One of the most significant developments of the internal audit profession in the past decade has been its rise in stature relative to audit committees. A decade ago, a chief audit executive (CAE) with a functional reporting relationship to the audit committee was considered a "leading practice." Today, it's the norm.
Along with enhanced reporting relationships have come a number of other practices reinforcing the value audit committees place on a strong, independent, and effective internal audit function. One of these practices has been regular and frequent "executive sessions" between the audit committee and CAE. The IIA has long recognized and advocated the value of executive sessions. The IIA's Practice Advisory (PA) 1110-1 on organizational independence states that, "Functional reporting to the board typically involves … communications from the CAE on the results of the internal audit activities or other matters that the CAE determines are necessary, including private meetings with the CAE without management present …"
A November 2009 IIA Audit Executive Center Knowledge Report, Audit Committee Trends and Activities (PDF) (available to AEC members), went even further in asserting:
Presence of executive sessions with the audit committee. CAEs can increase the lines of communications with the audit committee by holding executive sessions. These sessions should be held at least quarterly or as needed to discuss items of importance between regularly scheduled meetings and to keep the audit committee apprised of issues as they occur. CAEs also can hold executive sessions during every regularly scheduled meeting to allow for an open discussion of management issues without the presence of other senior managers.
With the apparent universal recognition of the value of executive sessions, one would naturally conclude that these sessions are widely conducted in an appropriate manner. However, I am becoming increasingly concerned that this is not the case. I have spoken with several CAEs in recent months who have shared some troubling examples of abuses in the way executive sessions are actually conducted. The most alarming trend is the frequency with which other executives are being invited (or simply electing) to sit in on the CAE's executive sessions with the audit committee. It is difficult to determine how widespread the practice of "executive session crashing" really is; however, even one is too many from my vantage point.
The most commonly cited executive session intruder is the chief financial officer (CFO). I am fairly certain that very few CFOs sit in on CAE executive sessions. However, I have heard enough examples cited in recent months to conclude that it is worth addressing. When these abuses occur, it would be easy to place all of the blame on CFOs. After all, they should know better, and would certainly not sit in on the executive session between the external auditor and the audit committee. However, I also have to question the logic of the audit committee in permitting outsiders to sit in on these sessions. Why host an executive session at all if there is not going to be an expectation of confidentiality or privacy associated with the discussions that unfold? As an audit committee member, are you willing to assume the risk that the CAE may possess knowledge or insights on risks and controls, or the behavior and practices of corporate executives, that the CAE is unwilling to discuss in their presence?
Ultimately, however, I also have to assess some blame on the CAE for permitting the faulty executive sessions to take place. I recognize that some CAEs are often caught in difficult situations. To object to the CFO or other executive(s) presence in the room during an executive session may be awkward or appear accusatory or defensive. In many instances, the practice of expanded executive sessions may have already been in place prior to the CAE assuming his or her role. However, holding executive sessions with other executives in the room serves no real useful purpose in my opinion. In fact, I believe it's a dangerous practice that engenders a false sense of security.
If you are a CAE facing the challenge of reversing this practice, I suggest that you share a link to IIA Practice Advisory (PA) 1110-1 or this blog with your audit committee chairman immediately. Schedule a private conversation with the chairman and share some of The IIA's guidance and thought leadership on this important topic. You will be doing your audit committee a valuable service if you point out to its members the risk they assume by not holding genuine executive sessions with you.