When Internal Audit Is Impotent or Absent – What Is The Board’s Role?


On August 18, 2008, Edith Orenstein’s FEI Blog reported on actions by FEI’s Task Force on Monitoring (TFM). In a comment letter filed on Aug. 15, 2008, FEI urged the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to revise the proposed description of the role of the board of directors in its Exposure Draft entitled, “Guidance on Monitoring Internal Control Systems.”

FEI seeks to clearly state the role of the Board of Directors as one of oversight, and to better distinguish the Board’s role with respect to internal control from that of management.

“Companies should endeavor to establish controls that would prevent and detect potential fraud perpetrated by senior management, all the way up to the CEO,” said the FEI TFM letter on COSO’s ED. Additionally, “In conducting its oversight role, the board should be proactive in seeking information from management, particularly on critical matters, in considering management’s assertions, and seeking information from other sources as appropriate. Importantly, the board should review all such information with requisite skepticism,” noted the FEI TFM letter.

“However,” noted FEI TFM, “the wording in COSO’s ED as currently written implies that if internal audit is not present, or even potentially in situations when it is, that the board must directly engage in ‘monitoring’ senior management in the same manner that senior management monitors other functions at the company. We do not see this as practical or as being within the bounds of the oversight role of boards.”

It seems this approach is consistent with major listing standards, such as the NYSE Listed Company Manual. Additionally, the FEI TFM had informal discussions with research staff at the National Association of Corporate Directors (NACD), citing usage from the NACD Blue Ribbon Commission series, as well as informal discussions with legal experts Marty Lipton of Wachtell, Lipton, Rosen & Katz and Ira Millstein of Weil, Gotshal & Manges LLP. They (NACD research staff, Lipton and Millstein) concurred that it would be preferable for COSO to retain use of the word ‘oversight’ to describe the role of the board within its monitoring guidance – consistent with COSO’s description of the role of the board in COSO’s 1992 framework as being ‘governance, guidance and oversight’ – vs. describing the role of the board as ‘monitoring,’ given the specificity with which ‘monitoring’ is described in this guidance.

Well, this may seem like a non-starter to you, but it sounded funny to me. In particular, I was struck by the language above that refers to the role of the Board when there is no internal audit function. I have seen situations where there is no internal audit function or when internal audit is a part of the problem (at a material weakness level) and not part of the solution.

I have written about these cases extensively. They include Sirva, Ceridian, Navistar, and now Siemens (although, as I have written, Siemens has a general culture of corruption and their auditors, lawyers and consultants are no help). The granddaddy of all conflicted, non-helpful internal audit departments is Enron. You may not realize it, but in addition to being their external auditor and chief consultant, Arthur Andersen was also Enron’s outsourced internal audit department. How convenient…

And so I thought… If there’s no internal audit function or a corrupt, ineffective or impotent one, what should the role of the Board of Directors be? Should they have to go beyond “oversight” and even monitoring and get their hands dirty if no one is reporting to them on risks, controls, and compliance with laws and regulations? Should they be required to take a more active role because without an internal audit function, a basic NYSE required control function and a key component of the internal control environment, company management is free to run wild, with impunity? Of course, the lawyers are interested in preserving the almost complete protection from legal liability, except in the most egregious cases, that Directors have.

So I asked someone who has been in the trenches, a friend of mine and former Chief Audit Executive who is now involved in a SOx whistle blower case because of these types of issues:

The question: Should the Board of Directors take a more active “management role” in ensuring internal controls are in place when there is no internal audit or it is deficient, such as in Siemens, Navistar, Ceridian, Sirva?

The answer:

Dear Francine,

More and more I’ve come to the conclusion that the current system just can’t work in those cases where senior company management may be involved in a fraud or other illegal activity and the Board of Directors have become impotent in their “oversight” and/or “monitoring” activities. 

How can this happen? Well, let’s look at the players in such a situation, their level of independence and their true motivations:

Chief Audit Executives (CAE) – Regardless of their ethics, and particularly in a poor economy, CAEs have careers to safeguard and families to feed. As a result of SOx, most CAEs officially report to the Audit Committee. However, in most cases, there is a “not so dotted” line to the CFO who, more likely than not, is responsible for the CAE’s annual performance appraisal.


If a CAE loses his/her job as the result of whistle blowing or otherwise pushing management to “do what’s right”, what opportunities are there? The corporate board community is very small. In my own case, I have eliminated almost a dozen local public companies from my job search because of direct connections between the CEOs, CFOs and/or Board Members of potential target employers and those of my previous employer. Continuing a career as a CAE in the same geographic market, or in another market where those board members reside, is unlikely.

The Big 4 – Given the immense pressure that Big 4 partners are under to produce, no Big 4 partner wants to be the one to lose a Fortune 100/500/1000 client, whether it is an audit client, tax client, or consulting client (internal audit, SOX, etc.) over a “silly thing” like internal controls.  Of course, no partner wants to be held accountable for a re-statement, so firms have been more willing to put their foot down in this arena post-SOx.

The Audit Committee and the Board – Board member oversight usually consists of 4-10 meetings per year with management to review rehearsed, often sanitized, presentations prepared by management to accomplish two things: a) to get Board approval for any items requiring Board approval; and b) to keep the board happy and not “rock the boat” or upset the board in any way. In addition, the Board meets with the external auditors (Big 4 partners from above), and the CAE (above).

Over the past few years various changes in the environment post-Enron have increased Board Member liability and the overall “Fear Factor”, but what is really at risk?  Most board members don’t really need the income from their participation in boards.  It’s primarily a power and prestige ego trip.  Board members are covered by various insurance policies and Corporate SEC counsels are careful to make sure each Board and Committee complies with all their legal requirements to avoid being considered negligent, which is the only time an insurance policy might not pay.

SOx made some effort to limit the extent to which corporate senior executives and the external audit partners became less than independent by requiring the rotation of audit partners, but it did no such thing to prevent the same thing from occurring on corporate boards and audit committees. Perhaps such a requirement would help reduce this possibility. 


The definition of a financial expert for purposes of Audit Committee requirements could also be re-visited. Audit Committee Chairs I’ve met who come from the independent auditor environment tend to see their primary role on the Board as an Audit Committee Chair and have more compliance and control oriented perspectives, while Audit Committee Chairs with a pure financial reporting background (ex-CFOs, etc.) tend to be more “all around” Board Members (which certainly has some benefits), but are less compliance and internal control oriented and may tend to excuse weaknesses more easily for “business reasons”.

So back to your original question – I believe Boards and Audit Committees need to take a more active role, but may often lack the independence, determination or reliable means to do so.

9 replies
  1. Chicago Accountant says:

    CAE reporting lines need to be reviewed and regulation needs to be enacted. I am just waiting for a scandal to make it happen. It’s not a question of if, but when.
