What's Happening?
The practice of internal audit reporting administratively to the Chief Financial Officer (CFO) has been a subject of concern among industry experts. Despite warnings, a significant majority of publicly traded companies in the U.S. continue this arrangement, with 79% of them positioning their audit functions under the CFO. This setup is criticized for potentially steering internal audit focus towards financial controls, possibly neglecting nonfinancial risks such as cybersecurity and digital disruptions. The Institute of Internal Auditors' Pulse of Internal Audit survey highlights this trend, emphasizing the need for safeguards to maintain audit independence. Historical context shows that internal audit gained prominence post-1929 stock market crash, with legislation like the Securities Acts of 1933 and 1934, and later the Sarbanes-Oxley Act of 2002, reinforcing its role in financial reporting assurance.
Why It's Important?
The independence of internal audit is crucial for effective risk management across organizations. The current reporting structure may lead to an overemphasis on financial risks, potentially overlooking significant nonfinancial threats. This could impact investor confidence and the broader marketplace, as internal audit plays a key role in identifying and mitigating diverse risks. Ensuring audit independence is vital for maintaining comprehensive oversight and safeguarding against biases that may arise from administrative reporting to the CFO. The issue underscores the need for organizations to adapt their audit practices to address evolving risk landscapes, including cybersecurity and climate change.
What's Next?
To address these concerns, several safeguards have been proposed, including clear documentation of reporting relationships, CEO involvement in audit plan approvals, and audit committee oversight of risk assessments. These measures aim to ensure that internal audit remains unbiased and focused on a wide range of organizational risks. The Institute of Internal Auditors' new Global Internal Audit Standards also emphasize the need for annual confirmation of audit independence. As organizations continue to navigate complex risk environments, adapting audit practices to ensure comprehensive risk management will be essential.
