Chief audit executives are in a unique position. As the head of a critical independent oversight function of an organization, the CAE operates within the typical leadership structure of the organization, but reports directly to the audit committee.
Maintaining strong organizational governance requires the CAE and the audit committee to work in sync. The audit committee should hold clear expectations of the CAE, and the CAE uses the committee's meetings to meet those expectations. This article and downloadable PDF provide advice and a checklist the CAE can use as a participant in audit committee meetings to keep the discussion focused on the areas of risk and governance involving internal audit that matter most to the organization.
Four Ways CAEs Can Promote a Risk-Based Audit Committee Meeting
Each topic on the audit committee meeting agenda must connect back to organizational risks or to other explicit responsibilities of the audit committee. Audit committee meetings generally cover four distinct topics involving internal audit:
1. Highlight Current Risk Exposures
When you are presenting to the audit committee, you should not be reciting the results of individual audits; you should be discussing how well management is addressing the risks that affect the organization's ability to meet its objectives. Presenting "audit issues" sounds like simplistic compliance checklist auditing. Instead, discuss whether significant risks are being managed appropriately and where management has opportunities to improve. Keep the conversation in terms of business objectives and the risks to them. This approach gives the audit committee far better insight.
Standardize risks to increase collaboration and create a common language for risk across the organization. Gain combined assurance and save time copying changes throughout documentation by linking risks, controls, and mitigating activities across your connected risk platform.
2. Discuss Emerging and Changing Risks
Risks are never static, and the conversation with the audit committee should address emerging and changing risks likely to substantively affect the organization's ability to achieve or exceed its objectives. The CAE should be actively working to identify emerging risks throughout all of internal audit's work.
Internal audit is well positioned to see emerging and changing risks sooner than most other parties. Even though the audit committee may have approved an audit plan based on earlier discussions of risk, the CAE should consistently refresh and revisit risks with the committee. The CAE is responsible for ensuring the committee's discussion is robust in addressing emerging risks, and for providing insight and education when needed.
Drive key decisions and inform audit, risk, and compliance programs with dashboards and heatmaps that visualize top risks. Gain risk coverage by easily linking controls and mitigating activities being performed by audit or compliance.
3. Establish Expectations for Communication
Communication with the audit committee can take many forms and occur at differing frequencies. Once the audit plan is set, establish clear expectations with the audit committee for follow-up communication on the work outlined in the plan. Considerations for scheduled communications include how often the CAE will produce formal reports, the style and depth of those reports, how far in advance of audit committee meetings reports will be distributed (for example, a fixed number of days before each meeting, or on a regular cadence independent of meetings), and whether the chair wishes to review any reports before they are distributed to the whole committee.
In addition, unscheduled and often less formal communications with the audit committee chair are critical. The CAE should establish clear expectations as to the nature and level of ad hoc communication with the chair between full committee meetings. Considerations include which topics should be raised with the chair between meetings and when. In particular, agree on an escalation plan for emergent risk events, so that neither party has to decide in the moment whether and how quickly an issue should reach the chair.
4. Build Your Business Case
Managing the internal audit department requires a tremendous amount of skill, time, and effort to ensure resources are deployed in the right place, at the right time, with the right tools. The audit committee must be confident in your ability to obtain and manage these resources and deliver on your commitments. The business case you make for staffing, technology, and other resource needs rests largely on the audit plan. Assess your department's skills, available technology, and other resources, and show how each connects to the planned audit work. Discussions with the audit committee should highlight additional skills needed, whether through hiring or training; improvements in audit management technology the team needs to conduct audits effectively; and any other budget the department requires.
CAE Toolkit: Questions to Ask When Preparing for the Audit Committee
Time with the audit committee is extremely valuable, but limited. To help you prepare for audit committee meetings, we created the following checklist as a guide to ensure the four topics discussed above are addressed. These questions do not cover every topic an audit committee may discuss with internal audit, but they will help ensure critical items are addressed and the time together is used wisely.
- What weak spots can we infer in the organization’s risk management efforts based on issue trending data?
- How does the picture of the adequacy of the organization’s management of risk change when combining internal audit data with ERM, compliance, etc.?
- What is your opinion of the trend in your organization's risk management performance over the past 4-6 quarters, based on risk assessments and the results of audits?
- What emerging or significantly changing risks have you identified based on research and assessment of the organization?
- Are you prepared to explain the nature, importance, and significance of these emerging and changing risks to the audit committee?
- Can you defend how the audit plan addresses emerging and changing risks?
- How are you ensuring the internal audit team has the appropriate skills and tools to address emerging risks?
- Have you established clear expectations with the audit committee as to the information and opinions they want to receive from internal audit?
- Are you actively exploring new methods to provide more insightful and frequent updates to the audit committee?
- Have you established a clear understanding with the audit committee chair for the frequency and nature of ad hoc updates?
- Do your communications reflect results from other risk-related functions, such as ERM, SOX, and compliance teams?
- Do you provide the audit committee with a compelling story that you are managing internal audit's existing resources with excellence and delivering value to the organization?
- Do budget requests for personnel, technology, and training tie directly to the organization’s risks and resultant audit plan?
- Are technology requests in line with the department’s technology strategy?
- Based on a skills assessment, what are the gaps within the internal audit department that the CAE must address to successfully audit the risks covered in the audit plan? What are the specific steps to be taken to fill these gaps?
- What is the training plan for the department concerning relevant risk topics, current trends, and departmental weaknesses?
- Have you articulated departmental needs in terms of the business case for internal audit? Have you identified alternative solutions and associated costs?
CAE and Audit Committee Alignment Leads to Better Decision-Making
In the end, time spent with the audit committee is critical to the success of the internal audit department. The CAE and the audit committee are working toward the same goal: providing the governance the organization needs to achieve or exceed its objectives. As the CAE, you are the audit committee's most direct line of insight into the organization, how it works, and how it could be improved. By ensuring their meetings focus on the information the audit committee needs to govern and make risk-informed decisions, you will meet their expectations, make the best use of the time together, and keep the department working toward the right goals.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance.
Jason Sechrist is the Director of Compliance Solutions at AuditBoard, where he works with CIOs, CISOs, and IT compliance teams to help automate the administrative tasks of governance, risk, and compliance activities. He previously was the Global Head of Internal Audit and IT Compliance at Rackspace Managed Cloud Company, and started his GRC career with PwC in Silicon Valley.