Cfo.com ran an article this week entitled, "Should Internal Audit Report to the CFO?" This is an important issue because of the widely held view that having the internal audit department report to the company's CFO is tantamount to having the fox watch the henhouse. If the CFO is cooking the books, then arguably the internal auditors whose salaries and terms of employment are set by the CFO have a conflict of interest that may persuade them to overlook the CFO's shenanigans.
Other possible reporting relationships include having the internal audit department report directly to the CEO or having a dotted-line reporting relationship to the head of the company's audit committee. If the internal audit head reports to the CEO, this sends a message to the entire company about the importance of the internal audit function. Whether internal audit reports to the CEO or CFO, the "tone at the top" is extremely important in assuring that the organization views the function as critical to internal controls and accurate financial reporting.
Whether internal audit reports to the CEO or the CFO, though, there should be a strong relationship with the audit committee and, particularly, the chair of the audit committee. At every audit committee meeting, both the internal audit head and the outside auditors should have opportunities to meet separately with the audit committee. These executive sessions should be conducted without management's presence.
It's also a good practice for the head of the internal audit department to have a relationship with the chair of the audit committee. Regular phone calls regarding important issues can keep the audit committee chairman in the loop and will assure that the internal audit department has the leeway it needs to complete its job effectively.
For more information on this topic, see "Internal Audit Reporting Relationships: Serving Two Masters" from The Institute of Internal Auditors. The IIA report notes that internal audit departments have different relationships with different constituents. Internal audit reports up to either the CEO or CFO, provides consultation to operational managers, and provides assurance to the audit committee.