⚡ TL;DR
The audit committee is internal audit’s functional reporting line and most important stakeholder. A healthy relationship gives internal audit independence from management, gives the committee an unfiltered view of risk, and includes private sessions, approval of the audit plan and budget, and oversight of the chief audit executive’s appointment.

The relationship between internal audit and the audit committee is the structural backbone of independent assurance. Get it right and the board sees risk clearly; get it wrong and internal audit becomes a tool of the very management it should be examining. This guide explains how the relationship should function and where it commonly breaks down.

Key Takeaways

What is the audit committee?
A subcommittee of the board, usually independent non-executive directors, responsible for oversight of financial reporting, risk, controls, and both internal and external audit.

Why does internal audit report to it?
Functional reporting to the committee protects internal audit from management interference and guarantees the board hears findings directly.

What is a private session?
A meeting between the audit committee and the chief audit executive with no management present — the safety valve for raising sensitive concerns.

What is the audit committee responsible for?

The audit committee oversees the integrity of financial reporting, the effectiveness of internal control and risk management, and the work of both internal and external audit. It is composed mainly of independent non-executive directors to ensure objectivity from the executive team.

For internal audit specifically, the committee approves the audit charter, the annual plan, and the budget; oversees the appointment and performance of the chief audit executive; and reviews audit results and the status of management actions. This oversight is what gives internal audit its authority, as explained in our guide on building the function.

Why must internal audit report functionally to the committee?

Functional reporting means the audit committee — not management — controls internal audit’s plan, budget, and leadership. This protects the function from being defunded, redirected, or silenced when it examines areas management would rather leave alone. It is the single most important safeguard of independence.

The administrative line to the CEO handles day-to-day matters like HR and logistics, but the substantive control rests with the committee. When this split is blurred — when the CFO effectively runs internal audit — the board is receiving filtered assurance and may not even know it. This is the failure mode we warn about throughout our internal auditing overview.

[Figure: Internal Audit Reporting Lines. Audit Committee, Internal Audit (CAE), and CEO / Management, connected by "functional" and "administrative" lines.]
Internal audit reports functionally to the audit committee and administratively to the CEO.
💡 Pro Tip: Schedule at least one private session per meeting as a standing item, not an exception. If a private session only happens when there is a problem, requesting one becomes a signal in itself — which discourages the CAE from asking.

What should internal audit report to the committee?

Reporting should cover the status of the audit plan, significant findings and their risk ratings, the implementation status of agreed actions, emerging risks, and any restrictions on audit’s work. The committee needs a clear, prioritized picture — not a data dump of every observation.

Equally important is what gets escalated: serious control failures, suspected fraud, management override of controls, or any attempt to limit audit’s scope. The chief audit executive must feel safe raising these, which is why the relationship and the private session matter so much.

How do private sessions protect assurance?

A private session is a discussion between the audit committee and the chief audit executive with management absent. It lets the CAE raise concerns about management behavior, tone at the top, or pressure on the audit function that could never be voiced with executives in the room.

These sessions are the early-warning system for governance failures. Many corporate scandals featured an internal auditor who knew something was wrong but had no safe channel to escalate. A routine private session removes that excuse and that risk, strengthening the whole control environment.

How is the relationship measured and kept healthy?

A healthy relationship shows in concrete signs: the committee engages with audit reports rather than rubber-stamping them, challenges management on overdue actions, protects the audit budget, and gives the CAE direct access to the chair between meetings. Annual assessments of both the committee and the audit function reinforce accountability.

Warning signs include a committee that defers entirely to management, findings that are consistently downgraded, and a CAE who is excluded from key decisions. These point to captured assurance. Linking audit outcomes to the company’s broader performance metrics helps the committee treat assurance as integral to results rather than a compliance ritual.

⚠️ Risk: If the audit committee chair does not have a direct, private line to the chief audit executive, the company has a governance gap regardless of how polished its reporting looks. Independence that exists only on the org chart is not independence.

