Most chief audit executives (CAEs) in North America report their findings to the organization's audit committee. The IIA recommends this practice, held globally to be part of the gold standard enshrined in the three lines of defense model of corporate governance. Per the model's logic, CAEs sitting on the metaphorical third line have free rein to go anywhere and suggest organizational improvements, without fear of restriction or recrimination.
Getting to this position has been a fight for many CAEs, and some have still not achieved it. But The IIA's recent research, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, has questioned whether reporting to the audit committee potentially constricts the value internal audit can add to some organizations. As businesses face a growing range of external threats, so internal audit's remit has expanded. Financial risk, once the mainstay of audit departments, today typically occupies only 20% of their time. Practitioners expend the rest of their effort on a diverse range of issues including cyber risk, disaster recovery, culture risk, climate change, and social responsibility, to name only a few.
This broadening of internal audit's remit raises the question of the extent to which a CAE should report to other board committees, and in what circumstances he or she should report to the full board. And, for those wishing to explore that route, how can they get the audience and credibility to play this enhanced role?
EXPANDING AUDIT INFLUENCE
Internal auditors are spreading their influence beyond the audit committee via other conduits to the full board, says Jenitha John, former CAE at First Rand Bank in Sandton, South Africa, member of The IIA's global board of directors, and former nonexecutive director on several boards. "The heartening aspect is that you see internal audit now not just serving the audit committee but also making submissions to other board committees," she explains. John has seen internal audit increasingly called on to submit reports and present to risk committees, social and ethics committees, and even remuneration committees. "These meetings pertain to strategic issues that the company faces with regard to such topics as risk data aggregations, cybersecurity, information governance, the veracity of social matters (nonfinancial indicators), risk management, process maturity that influences bonus pool allocations, and so on," she says.
Part of the reason for this trend has been the way businesses have approached tackling new guidance, such as sustainability reporting standards issued by the Global Reporting Initiative, and new regulation, such as the European Union's General Data Protection Regulation (GDPR). "Regulation is causing various disciplines in organizations, which didn't necessarily work together because they were operating in silos, to now actually converge," John says. GDPR, for instance, has drawn together a whole range of corporate disciplines--from finance, audit, governance, compliance, risk management, and fraud to human resources...