Chief audit executive

The chief audit executive (CAE), director of audit, director of internal audit, auditor general, or controller general is a high-level independent corporate executive with overall responsibility for internal audit.

Publicly traded corporations typically have an internal audit department, [1] led by a chief audit executive ("CAE") who reports functionally to the audit committee of the board of directors, with administrative reporting to the chief executive officer.

The profession is unregulated, though there are a number of international standard-setting bodies, one example of which is the Institute of Internal Auditors ("IIA"). The IIA has established Standards for the Professional Practice of Internal Auditing [2] and has over 150,000 members representing 165 countries, including approximately 65,000 Certified Internal Auditors. [3]

The CAE is intrinsically an independent function; otherwise it may become dysfunctional and of low quality (though there are many degrees in the level of independence and efficiency). The CAE function exists only to constitute a third level of control in the organisation, which must be independent from the first level of control (the first level belongs to the management of an organisation, which is responsible in the first instance for acting in compliance with the organisation’s rules) and from the second level (the supporting units, i.e. legal, HR, the risk function, financial control, etc.). Effective independence results both from the attitude of the CAE and from the prerogatives and guarantees conceded by the organisation or given by the organisation’s principals (e.g., the board of directors or audit committee).

Because the CAE understands risks and controls, company strategy and the regulatory environment, the CAE may assume additional organizational responsibilities beyond traditional internal auditing. [4]

Independent attitude

The CAE should be independent in the performance of their duties, so that they can carry out their work freely, without admitting interference, and as objectively as possible. Independence permits them to render impartial and unbiased judgements, which are essential to the proper evaluation of management and controls. It also allows them to view financial actions, procedures and decisions in a detached way. This is of particular importance when providing objective assurance about the internal control framework.

Organizational independence

To perform their role effectively, CAEs require organizational independence from management, to enable unrestricted evaluation of management activities and personnel. This can be analysed under the points below:

All the elements below should be granted to the CAE in the basic rules of the organisation, or stated in the charter of audit approved by the audit committee and promulgated in the organization (IIA Standard 1110 Organizational Independence, and standard 1000C1).

Independent function: no conflict of interest allowed

Even though the CAE may be formally part of the management structure of the organisation (among the “chief executives”), they do not participate in any management decision process or accept any responsibility in the execution of company activities.

CAEs may advise management (and must do so on matters of compliance, risk management and internal controls) and the board of directors (or similar oversight body) regarding how to better execute their responsibilities. But they remain independent of the activities they observe or audit.

Hierarchical independence

The primary customer of the internal audit activity is the entity charged with oversight of management's activities. This is typically the audit committee, a sub-committee of the board of directors. To provide hierarchical independence, most chief audit executives report to the chairperson of the audit committee as to the performance of their duties.

The definition (and regular revision) of the scope of the function should be agreed between the CAE and the audit committee. The internal audit’s annual work plan, which for practical reasons must be discussed with the auditees, is subject to the sole approval of the audit committee, board of directors, or other appropriate governing authority (IIA Standard 1110 Organizational Independence).

The internal rules and practices of the directorate of internal audit (the audit manual) are the responsibility of the CAE.

Independent status

The independence of the CAE in the performance of their duties should be guaranteed in the staff rules. The audit committee should have sole competence for the final decision on the appointment and dismissal of the CAE, and for their remuneration, activity appraisal and career advancement.

The CAE is liable to disciplinary action, but only with the concurrence of the audit committee. This could happen if they are negligent in the performance of their duties.

Independent communication right

The CAE reports directly to the audit committee and the board. There should be a report from the CAE to each ordinary audit committee meeting and, if deemed necessary, to the board. Such reports should be addressed directly to the chairman of the audit committee, with a parallel copy to the director-general.

However, in the performance of their daily work the CAE communicates and liaises with the director-general and the staff of the organisation.

Independent budgeting

Although CAEs and internal auditors are paid by the company, the human resource budget of the directorate of internal audit, in particular, should be protected from interference by the audited organisation. The typical risk is that an audit budget subject to the approval of the director of HR and of the director-general becomes a source of potential interference, or of friendly pressure on the CAE to self-limit the critical exercise of an independent viewpoint. An appeal to the board, even where expressly provided for as part of the CAE's communication right, is often ineffective against short-term imposed constraints, given the time constraints of the budget process. The best practice is that the audit committee's opinion is required on the CAE’s draft budget, well in advance of the organisation's normal budgeting process.

Access to information

Information is of key importance to organize, prepare and perform internal audits. Independent auditors are generally granted full access to any and all information they require to discharge their responsibilities. Reasonable restrictions would be limited to things such as personal information in personnel records such as health information. Unduly restricted access to information is a major impediment to an independent auditor and indicates that an organization is not truly supportive of the auditor's mandate and its commitment to sound governance should be questioned.

Typical duties

Status, strategy and organisation of the internal audit department

Management and supervision of the internal audit activity

Ensure that internal auditors have appropriate professional qualifications and skills, and opportunities for sufficient training and development to maintain and develop their internal auditing competence and to obtain Certified Internal Auditor certification.

Quality management

The CAE is responsible for assuring that appropriate engagement supervision is provided. Supervision is a process that begins with planning and continues throughout the examination, evaluation, communication, and follow-up phases of the engagement.

NB: Generally accepted auditing standards and International Standards on Auditing are external audit standards.

Reporting of critical findings

Inform the audit committee without delay of any issue of risk, control or management practice that may be of significance. The chief audit executive (CAE) reports the most critical issues to the audit committee quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure that the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. Selecting appropriate issues for the audit committee's attention, and describing them in the proper context, is a matter of considerable judgement.

Survey results

Various consulting and public accounting firms perform research on audit committees, to provide benchmarking data. [5] [6] Some results are identified below:

See also

External audit

References

  1. "Unexpected Error". Archived from the original on 2014-02-21. Retrieved 2014-02-03.
  2. "Pages - Guidance Topics". www.theiia.org. Archived from the original on 2010-07-22. Retrieved 2010-04-11.
  3. "The Institute of Internal Auditors". www.theiia.org.
  4. Christ, Margaret; Ricci, Michael (2015). The Evolving Role of the CAE: Taking on Compliance and ERM. Institute of Internal Auditors Research Foundation. Archived from the original on May 7, 2016. Retrieved June 19, 2017.
  5. KPMG AC Survey 2007
  6. "KPMG AC Study 2008" (PDF). Archived from the original (PDF) on 2008-12-07. Retrieved 2010-04-11.