Executive sessions should be on the agenda of every audit committee meeting. This means that all members of management leave the room, and the chief audit executive (CAE) has time alone with audit committee members. Executive sessions enable the committee to share risk concerns candidly. Scheduling an executive session at every meeting makes it less unusual when the CAE needs to ask for a session to discuss a specific concern.
While audit committee agendas can be routine and well-defined, executive session agendas normally are less clear. Although the CAE may have a few prepared remarks, these sessions typically revolve around one question asked by the audit committee: “Is there anything we need to talk about this time?” Yet, CAEs can make these executive sessions more valuable by engaging committee members in a dialogue about the organization’s risk culture.
Set the Agenda
As with the full audit committee meeting, having an agenda for the executive session is helpful. This should be a casual agenda that is not distributed; instead, the CAE should use it to ensure the session covers all topics of interest. The executive session agenda can include standard updates and risk topics specific to committee member concerns.
Because committee members may not know what to ask CAEs during executive sessions, CAEs can engage the audit committee in a variety of topics, including risk culture — how the business understands and manages risk.
In preparing for executive sessions, CAEs can create a list of ongoing and meeting-specific topics that address risk culture. Examples include tone at the top, corporate culture, governance, or overall risk monitoring. CAEs can provide insight into these areas without the committee having to ask for it, while hearing committee members’ perspectives.
Share Risk Perspectives
Communication in executive sessions is a two-way street. The committee can provide valuable information to the CAE, while the CAE can share risk information and preferred action steps. During the session, the CAE can ask:
- What decisions is the board contemplating that may represent a strategy change?
- What concerns do audit committee members have about specific strategies or risks?
- What risks should internal audit prioritize?
Additionally, listening to committee member concerns is valuable for understanding what they view as important.
For CAEs, targeted questions can yield details that may lead them to update the audit plan or add a project to ensure risk coverage is timely and relevant. For the committee, discussing a specific concern or question can prompt the CAE to share white papers or training information in the materials for future meetings. The better the committee understands risk and its true impact, the better it can influence the risk culture with the board and management.
Request Focus or Action
Because some topics can be politically charged, executive sessions exclude management to ensure open communication about sensitive topics. In the confidential environment of the session, CAEs can discuss risks that are not receiving necessary management focus along with recommended actions. For example, a change in privacy laws may require specific action by the organization. If the organization is not acting swiftly enough to comply, the CAE can alert the committee.
CAEs should share the specific requirements or a summary of the risk topic as background information for the committee, along with the potential impact and likelihood of occurrence. They should state whether the discussion is for the committee’s awareness only or if they are asking for action.
These situations require tact. Unless the CAE is using the executive session to disclose fraud or wrongdoing by management, a no-surprises approach is best. In the privacy law example, the CAE should exhaust efforts to influence management to take appropriate action before bringing it up to the audit committee. As a courtesy, the CAE should inform management of plans to discuss the matter with the committee.
Collaborate for Success
Sharing risk culture successes with the audit committee during executive sessions can help it better understand how internal audit impacts the organization’s risk culture. For example, sharing ways that internal audit provided consulting or assurance services to a system implementation demonstrates the function’s key role and proactive risk approach. Moreover, these examples can help committee members see future anomalies with how internal audit may be positioned or used.