BusinessPostCorner.com
No Result
View All Result
Thursday, July 16, 2026
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources
BusinessPostCorner.com
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources
No Result
View All Result
BusinessPostCorner.com
No Result
View All Result

Internal audit reporting to the CFO: 5 safeguards to independence

September 15, 2025
in Accounting
Reading Time: 5 mins read
A A
0
Internal audit reporting to the CFO: 5 safeguards to independence
ShareShareShareShareShare

Enjoy complimentary access to top ideas and insights — selected by our editors.

After more than 10 years of sounding alarms about the dangers of having internal audit report administratively to the chief financial officer, I must grudgingly concede my warnings have fallen on deaf ears. 

My firmly held belief is that internal audit should report administratively to the CEO and functionally to the audit committee of the board. But year after year, the Pulse of Internal Audit survey reflects that the distinct majority of publicly traded companies in the U.S. position their audit functions administratively under the CFO. The most recent annual Pulse survey and report — the flagship report from the Institute of Internal Auditors  — found 79% of publicly traded companies have this arrangement.

While most privately held companies also fall into this category (72%), my concern is with companies whose risk management practices most directly impact investors and the greater marketplace. For those who haven’t read my previous cautionary missives on this topic, here’s a brief synopsis of why I believe this practice is fundamentally dangerous and increasingly so in the modern risk landscape.

The most common critique of this reporting arrangement is that CFOs could steer internal audit scrutiny away from their areas of responsibility. But I haven’t found that to be the biggest problem. Instead, statistics I have seen over the years indicate that CFOs are more likely to use internal audits to address key risks in their areas of responsibility, at the potential exclusion of non-CFO risks in the organization. Below, I share five safeguards for ensuring that reporting relationships to the CFO don’t compromise internal audit’s independence. But first, a brief history lesson might help shed additional light on why this should be of grave concern for any organization.

In the U.S., internal audit came into its own as a profession after passage of landmark legislation in the wake of the 1929 stock market crash, including the Securities Acts of 1933 and 1934. These acts created modern regulatory concepts for internal controls over financial reporting, and they fueled the need for effective assurance over ICFR that internal audit provides. Seven decades later, a series of financial scandals, most notably the collapse of WorldCom and Enron, led to passage of the Sarbanes-Oxley Act of 2002. The new legislation created even greater reporting requirements including mandates for annual assessments of ICFR effectiveness and independent external auditor attestations. From the CFO’s perspective, it would seem obvious that effective ICFR and compliance with related reporting regulations should be a top priority for publicly traded companies and that independent and unbiased assurance from internal audit should be part of the process. Anyone reading that might reasonably ask, “So what’s the problem, Richard?”

The answer is that, while financial controls and related reporting regulations represent a significant risk area for many organizations, today’s complex and volatile risk environment contains substantial nonfinancial risks, including cybersecurity and digital disruptions such as AI, supply chain,  business resilience, climate change and others. Simply stated, under the CFO’s leadership, there is inherent risk in overemphasizing the need for internal audit services on ICFR while minimizing its value in combating nonfinancial risks.

To be clear, I am not accusing any CFO of deliberately ignoring nonfinancial risks. On the contrary, I believe CFOs generally are well-informed and well-intentioned risk management partners. But I also believe subconscious bias and blind spots are part of human nature.

Five safeguards to ensure at least the appearance of internal audit’s independence

Because I see little chance of changing the CFO/internal audit paradigm on the horizon, I’d like to offer five safeguards to help ensure internal audit services are not swayed to the detriment of nonfinancial risk.

1. Internal audit’s charter must reference the administrative reporting line to the CFO. There should be no ambiguity in the charter’s language, such as saying internal audit reports to a member of management. 
2. Corporate minutes should document that the reporting relationship was discussed with and approved by the board and/or audit committee. While I won’t go as far as saying the audit committee must document its decision-making process, documenting the discussion acts as a safeguard to ensure the audit committee understands the reporting relationship and has explored its risks and advantages before approving the charter.
3. The CEO should review and approve any proposed audit plan before submitting it to the audit committee for approval. This ensures the CEO’s involvement and reflects that the CEO agrees with the priorities established in the audit plan. This mitigates any perception that the CEO is unaware of internal audit’s focus.
4. The audit committee should be informed of any deviation between the risk assessment and where the audit plan addresses the CFO’s areas of coverage. This will make the committee aware of any lower CFO risk areas that are in the audit plan or any higher non-CFO risk areas that are not. 
5. Audit committees should insist on being informed about disagreements between the CFO and internal audit over audit recommendations. This provides an additional safeguard that may alert the audit committee to any trends in disagreements that might reflect undue influence or bias from the CFO.

I should mention that the IIA’s new Global Internal Audit Standards also reflect this reality. Standard 7.1 Organizational Independence Requirements requires the chief audit executive to annually confirm to the board the internal audit function’s organizational independence, including any incidents where its independence might have been impaired. It also requires the CAE to document within the internal audit charter internal audit’s reporting relationships and organizational positioning.

In its Considerations for Implementations, Standard 7.1 notes, “While the chief audit executive reports functionally to the board, the administrative reporting relationship is often to a member of management. This enables access to senior management and the authority to challenge management’s perspectives. To achieve this authority, it is leading practice for the chief audit executive to report administratively to the chief executive officer or equivalent, although reporting to another senior officer may achieve the same objective if appropriate safeguards are implemented.”

The precautions outlined above should not be taken as me changing my views about internal audit’s reporting relationship. Instead, it is an acknowledgement that I can read the writing on the wall. I still believe it benefits the organization overall for the CEO to have internal audit as a direct report, despite the reluctance of U.S. publicly traded companies to join the rest of the world in having internal audit report to the CEO. The latest global data on the topic, from the Internal Audit Foundation’s 2022 Global View Report, found that globally 65% of publicly traded companies have internal audit reporting directly to the CEO.

I can only surmise there must be some legacy holdover to that long-ago time when internal auditing was viewed as a finance-related function instead of a key risk management player. But that was the era of the bean counter, when we were primarily concentrated on financial controls and the overall accuracy of financial information. Internal audit functions began to engage more in operational risks as far back as the 1960s. By the 1970s and 1980s, it was quite common for internal audit to be looking at more than just financial risks. Indeed, we’re more than a half century beyond the time when internal auditors finally took off their green eye shades. That important evolution should be reflected in a direct reporting line between the CEO and the CAE.

Credit: Source link

ShareTweetSendPinShare
Previous Post

Trump says companies should report earnings every six months

Next Post

For the first time since 2019, the Fed could split both ways on a rate decision

Next Post
For the first time since 2019, the Fed could split both ways on a rate decision

For the first time since 2019, the Fed could split both ways on a rate decision

Judge says Donald Trump’s IRS lawsuit had no ‘basis in law or fact’

Judge says Donald Trump’s IRS lawsuit had no ‘basis in law or fact’

July 13, 2026
AI won’t kill offshoring; it will supercharge it

AI won’t kill offshoring; it will supercharge it

July 16, 2026
June CPI Beat Lifts Bitcoin — Fed’s Next Move Matters

June CPI Beat Lifts Bitcoin — Fed’s Next Move Matters

July 14, 2026
Claude AI Model Fable 5 Predicts Bitcoin Price Target For 2026

Claude AI Model Fable 5 Predicts Bitcoin Price Target For 2026

July 14, 2026
Elon Musk and Sam Altman accuse each other of scamming investors as each pitches their AI vision

Elon Musk and Sam Altman accuse each other of scamming investors as each pitches their AI vision

July 13, 2026
Midnight social media curfew proposed for older UK teens

Midnight social media curfew proposed for older UK teens

July 14, 2026
BusinessPostCorner.com

BusinessPostCorner.com is an online news portal that aims to share the latest news about following topics: Accounting, Tax, Business, Finance, Crypto, Management, Human resources and Marketing. Feel free to get in touch with us!

Recent News

Kalshi pulls plug on flight cancellation contracts

Kalshi pulls plug on flight cancellation contracts

July 16, 2026
AI won’t kill offshoring; it will supercharge it

AI won’t kill offshoring; it will supercharge it

July 16, 2026

Our Newsletter!

Loading
  • Contact Us
  • Privacy Policy
  • Terms of Use
  • DMCA

© 2023 businesspostcorner.com - All Rights Reserved!

No Result
View All Result
  • Home
  • Business
  • Finance
  • Accounting
  • Tax
  • Management
  • Marketing
  • Crypto News
  • Human Resources

© 2023 businesspostcorner.com - All Rights Reserved!