What does best-practice oversight look like in a multinational group?

In a group operating across several countries, the audit committee must oversee assurance over subsidiaries with different regulators, currencies, and control maturity. This means a group audit plan that allocates coverage to higher-risk entities and clear escalation paths from local issues to the group committee.

The committee should also understand where local management incentives might conflict with group control standards — a recurring theme in cross-border operations. Coordinating internal audit with local statutory audit requirements, covered in our external versus internal audit guide, avoids gaps and duplicated effort across jurisdictions.

What financial expertise should the audit committee have?

At least one audit committee member should have recent and relevant financial expertise — the ability to read financial statements critically, understand accounting judgments, and challenge management’s estimates. Many governance codes and listing rules now make this a formal requirement.

Financial literacy across the whole committee matters too. Members need not be accountants, but they must be able to follow a discussion of revenue recognition, impairment, or going concern well enough to ask probing questions. Without this, the committee cannot meaningfully oversee either financial reporting or the audit work that assures it. For groups with complex cross-border operations, expertise in international finance and foreign-currency reporting is an increasingly valuable addition to the committee’s skill mix.

How does the committee oversee external audit too?

The audit committee oversees the external auditor as well as internal audit, and coordinating the two is part of its job. It approves the external audit fee, assesses auditor independence, reviews the external audit findings, and ensures internal and external audit do not duplicate effort or leave gaps between them.

A well-run committee encourages internal and external audit to share plans and rely on each other’s work where appropriate. External auditors can often rely on internal audit testing of controls, reducing fees, while internal audit can focus on areas external audit does not reach. The committee sits above both, ensuring the combined assurance covers the company’s real risks. This coordination is explored further in our guide to external versus internal audit.

What happens when the relationship breaks down?

When the internal audit–committee relationship fails, the warning signs are consistent: findings get softened before reaching the board, the audit budget is squeezed, the chief audit executive loses direct access to the chair, and private sessions quietly disappear. Each of these means the board is receiving filtered assurance.

Rebuilding requires the committee to reassert its authority — reclaiming control of the plan and budget, restoring private sessions, and signaling clearly that it wants unvarnished findings. Sometimes it requires changing the chief audit executive or strengthening the committee’s own independence. The cost of inaction is steep: most major governance failures involved assurance that had been captured long before the scandal surfaced. Protecting this relationship is, ultimately, protecting the board’s ability to see its own company clearly.

How should the committee handle a whistleblower or fraud report?

When a credible fraud allegation or whistleblower report reaches the audit committee, it must ensure an independent, properly resourced investigation — often using internal audit or forensic specialists — while protecting the whistleblower and preserving evidence. The committee oversees the investigation rather than running it, maintaining objectivity.

Speed and independence are critical. Allegations involving senior management cannot be investigated by those same managers, which is exactly why the committee’s independence and internal audit’s direct reporting line matter. The committee should also review what the allegation reveals about control weaknesses, so the underlying gap is fixed, not just the individual case resolved. This investigative work draws on the same techniques covered in our guide to forensic auditing and fraud detection.

What questions should audit committee members ask internal audit?

Sharp committees ask questions that test both the findings and the function: What risks are you not covering, and why? Where did management push back, and how did you respond? Which recommendations are overdue, and what is the consequence? Is there anything you have been discouraged from looking at?

These questions surface the issues that polished reporting can hide. Asking what is not on the plan is often more revealing than reviewing what is. Asking about overdue actions holds management accountable for fixing problems, not just acknowledging them. And asking, in private session, whether the chief audit executive has faced any pressure is the single most important governance question a committee can pose — because the answer reveals whether the company’s assurance is truly independent.

How does the committee evaluate internal audit’s own performance?

The audit committee should formally assess the internal audit function each year, looking at coverage of key risks, quality and timeliness of reports, the implementation rate of recommendations, and the results of any external quality assessment. This closes the accountability loop — the function that assures everyone else is itself assured.

