This issue of BoardroomDirect covers the fraud risk management expectation gap between internal audit and company stakeholders, which includes empowering the chief audit executive.
An audit committee can play a critical role in helping its company's chief audit executive achieve better alignment with management and the board, especially when it comes to mitigating important risks.
This role has become even more important as certain company stakeholders have elevated expectations about the ability of boards to reduce or eliminate one of the most critical risks -- fraud. These expectations can be so lofty that there is inevitably a gap between them and what a company can achieve. In reality, it is impossible for a company to completely eliminate the risk of fraud.
If a chief audit executive (CAE) wants to help close this gap by enhancing the company's fraud prevention, internal audit (IA) should ensure it is doing everything it can to maximize its credibility and brand across the enterprise and in the boardroom, according to Don Keller, a partner with PwC's Center for Board Governance.
Last month Keller told a gathering of internal audit professionals about ways in which the audit committee can leverage internal audit to narrow the fraud prevention expectation gap. He emphasized how important it is for internal audit to get visible support from the audit committee.
"Without empowerment from the audit committee and C-suite, internal auditors can have a very difficult job," he said. "Publicly recognizing the CAE as part of a leadership team is one way to empower the internal audit group and enhance its brand."
The internal auditor also can be empowered if the audit committee acts on its behalf.
"If the audit committee intervenes when management fails to respond to the recommendations of internal audit," Keller said, "it sends a strong message about the importance of the role of that department."
It is also helpful for the CAE if the audit committee chair maintains an informal relationship with the CAE outside formal meetings.
A recent PwC study confirms that there is a large gap between the perceptions of internal auditors, audit committee chairs, board members, and senior management regarding how their companies manage fraud and ethical risks.
The PwC 2012 State of the internal audit profession study, Aligning internal audit: Are you on the right floor?, showed that 53% of audit committee chairs, board members and senior management thought fraud and ethics risks were well managed while only 35% of CAEs shared that sentiment.
The study, which is based on a survey of 660 certain stakeholders and 870 CAEs in 64 countries, focused on the rising importance of risk management in the internal audit profession. Some of the other risks with large differences in perception about how well they are managed are data privacy and security (58% stakeholders vs. 47% CAEs) and mergers, acquisitions and joint ventures (50% stakeholders vs. 33% CAEs).
So clearly an internal auditor has a different view as an "insider." He or she must take advantage of this perspective and leverage that knowledge to improve the company's ability to mitigate risks.
When you consider that the biennial 2012 Association of Certified Fraud Examiners Global Fraud Study released in May reports that the average company loses 5% of revenue to fraud annually, it is clear this is a risk that hits the bottom line. The role internal audit plays in detecting fraud in the workplace is still among the top three, behind only whistleblower tips and management review, the report states.
Many governance professionals have observed the phenomena related to the differing views of CAEs and stakeholders.
The differences are evident when questioning who takes responsibility for fraud deterrence and who is responsible for setting and assessing appropriate ethical culture, according to Peter Tickner, a UK-based consultant on corporate governance and fraud issues.
"Top management was convinced that one of the key roles of the chief audit executive was to deal proactively with the risks around fraud and corruption whereas generally the CAEs saw it as senior management’s problem and responsibility," Tickner said.
He made this observation when he was looking at the expectations of CAEs versus top government officials in London as part of his studies for a master's in internal audit and management at the City University Business School in London.
From what he has seen in England, Tickner believes internal auditors are becoming more "fraud savvy" yet many still view their role as "purely identification of what senior management would rather not face up to."
So how can audit committees and CAEs work together to narrow the expectation gap by better managing risks, such as fraud?
Keller suggests audit committees set up a "high bar" for CAE performance in the boardroom. He has offered up a tool that internal audit can use as its brand with the audit committee to garner and ensure its support.
"You need to be CRISP for board interaction," he said in referring to the tool. He stressed that there are relatively few hours spent in front of the audit committee each year and that CAEs should focus on enhancing the internal audit brand during these precious interactions.
CRISP describes five types of characteristics necessary for pushing the internal audit brand:
C - clear and concise, communicate and collaborate on tough issues with management;
R - ready to respond through proper preparation and rehearsal, reaching out to the audit committee and CEO informally whenever possible;
I - independent in your views, identify with your audience;
S - seize opportunities to impress, state your point of view; and
P - professional presentation skills, perspective-oriented toward the future.
There are some other actions audit committees can take, according to Keller, as discussed below.