Corporate boards may be overlooking critical information about emerging risks—in areas such as cybersecurity or workplace sexual harassment—by relying too heavily on information they receive from management, according to a recent survey of internal auditors.
The survey, conducted by the Institute of Internal Auditors, asked chief audit executives where directors at their companies get information about potential risks. Three-quarters of respondents said directors are “very likely” to rely on management. Just under half said directors are just as likely to rely on internal auditors or corporate risk executives.
That directors rely on CEOs and other senior leaders isn’t surprising. What worries auditors, however, is that directors, particularly on the audit committee, may be placing too much weight in assurances they receive from management, rather than corroborating information with internal auditors to make sure companies have necessary controls in place.
“I’m not sure that boards exercise the level of professional skepticism they need to to truly carry out their responsibilities, and that’s how they get in trouble,” said Richard Chambers, president and chief executive of the IIA, a professional association for internal auditors.
Mr. Chambers pointed to the fallout from the #MeToo movement as an example. When the movement was sparked in late 2017, empowering women to share stories of sexual harassment in the workplace, more companies should have checked with internal auditors to make sure they had proper reporting procedures in place, he said.
Many companies were caught off guard when credible allegations were made against senior executives, according to Mr. Chambers. It is the kind of risk that can catch companies by surprise if they don’t take steps ahead of time to prepare.
“Boards are looking around and saying, ‘How did we miss that?’” Mr. Chambers said.
The IIA also asked chief audit officers who they report to within their companies. Among publicly traded companies, 75% of chief audit executives said they report directly to the chief financial officer.
That is concerning because auditors who report directly to the CFO, rather than to the CEO, often spend a disproportionate amount of their time focusing on financial risks, and overlook areas such as reputational risk or data privacy, Mr. Chambers said.
The financial services sector, however, is a notable exception. After the financial crisis, regulators pushed banks to revamp their risk-management reporting structures. As a result, only 19% of chief auditors at financial institutions currently report to the CFO, while most report to the CEO or other executive leaders, according to the survey.