Audit committee members have oversight of internal audit, but time together is often limited to just four meetings each year. During those meetings, the audit committee needs to digest a great deal of information related to trends and risk exposures that are occurring, the organization’s performance in managing risk, and internal audit strategies to improve their focus on risk, as well as to review the structure and composition of the department’s resources.
We’ve drawn upon our experience as former CAEs and, in Jason’s case, the current audit committee chair for the University of Texas at San Antonio, to put together some guidance for designing risk-based audit committee meetings. Read on and download the PDF below for a checklist of questions for audit committee members to ask the CAE to set expectations, drive meaningful communication, and dig deeper into organizational risks.
Four Ways Audit Committees Maximize Value From Internal Audit
As audit committees review past interactions with the CAE, specific areas for improvement will surface. Some of the most meaningful actions you can take with the CAE are those that direct the conversation toward a forward-looking perspective on risk. Here are four areas that add significant value:
1. Reframe the Interaction Around Risks
One of the main conversation points with the CAE should be on the organization’s performance in managing risks — although many CAEs spend the bulk of the meeting focusing on charts and graphs of the number of issues found by audit, usually grouped by priority. Have the CAE reframe “audit findings” as “risk observations” with categorizations tied to specific risks significant to the organization. In this way, the presentation will highlight which risks management is not appropriately managing. For example, management may not be identifying all pertinent risks, assessing and prioritizing risks properly, considering all possible responses to risks, or ensuring the chosen risk responses are implemented.
Now that the conversation focuses on the management of significant risks, the audit committee can direct the conversation toward how the observations and opinions of internal audit fit into the overall risk management environment. The CAE should work closely with the other risk-related functions, such as Enterprise Risk Management (ERM) and compliance, so they can present a more collaborative and complete picture of risk management. As part of this broader view, trending risk information can also be illuminating. Putting recent observations from internal audit and others into the context of the past six to twelve months (or more) helps the committee understand the direction of the company.
Leverage real-time information about the organization’s performance in managing risks in a centralized dashboard. Quickly view remediation status and track progress to gain greater confidence in the achievement of strategic objectives, as well as improved compliance with legal, regulatory, and reporting requirements.
2. Address Emerging Risks with Agility
So much of the traditional internal audit function is a review of past events based on an assessment of past risks. This might have been acceptable in stable environments, but not today. The audit committee should expect internal audit to focus more on emerging risks.
For a successful audit function to address emerging risks, several key changes need to occur. First, the audit committee should have an open discussion with the CAE about their expectations to focus on emerging risks. Second, the audit committee should freely discuss their views on potential risks on the horizon. As audit committee members, you often have an outside perspective with exposure to other organizations, and are in a great position to share what you are seeing elsewhere and hearing from other leaders. Third, have the CAE explain their strategy for identifying, defining, and addressing emerging risks in the next quarter.
By focusing on the most critical risks, and rearranging audit effort quickly as risks change and emerge, the CAE moves the internal audit function into an agile approach — one that addresses risk based on priority to the organization, not entity coverage or other backward-looking approaches. Since this change could be a major shift in the audit approach, the audit committee and CAE should discuss it in detail, as alterations to internal audit processes, training, and tools may be needed.
Gain visibility into risk trends to drive key decisions and inform audit, risk, and compliance programs. Leverage risk management technology to perform trend analysis through real-time visualizations that measure the effectiveness of your efforts, and proactively manage risk by monitoring key risk indicators.
3. Open Communication With Real-Time Reporting
A typical venue for communication between the audit committee and internal audit is a scheduled presentation at a quarterly audit committee meeting. Consider increasing the availability of information coming from the internal audit team. Are you comfortable relying solely on a polished slide presentation with no time for questions, or would you prefer an easily understandable pre-read document with most audit committee time reserved for discussion? Are you comfortable with a quarterly presentation, or would you prefer access to real-time data from internal audit?
When internal audit employs cloud-based audit management software, it can provide real-time dashboards that summarize audit results, issues and mitigation efforts, and risk trends for the audit committee — which can then expect more timely and relevant updates. It will be important to set expectations as to whether internal audit’s interpretation of this data will be required more frequently than quarterly. In many areas, data can provide valuable information, but it may not be enough to completely replace the CAE’s judgment and opinion.