The evaluation should also gauge less tangible factors: does internal audit challenge management constructively, is the chief audit executive a credible voice in the boardroom, and does the function add insight beyond compliance? Feedback from across the business helps, but the committee’s own judgment is decisive. A rigorous annual assessment signals that the committee takes assurance seriously, and it gives the chief audit executive a clear mandate to keep raising the function’s standard rather than coasting on a quiet year.

What documentation should support the committee’s oversight?

Effective oversight is documented oversight. The committee should maintain a record of approved charters and plans, minutes capturing the challenges it raised, a tracked register of audit findings and overdue actions, and evidence that private sessions occurred. This paper trail demonstrates that oversight was real, not ceremonial.

Good documentation protects everyone. It shows regulators and external auditors that governance functioned, it holds management accountable for committed actions, and it gives successive committee members continuity. It also protects directors personally: if a control failure is later scrutinized, the record of probing questions and tracked actions shows the committee discharged its duties. Pairing this discipline with the financial expertise and private-session practices discussed throughout this guide gives a company the independent, well-evidenced assurance that strong governance ultimately depends on.

How can a chief audit executive strengthen the relationship?

The chief audit executive shapes the relationship as much as the committee does. Strengthening it means reporting with clarity and candor, never surprising the committee, raising difficult issues early, and being a credible, calm voice when tensions rise between audit and management. Trust is built through consistent honesty over many meetings.

Practical habits help: a concise dashboard the committee can absorb quickly, plain-language explanations of technical findings, proactive flagging of emerging risks, and honest acknowledgment of the function’s own limitations. A chief audit executive who tells the committee what it needs to hear — not what is comfortable — becomes the trusted advisor the board relies on, and that trust is the foundation of genuinely independent assurance across the whole organization.

How does the committee evaluate internal audit’s effectiveness?

The audit committee should formally assess internal audit’s effectiveness at least annually, reviewing whether the plan covered the right risks, whether findings drove real change, whether the function is adequately resourced, and whether its independence was respected. This assessment often draws on external quality reviews and feedback from across the business.

A meaningful evaluation goes beyond counting completed audits. It examines the implementation rate of recommendations, the incidence of repeat findings, and whether the function surfaced the risks that actually materialized. The committee also considers whether the chief audit executive has the standing, access, and resources to do the job. Where the assessment reveals gaps — thin coverage, weak follow-up, eroded independence — the committee owns the responsibility to fix them, since it controls the plan and budget that shape the function.

What role does the committee play in tone at the top?

The audit committee both observes and shapes the tone at the top — the ethical climate set by leadership that determines whether controls are respected or routinely overridden. Through its questions, its insistence on accountability, and its protection of independent assurance, the committee signals that integrity is non-negotiable.

Internal audit is the committee’s primary window into this tone, reporting not just on control mechanics but on behaviors: management override, pressure on the audit function, and whether issues are addressed or buried. When the committee acts decisively on what audit reports — holding executives accountable for overdue fixes, investigating allegations independently — it reinforces a culture where controls matter. When it defers and rubber-stamps, it signals the opposite. In this sense the committee’s conduct is itself one of the most important controls in the company, anchoring the independence that the entire internal audit discipline depends on.

Frequently Asked Questions

Should the audit committee be entirely independent?

Best practice is a majority or entirely independent non-executive members, with at least one having recent and relevant financial expertise.

Can management attend audit committee meetings?

Yes, for most of the agenda. But the committee should also hold private sessions with internal audit and with external audit, separately, without management.

Who sets the chief audit executive’s objectives?

The audit committee, often with input from the CEO on administrative matters. Performance and remuneration of the CAE should not be controlled solely by the executives audit examines.

How often should the committee meet?

Typically four times a year for most companies, with additional meetings around year-end reporting or in response to significant events or investigations.

Last Updated: June 2026 · Reviewed by the Kurums Finance editorial team.

