Position paper: The functional relationship between audit committee chairs and chief audit executives
May 2020
The chair of the audit committee is responsible for the line management, appointment/removal, remuneration and performance management of the chief audit executive (CAE). This is to ensure the independence and objectivity of the CAE, which are crucial elements to the effective delivery of internal audit activities.
In its review of the work of internal audit, the audit committee:
- Ensures that the CAE has direct access to the board chairman and to the audit committee and is accountable to the audit committee.
- Ensures that internal audit is appropriately tasked and resourced and has sufficient authority and standing to carry out its tasks effectively.
- Reviews and assesses the annual internal audit work plan.
- Receives a periodic report on the results of the internal auditors’ work.
- Reviews and monitors management’s responsiveness to the internal auditor’s findings and recommendations.
- Meets with the CAE at least once a year without the presence of management; and
- Monitors and assesses the quality and effectiveness of internal audit, and its role in the overall context of the company’s risk management system.
Independence and objectivity
Independence and objectivity are key principles for the internal audit function and audit committees/boards should manage the internal audit functions in ways that preserve and enhance these principles. The IIA Global Standard 1100 on independence and objectivity states:
“The internal audit activity must be independent, and internal auditors must be objective in performing their work.”
The interpretation of the Standard explains:
“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner” and “Objectivity is an unbiased mental attitude that allows internal auditors to perform managements in such a manner that they believe in their work product and that no quality compromises are made.”
The interpretation of Standard 1110 on organisational independence then states:
“Organizational independence is effectively achieved when the chief audit executive reports functionally to the board[1]. Examples of functional reporting to the board involve the board…Approving decisions regarding the appointment and removal of the chief audit executive; Approving the remuneration of the chief audit executive.”
The appointment and removal of the CAE
Further to the IIA Global Standards, the Chartered IIA’s Financial Services Code “Guidance on effective internal audit in the financial services sector” and Internal Audit Code of Practice “Guidance on effective internal audit in the private and third sectors” recommend that:
“The audit committee should be responsible for appointing the chief internal auditor and removing him/her from post”.
The line management of the CAE
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“The primary reporting line for the chief internal auditor should be to the chair of the audit committee."
The Codes also recommend that if there is a secondary reporting line, it should be to the Chief Executive Officer in order to preserve independence from any particular business area or function and to establish the standing of internal audit alongside the executive committee members.
According to most of the audit committee chairs we interviewed as part of research on the impact and implementation of the Financial Service Code that we published in March 2020, in practice the relationship between the audit committee chairs and the CAEs is a dynamic one. They communicate frequently via emails, video calls and face-to-face meetings. However, as non-executive directors, they only work a certain number of days, so it’s not a standard line management relationship. For example, the CAEs will not usually go to their audit committee chairs for day-to-day tactical decisions, but if they have any particular concerns (e.g. if working on an audit that is going to identify significant governance, risk management or control issues), they will contact their audit committee chair directly to discuss on an ad hoc basis and also to ensure that there are no surprises at the audit committee meeting.
The CAE usually meets, at least annually, in private with the members of the audit committee without the officers of the organisation present. This allows the CAE and the audit committee to discuss confidential matters such as the engagement with internal audit by senior management.
The management of the performance of the CAE
As part of the line management of the CAE, the audit committee chair is responsible for the management of the performance of the CAE. This is translated by a yearly appraisal of the CAE, as well as the review of the independence and objectivity of the CAE every seven years.
Monitoring the performance of the CAE is important because, if something goes wrong, the CAE will be able to demonstrate that their performance was reviewed and conformed with good practices as set by the Codes. Such regular monitoring is particularly important in times of crisis either organisational crisis or global crisis such as the COVID-19 pandemic. At such times, the role of the CAE may change with requirements from the audit committee to undertake specific engagements to provide additional assurance (e.g. in times of a merger or acquisition the CAE may be required to provide an assurance regarding due diligence).
Yearly appraisal of the CAE
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“The chair of the audit committee should be accountable for setting the objectives of the chief internal auditor and appraising his/her performance at least annually. […] This appraisal should consider the independence, objectivity and tenure of the chief internal auditor.”
