Unleashing the potential of internal audit

As executives and directors rethink their corporate governance procedures, the authors offer a four step approach to strengthening corporate assurance.

Enron’s collapse and the serious corporate control implications that accompanied it are having a profound impact on how organizations view their corporate governance and control environments. Directors and senior executives are rethinking governance processes with heightened zeal, spurred by massive pressure from lawmakers, regulators, the investment community and legions of unhappy investors.

Within audit circles, external auditors have borne the most heat from the post-Enron backlash. But major changes are occurring in risk assurance, corporate governance and internal audit practices, as well – changes with significant import for audit committee members and senior management alike. Indeed, many boards and senior management groups are just beginning to get their arms around the ramifications of the recently enacted Sarbanes-Oxley Act, as well as a series of far-reaching proposals from the New York Stock Exchange that are awaiting approval from the Securities and Exchange Commission

What is clear is the following:

–  Audit committees will need to expand their oversight of audit processes, including internal audit.
–  Ineffective risk assurance and corporate governance efforts can produce catastrophic results.
–  New governance procedures will evolve, reflecting stepped-up legislative and stock exchange activity.
–  Assurance is the primary value driver for audit functions.

Responding to these forces, top management and directors must work together to ensure that their organizations have the risk management and control resources they need to meet heightened scrutiny of their risk assurance procedures. To this end, the four steps outlined below can lay the groundwork to more fully leverage the potential of their internal audit functions to strengthen corporate assurance:

Step 1: Elevate Ownership of Internal Audit at the Board and Senior Management Level. Serving as a director or top executive is a high-risk activity these days. It is important that organizations fully utilize all available resources to fulfill their assurance responsibilities. Within many organizations, internal audit represents an untapped resource.

Key managers need to understand the objectives of internal audit and how they relate to its performance. A November 2001 survey by FEI and PricewaterhouseCoopers of participants in a Web teleconference found that more than 68 percent of respondents said their internal audit departments failed to inform senior management and the board about how internal audit can add organizational value. Directors and management need to actively set and support objectives for internal audit. The performance bar for the function is rising quickly. Although the brightest spotlights have been focused on external audit, the internal audit function needs to be challenged with similar levels of intensity.

Step 2: Foster a Strategic Mindset Integrating Internal Audit with Corporate Strategy and Risk Management. Internal audit contributes to better governance when it takes a strategic orientation, with the audit committee and senior management, to address enterprisewide risk and control issues. To optimize its potential, internal audit must have “a seat at the table.”

To be effective, internal audit groups need to move beyond the tactical to the strategic, aligning their resources in support of audit committee and senior management objectives. This won’t happen without clear direction from their two corporate masters – the audit committee and senior management.

In providing this much-needed direction, senior executives and directors need to provide a strategic framework for internal audit. The chief audit executive (CAE) should work with senior management and the audit committee to articulate the mission and role for the function. Spell out the needs and expectations of both the audit committee and senior management, especially with respect to the focus and resource allocation needed. Then, make sure your internal audit staff members understand the importance of their role and the value placed on their activities.

Internal audit departments must have an organizational posture that allows them to operate successfully on strategic issues. The kind of independence needed will require proactive audit committee oversight over the scope, budget and resources identified for the internal audit function, as well as ensuring that operational management does not unduly influence the internal audit function.

Step 3: Ensure that the Governance Process Identifies an Executive Champion for the Internal Audit Function. Good governance begins at the top. Internal auditing can contribute most effectively when there is an executive champion who ensures complete objectivity in all audit work. This is best accomplished with oversight of the internal audit budget and scope at the audit committee level with administrative support at the CEO level.

Administratively, the internal audit function typically reports to a member of senior management. On a functional basis, internal audit also reports to the audit committee. Not surprisingly, this dual reporting relationship can cause conflict.

Compounding this problem is a widening organizational gap between internal audit and executive management, according to the 2001 teleconference survey by FEI and PricewaterhouseCoopers. Of the organizations surveyed, the chief audit executive reports administratively to either the CEO or COO in only 19 percent of the cases. In most situations (57 percent), audit heads report to CFOs.

Is there a “correct” reporting scenario? Good governance requires that an assurance function be free to comment objectively on controls at all levels of the organization. The answer is not simply a matter of a reporting line. Directors should insist that the function is reporting to a “champion” who will actively assist internal audit to both adopt a strategic focus and to address stakeholders’ priorities, including the audit committee’s. If internal audit is buried at a low level administratively, the function cannot gain the independence and objectivity it needs to meet rising expectations of internal audit practitioners.

Step 4: Staff Internal Audit with High Quality Human Resources. Good governance requires strong individuals with a wide perspective. Internal auditors ought to be among the more talented individuals in the organization. To attain specialized skills or broader coverage, senior management and the audit committee should not hesitate to call on outside resources.

There is often either a real or perceived reporting distance between internal audit and top executive and operational managers. This gap suggests an immediate need for internal audit departments to step up their efforts to inform senior management about how internal audit adds value, and how it plans to do so in the future. However, in order to function at the top level, internal audit must have sufficient resources.

Above all, internal audit needs top-level personnel, preferably people with graduate degrees who have the skills to be promoted to executive levels of the organization. For specialized work, the function needs either internal staff or access to outside personnel who can address risks associated with such key areas as information technology, financial instruments or off-shore operations. Also, internal audit needs sufficient resources to conduct a systematic and timely review of the risks and controls needed to provide assurance to top organizational levels.

As recent events have shown, internal controls left untended at executive and board levels can damage. the reputation and viability of the organization. As directors and management rethink corporate governance and control, internal audit should receive both the scrutiny and attention necessary to properly posture internal audit to unleash its full potential to provide higher levels of corporate assurance that will be even more critical in the future.

Congress, NYSE Focus on Governance

The recently enacted Sarbanes-Oxley Act of 2002 and proposed rules from the New York Stock Exchange are ushering in sweeping changes with major impacts on securities law, corporate governance and the regulation of auditors. A significant aspect of enhanced corporate governance in both the Act and proposed rules is that audit committees are required to increase their oversight and reporting activities with an organization’s external auditors.

Among other matters, these far-reaching rules for corporate governance would:

–  Increase the authority and responsibility of the audit committee, granting it sole authority to hire and fire independent auditors, approve any significant non-audit relationship with independent auditors and oversee policymaking for risk assessment and risk management.

–  Require NYSE-listed companies to have internal audit functions.

–  Require firms to adopt corporate governance guidelines and a code of business conduct and ethics.
Larry Rittenberg is Ernst & Young Professor of Accounting at the University of Wisconsin (Irittenberg@us.wisc.edu). Dick Anderson is a Partner in the Global Risk Management Solutions group at PricewaterhouseCoopers LLP (dick.anderson@us.pwcglobal.com)