What information does the audit committee want from the CAE?
LINDSTROM First and foremost, the audit committee is looking for information, not data! CAEs should think about the top three to five “takeaways” they would like their directors to get from the audit committee meetings. The CAE also should ask the committee what its area of focus is, so the CAE can avoid guessing and instead concentrate on building a good relationship with the members. Potential areas of audit committee interest include: risk assessment results and trends; internal audit plan coverage and progress; audit results and trends; and remediation status and trends. I purposely repeat “trends,” because this is internal audit’s opportunity to provide information, not just data, by connecting the dots. An audit committee mantra may well be, “Tell me what I don’t already know.”
JOHNSON Questions audit committee members want answered include: What’s the state of the union for the organization in light of our charge as audit committee? What’s going well? What’s not? Why? Are there any concerns we haven’t asked about? If the organization is experiencing significant or unexpected change, what is internal audit’s role in understanding the changing risks and how they’re being managed? What should we be thinking about next? What are the issues the CAE is most focused on?
How do audit committees want that information presented?
JOHNSON Different committees want different levels of detail. Some are very detail oriented, while others are comfortable with a summarized reporting approach. The CAE should have an open dialogue with the audit committee and tailor presentations to the members.
LINDSTROM CAEs can make the audit committee’s risk-oversight role easier with their presentation format. The CAE should start by considering the audit committee’s expectations, its communication style, and the frequency of its meetings. Does it prefer a pre-read or a presentation? How much time has been allotted to the CAE on the agenda? Audit committee presentation materials should be visually appealing — verbiage or data-intensive presentations can lose the audience. Content should report on results and trends, not activities. Internal audit can effectively communicate department performance through the use of dashboards, metrics, and benchmarking.
What don’t audit committees want to see from the CAE?
LINDSTROM Committees don’t want to see an audit plan that is not aligned, or relevant, to the organization’s business objectives, strategy, and risks. From an audit execution standpoint, they also don’t want to see a lack of context for the severity of identified issues — the “so what” of findings — or recommendations that are not actionable.
JOHNSON A few things: lack of strategic focus, timidity in making tough calls, excessive detail without a clear message, and any sign that management is overriding or unnecessarily managing the CAE.
How should CAEs prepare for audit committee meetings?
JOHNSON CAEs should begin with the end in mind. They should think about the messages each member should walk away knowing. This can help the CAE prepare and help prioritize how the meeting is structured and how materials are organized. The CAE can make sure the key messages or learnings are clearly identified in materials or highlighted during the discussion time. The CAE also should spend time with the audit committee chair before meetings. The CAE has a chance to hear questions or perspective from the chair, allowing the CAE to better understand and address questions from a board member’s perspective based on other committees or board meeting discussions. Advance conversation can help the chair prioritize the agenda more effectively and provide the chair with better insight to manage meeting time with members. Advance time is critical when there is a very dense agenda, or when there may be controversial or tough messages to deliver — for example, repeated poor audit results or lack of business line focus on open internal audit issue resolution.
LINDSTROM The CAE should review the agenda with the audit committee chair before the meeting. For each topic, the CAE should determine the key points he or she wants to communicate instead of simply reading the slides. Also, executive sessions are standard operating procedures, so the CAE should prepare by considering what questions are likely to arise from members, and what “asks” internal audit has of the audit committee, if any.
What makes CAEs indispensable to audit committees?
LINDSTROM “Indispensable” is a measure of what’s valued by the audit committee. When I think of the auditor of the future, there are so many ways the CAE can create value for the audit committee and the organization. Think more strategically when analyzing risk and framing audit plans. Provide early warning signs of emerging risk. Broaden focus on operations, compliance, and nonfinancial reporting, and advise on improving and streamlining compliance management. Strengthen lines of defense that make risk management work. Improve information for decision-making across the organization. Watch for signs of a deteriorating risk culture. Expand the emphasis on assurance through effective communication. Collaborate more effectively with other independent functions. Leverage technology-enabled auditing. Improve the control structure, including use of automated controls. And, remain vigilant with respect to fraud.
JOHNSON The CAE should be indispensable to each audit committee member. There are four elements of the indispensable CAE. First, business acumen. Audit committee members want a high degree of confidence in the CAE’s knowledge of the organization and the industry in which it operates. This includes understanding the applicable regulatory environment. Second is vision. Audit committee members want to know the CAE will use that business knowledge to look at the organization and sift through noise to identify the important issues. Third is communication. When necessary, audit committee members want a CAE who can deliver a tough message to management with courage and credibility. Finally, transparency. Audit committee members want transparency from the CAE in their interactions. The previous elements are far less valuable if the audit committee isn’t getting direct insights from the CAE.
Why is it important for the CAE to develop a good relationship with the audit committee chair?
JOHNSON The chair can let the CAE know what’s working or what needs to be adjusted to meet the committee’s needs. The chair also can be a powerful ally if the CAE needs board-level support in the event of disagreements over identified results.
LINDSTROM The CAE’s direct reporting line is to the audit committee, so a clear and open line of communication builds a good relationship and helps support an independent and objective function. The committee chair can be an excellent sounding-board as well as an advocate. This relationship can be built through standing meetings in between committee meetings, such as a monthly 30-minute checkpoint. Also, consider periodic meetings between the chair and the internal audit team, even over breakfast or lunch, to engage both sides more fully.