The critical role of the audit committee for internal audit oversight

Highlights, best practices, and challenges for audit committee oversight on internal audit and how it can impact operations when done right

The role of internal audit (IA) in any organization is a vitally important one. In the complex landscape of modern business, effective governance structures which include internal audit are especially crucial to guide ethical, transparent, and compliant operations.

Establishing independence and objectivity is a primary undertaking for internal auditors and the audit committee’s role is to support IA to deliver value and insights in a constructive and practical way.

But how should IA and audit committees operate in tandem? Here are a few guiding principles that can ensure a smooth process while maintaining the highest levels of professionalism and responsibility.

Internal Audit Charter

In his three-part book series “The Handbook of Board Governance”, Dr. Richard Leblanc, the keynote speaker of a 2023 event hosted by the Institute of Internal Auditors and the Institute of Corporate Directors in Saskatchewan, outlines the importance of an established IA charter.

There are several specific requirements an IA charter should have, as it relates to the function of audit committees. Here are a few of these requirements, among many others:

• Purpose
  • The purpose of internal audit is to provide reasonable assurance to the audit committee – among other groups, including the president and CEO – in achieving internal control effectiveness over material business risks. This will come in the form of independent and objective analyses, appraisals, reports, and recommendations.
• Authority
  • The authority of the audit committee should include annual approval of the independence, mandate, resources, work plans, and budget of IA within the organization. The audit committee is also responsible for appointment and removal, performance reviews, compensation, and succession of the head of IA (Chief Audit Executive).
  • Any audit committee meetings should be attended by IA and both parties should participate in an in-camera session without the presence of management.
• Accountability of audit committee
  • The audit committee is responsible for appointing the head of internal audit, setting objectives and appraising their performance, and only the audit committee can remove the individual from that post. The chair of the audit committee is also responsible for approving the IA head’s remuneration to the human resources committee.
• Reporting
  • The audit committee should review and discuss reports produced by IA and raise any concerns of findings and management’s response to those findings.
  • The annual plan should be presented to the audit committee at the beginning of each year for approval. In addition, a written report on IA’s scope, activities, and findings should be presented to and approved by the audit committee quarterly.
  • Internal control weakness and unresolved issues must be presented by the head of IA to the audit committee at least semi-annually to ensure risks can be reviewed and appropriate action taken.

Independence of IA

When it comes to IA independence, the role the audit committee is critical to demonstrate good governance.

For example, in-camera meetings between IA and the audit committee should not have any management present and diversity of skillset and experience within the committee is encouraged to prevent groupthink.

Internal audit can provide advisory and consulting services to management to improve risk management, governance, and other control processes, as long as they are not assuming any kind of management responsibility or function in doing so.

Assessing the effectiveness of IA

To help audit committees operate efficiently and effectively, Dr. Leblanc outlines the following areas for the committee to assess as part of a holistic approach to assessing IA:

• Accountability
• Anti-fraud
• Budget
• Charter
• Compensation
• Competencies, skills
• Conflict resolution
• Coordination, coverage
• Communication
• Ethical standards
• Financial
• Independence
• Project management
• Professional development
• Quality assurance
• Recommendations
• Reporting protocols
• Resources, staffing
• Strategic
• Succession planning
• Technical acumen
• Work plan

The five main elements for success for IA working with the audit committee

• Independence/ objectivity
  • Internal auditors must operate with impartiality, free from undue influence, to provide unbiased assessments of an organization's operations. The audit committee plays a pivotal role in safeguarding this independence by championing a culture that encourages open communication and shields internal auditors from external pressures.
• Organizational structure
  • A well-defined and strategically aligned structure ensures that IA processes are streamlined and can adapt to the organization's evolving needs. The audit committee collaborates with the IA function to establish a structure that facilitates efficient communication, delineates reporting lines, and promotes agility in responding to emerging risks, while ensuring IA is positioned at an appropriate level of authority within the organization.
• Adequate resources
  • The audit committee plays a crucial role in advocating for and allocating the necessary resources to empower IA. This includes financial resources, personnel, and other tools needed to develop an effective IA function.
• Management support
  • The audit committee collaborates with organizational leadership to cultivate a supportive environment for IA initiatives. Management support involves recognizing the value of IA findings, acting upon recommendations, and integrating IA insights into strategic decision-making. The audit committee serves as the principal liaison.
• Accountability and performance in accordance with charter
  • A well-defined charter serves as a guiding document for IA, outlining its purpose, responsibilities, and scope of work. The audit committee plays a key role in holding IA accountable for adhering to the charter and delivering on its objectives. Regular evaluations and assessments, conducted in collaboration with the audit committee, ensure that the IA function is aligned with organizational goals.

Resources and compensation

Compensation for the Chief Audit Executive (CAE)

Audit committee chairs might be well advised to consider structuring the compensation of the CAE differently than that of other executive management. Performance objectives might include metrics on the performance of the IA team relative to the resources devoted to it and their alignment with organizational goals.

It’s important to keep in mind here that audit committees should consider the need for a different CAE pay structure while guarding against the risk of alienating IA from the rest of the organization. This could lead to problems if internal audit was seen as being rewarded for actions that lead to others receiving lower compensation.

Execution challenges and opportunities

There will inevitably be challenges for an organization when it comes to installing and operating the IA function. It is not uncommon for management to anticipate IA will act in one way only to be surprised and disappointed when they do not. Rest assured; this means that IA is working correctly. There needs to be a healthy level of tension between internal audit and management.

Here are a few challenges an organization might encounter:

• Misalignment of objectives: Management may have specific expectations from IA that do not align with the broader objectives of the organization or the intended purpose of IA.
• Resource constraints: Both in terms of personnel and technology, limited resources can pose challenges. Management or audit committee expectations may not always be feasible with the existing resource allocation.
• Resistance to change: There may be resistance in adopting recommendations made by IA, especially if they require significant changes in processes or operations.

There are also several opportunities that can be realized with an effective and high-functioning IA team:

• Strategic alignment: Appropriate collaboration between IA, the audit committee, and management provides numerous opportunities to align IA objectives with strategic organizational goals.
• Enhanced communication: Effective communication channels between IA, the audit committee, and management fosters transparency and a shared understanding of expectations.
• Culture of improvement: Management’s engagement with IA recommendations provides opportunities to cultivate a culture of continuous improvement within the organization.
• Increased stakeholder confidence: When management actively supports and values the contributions of IA, stakeholders gain confidence in the organization’s commitment to strong governance and risk management practices.
• Balanced independence: The audit committee can play a crucial role in ensuring that while IA collaborates with management, it maintains its independence and objectivity.

To learn more about what a properly functioning internal audit team looks like, and how audit committees contribute to that effectiveness, contact Robert Kuling, Partner, Enterprise Risk Services, at or Richard Arthurs, Partner, National Leader – Internal Audit, Enterprise Risk Services.