“IA has worked hard to build controls and a capacity to minimize potential financial fraud, following the implementation of Sarbanes-Oxley,” Ide said. “Initially the focus was on increased resources and more independence from management. We are now at a phase of evolution where IA is being asked not only to play the police role on assuring adequate controls and adherence, but also consulting as to how things can work better.”
Ide is a partner at the Atlanta-based law firm of McKenna Long & Aldridge specializing in governance and internal investigations. He serves as a member of the Board of Directors of AFC Enterprises Inc. and The Albemarle Co.
Previously, he served as senior vice president, general counsel and secretary of Monsanto Corporation, president of the American Bar Association and counselor to the United States Olympics Committee. Also, he was senior vice president and special counsel for E.F. Hutton & Co., and managing director and special counsel for Prescott, Ball & Turben.
He spent some time with me recently discussing the alignment of the IA function with the board and management. Below are some of his thoughts:
From what you have seen in the boardroom, what is going on with the Internal Audit function as far as its alignment with management and the board (specifically the audit committee)?
I think initially after Sarbanes-Oxley [Act] was implemented, there was concern that the Internal Audit function had failed. As part of the reform culture, IA was charged with setting up adequate internal controls and assuring adequate resourcing to provide independent oversight of financial reporting. That took a long time. That was a cycle that lasted five years [2002-2007]. Now some companies’ management and boards are exploring how IA can continue its oversight function while also providing more value-add through providing consulting services in assuring that things were working well.
Companies are asking internal audit to do more functions like consulting and dealing with strategies and efficiencies. IA can be helpful in reviewing management initiatives to see if they were working efficiently and effectively. The challenge is whether IA can work closely with management on consulting while also keeping its independence as it performs its traditional internal audit work.
Following the accounting fraud of the early 2000s and enactment of Sarbanes-Oxley, a big focus was put on the audit committee as well as internal audit. Where do you see the focus now some 10 years later? Has the financial crisis changed any of this?
We all are now hearing the word “risk” in much more of a macro sense then the initial audit risk discussions surrounding adequate controls. While there must be constant vigilance to assure controls are in place and not overridden by management, boards are getting to a comfort level that adequate internal audit resources are in place and working well. The issues from Sarbanes-Oxley, such as checks and balances, are being addressed. So IA can now play additional roles such as supporting enterprise risk management. I think IA is a given to provide oversight of controls over fraud. Many now see IA doing ERM and [strategic and operational] consulting. If there is a large critical mass, the company can divide the function within IA. However, if a company is smaller the IA function has to work hard to be able to perform the two different roles while assuring adequate independence from management.
Where do you see the internal audit function trending in the next couple of years? Do you see it more as a consulting function? If so, why?
They [internal auditors] are equipped to get into more sophisticated matters and look into whether or not departments, such as the Information Technology department, are operating the way they should. In the larger companies, IA is being asked to provide a consulting role as it fosters a more collaborative culture. The challenge is for IA to maintain its independent control oversight, while also playing the additional role of consultant. There is a natural tension between the two roles. When it is time to evaluate the performance of IA personnel, what is the proper role of the audit committee and of management? How does the audit committee assure that management is not compromising IA’s independence through the performance evaluation stick? That is the challenge if one chooses to expand the role of IA.
In a recent blog post, Richard Chambers, president of Institute of Internal Auditors, stressed the relationship between the chief accounting executive (“CAE”) and the many IA stakeholders. From what you have seen, who is nurturing this relationship in the companies where you sit on or work with boards?
It is a given that the CAE should have a strong relationship with the audit committee. In addition, management and the controller’s office have a real role and concern in working with the IA. Typically it is the CEO or other senior management that has the administrative oversight of the CAE; but the ultimate overseer for independence must be the audit committee chair. There’s a lot of burden on the IA function to make sure that these dual reporting relationships are carried out thoughtfully and with complete transparency.
How much should boards rely on “best practices” and literature on the IA function vs. doing their own legwork?
The audit committee, senior management and the CAE must have clarity as to how they are to work together. You don’t want ambiguity. The audit committee does not see the IA function perform every day and is not equipped to provide thoughtful administrative oversight. Management must respect the needed independence of the IA function. IA personnel must be accountable for quality performance and should not be allowed to sidestep oversight by management in the name of independence. It’s tricky because the performance metric for IA includes the independence features of the cop on the beat, but also the collaborative features of the cop gaining confidence of the community that it patrols.
How is the reporting function dealt with in audit committee charters?
I’ve seen in audit committee charters a statement on IA, where the head of internal audit cannot be replaced or have her compensation changed without the consent of the audit committee. I, personally, think it’s a bit of overkill. Charters should say that the audit committee will oversee the IA function to assure it is performing its specified duties. They should further provide that there are adequate resources plus independence from management. The audit committee has to be careful to ensure there is independence, but also respect the need for performance oversight. The main goal is to have clear communications so management, IA and the audit committee are aligned on the expectations, performance metrics and specific rationales behind performance evaluations management furnishes to the audit committee.
Nearly a decade after the Sarbanes-Oxley Act was signed into law, the internal audit (IA) function is facing new challenges as to what additional roles it should play and its interaction with the board.
R. William (Bill) Ide, chair of The Conference Board Governance Center Advisory Board, has seen this transition first-hand as a director on several boards and as governance counsel for public companies.
[caption id="attachment_1058" align="alignright" width="111" caption="William Ide, Chair of The Conference Board Governance Center Advisory Board"]