With lots of variations and often duel reporting lines, CAEs must serve many masters
That structure gives internal audit more clout, but it doesn't solve the problem of the need for internal audit leaders to have complete independence to elevate concerns directly to the board. The result is a muddy, duel-reporting structure that can pull internal audit executives in different directions and create plenty of angst.
A recent study, released last month by the Internal Audit Foundation—the research unit of the Institute of Internal Auditors—finds that reporting structures for chief audit executives still vary widely from company to company and region to region. Nearly half (49 percent) of the CAEs survived said they report to the CEO on an administrative basis; more than a quarter (26 percent) report directly to the audit committee chair or in some way to the board of directors; another 15 percent report to the chief financial officer; and 10 percent to the lead counsel or other executive.
"CAEs often have dual reporting lines that are divided between administrative reporting and functional reporting," writes Larry Rittenberg, who authored the report. "Internal audit administrative reporting generally focuses on the day-today and month-to-month activities of the internal audit function. Functional reporting focuses on the ultimate responsibility of the internal audit function. That ultimate responsibility includes the approval of the audit plan and the audit budget, and the responsibility of appointing or retaining the CAE."
Elevating the position to the C-Suite and having the chief audit executive report to the CEO, as many companies have done, gives the department more influence and the proverbial "seat at the table." However, when the CAE reports to the CEO both administratively and functionally, as is likely the case at about one-fifth of respondents, the internal audit leader doesn't have a good outlet to raise concerns to the board. Since those concerns can often revolve around accounting or financial matters, having the CAE report to the CFO is probably the least ideal reporting structure.
On a functional basis, the CAE generally reports to the audit committee chair or equivalent member of the board. Indeed, 72 percent of the global CAE respondents said they reported to the audit committee on a functional basis. Another 19 percent reported functionally to the CEO, and just 9 percent reported to the CFO, legal counsel, or other non-CEO executive. Those numbers are a dramatic improvement to the pre Sarbanes-Oxley days when the CAE had little access to the audit committee or board. Retaining day-to-day reporting with the CEO keeps internal audit leaders plugged into the organization and provides some constant oversight, since board members only meet periodically and can be far removed from the day-to-day running of the company.
Still, this duel reporting structure can cause problems. Critics of it say that since the CEO holds the strings on raises and promotions, CAEs are less likely to want to rock the boat and raise matters that could cast the CEO in a poor light. In fact, the same IIA study that provided the data on reporting structures finds that audit executives often feel pressure to suppress or modify a legitimate audit finding. About a quarter of respondents say they were pressured to alter an audit report by the CEO or other executive, and some say it occurs with regularity.
Good and Bad
In North America, CAEs tend to have more access to the audit committee and the board, but are also still more likely to report administratively to a lower-level officer. A robust 80 percent of North American CAE respondents say they report functionally to the audit committee chair or board equivalent, which is the highest rate of any region, with the exception of sub-Saharan Africa. Yet, 36 percent of North American CAEs say they report administratively to the CFO, and 19 percent to the chief counsel or other non-CEO executive. Both of those figures are far above the average for other regions of the globe.