In practice, the evaluation of the CAE’s performance should include criteria pertaining to the CAE’s attributes and skills. Also, as recommended by the IIA Global in a Practice Guide, the CAE may be required to review the criteria through a scoreboard, which should be linked to the internal audit charter and the CAE’s job description. The Practice Guide was published in 2010 but its recommendations are still relevant. The Chartered IIA UK & Ireland is currently drafting additional guidance on the yearly appraisal of the CAE and creating a template to support this requirement. These should be published later this year.
The Practice Guide explains that the CAE’s performance review should include evaluating criteria such as:
- Independence and objectivity (e.g. the CAE demonstrates objectivity in his or her actions and provides verbal and written reports that are clear, complete, and free from bias).
- Intellectual curiosity (e.g. the CAE monitors the organisation and its surroundings regularly and provides proactive audit responses to changes in the risk environment).
- Quality focused (e.g. the CAE facilitates the monitoring of quality by both continuous and periodic internal and external quality assurance initiatives and addresses performance gaps through monitored action plans), in accordance with the requirements of IA Standards 1300 series.
- Solid business, technical and process knowledge. These competencies are further described in the IIA Global’s Internal Audit Competency Framework.
- Communication and listening skills.
- People management skills.
Review of the independence and objectivity of the CAE every seven years
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“Where the tenure of the chief internal auditor exceeds seven years, the audit committee should explicitly discuss annually the chair’s assessment of the chief internal auditor’s independence and objectivity.”
The reason for this requirement is that if the CAE’s independence and objectivity has been compromised by the length of time in post. Often described as ‘going native’ it is possible that the rigour of the audit engagements may be weakened and the robustness of level of assurance provided compromised.
The remuneration of the CAE
The role of the audit committee chair
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“The chair of the audit committee should be responsible for recommending the remuneration of the chief internal auditor to the remuneration committee. The remuneration of the chief internal auditor and internal audit staff should be structured in a manner such that it avoids conflicts of interest, does not impair their independence and objectivity and should not be directly or exclusively linked to the short term performance of the organisation.”
On objectivity, the IIA Global Code of Ethics states:
“[Internal auditors] shall not accept anything that may impair or be presumed to impair their professional judgement.”
Further to this, the Chartered IIA also recommends that:
- The level of remuneration of the CAE should reflect the level at which he/she is required to operate in the organisation.
- Where variable remuneration is the norm, CAEs need not be excluded. However, appropriate criteria should be chosen that do not undermine the CAE’s independence and objectivity.
Determining the remuneration of the CAE
In considering the level of remuneration for the CAE, the Chartered IIA recommends that audit committee chairs should have regard to the level at which the CAE is required to operate in relation to others in the organisation. It should not be set lower than those in equivalent functions, notably in senior executive management. This will be particularly sensitive if the CAE position is staffed from within the organisation.
In addition, the remuneration of the CAE should form part of the conversation at the remuneration committee when they consider the remuneration of other senior managers along with the CEO.
CAEs should be remunerated according to the general principles of the organisation in which they work. Thus, where there are variable as well as fixed components to remuneration, consideration should be given to the CAE receiving a comparable package to roles at the same level, based on appropriate criteria.
Any variable remuneration component for the CAE should be decided on a basis that does not compromise internal audit’s independence or objectivity. In particular, the board should decide on a structure that does not undermine internal audit’s willingness or ability to advise on risk or make judgements based on promoting long term sustainability.
In practice, audit committee chairs may have to consider structuring the remuneration of the CAE differently to that of executive management. This may mean tying the variable component to different performance criteria to those for others, for example focusing on the performance of the internal audit team relative to the resources devoted to it or on the long-term performance of the organisation.
The audit committee chair will wish to consider the need for a different structure for the CAE’s remuneration against the risk of alienating internal audit from the rest of the organisation, possibly undermining its ability to recruit the best people or perform its roles effectively. This would be particularly sensitive if internal auditors were seen as being rewarded for actions that lead to others receiving a lower variable component.
Nevertheless, provided the remuneration process for internal audit is perceived as rational and fair, and appraisal is carried out at board or audit committee level, a different remuneration structure for internal audit could be presented positively as helping promote the right corporate culture.
Appendix
The Chartered IIA’s report on the impact and implementation of the Financial Services Code (2020)
The IIA Global Standards (2017)
The IIA Global Code of Ethics (2009)
The IIA Global Internal Audit Competency Framework
[1] The term ‘board’ includes all supervisory committees including the audit committee.
