IIA POSITION PAPER
Relationships of Trust
Building Better Connections Between the Audit Committee and Internal Audit
Introduction
KEY TAKEAWAYS
Work relationships can sometimes be tricky. What one demands or expects
from a relationship can become complicated, and this can contribute to
The CAE and the audit
misunderstandings, inefficiency, and even resentment.
committee must have a clear
But a poor, strained, or superficial relationship between the audit committee and understanding of their reporting
the chief audit executive (CAE) does more than create uncertainty. It can become and alignment responsibilities,
a serious threat to good governance by contributing to misunderstandings, an including what they should
inadequately resourced internal audit activity, undermined independence, expect and demand from
superficial assurance provision, inefficiencies, missed opportunities, and less than each other.
optimal service to the detriment of the organization.
The audit committee should
Internal audit should report functionally to the chair of the audit committee (or
demand and empower the CAE
equivalent) and administratively to executive management, creating a direct line of
and internal audit to act
communications between the CAE and the governing body. This unique partnership
independently and be willing to
reflects the importance of proper management of the relationship. Indeed, this direct
“speak truth to power.”
channel to the governing body initiates and nurtures the entire concept of
independence and objectivity necessary for an effective internal audit activity.
The audit committee should be
It is imperative, therefore, for the CAE and the audit committee to have a clear prepared to challenge the CAE
understanding of their reporting and alignment responsibilities, including what they and internal audit but also be
should expect and demand from each other. How each party interacts with the willing to stand with them, rather
other also helps set baseline demands and expectations that are the building than behind them.
blocks of trust and support.
The CAE needs clarity when it comes to the demands and expectations among The audit committee should
the audit committee, the chief financial officer, CEO, and other key internal demand the CAE and internal
stakeholders. A clear and healthy relationship where trust, transparency, and truth audit activity meet IIA Standards,
prevail is ideal in terms of establishing the demands placed on each other. be trusted advisors, and
represent the audit committee in
With respect to the audit committee, its responsibilities should be detailed within their efforts.
an audit committee charter. Its primary duty is to oversee the quality and integrity
of the company’s internal control environment including operational, financial, IT,
The audit committee should
accounting, and reporting practices.
meet regularly with the CAE
Interestingly, numerous professional research papers eloquently describe best to discuss strategic and
practices in the audit committee’s oversight of the CAE and the internal audit operational activities.
activity. Yet there are relatively few that examine best practices of what the CAE
should expect or demand from the audit committee.
1
�The IIA’s position on the role of internal audit and, more specifically, the CAE is clear. Follow The IIA’s International Standards
for the Professional Practice of Internal Auditing. Be firm. Be strategic. Be courageous. Speak truth to power. Strive to become
a trusted advisor.
Surveys indicate that most audit committees have healthy relationships with internal audit. But The IIA believes there must
be more transparency in terms of open demands from each other if assurance and governance are to be
strengthened and improved. Demanding relationships built on mutual respect should be sought out where each side pushes
to improve performance.
What the Audit Committee Should Demand From Internal Audit
The Basics: Internal audit is most effective when it follows IIA Standards, and its resource level, competence, and structure are
aligned with organizational strategy and core business competencies. The audit committee entrusts the CAE to operate the
activity with integrity and competency to achieve its purpose.
The audit committee should demand:
Adherence to IIA Standards.
Internal audit staff obtain relevant certifications demonstrating professional acumen, knowledge, and competence.
The CAE answers two key questions in an executive session:
o Do management’s actions/behavior conform to its words?
o What should the audit committee do to help internal audit be more effective?
A Mature Internal Audit Activity: Mature internal audit activities should exhibit a high level of competency in data analytics,
sophisticated audit programs, continuous risk coverage agility, an audit rotational model to develop talent, and an automated
workpaper environment. Internal audit should be at the forefront of emerging risks, and have metrics that demonstrate the
value it contributes to its organization. All of these will enable optimal and efficient operations that deliver maximum value
to the organization.
The audit committee should demand:
Development of a formal “IA Strategic Plan.”
Regular updates from internal audit on progress and changes to the plan.
Feedback from executive management on internal audit findings and CAE engagement.
An effective relationship between internal and external audit with evidence of real synergistic benefits occurring.
A balance of traditional audit coverage and strategic objective reviews integrated with “new” coverage areas.
The CAE obtain periodic 360-degree feedback reports from his/her direct reports and from management and submit a
comprehensive report to the audit committee.
Lastly, the audit committee should expect the leader of a mature audit activity to be engaged in executive management meetings
in which strategy and operations are discussed by raising relevant questions and providing appropriate insights. In other words,
internal audit should have a seat at the table.
The audit committee should embrace the concept that its role is critical to the overall success of the organization’s governance
model. It must hold the CAE to account and expect the same performance of the CAE as it would from the CEO.
