Resume Internal Audit and Enterprise Governance


CHAPTER 23

“INTERNAL AUDIT AND ENTERPRISE GOVERNANCE”

A. Role of the Audit Committee


Audit committees have expanded responsibilities and internal audit has a greater
responsibility to best serve its audit committee. Although an audit committee typically has
regular contacts primarily with the CAE, all internal auditors should have an understanding of
this very important relationship. We discuss heightened audit committee responsibilities and how
internal audit can better work with an audit committee under SOx rules.

B. Audit Committee Organization and Charters


An audit committee is an operating component of the board of directors with
responsibility for internal controls and financial reporting oversight. Because of this oversight
responsibility, audit committee members must be independent directors with no connection to
enterprise management.
The purpose of a board audit committee charter is to define the audit committee’s responsibilities
regarding:
- Identification, assessment, and management of financial risks and uncertainties
- Continuous improvement of financial systems
- Integrity of financial statements and financial disclosures
- Compliance with legal and regulatory requirements
- Qualifications, independence, and performance of independent outside auditors
- Capabilities, resources, and performance of the internal audit department
- Full and open communication with and among the independent accountants, management,
internal auditors, counsel, employees, the audit committee, and the board
Formats vary from one enterprise to another, but audit committee charters generally include:
1. Purpose and power of audit committee
2. Audit committee composition
3. Meetings schedule
4. Audit committee procedures
5. Audit committee primary activities
a. Corporate governance
b. Public reporting
c. Independent accountants
d. Audits and accounting
e. Other activities
6. Discretionary activities
a. Independent accountants
b. Internal audits
c. Accounting
d. Controls and systems
e. Public reporting
f. Compliance oversight responsibilities
g. Risk assessments
h. Financial oversight responsibilities
i. Employee benefit plans investment fiduciary responsibilities
7. Audit committee limitations

C. Audit Committee Responsibilities for Internal Audit


These charters are often very specific regarding relationships with internal audit and
typically require the audit committee to:
- Review the resources, plans, activities, staffing, and organizational structure of internal audit.
These areas are discussed in Chapters 12 and 13.
- Review the appointment, performance, and replacement of the CAE.
- Review all audits and reports prepared by internal audit together with management’s response.
Audit reports and communications are discussed in Chapter 17.
- Review with management, the CAE, and the independent accountants the adequacy of financial
reporting and internal control systems. The review should include the scope and results of the
internal audit program and the cooperation afforded or limitations, if any, imposed by
management on the conduct of the internal audit program.
Even when internal audit generates a large number of audit reports, such as for a retail
enterprise with audits of many smaller store units that often have few significant findings, the
audit committee should receive detailed information on all audits performed. Summary reports
can be provided, but complete reports for all audits must be provided as well.
(a) Appointment of the Chief Audit Executive
The overall issue here is that the audit committee has the ability to hire or fire the
CAE, but there must be an ongoing level of cooperation. The audit committee generally is
not on-site on a daily basis to provide detailed internal audit supervision and must rely on
management for some detailed support. The CAE or any member of internal audit cannot just
ignore an appropriate management request by claiming he or she reports only to the audit
committee and is not responsible to enterprise line management. Similarly, enterprise
management must make certain that internal audit is part of the enterprise, not some almost
outsider.
(b) Approval of Internal Audit Charter
It is here that the mission of internal audit must clearly provide for service to the audit
committee as well as to senior management. An internal audit charter is a broad but
general document that defines the responsibilities of internal audit within the enterprise,
describes the standards followed, and defines the relationship between the audit
committee and internal audit. The latter point is particularly important as it sends a
special message to senior management that the CAE can go to a higher authority—the
audit committee—in the event of a significant controversy or internal controls issue.
(c) Approval of Internal Audit Plans and Budgets
Ideally, the audit committee should have developed an overall understanding of the total
internal audit needs of the enterprise. This high-level appraisal covers various special
control and financial-reporting issues, allowing the audit committee to determine the
portion of audit or risk assessment needs to be performed by either internal audit or other
providers.
(d) Audit Committee Review and Action on Significant Audit Findings
An audit committee’s most important responsibility is to review and take action on
significant audit findings reported to it by the internal and external auditors, management,
and others.

D. Audit Committee and Its External Auditors

The audit committee has a major responsibility for hiring the external audit firm,
approving its proposed budget and audit plan, and releasing the audited financial statements. SOx
requires that the audit committee approve all external audit services, including comfort letters, as
well as any nonaudit services provided by the external auditors. External auditors are still
allowed to provide tax services as well as certain de minimis service exceptions, but they are
prohibited from providing these nonaudit services contemporaneously with their financial
statement audits:
- Bookkeeping and other services related to the accounting records or financial statements of the
audit client
- Financial information technology design and implementation
- Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
- Internal audit outsourcing services
- Management function or human resource support activities
- Broker or dealer, investment advisor, or investment banking services
- Legal services and other expert services unrelated to the audit
- Any other services that the Public Company Accounting Oversight Board determines to be not
permitted

E. Whistleblower Programs and Codes of Conduct


The CAE as well as the legal counsel often are the only non-CEO and CFO links between
the audit committee and the corporation. Internal audit should offer its services to the audit
committee—often to the designated financial expert—to establish documentation and
communication procedures in these areas:
- Documentation logging whistleblower calls.
SOx mandates that the audit committee establish a formal whistleblower program where
employees can raise their concerns regarding improper audit and controls matters with no fear of
retribution. A larger enterprise may already have an ethics function, as discussed in Chapter 24,
where these matters can be handled in a secure manner. When a smaller enterprise does not have
such a resource, internal audit should offer its facilities to log in such whistleblower
communications, recording the date, time, and name of the caller for investigation and
disposition. With a heritage of handling secure internal audit reports, internal audit is often the
best resource in an enterprise to handle such matters. In all instances, SOx gives the audit
committee the responsibility for launching and administering such a whistleblower program.
- Disposition of whistleblower matters.
Even more important than logging in initial whistleblower calls, documentation must be
maintained to record the nature of any follow-up investigations and related dispositions.
Although the SOx-mandated whistleblower program does not have any cash reward program,
complete documentation covering actions taken as well as any net savings should be maintained.
Again, with its tradition of handling confidential matters, internal audit should offer to provide
secure, confidential services here. This can be a very important activity. Reporting employees
can bring legal action against the corporation if the information they report was leaked and the
whistleblowers were retaliated against.
- Codes of ethics.
SOx makes the audit committee responsible for implementing a code of ethics or
conduct for a corporation’s senior officers (CEO and CFO). The audit committee must outline
a set of rules for proper conduct and have these senior officers acknowledge that they have read
and understand and agree to abide by them. Chapter 24 discusses these ethics and whistleblower
programs. Internal audit should play a leading role in helping the audit committee to implement
these programs, not just for a limited set of senior officers but for the entire enterprise.

F. Other Audit Committee Roles


The audit committee and certainly its designated financial expert now have a whole series
of new responsibilities. Internal audit is an excellent source to help audit committee members to
fulfill their SOx-related responsibilities through close communications as well as by offering to
take on certain audit committee documentation tasks. The broad acceleration of social
expectations, their impact on the areas of enterprise responsibility, and the related growth of
audit committees have generated new needs for the enterprise. As a result, new and expanding
requirements for internal audit services constitute both challenges and opportunities. SOx has
changed much here, and the modern internal auditor should be aware of this expanded level of
audit committee importance. Internal auditors should both understand these SOx-mandated
service needs and actively serve and work with their audit committees as part of an overall
objective to provide maximum service to the enterprise.
