The relationship a CAE maintains with the company’s audit committee is foundational to his or her success in that position, but that relationship doesn’t exist in a vacuum. The forces at play inside and external to that relationship can help improve it — or can sour it. But while there’s no recipe for developing a good audit committee relationship, there’s one simple strategy for overcoming the obstacles: communication. CAEs shouldn’t make assumptions about what the audit committee needs or wants, and shouldn’t let external influences exert undue control. They should simply state their case and listen when the audit committee responds.
Olivia Kirtley, president of the International Federation of Accountants and audit committee chair at Papa John’s International, ResCare Inc., and US Bancorp, points to two factors outside the CAE’s control that can dramatically affect his or her relationship with the audit committee: the professional maturity of the parties and the growing recognition of internal audit’s importance. “Every company is at a different state of maturity with regard to the relationship,” Kirtley says. “To the extent the CAE and the audit committee chair have more experience with what works well, you tend to see relationships that are strong and improving. Experience really plays a key role.” And when the culture of the company recognizes the critical functions performed by internal audit, the CAE’s relations with the committee tend to improve, as well.
Also central to a CAE’s relationship with the audit committee is the nature of the reporting relationship between them; and there’s an aspect of the reporting relationship that the CAE can’t always control: the audit committee’s trust. CAEs can’t simply will such trust to life, but they can communicate their concerns. “If I felt the committee chair didn’t trust me, I’d be open, honest, and candid,” says Marc Woodward, director of internal audit at Hallmark Cards Inc. in Kansas City, Mo. “I’d say, ‘Tell me what it takes for us to have an open, trusting relationship.’ If there’s no trust, I can’t be his eyes and ears.”
Christy Decker, vice president of internal audit services at Sharp HealthCare in San Diego, sets the tone for her reporting relationship with the audit committee from day one with orientation for each new member. The new member, the CEO, and Decker meet to review examples of the reports they’ll receive and walk through the meeting’s structure and time requirements. That orientation allows for input, feedback, and questions at the outset, which has eliminated push-back from committee members. After orientation, Decker resumes ad hoc meetings with the chair and with other members — including occasional lunches. “Members change, and new members have different levels of internal audit expertise,” she comments. “Listen to their feedback and help them as much as possible with questions along the way.”
Setting the Parameters
A challenge from within is the reality that there is no formula for calculating how much information the CAE should provide to the audit committee. In almost every instance, an organization’s audit committee looks to its CAE for interpretation of the data he or she presents to it. Serving as the committee’s eyes and ears often requires some analysis to make what’s seen and heard make sense.
But some CAEs get themselves in trouble by bringing too much opinion and too little data to enable the audit committee members to make their own decisions about the risks the organization faces. That can come off as abrasive and ego-driven. But there’s also the potential for too little opinion. “You do have to put some things in context,” so the committee knows whether an issue is a one-time concern or a structural matter that needs board-level attention, notes Melissa Frazier, vice president, audit and controls, at Comfort Systems USA in Houston. “I present the facts,” she says. “If they want to know my opinion, they ask. But I try to keep the discussion focused on the processes, whether they’re working or they’re broken.”
Absent a playbook for CAE–audit committee relationships, internal audit leaders need to provide enough information to facilitate the committee’s effective completion of its required tasks. If committee members want refinements to that information, they need to ask for it. Once the informational parameters are established, CAEs need to make sure they’re staying within them, and that requires precision in the delivery of internal audit services.
“Know what audit committee members expect and deliver,” says Kevin Cantrell, vice president, internal audit at Plains All American Pipeline, an oil and natural gas company based in Houston. “Not too much. Not too little. Be on target.” He accomplishes that by setting an agenda for each audit committee meeting — in consultation with the audit committee chair — that, at a minimum, includes updates from financial accounting, external auditors, internal audit, and risk management.
|An Uncomfortable Relationship|
For many CAEs, the external factor that has the most negative impact on relationships with the audit committee is management. And it’s not always because management and the audit committee have different expectations of internal audit. Many times CAEs find themselves in a difficult position when, for example, their CEO is uncomfortable with the CAE’s tight bonds with the audit committee chair or other board director.
