Internal audit reporting line to chief executive gains steam as US Fed weighs in

The idea of having the internal audit function report administratively to the CEO may be gaining steam in the United States.

The US Federal Reserve has issued guidance to encourage US banks with more than $10 billion in total assets to have their internal audit functions report to the chief executive – a move that could influence similar changes in other industries, observers of the profession say.

In a policy statement dated January 23rd, the Federal Reserve said the objectivity of the internal audit function is served best when the chief audit executive (CAE) reports administratively to the chief executive. While that relationship is encouraged by the Federal Reserve, it is not required. But if the CAE reports administratively to another executive, the statement requires the audit committee to document its rationale for the reporting structure.

The Federal Reserve created the guidance in response to the recent financial crisis in hopes of promoting objectivity in the internal audit function.

Although CAEs in the United States usually report functionally to the audit committee, they often report administratively to an executive in the C-suite. Traditionally, that executive has been the CFO, according to Institute of Internal Auditors (IIA) President and Chief Executive Richard Chambers.

Chambers, who said he isn’t impugning the integrity of CFOs, said there are risks involved with having internal audit report to the CFO.

“A lot of internal audit’s work is done looking at financial risks, financial controls and so forth,” Chambers said. “Even if you have an objective chief audit executive, how does that look to third parties that, in essence, that individual is leading audit work of their boss’s area of responsibility?”

Having internal audit report to the CEO is much more common in other parts of the world than in the United States. A majority of CAEs in Africa (55%), Europe-Central Asia (55%), Asia Pacific (53%) and Western Europe (51%) report administratively to the CEO, according to an IIA-sponsored survey of more than 13,500 internal auditors conducted in 2010.

In contrast, just 21% of respondents in the United States and Canada said CAEs in their organisations report administratively to the CEO. More respondents – 23% – in the United States and Canada said their CAEs report administratively to the CFO.

Globally, 43% of CAEs report to the CEO, according to the survey, while 34% report administratively to the audit committee. In the United States and Canada, 41% report administratively to the audit committee.

Internal auditors at an overwhelming majority of US companies also report functionally to the audit committee, Chambers said. A 2012 IIA survey showed that a majority of CAEs functionally report to the audit committee in North America (74%), Asia/Pacific (69%) and Europe (65%). Latin America (36%) trailed the other regions in the survey.

In this functional relationship, Chambers said, the audit committee typically:

• Approves internal audit’s charter and the annual internal audit plan.
• Has regular briefings and interactions with the CAE.
• Participates in executive sessions with the CAE.

Over the past ten years, the number of CAEs reporting administratively to the CFO has decreased as more CAEs have reported to chief executives, Chambers said. In some cases, the CAE reports administratively to the general counsel, chief risk officer or COO.

Chambers said the Federal Reserve’s guidance reflects the IIA’s position that the ideal administrative reporting relationship for the CAE is with the chief executive, although that position is not required in the IIA standards. He said he expects the CAE-to-CEO model to spread.

“My guess is, it won’t be long before you’re going to see some of these practices becoming commonplace in banks that are smaller,” Chambers said. “…I think you’re also going to see it in other industries.”

The Federal Reserve’s guidance for large banks also says internal auditors should:

• Analyse the effectiveness of all critical risk-management functions.
• Challenge management to adopt appropriate policies and procedures and effective controls.
• In cases where an institution enhances its infrastructure, review significant changes and notify management of potential internal control issues.
• Confirm that the board of directors and senior management are setting and monitoring compliance within an institution’s risk tolerance limits.
• Evaluate governance at all management levels within the institution.

In addition, the Federal Reserve said institutions should incorporate professional standards such as the IIA’s International Standards for the Professional Practice of Internal Auditing into their overall internal audit architecture. And it said institutions that outsource internal audit work should make sure the audit committee maintains ownership of the audit function.

“I think they realise that financial institutions have to have a very strong oversight function and a very strong corporate governance model and risk-management model,” Chambers said. “And they’re addressing some of the gaps that they saw leading up to the financial crisis, and I think they’ve made a very strong statement here.”

—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine senior editor.