May 2020
The chair of the audit committee is responsible for the line management, appointment/removal, remuneration and performance management of the chief audit executive (CAE). This is to ensure the independence and objectivity of the CAE, which are crucial elements to the effective delivery of internal audit activities.
In its review of the work of internal audit, the audit committee:
Independence and objectivity are key principles for the internal audit function and audit committees/boards should manage the internal audit functions in ways that preserve and enhance these principles. The IIA Global Standard 1100 on independence and objectivity states:
“The internal audit activity must be independent, and internal auditors must be objective in performing their work.”
The interpretation of the Standard explains:
“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner” and “Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made.”
The interpretation of Standard 1110 on organisational independence then states:
“Organizational independence is effectively achieved when the chief audit executive reports functionally to the board[1]. Examples of functional reporting to the board involve the board…Approving decisions regarding the appointment and removal of the chief audit executive; Approving the remuneration of the chief audit executive.”
Further to the IIA Global Standards, the Chartered IIA’s Financial Services Code “Guidance on effective internal audit in the financial services sector” and Internal Audit Code of Practice “Guidance on effective internal audit in the private and third sectors” recommend that:
“The audit committee should be responsible for appointing the chief internal auditor and removing him/her from post”.
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“The primary reporting line for the chief internal auditor should be to the chair of the audit committee.”
The Codes also recommend that if there is a secondary reporting line, it should be to the Chief Executive Officer in order to preserve independence from any particular business area or function and to establish the standing of internal audit alongside the executive committee members.
According to most of the audit committee chairs we interviewed as part of research on the impact and implementation of the Financial Services Code that we published in March 2020, in practice the relationship between the audit committee chairs and the CAEs is a dynamic one. They communicate frequently via emails, video calls and face-to-face meetings. However, as non-executive directors, they only work a certain number of days, so it’s not a standard line management relationship. For example, the CAEs will not usually go to their audit committee chairs for day-to-day tactical decisions, but if they have any particular concerns (e.g. if working on an audit that is going to identify significant governance, risk management or control issues), they will contact their audit committee chair directly to discuss them on an ad hoc basis and to ensure that there are no surprises at the audit committee meeting.
The CAE usually meets, at least annually, in private with the members of the audit committee without the officers of the organisation present. This allows the CAE and the audit committee to discuss confidential matters such as the engagement with internal audit by senior management.
As part of the line management of the CAE, the audit committee chair is responsible for managing the performance of the CAE. This takes the form of a yearly appraisal of the CAE, as well as a review of the independence and objectivity of the CAE every seven years.
Monitoring the performance of the CAE is important because, if something goes wrong, the CAE will be able to demonstrate that their performance was reviewed and conformed with good practices as set by the Codes. Such regular monitoring is particularly important in times of crisis, whether an organisational crisis or a global crisis such as the COVID-19 pandemic. At such times, the role of the CAE may change, with requirements from the audit committee to undertake specific engagements to provide additional assurance (e.g. in times of a merger or acquisition the CAE may be required to provide assurance regarding due diligence).
Yearly appraisal of the CAE
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“The chair of the audit committee should be accountable for setting the objectives of the chief internal auditor and appraising his/her performance at least annually. […] This appraisal should consider the independence, objectivity and tenure of the chief internal auditor.”
In practice, the evaluation of the CAE’s performance should include criteria pertaining to the CAE’s attributes and skills. Also, as recommended by the IIA Global in a Practice Guide, the CAE may be required to review the criteria through a scoreboard, which should be linked to the internal audit charter and the CAE’s job description. The Practice Guide was published in 2010 but its recommendations are still relevant. The Chartered IIA UK & Ireland is currently drafting additional guidance on the yearly appraisal of the CAE and creating a template to support this requirement. These should be published later this year.
The Practice Guide explains that the CAE’s performance review should include evaluating criteria such as:
Review of the independence and objectivity of the CAE every seven years
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“Where the tenure of the chief internal auditor exceeds seven years, the audit committee should explicitly discuss annually the chair’s assessment of the chief internal auditor’s independence and objectivity.”
The reason for this requirement is that, if the CAE’s independence and objectivity have been compromised by the length of time in post (often described as ‘going native’), it is possible that the rigour of the audit engagements may be weakened and the robustness of the level of assurance provided compromised.
The role of the audit committee chair
The Chartered IIA’s Financial Services Code and Internal Audit Code of Practice recommend that:
“The chair of the audit committee should be responsible for recommending the remuneration of the chief internal auditor to the remuneration committee. The remuneration of the chief internal auditor and internal audit staff should be structured in a manner such that it avoids conflicts of interest, does not impair their independence and objectivity and should not be directly or exclusively linked to the short term performance of the organisation.”
On objectivity, the IIA Global Code of Ethics states:
“[Internal auditors] shall not accept anything that may impair or be presumed to impair their professional judgement.”
Further to this, the Chartered IIA also recommends that:
Determining the remuneration of the CAE
In considering the level of remuneration for the CAE, the Chartered IIA recommends that audit committee chairs should have regard to the level at which the CAE is required to operate in relation to others in the organisation. It should not be set lower than those in equivalent functions, notably in senior executive management. This will be particularly sensitive if the CAE position is staffed from within the organisation.
In addition, the remuneration of the CAE should form part of the conversation at the remuneration committee when they consider the remuneration of other senior managers along with the CEO.
CAEs should be remunerated according to the general principles of the organisation in which they work. Thus, where there are variable as well as fixed components to remuneration, consideration should be given to the CAE receiving a comparable package to roles at the same level, based on appropriate criteria.
Any variable remuneration component for the CAE should be decided on a basis that does not compromise internal audit’s independence or objectivity. In particular, the board should decide on a structure that does not undermine internal audit’s willingness or ability to advise on risk or make judgements based on promoting long term sustainability.
In practice, audit committee chairs may have to consider structuring the remuneration of the CAE differently to that of executive management. This may mean tying the variable component to different performance criteria to those for others, for example focusing on the performance of the internal audit team relative to the resources devoted to it or on the long-term performance of the organisation.
The audit committee chair will wish to consider the need for a different structure for the CAE’s remuneration against the risk of alienating internal audit from the rest of the organisation, possibly undermining its ability to recruit the best people or perform its roles effectively. This would be particularly sensitive if internal auditors were seen as being rewarded for actions that lead to others receiving a lower variable component.
Nevertheless, provided the remuneration process for internal audit is perceived as rational and fair, and appraisal is carried out at board or audit committee level, a different remuneration structure for internal audit could be presented positively as helping promote the right corporate culture.
The Chartered IIA’s report on the impact and implementation of the Financial Services Code (2020)
The IIA Global Standards (2017)
The IIA Global Code of Ethics (2009)
The IIA Global Internal Audit Competency Framework
[1] The term ‘board’ includes all supervisory committees including the audit committee.