Indeed, many CAEs have horror stories of meddling executives who seem to fear the CAE’s close relationship with the board. Of course, such meddling can negatively impact that relationship. “I’ve been flat out told that I had to tell management everything I was telling the audit committee,” says Cathy Young, who has served as CAE for five companies. “A CEO insisted I copy him on all correspondence with the audit committee. I said, ‘You’ve got to be kidding me.’”
CAEs can work around the problem by keeping the three-way lines of communication open among the CAE, the board, and management, and by shoring up the audit committee’s trust so that if things get ugly, the CAE knows the chair has his or her back. “At the end of the day, it’s important that the CAE consider both the CEO’s and the audit committee’s perspectives,” notes Alan Siegfried, an audit committee member at Mid-Atlantic Farm Credit in Westminster, Md., and an adjunct graduate professor at the University of Maryland. He says he’s aware of CEOs who require CAEs to rehearse their upcoming conversations with audit committees and cautions against letting that become the norm.
CAEs shouldn’t leave management out, though. Melissa Frazier, vice president, audit and controls, at Comfort Systems USA in Houston, assures audit committee members that “there’s nothing I’m going to tell you that I can’t talk to — or haven’t already talked to — management about.” In fact, when her committee asks her company’s external auditors whether they trust the internal audit function for the unvarnished truth, they always answer, “Absolutely.” When nobody’s talking behind anybody’s back, there’s no worry about superiors feeling they’ve been deceived or, perhaps worse, left out of the loop.
Audit committees generally know what they want from internal audit; their expectations aren’t always realistic, but committee members have an agenda they expect the CAE and his or her team to follow. That’s complicated by the fact that there’s an external force that bears on that relationship: The CAE also often reports to management, usually the CEO or chief financial officer. This executive also has specific, valid expectations of internal audit that often don’t resemble those of the audit committee (see “An Uncomfortable Relationship” at right).
In general, audit committees look for compliance with company policy, generally accepted accounting principles, and IT security mandates, among other areas, Woodward says. The audit committee, he explains, “has a fiduciary responsibility to make sure that the company’s exposure to risk is at an acceptable level, and that includes making sure i’s are dotted and t’s are crossed.” Toward that end, the committee seeks formal assurance of management’s skill at wielding controls to effectively manage risk. Management, in most cases, is much more focused on ways internal audit can add value to the business and help it grow revenues.
Each entity wants both functions to be carried out — management wants internal audit to cover compliance; the audit committee doesn’t want to snuff out the department’s value-added activities — but neither may be aware of how important the other’s preferred function is. “Most management, outside of executive-level management, does not know about the audit committee’s differing expectations,” Woodward explains, “because they don’t have much interaction with the committee.” At the same time, he adds, the audit committee “sees the value-added activity and may wonder why you spend so much time on it, so I explain that it’s also a part of our job. They’re all for that.”
Indeed, he says, when internal audit departments really try to serve both masters, relations between CAEs and audit committees tend to work out just fine. “Work hard to make sure compliance is where it needs to be, so the audit committee is comfortable, but remember that in every audit and in every interaction with other parts of the business, one goal is to add value,” Woodward comments.
Tips for Good Rapport
Communication underlies almost every aspect of the relationship between CAEs and their audit committees, and internal audit practitioners cite robust communication over and over as the key element to a good rapport between the two parties. “It keeps coming back to communication,” Decker says. “You have to keep in contact and allow for open, flowing communication. Be a great communicator. And keep smiling.”
Take the Initiative If CAEs want to know how to improve their relationship with the audit committee, they should ask. “Every quarter, when I have a session with the audit committee, I ask, ‘Am I giving you the information you need?’” Woodward says. “‘Too much? Too little? What can I do better to make your job easier and make you more effective?’ Don’t try to guess. Ask.”
Focus on Details as Needed CAEs should ask the committee if they’re sending too much information, or sending it in the wrong way. Do they send every audit report and expect board members to read all of them? That may be too much. Should the reports contain more graphics and more color? They may not be holding the committee members’ interest. “Develop a trusting relationship and they’ll tell you,” Woodward says. “I’m very open to that, and I ask for it.”
