Managing internal audit is one of the most critical functions of the audit committee. The audit committee not only oversees the internal audit function of an organization, but often recruits and hires the director of internal audit, who reports directly to the audit committee. The committee must take care to ensure the audit function’s independence from management and make decisions about how to handle whistleblower complaints and internal investigations. A best practice is to have an executive session during every audit committee meeting to allow the director of internal audit to discuss issues privately with the committee. The audit committee chairman also should have a trusting relationship with the director of internal audit that is based on open communication.
The Importance of Independence from Management
The director of internal audit must have free and open access to the board-level audit committee in order to ensure that he/she has total independence and the freedom to take whatever steps are deemed appropriate to investigate audit matters. Accordingly, the director of internal audit (DIA) reports directly to the audit committee, which is generally represented by the chairman. In fact, it works best when the audit committee assumes responsibility for recruiting and hiring the DIA. While bank management (via its human resources department) might assist in such matters, it is the audit committee that oversees the process and makes the hiring decision.
Because the audit committee chairman is not on-site on a regular basis, the DIA often reports administratively (represented by a dotted line on the organizational chart) to an executive-level bank manager. This might be the chief risk officer, the chief financial officer, the president, or the chief executive officer. The level at which the DIA reports administratively can reflect the organization’s tone regarding the importance of the internal audit function and the protection of its independence. It is therefore often recommended that the DIA report administratively to the CEO unless there is strong justification for doing otherwise. This administrative oversight might include matters such as approving vacation absences and coordinating other internal management functions. This management-led administrative oversight does not, however, extend to the performance of internal audit duties.
In the event bank management has an issue with or concern about the performance of the DIA, management should communicate such issues and concerns directly to the audit committee chairman. For example, if management observes that the DIA is not effectively managing his or her staff or that the manner in which audits are being conducted is overly confrontational and/or ineffective, management would discuss such matters with the audit committee chairman (and not with the DIA directly). The audit committee then has direct responsibility for investigating and discussing such matters with the DIA.
Management must take care to respect the DIA’s independence and not take any actions that might impair the DIA’s independent judgment. It is the audit committee’s duty to ensure this.
The DIA and the audit department staff work very closely with the audit committee, often functioning as the committee’s staff. It should be noted that this role is unchanged when some or all of the internal audit functions are outsourced to private vendors. In that event, the DIA still reports to the audit committee and he/she supervises the vendors. The audit committee is responsible for reviewing and approving all outsourced audit vendor engagements.
Now let’s talk about how this works in real life.
How to Handle Audit Meetings
Who is generally invited/present at audit committee meetings? And how might the presence of senior level bank management impact the DIA’s independence or opportunity to speak freely to members of the audit committee? How should the audit committee handle concerns raised by the DIA or by bank management?
Different boards function differently. There is no carved-in-granite rule about who should be invited to attend audit committee meetings. Often the CFO, the CEO, the chief risk officer, the chief credit officer, and/or representatives from the external audit firm are in attendance at audit committee meetings. Some banks invite management representatives from the areas that have been audited to attend the meeting when that audit is being reviewed. Who attends is not important, but it is important to make sure that whoever is in attendance does not interfere with the DIA’s independence.
To ensure that the DIA has free and open communication with the committee, the audit committee chairman should schedule an executive session at the end of each audit committee meeting. Do not wait until the end of the meeting to ask if there is anything that the DIA would like to discuss in executive session. Instead, schedule an executive session as part of the agenda for every single meeting. If there is nothing to discuss, the executive session will simply adjourn. An executive session can take place in multiple parts. First, all bank management is excused and the DIA is invited to stay with the committee. Once everyone but the DIA has been excused, the committee chairman should ask the DIA to discuss any concerns he or she has. The audit committee chairman might ask the DIA to confirm that staffing is adequate (to ensure that budgetary limitations are not resulting in inadequate staffing), or whether bank management is appropriately responding to and following up on all audit matters.
In the event that the DIA comes forward with a concern of such nature, the audit committee is then responsible for addressing those concerns and for giving direction to management. The audit committee must do so in a constructive manner, so that it does not reflect negatively on the DIA.
For example, let’s say that the DIA does not feel that he or she has adequate staff. The committee’s minutes might reflect that a discussion took place about the number of audit hours that are required to adequately address the bank’s internal audit schedule, and the committee concluded that the current staffing level is not adequate. The committee, therefore, recommends either the addition of another member to the internal audit team, or that the DIA engage an external vendor to perform portions of the internal audit work. Addressing it in that manner makes it the committee’s recommendation.
Similarly, if there are a number of open audit findings – matters that have been open for some time – and the DIA does not feel that management is taking appropriate steps to resolve them, the DIA might bring that to the committee. The committee’s minutes could reflect that a discussion took place about the large number of audit matters that appear to have been open for too long a period of time, and that the committee will discuss such concerns with the president or CEO to ensure that they are being given appropriate attention by the responsible manager. Again, addressing it in that manner makes it the committee’s recommendation.
Whistleblower issues are generally directed to the audit committee chairman and/or to the director of internal audit. When the audit committee chairman receives notice of a perceived whistleblower issue, the audit committee chairman should immediately contact the director of internal audit so that the two of them can discuss and determine how best to investigate the matter. Whistleblower matters require confidentiality and trust. When requested, care must be taken to protect and ensure the anonymity of the reporting party. When deemed appropriate, the DIA and audit committee chairman may engage external, third-party professionals to help investigate whistleblower matters.
Performance Problems – Performance Evaluation
The audit committee, generally via its chairman, completes the formal performance evaluation of the director of internal audit. The audit committee chairman may solicit input from other bank management and from other committee members, as appropriate. While the bank executive manager who supervises the DIA for administrative purposes participates in this process, it is the audit committee chairman who takes the lead. This confirms that the DIA reports directly to the audit committee.
The relationship between the director of internal audit and the chairman of the audit committee should be one of openness and trust. These two individuals, both tasked with the independent oversight of internal audit matters, must be free to communicate with one another, and they must trust one another to protect the confidentiality of such communications at all times.