Mind the Gap: CAE Strategies for Fortifying Audit Committee Relationships

For audit committees to perform their oversight responsibilities effectively in an age of permacrisis, they need internal audit’s risk-based assurance, insight, and foresight more than ever. At the same time, these oversight responsibilities continue to expand and deepen. In particular, CAEs should be mindful of how The Institute of Internal Auditors’ (IIA’s) new Global Internal Audit Standards give audit committees a yet stronger mandate to oversee internal audit. 

Domain III of the Standards spells out “essential conditions” describing board activities that enable internal audit to fulfill its purpose. While the wording is new, the underlying truth has long been in place: Strong relationships and open, transparent communication between the CAE and audit committee are critical to both parties’ success.

There is, however, another underlying truth that bears acknowledging. There is often an “unfortunate” gap between audit committee expectations and internal audit’s performance — particularly that of the chief audit executive (CAE). I have surfaced this topic repeatedly over the years, such as in this 2017 roll call of the five things audit committees are often reluctant to tell the CAE. The topic has only grown in importance. One of my presentations at The IIA’s recent GAM conference focused on “Fortifying Audit Committee Relationships: CAE Strategies for Success.” 

To prepare for my session, I sat down for one-on-one conversations with the audit committee chairs of 15 different organizations. We talked about their expectations for internal audit and any gaps they saw. Their expectations were clear and their candor remarkable. But it was also clear that there remains in many organizations a sizable gap between expectations and performance in several areas. It is imperative that CAEs bridge this gap. The good news is that much of the bridge can be built through more effective communication — by CAEs making sure they’re heard, and bringing their own voices and perspectives. While my GAM talk focused on seven strategies to help CAEs strengthen audit committee relationships, the two strategies below are foundational. 

Foster Clear and Open Communication

Many of the audit committee chairs I interviewed expressed frustration with internal audit communications — both formal and informal. Key themes in their feedback included:

• Too much information. Excessive and overly detailed information is dumped on the audit committee, often in the form of last-minute board packs. Audit committee members lamented the receipt of copies or synopses of reports featuring mountains of narrative and few graphics or analytics. They also noted the CAEs’ failure to aggregate or summarize results.
• Insufficient interpretation. Audit committee chairs noted that their CAEs often communicate without regard to risk, leaving the audit committee struggling to understand what truly matters. 
• Lack of context and connection. The chairs complained of inadequate communication of overall risk universe or context surrounding key risks. They observed that too often the CAE fails to connect the dots, leaving them wondering what the overall body of internal audit’s work means for organizational risk management and controls. They feel like there is a disconnect between risk assessments/planning and the company’s strategic plan.
• Ineffective presentations. More than one audit committee chair complained of CAEs who appear to be “reading their slides.”
• Lack of dialogue. Perhaps most discouraging was the complaint that CAEs don’t consistently know their work, leaving them unable to respond meaningfully to audit committee questions. 

If internal audit fails to support audit committees in gaining a clear, timely, and connected understanding of the risks that matter most, audit committees can’t be effective in providing oversight. It’s high time to banish long-winded reports and presentations that say too much and too little simultaneously. CAEs must be prepared, concise, clear, and timely, focusing on key risks, providing appropriate context, and sharing the right information in the right ways at the right times. Instead of “reading slides,” CAEs should seamlessly convey relevant, risk-informed insight that engenders discussion and connects with strategy. 

As I wrote in my 2024 New Year’s resolutions for internal audit, creating more dynamic, high-impact communications should be a top priority for every internal audit function. It’s also a key way CAEs will strengthen their audit committee relationships.

Demonstrate Independence and Objectivity 

Another common concern cited by audit committee chairs was that CAEs may lack the courage to communicate with them in a frank, candid manner. Even in executive sessions without management present, they worried that CAEs may be holding back — unwilling to bring matters to their attention if management may disapprove.

Core to internal audit’s purpose is acting as an independent, risk-based, and objective source of assurance on risk management and controls. Audit committees want to be confident that they can rely on internal audit to speak up on important risk and control matters, bringing an objective, independent perspective and voice. I was amazed to hear how many audit committee chairs worry that this is not happening in their own organizations. 

CAEs must ensure that internal audit demonstrates its independence and objectivity through its:

• Structure, with reporting lines supporting independence and objectivity and an internal audit charter and policies clearly articulating independence and an objective mindset.
• Behavior, exercising an appropriate degree of professional skepticism and demonstrating a commitment to unbiased reporting. 
• Communications, ensuring transparency and continuity and holding executive sessions without management present.

CAEs are charged to build trusted relationships with both management and the audit committee. This is admittedly a balancing act. CAEs, however, must not simply be mouthpieces for management, saying only what management wants them to say. The integrity of our profession can only be built on a foundation of true independence and objectivity. That’s why it all comes back to courage — the very thing these audit committee chairs say they expect from their CAEs. Their definition of trusted advisor means getting comfortable sharing perspectives and advice both formally and informally, even when they’re not what everyone wants to hear. Of course, the inconvenient truth is that audit committees often fail to have the CAE’s back when push comes to shove with management. If audit committees want a more courageous CAE, they must be prepared to enable that courage. 

Mind the Gap to Begin Building a Bridge 

As I shared with GAM attendees, fortifying relationships is a journey, not a destination. You’ll always have work to do on your relationships with your audit committee and other key stakeholders. But deploying these strategies can help you move several steps forward on your journey. Be bold, candid, and courageous. Offer insights, advice, and education, and encourage dialogue. Ask how you can do better, and be accountable for taking action on any feedback. Most of all, bring your own voice — and make sure you’re doing all you can to help your voice be heard.