4. Ensure Adequate Resources to Address Risks
The audit committee is responsible for oversight of the internal audit function. Most CAEs will provide summary statistics regarding the resources, performance, and efficiency of internal audit (e.g., number of staff by role, training hours provided to the team, count of certifications held by the auditors). However, these statistics can have little value if not put within the context of the CAE’s strategy for managing internal audit.
A more meaningful conversation with the CAE would include a holistic view of resources and processes, specifically including people and technology. For people resources, set the expectation that the CAE will discuss upcoming training programs that pertain to emerging risks and areas of concern for the organization. Regarding technology, have the CAE explain the department’s use of risk assessment tools, audit management software, data analytics, and other automation tools within the context of current and future audit plans. Throughout these discussions, have the CAE explain their overarching strategies as to how changes in people, processes, and technology will ensure internal audit can perform as expected by the audit committee. Understanding these strategies and their resource needs will help with setting the department’s budget and challenging potential stagnation within the department.
Audit Committee Toolkit: Questions to Consider Asking the CAE
When setting expectations with the CAE regarding the type of information discussed in the update meetings, consider using the questions in the following checklist as a guide to ensure everyone makes the best use of the time together.
- What is the CAE’s opinion on the organization’s management of significant risks?
- What incidents of inadequate risk management has internal audit uncovered in the last quarter?
- Is management reacting appropriately to the issues and prioritizing corrective efforts?
- Is internal audit appropriately collaborating with ERM and other risk functions?
- Do risk trends point to a larger issue within the organization, a weak spot in the management of risk, or the need for additional oversight and training in a specific area?
- Have key risk indicators been mapped to auditable activities to help measure the performance of key metrics or identify areas of focus during the audits?
- Has the CAE identified and assessed emerging risks that could be significant for the organization? Have these been communicated to management?
- Are there other emerging risks that should be discussed amongst the audit committee and risk-related function leaders?
- Does the audit plan address emerging risks sufficiently?
- Does the internal audit team possess an appropriate level of business acumen, agility, and skill to react to emerging risks?
- Has the CAE obtained or arranged for training on emerging risks and agile auditing, and assimilated an agile mindset into the team?
- Does the internal audit team have the necessary resources to provide sufficiently frequent updates to the audit committee?
- Does internal audit have a way to quickly communicate to the audit committee reporting on risk trends, issues, correction progress, and other relevant information?
- Do the audit committee chair and the CAE have a fluid mechanism for ad hoc updates?
- Has the CAE collaborated with the heads of other risk-related functions such as ERM, SOX, and compliance teams?
- Does the CAE have established strategies addressing the people, processes, and technology needed for internal audit to accomplish its objectives?
- Is the audit department staffed appropriately relative to the size and complexity of the organization?
- Do the internal audit team members have the requisite level of training, education, relevant skill sets, and budget to successfully achieve their objectives?
- Does the CAE have a training plan in place for the department in relation to relevant risk topics, current trends, and departmental weaknesses?
- Does the audit department share its perspective on risk management with the rest of the organization?
- Is there an opportunity to combine training with other risk-related functions for mutual benefit?
The Value of Risk-Based Audit Committee Meetings
Following the suggestions outlined in this article and checklist will lead to more effective audit committee meetings that add value to the organization by gathering insights into the risks the organization faces and how well they are managed. The audit committee’s time with the CAE focusing on risks to the organization comes from several angles: current risk exposure, future risk events, and the risk of audit missing something. If you are not engaging with internal audit in this way, it is time to reset expectations with the CAE, reorient the audit committee meetings to address your needs, and then support the internal audit department as it continues to mature in providing dynamic risk insights.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.
Jason Sechrist is the Director of Compliance Solutions at AuditBoard, where he works with CIOs, CISOs, and IT compliance teams to help automate the administrative tasks of governance, risk, and compliance activities. He previously was the Global Head of Internal Audit and IT Compliance at Rackspace Managed Cloud Company, and started his GRC career with PwC in Silicon Valley. Connect with Jason on LinkedIn.