Discover Their Needs CAEs should remember that reports are designed for committee members to use, not for CAEs to show their expertise and comfort with details. That disconnect may explain part of audit committees’ frequent complaint about internal audit failing to meet their information and assurance needs. “It’s good to ask the committee members if you’re meeting their needs and if there’s anything you can do to improve their understanding of the information,” Kirtley suggests. “When you ask for input like that, you’re showing that you’re there to service them with what’s best for them — rather than just giving them what you think they want you to produce.”
Make Things Easy If audit executives follow the business maxim “Service your boss,” then making the audit committee’s job easier should be the CAE’s main goal. “Everyone always hears about the workload of the audit committee, how much members are expected to do, and the amount of material they’re expected to cover,” Kirtley says. “Anything you can do to make their job easier is a way to enhance that relationship.”
It’s All About Risk CAEs need to ask audit committees which risks they’re most worried about and how they want to see those risks addressed in the reports they receive. “Risks change, and new ones arise, like cyberrisks,” Frazier says. “Let the committee know we see there’s something there to address.”
Moreover, CAEs should work to continuously educate committee members on risks they may not be aware of. “One thing the CAE can do is help the audit committee understand the key risks — including the emerging risks — in the organization and thus better understand the company’s risk profile,” says Alan Siegfried, an audit committee member at Mid-Atlantic Farm Credit in Westminster, Md., and an adjunct graduate professor at the University of Maryland.
Training Is Key Audit committee members are chosen for attributes other than their expertise with the fine points of internal audit, so CAEs should respond accordingly. “Usually the members of the audit committee are not experts in governance, risk management, compliance, and internal controls,” Siegfried says. “The CAE really needs to be an educator in that regard.”
CAEs should educate newer audit committee members on general governance topics such as how controls are developed, audited, and improved, says Rick Wright, director, internal audit, at YRC Worldwide Inc., a global shipping company based in Overland Park, Kan. Moreover, he says “some general training sessions on emerging issues and hot topics would be valuable.” It behooves CAEs to ensure audit committees understand the entire palette of services internal audit provides, including those services management may focus on more than the department’s financial and compliance activities.
Practice Humility as Appropriate “If the committee says something’s not working, the CAE needs to be big enough and professional enough to say, ‘That’s my fault,’” Woodward advises. “The CAE needs to own up to it, always.” It’s okay for CAEs to note that they were trying to make a positive change, but if the chairman wants something done differently, they need to do it. “I want the chair to be efficient in his job,” he adds.
Communicate Regularly CAEs should ensure their audit committee “face time” isn’t confined to audit committee meetings. “You’ve got to have some kind of regular communication set aside beyond what’s part of the audit committee meeting schedule,” Wright urges. “Organizations where there hasn’t been that kind of access seem to have less functional and positive relationships.”
Consider Bringing Staff When they can, CAEs should make their own choice about bringing a staff member along to an audit committee meeting. Some firms just say no — the CAE doesn’t have a choice. Other CAEs choose not to bring a staff member. “I always do the presentation myself,” Woodward says. “Meetings are pretty compact, and having a second person can add complication and take time off the agenda.” Instead, his managers meet with the committee chair once a year, just so he knows who they are and they know him.
Other CAEs are accompanied by staff members as appropriate. For example, bringing staffers is helpful for committee members when “someone is the lead internal auditor in the IT area, and the audit committee has an interest in an IT audit,” Kirtley notes. Interaction with committee members also might facilitate succession planning in the internal audit department by grooming a candidate for future advancement.
Commit to Basic Tasks
CAEs and audit committees don’t conduct their business together in a vacuum. Outside parties actually have an enormous impact on their relationships, especially the outside parties who can hire and fire the CAE. Moreover, external forces beyond anyone’s control, such as the experience of the committee members at working together with internal audit, may determine the productivity of the relationship more than the simple determination of the CAE and the audit committee members to make the relationship work.
Still, as with most professional relationships, strengthening the ties between CAEs and audit committees requires commitment to three basic tasks, Cantrell notes. “Ask questions,” he advises. “Understand and address their concerns. Do outstanding work.” It’s that simple.