Thechief audit executive (CAE),director of audit,director of internal audit,auditor general, orcontroller general is a high-level independent corporateexecutive with overall responsibility forinternal audit.
Publicly tradedcorporations typically have aninternal audit[1] department, led by a chief audit executive ("CAE") who reports functionally to theaudit committee of theboard of directors, with administrative reporting to thechief executive officer.
The profession is unregulated, though there are a number ofinternational standard setting bodies, an example of which is theInstitute of Internal Auditors ("IIA"). The IIA has established Standards for the Professional Practice of Internal Auditing[2] and has over 150,000 members representing 165 countries, including approximately 65,000Certified Internal Auditors.[3]
The CAE is intrinsically an independent function; otherwise it may become dysfunctional and of low quality[citation needed] (but there are many degrees in the level of independence and efficiency). The CAE function exists only to constitute a third-level of control in the organisation, which must be independent from the first-level control (the first-level layer belongs to the management of an organisation, who is responsible in the first instance for acting in compliance with the organisation’s rules) and consecutively second-level (which are the supporting units i.e. legal, HR, risk function, financial control etc.). An effective independence is the result of both an attitude of CAE, and of prerogatives/guarantees conceded by the organisation or given by the organisation’s principals (e.g., the board of directors or audit committee).[citation needed]
Because the CAE understands risks and controls, company strategy and the regulatory environment the CAE may assume additional organizational responsibilities beyond traditional internal auditing.[4]
The CAE should be independent in the performance of their duties, so that they can carry out their work freely without admitting interference, and as objectively as possible. Independence permits them to render impartial and unbiased judgements, which are essential to the proper evaluation of management and controls. It also allows them to view the financial actions, procedures and decisions in a detached way. This may become of an importance when providing objective assurance about the internal control framework.
To perform their role effectively, CAEs requireorganizational independence frommanagement, to enable unrestrictedevaluation ofmanagement activities and personnel. This can be analysed in the different points below:
All the elements below should be granted to the CAE in the basic rules of the organisation, or stated in thecharter of auditapproved by theaudit committee and promulgated in the organization (IIA Standard 1110 Organizational Independence, and standard 1000C1).
Even though the CAE may be formally part of themanagement structure of the organisation (among the “chief executives”), they do not participate in any management decision process or accept any responsibility in the execution of company activities.
CAEs may advise management (must, when it is aboutcompliance,risk management,internal controls...) and theboard of directors (or similaroversight body) regarding how to better execute their responsibilities. But they remain independent of the activities observes or audits.
The primary customer of internal audit activity is the entity charged withoversight of management's activities. This is typically theaudit committee, a sub-committee of theboard of directors. To provide hierarchical independence, most chief audit executives report to thechairperson of the audit committee as to the performance of his/her duties.
The definition (and regular revision) of the scope of the function should be agreed between the CAE and theaudit committee. The internal audit’s annualwork plan, which for practical reasons must be discussed with the auditees, is subject to the approbation of the soleaudit committee,board of directors, or other appropriate governing authority (IIA Standard 1110 Organizational Independence).
The internal rules and practices of the directorate of internal audit (audit manual) are of the responsibility of the CAE.
The independence of the CAE in the performance of his duties should be guaranteed in the staff rules. Theaudit committee should have solecompetence for the final decision on appointment anddismissal of the CAE”, and for his remuneration, activity appraisal andcareer advancement.
The CAE is liable todisciplinary action but only with the concurrence of theaudit committee. This could happen if they are negligent in the performance of their duties.
The CAE reports directly to theaudit committee and theboard. There should be a report from the CAE to each ordinaryaudit committee meeting and if deemed necessary to the board. Such reports should be addressed directly to the chairman of theaudit committee with parallel copy to thedirector-general.
However, the CAE in the performance of his daily work communicates and liaises with thedirector-general and the staff of the organisation.
Although CAEs andinternal auditors are paid by the company, thehuman resource budget of thedirectorate of internal audit, in particular, should be protected from interference from the audited organisation. The typical risk is that the audit's budget subject to the approval ofdirector of HR and of the DG is a source of potential interference or friendly pressure to self-limit the CAE’s critic exercise of an independent viewpoint. An appeal to the board, even expressly foreseen as part of thecommunication right of the CAE, is often ineffective on short-term imposed constraints, given the time constraints of thebudget process. The best practice is that theaudit committee's opinion is required on the CAE’s draft budget, well in advance of the normalbudgeting process of the organisation.
Information is of key importance to organize, prepare and perform internal audits. Independent auditors are generally granted full access to any and all information they require to discharge their responsibilities. Reasonable restrictions would be limited to things such as personal information in personnel records such as health information. Unduly restricted access to information is a major impediment to an independent auditor and indicates that an organization is not truly supportive of the auditor's mandate and its commitment to sound governance should be questioned.
Ensure that internal auditors have appropriate professional qualifications and skills, and opportunities for sufficient training and development to maintain and develop their internal auditing competence and to obtainCertified Internal Auditorcertification.
The CAE is responsible for assuring that appropriateengagement supervision is provided.Supervision is a process begins with planning and continues throughout theexamination,evaluation, communication, andfollow-up phases of the engagement.
NB:Generally accepted auditing standards andInternational Standards on Auditing areexternal audit standards.
Inform the Audit Committee without delay of any issue of risk,control ormanagement practice that may be of significance.The chief audit executive (CAE) reports the most critical issues to theaudit committee quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgement to select appropriate issues for the audit committee's attention and to describe them in the proper context.
Variousconsulting andpublic accounting firms perform research on audit committees, to providebenchmarking data.[5][6]Some results are identified below: