Becoming a Head of Internal Audit
Becoming a Head of Internal Audit (Chief Audit Executive, CAE) represents a substantial step change.
If you want an easy life, the role of CAE is not for you. While the move from a Senior Manager role to CAE might seem a small step from a career perspective, in fact it is likely to feel like a substantial step change. Although you are not (and cannot be) a member of the executive management team (e.g. CFO), or board, the position should be seen to be closely equivalent, and you will need to feel comfortable operating at that level.
With this step up you will need a deep understanding of the strategy and organisation you are in, strong analytical and critical thinking skills, and great influencing skills and political savvy, since the very best CAEs will invariably be dealing with sensitive matters. As an illustration of this point, Audit Committee Chairs in an ACCA roundtable event cited gravitas and credibility as essential attributes for a CAE to be successful and respected.
A role with breadth well beyond strictly financial matters
All this said, becoming a CAE is one of the most incredible jobs you can do, because of the breadth and depth of issues that may come across your desk:
- A major system is progressing towards a ‘go live’ decision, but the COO wants additional assurance that it will be implemented without significant issues – you are asked if internal audit can give a perspective
- There have been some data privacy breaches in the recent past that the Data Privacy Officer has stated were just a one off, but the Audit Committee is not so sure – they want you to advise if this is right
- The construction of a new £5m factory is £250k over budget three-quarters of the way through. The Project Manager says no further additional spend is likely to be needed. However, the Project steering group think more contingency is needed but don’t know how much would be prudent to allow – they want internal audit to get involved.
To help you consider further what this role entails, and whether you are likely to be suited to it, read on.
Relationships across senior leader groups and externally
- Your stakeholders will include the CEO, CFO, the Board, Non-executive Directors, the Chair of the Audit Committee, heads of risk, compliance and heads of other key functions. They may want different things, and your challenge will be to balance competing demands – for example to carry out audit engagements or offer advisory services instead (an Audit Committee might prefer the former and senior management the latter)
- You will also have dealings with the external auditors and, depending on the industry, regulators. If you aim to be a CAE in Financial Services in the UK this is a regulated role, covered by the Senior Manager and Conduct Regime, which places responsibilities on the CAE but also gives the CAE significant authority.
- You will commission and then liaise with consultants who will do out-sourced or co-sourced tasks for you. But you and your team may also deal with consultants working on projects and programmes so you can understand what they have and have not done, so any internal audit work is ‘joined up’ with theirs.
- It’s good practice to arrange private one-to-one meetings with Senior Executives and – from time to time – with the Chair of the Audit Committee. Here you will discuss the most delicate matters involving individuals, cultural challenges the organisation is facing (e.g., getting managers to take their responsibilities to monitor their work seriously), or matters that involve difficult resourcing choices (e.g., between short term cost pressures and longer term demands to improve systems and processes).
- Engage with industry peers, so you learn about effective governance, risk and control/compliance (GRC) practices and understand hot topics and good practices elsewhere that will ensure your organisation doesn’t miss anything important.
Not just a checking function
One of the common misconceptions about the role of internal audit is that it is a checking function; i.e., senior managers or the board are unsure whether something is OK and ask internal audit to check. This reflects a part of what some internal audit teams do, but – in fact – modern internal audit does not principally have this role.
Here CAEs need to remember that it’s a business responsibility for staff, managers (in ‘the first line’) and support functions (e.g., Finance, HR, IT, Procurement – in ‘the second line’) to deliver objectives and run processes and systems and to check things are going according to plan, taking corrective action if not and reporting progress to senior managers on regular occasions. So, a modern internal audit function operates ‘in the third line’ to selectively check or advise whether the first line and second line are adequately monitoring their own work and keeping things on track. This is set out in the attached diagram, promoted by the Institute of Internal Auditors.
Planning work on the issues that matter the most and that will add value
Given that internal audit cannot be a checking function for everything there are a number of good practices for internal audit plans:
- Be risk-based – so the audit team looks at what matters the most
- Be aligned with the strategies, objectives and key programmes/projects – thus modern internal audit looks at issues of real business importance
- Co-ordinate with other control and assurance functions in the organisation, after all, what is the point of just repeating checks already carried out by other functions or external consultants?
- Seek to deliver value to the organisation through insight and foresight – there is no point in an internal audit function telling the board and senior management what they already know, rather they need to spot emerging risks or establish root causes of recurring problems
- Be flexible in the sorts of assignments you carry out; audits and investigations are one option, but assurance reviews (of governance arrangements, process design choices or project health checks) are also a choice.
Having a diverse skill set in the audit team and attracting talent
Long gone are the days when internal audit teams just comprised finance staff or qualified internal auditors. Since the scope of internal audit is so much broader nowadays you will need a team with a broad and diverse range of skills. This may include IT and data analytics capabilities as well as team members who understand how regulatory compliance works. It may also help to have team members with deep project and programme management expertise or other relevant specialist skill sets, depending on the organisation involved.
Skill requirements for the IA team won’t always remain static so the CAE will need to think ahead about what skills are going to be needed, training the internal audit team but also hiring new staff or selecting support from consultants or guest auditors and guest advisors from within the organisation.
The technology used by the internal audit team will need to be kept under review and ideally reflect industry best practice in terms of data and document analysis but also easy manipulation and storage of working papers. The most progressive audit teams are looking at automated tools for reporting, thematic analysis and the tracking of remediation.
Succession planning for all key roles in the team, including the CAE role, should be kept up to date. Consider the exposure audit team members have to the Chair of the Audit Committee, or how often they attend the Committee alongside you. If there has been a particularly topical piece of work it may be appropriate for the relevant audit team member to attend the meeting with you and answer any questions (and receive praise in person).
Effective Reporting and working with Committees and Boards
The reports produced by internal audit represent your ‘shop window,’ so you will find all sorts of innovative practices being adopted to make audit reports shorter and more impactful. This extends to the summary reports presented to senior managers and the board, with the best audit teams able to present outputs graphically, highlighting key themes, their root causes and good practices that will address common concerns. The hallmark of a modern internal audit team is that it will deliver insight and foresight and add value to the organisation.
In-person communication skills are key at audit closing meetings and meetings with senior managers and the board. Working at the CAE level will push you to think carefully about what you say and how you say it (hence the gravitas comment made earlier) and be able to gauge how to ‘play’ points, so you neither cry wolf, nor dilute issues of real importance.
Be prepared for probing questions and ‘left of field’ points from senior managers and the board. If you take the many ‘high stakes’ meetings you will participate in as an opportunity to learn and grow, you will find you gain a fresh perspective on your organisation, the mindset of key stakeholders and how to hold your ground appropriately in these situations. There are few other finance roles, apart from being CFO, that will give you this level of experience and practice at such a senior level.
Operating effectively in the context of relevant laws and regulations
The profile of internal audit work has continued to grow in importance in the eyes of senior management and the board. It is also seen to be increasingly important by external auditors and other regulators, including the professional body for internal auditors – the Institute of Internal Auditors (IIA).
The IIA has just issued a set of standards that govern internal audit work called the Global Internal Audit Standards (GIAS). These standards cover:
- The purpose and role of Internal Audit
- Ethics and professionalism requirements
- The Governance of internal audit (including the need for senior management and board support)
- Managing the internal audit team (covering the need to plan effectively and develop a robust internal audit strategy) and
- Delivering Internal Audit services
CAEs will need to be familiar with the IIA GIAS (and IIA UK & Ireland Code of Practice, if appropriate) and be able to demonstrate on an annual basis that the internal audit team is complying with these requirements, or where it is not, that it has clear plans to make improvements.
Every five years there is a requirement for the internal audit team to receive an external quality assessment (EQA) – this provides an excellent opportunity to showcase internal audit strengths but also highlight that even internal audit is subject to independent review from time to time and should always be improving what it does.
Each industry will have its own applicable laws and regulations, and a good CAE should be familiar with these and remain up to date with current and proposed requirements.
In summary, the role of a CAE is one of the most interesting – but overlooked – roles you can do. That said, it is not the job for someone who wants an easy life. However, if you approach the role with the right mindset it will give you 5-10+ years of amazing experiences and equip you for similar roles in other organisations or other senior roles in your own organisation.