Staying attuned to the company’s changing risk profile has put a premium on internal audit being in sync with the audit committee.
Understanding a company’s strategic and operational risks in an increasingly complex business environment is both a top priority and a top challenge—and internal audit has a vital role to play. Staying attuned to the company’s changing risk profile—including its control environment, culture, and crisis readiness—has put a premium on internal audit being in sync with the audit committee.
This year alone, major shifts in the regulatory and business landscape are demanding more agility from internal audit. New cybersecurity disclosure rules for public companies have arrived, and final climate disclosure rules and proposed human capital management disclosure rules could follow shortly. The use of and experimentation with artificial intelligence are becoming pervasive as well.
The chief audit executive (CAE) can help audit committees monitor these trends, understand what’s happening at every level of the company (as the committee’s eyes and ears), and connect the dots.
As panel members suggested during the KPMG Audit Committee Leadership Forum in June, keys to the CAE’s value-add to the audit committee include the following:
“Internal control is a team sport,” said one audit committee chair at a recent KPMG-sponsored event. “As an audit committee, you have to have a CAE whom you can rely on, who is agile, and who can adjust to changes in both reporting expectations and the risk environment.”
Given the increasingly complex risk environment and the intense focus of regulators, investors, and other stakeholders, the audit committee should closely monitor internal audit’s risk assessment process and its development of the audit plan. The committee should ask, for example, the following questions:
Currently, CAEs view cyber, information technology, and sustainability risks at opposite ends of the risk spectrum in terms of the time and attention that internal audit devotes to them. According to the 2023 North American Pulse of Internal Audit, from the Institute of Internal Auditors, 78 percent of internal audit professionals viewed cybersecurity as a high or very high risk, with 57 percent responding the same for broader technology issues. By comparison, only 9 percent said the risk level for the range of sustainability risks was high or very high.
While climate and sustainability may be a long-tail or distant risk for some companies (and nearer for others), new regulatory mandates for climate disclosures both in the United States and globally—as well as cybersecurity, human capital management, and other sustainability disclosures—will require an increased focus by internal audit.
“The chief audit executive needs to be comfortable with a risk environment that is rapidly changing,” said another audit committee chair. “When significant shifts are needed in the audit plan—for example, with new disclosure requirements—flexibility is key.”
This article originally appeared in the Fall 2023 issue of NACD Directorship magazine.