledge and business sense
required to serve as a trusted adviser to both
senior management and the audit committee.
A track record of sound judgment and
decision making.
A sufficient understanding of the
business and its risks to ensure the audit process
is properly focused and responsive to risk.
The personal strength and confidence
to stand up to and earn the respect of senior
management.
ONCE ON BOARD
After an organization has hired a
high-caliber CAE, the audit committee and top
management can do much to enhance his or her
stature and effectiveness. Supportive steps for
the audit committee chair, in particular, to
consider are
Maintaining ongoing access and dialogue
with the CAE outside audit committee meetings.
Such communication strengthens the
bond between the audit chair and the CAE and helps
the committee stay on top of significant risk and
control issues.
Asking senior management to attend an
audit committee meeting to address issues the
CAE raises. Such a request
reinforces the significance of the issues and
emphasizes that responsibility for resolving the
issues lies with management, not the CAE.
Including the CAE in appropriate
committee activities, such as training.
In some organizations, audit
committee members and the CAE attend joint
training and conferences to identify new practices
or approaches and to strengthen working
relationships.
Periodically meeting with the CAE’s
direct reports or the entire audit department.
Such meetings give internal audit
staffers first-hand exposure to audit-committee
concerns and give audit committee members a better
appreciation of staff quality.
Holding executive sessions with the CAE.
Such interchange ensures an open
exchange of views on issues and risks identified
by the CAE and management’s response.
ADOPTING A STRATEGIC MIND-SET
Once a company has a CAE in place, it’s time
for the CAE and the audit committee to make sure
internal audit has adopted a strategic, high-level
mind-set as opposed to a tactical orientation that
focuses on basic transactional or compliance
issues. To assure this is happening, there are
some key questions the audit committee should ask,
including
Does internal audit’s risk assessment
include the significant risks the company faces
and is the audit plan directly linked to those
risks?
Does management view the issues
internal audit is raising as significant and give
them proper attention?
Is the CAE conversant and involved
with the company’s developing business issues and
initiatives?
Does the CAE understand our business,
its strategies, our expectations and those of
senior management, so internal audit can respond
effectively?
Is the audit plan sufficiently
responsive to emerging risks and changes in the
organization’s risk profile?
Are the company’s internal audit
activities being conducted in accordance with the
Institute of Internal Auditors’ International
Standards for the Professional Practice of
Internal Audit?
If the answer to any of
these questions is “no,” the CAE, the audit
committee chair and top management should meet to
make sure all parties understand what the company
expects and come to an agreement on a strategy for
meeting these expectations.
Make sure the CAE
candidate you hire fits into the
management ranks at the
appropriate senior level and has
the necessary high-level
knowledge to be a trusted
adviser to both senior
management and the audit
committee.
Maintain ongoing
communications with the CAE,
including activities outside
normal meetings, such as joint
training sessions with audit
committee members.
Have the audit
committee meet regularly with
the CAE’s direct reports and
hold executive sessions with
the CAE to ensure an open
assessment of issues and
risks.
THE RIGHT PERSON FOR THE JOB
Audit committees and senior management can
optimize the value a company gets from internal
audit by putting a well-qualified CAE at the helm.
Recent regulatory changes have focused some
internal audit functions on narrower
compliance-oriented activities, endangering their
ability to contribute to effective governance and
risk management. Organizations must make sure they
have a clear, strategic vision of internal audit
and a CAE with the right skills and stature to
implement that vision. They need to consider a
CAE’s qualifications carefully, paying particular
attention to skills beyond just technical ones.
The organization also must evaluate the
effectiveness of the CAE and the audit function in
a manner consistent with its strategic
expectations. The exhibit below provides an
example of a framework companies can use as a
starting point to develop their own expectations.
Key Performance Criteria for
CAEs
The audit committee
and executive management
should make certain they
have a common view of the
criteria for evaluating the
CAE’s performance. While
each company’s list will be
customized, here are some
key areas to consider in
developing a framework.
Stature and presence
The CAE must
have the professional presence
and stature to function as a
trusted adviser. The CAE
should develop and maintain
strong relationships
internally with executive and
senior management, and
externally with the audit
committee, board, regulators
and external auditors. The CAE
must maintain continuous and
proactive communication with
all key constituents while
keeping an appropriate level
of objectivity and
independence. The CAE also
must have the personal
strength to make tough calls
and stick by them.
Strategic audit focus
The CAE should
develop a vision for a
strategic internal audit
process, addressing the key
business strategies and risks
to the organization.
Strategies should align the
audit coverage with risks,
including identifying and
reacting to emerging risks and
issues. The CAE should have a
strong knowledge of
industry/peer audit practices.
The CAE must be capable of
operating and viewing issues
at a strategic level.
Ability to exercise
sound judgment and
communicate clearly on audit
issues
The CAE should exercise sound
business judgment, prioritize
issues and make sure they are
handled at the appropriate
level. The CAE should raise
and communicate in a timely
and clear manner significant
issues to the audit committee
and management with
recommendations as to which
deserve their immediate
attention. The CAE should
maintain an appropriate
process to ensure the company
takes corrective actions in a
timely manner.
Development of human
resources
The CAE should attract and develop
talent for the internal audit
function and the organization
as a whole, and create an
environment in which internal
audit is viewed as a desirable
assignment for the long term.
Internal audit’s activities
should be aligned with the
organization’s overall human
resources strategies to
optimize the employees’
experiences. The environment
also should foster a culture
that enables the internal
audit function to fulfill its
role and add value to the
organization.
Management of
technical auditing
activities
The CAE should
ensure the company’s audit
plan and other critical audit
initiatives are being
conducted in accordance with
applicable professional
standards and reflect current
business risks and audit
requirements as well as
emerging industry trends. For
critical transactions and
initiatives, the CAE should
ensure the financials properly
reflect the economic substance
of the activity. The CAE
should ensure the internal
audit function has access to
appropriate resources and
technical skills to execute
its mandate.
Understanding of the
organization’s strategy
The CAE should
make sure the organization
understands and addresses its
risks. Sometimes the biggest
risk is the failure to
innovate. A CAE must
understand the organization’s
strategy, how it will measure
performance in following those
strategies and how to overcome
any roadblocks.