5 Ways Internal Audit Can Improve Relations With the C-Suite

Michael P. Cangemi is a former CAE, CFO & CEO and Senior Fellow and Advisory Board Member of the Rutgers Continuous Auditing and Reporting Lab.


As business ecosystems grow more complex – driven in large part by expanded use of technology – risk continues to grow in complexity. As a result, internal audit’s role in the organization becomes even more critical.


A well-organized and effectively operated internal audit function is essential to a well-balanced system of internal control. To optimize the IA function, we need a smooth interface between it and the Board’s Audit Committee. However, for internal audit leaders, many challenges arise when interacting with C-Suite management as well as audit committee directors who provide oversight and support.


The CAE is part of the senior management team. But are they independent? They report to the Board, but what does this mean in actual real-life interactions? I shared my thoughts and real-life experiences in a recent CaseWare Webinar and what follows are some highlights.


I learned auditing in public accounting and was hired away from Ernst and Young to lead Internal Audit at a large Fortune 500 company. I was interviewed by almost everyone in senior management and they all impressed on me their importance within the company.


At the time, the C-Suite perceived their internal audit function as ineffective. Some organizations still lack a basic structured internal audit process. I was to report to the Chair of the Audit Committee with a dotted line to the company Vice Chairman of the Board, who was also the CFO.


Based on these reporting relationships, the CAE is in a very powerful position. But how they are perceived by others in senior management – divisional presidents, for example – can be critically important. These are very difficult job relationships to manage: You serve as part of management, but you also need to provide independent assessments of the team you are a part of.


Here’s what I did to ensure relations between internal audit and the executive were effective and mutually beneficial:


1. Establish a broad audit charter that goes beyond IA


One of the first things I tackled was creating a broad audit charter with very defined audit policies and operating procedures. Critically, I ensured the charter was very broad in scope and not limited simply to internal control. As a result, we looked for more than internal control weaknesses; we sought to discover things that improve the company’s internal controls as well as business processes.


2. Define structured processes


As I suggested above, companies sometimes lack structured internal audit procedures and processes, and the situation I was dealing with was no different. Define and document every process, procedure, and policy and ensure your entire audit team is on board. It sounds simple, but you’d be amazed at how often it is overlooked.


3. Focus on positive deliverables


In this field, we’re used to uncovering findings that are generally negative, and that can sometimes paint our profession, our processes, and our people unfavourably. In cultivating better relations with the C-Suite, it is important to communicate positive accomplishments. For me, one positive was our people – my people became one of my positive deliverables, and I ensured IA staff were developed, valued, transferred, and promoted according to their strengths. As you define the deliverables you will present to the executive team, think about the positive things you can share.


4. Lobby hard for tech


In this day in age, audit technology is not just a nice to have – it’s essential to stay competitive. And as I discussed in my recent webinar, it’s one thing to have it and another thing to use it effectively. In my career, I have had to lobby persistently for technological solutions to help automate many aspects of the auditing process. It’s remarkable to me that technology is so well suited to the audit profession, yet the internal audit function can be slow to adopt solutions like advanced data analytics tools that can really take their game to the next level. In my journey, I have implemented automated auditing wherever applicable and lobbied for more tech solutions in operations and finance for business process improvements, to great effect. Every IA function needs audit technology. It’s that simple.


5. Establish and retain independence


For me, independence as a state of mind is very important. When I had to make difficult calls, I would do it, and I would take the heat accordingly. However, I gained the respect of senior managers and we were all able to work together to improve the organization. In the end our Board and C-Level managers recommended our IA approach and offered to arrange discussions with me, to their colleagues outside the company.


Some tactics in all this included:


  • Maintaining a close relationship with the Chair of the Audit Committee (who only wanted to meet privately the day before an AC meeting).
  • Always addressing audit and operational improvement concerns directly to senior mangers involved.
  • Establishing the goal of making the IA function better and not about catching and embarrassing people.
  • Quickly resolving problems, and then toning down the audit reports. Later I would confirm my accomplishments discretely to the AC Chair and the CEO.


Advancing tech in a well-controlled process was a ticket to a successful IA function and the C-Suite. As CAE I was invited to join the company’s IT steering committee and eventually became the chair. Later in my career, I wrote a book called Managing the Audit Function and moved on to become the company’s CIO and later a CFO and CEO.


Learn more about the delicate yet often interesting relationship between the IA function and the C-Suite in my recent CaseWare webinar presentation with Brian Element for more.


Michael P. Cangemi is a former CAE, CFO & CEO and Senior Fellow and Advisory Board Member of the Rutgers Continuous Auditing and Reporting Lab.


Note: The opinions expressed in this article are solely those of the author.