2
�What Internal Audit Should Expect From the Audit
Committee
FIVE QUESTIONS
The best relationships are partnerships, and the CAE must be equally open
and clear with the audit committee about ways to enhance or improve its support
Building the right relationship
of internal audit activities.
between the audit committee and
internal audit can make a
Internal audit activities should be clear in what they need and expect from the audit
significant difference in internal
committee in terms of support and direction. This is especially crucial regarding
audit’s ability to provide the best
concerns over management retaliatory overtures and the CAE’s efforts to gain a
assurance and advisory services.
seat at the management table. The CAE and internal audit should demand audit
committees stand with them, rather than behind them. Here are five key questions the
governing body should be asking:
The Basics: A CAE should expect to have the audit committee’s time and
attentiveness, just as it would from any superior guiding and leading staff 1.
development and success. What often works against such interaction is that audit Does the CAE have unfettered
committee members typically have limited time due to their other commitments. access to the audit committee?
Despite such time restraints, supervisory oversight should not be limited to time
allocated during audit committee meetings four to six times a year. Consistent and 2.
open dialogue is imperative. Does the CAE seek opportunities
to strengthen his/her relationship
The CAE should reach out quarterly for a minimum 30-minute phone call with the with the audit committee?
audit committee chair to discuss relevant items such as staff turnover, upcoming
complex audits requiring cosourcing support, new or upcoming regulations 3.
affecting the profession, feedback from the chair on what they hear from Does internal audit have the
management or within the committee, and emerging activities in the company that ability to meet with the audit
may impact the audit plan. committee outside the presence
of executive management?
Time demands on the audit committee also can create the temptation to turn over
to management its responsibilities for CAE review, remunerations, firing, and 4.
hiring. This practice in effect abandons much of the audit committee’s oversight of Is the CAE being held to account
the CAE and could jeopardize the integrity, independence, objectivity, and to deliver the highest level of
effectiveness of the CAE role. internal audit services that
comply with IIA Standards and
Enhanced Audit Committee Support: Encourage the audit committee to commit promote certification of staff?
to meeting on a regular basis — e.g., annually — with the CAE and internal audit’s
senior leaders to discuss: 5.
What obstacles are keeping the
Audit strategy and methodology. CAE from earning a seat at the
management table?
Demonstrations of how internal audit performs data analytics.
Risks affecting organizational success.
Engagement in investigations of ethics and compliance matters.
Feedback from the audit committee on their views of risk.
Scope limitations and challenges faced with senior management.
Most importantly, take the time to further forge the strong relationship that
must exist.
3
�The CAE, using video conferencing or other technology, may invite audit
committee members to be available for questions during internal audit training or
communication days. Visible engagement sets an immensely different tone within The best relationships are
internal audit when the audit committee is approachable and available to the partnerships, and the CAE
entire staff.
must be equally open and
The audit committee also should demonstrate support for the internal audit staff. clear with the audit committee
While there always will be a natural contention between internal audit and about ways to enhance or
executive management, the audit committee should convey clearly that internal
improve its support of internal
audit’s role is critical to good governance. No member of the audit team should
ever be penalized (in their career or otherwise) for asking the tough questions or
audit activities.
approaching a sensitive topic in an audit.
Conclusion
The relationship between the audit committee and internal audit is critical to good governance. An open relationship that
pushes to improve communication and performance helps build an effective and efficient internal audit activity that is best
positioned to help the organization reach its goals. But it requires the commitment of both parties to build that relationship into a
trusting and dynamic partnership.
About Position Papers
The IIA promulgates Position Papers on key issues of interest to stakeholders and practitioners with the aim of advocating for sound governance and educating
those involved in it. The positions outlined offer insights into various aspects of the governance process and internal audit’s vital role in improving governance at all
levels and adding value to the organization. Position Papers are developed and reviewed through a rigorous process that solicits input and critique from practicing
internal audit professionals and other IIA volunteers who serve on The IIA’s Global Advocacy Committee, IIA Standards Board, and The IIA’s Professional
Responsibility and Ethics Committee.
About The IIA
The IIA is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications. Established in 1941,
The IIA today serves more than 190,000 members from more than 170 countries and territories. The IIA’s global headquarters are in Lake Mary, Fla. For more
information, visit www.globaliia.org.
Disclaimer
The IIA publishes this document for informational and educational purposes. This material is not intended to provide definitive answers to specific individual
circumstances and as such is only intended to be used as a guide. The IIA recommends seeking independent expert advice relating directly to any specific
situation. The IIA accepts no responsibility for anyone placing sole reliance on this material.
Copyright
Copyright © 2019 by The Institute of Internal Auditors, Inc. All rights reserved.
January 2019
Global Headquarters
The Institute of Internal Auditors
1035 Greenwood Blvd., Suite 401
Lake Mary, FL 32746, USA
Phone: +1-407-937-1111
Fax: +1-407-937-1101
www.globaliia.org
