Part 3 in a Series Exploring the “Auditor of the Future”
In this series, Protiviti’s Jim DeLoach and Brian Christensen have put forth 20 potential ways the Chief Audit Executive or internal audit lead can advance his or her relationship with the audit committee. Parts 1 and 2 focused on risk and value, respectively; this installment details strategies for making the most of communications.
with co-author Brian Christensen
In this three-part series, we have explained our vision of the future auditor, or the CAE who takes definitive steps to apply the full scope of The IIA’s definition of internal auditing. We have elaborated on the future auditor’s advancement of the relationship with the audit committee of the board of directors (or its equivalent) on three distinctive but interrelated fronts – risk, value and communications.
Two weeks ago, we focused on risk, advancing six ideas on how the CAE could enhance the audit committee relationship. Last week, we focused on value, advancing nine more ideas. Below, we address the focus on communications. Our thinking is derived from our various client experiences as well as from roundtables we have facilitated with seasoned CAEs. Of necessity, the interrelated nature of the three fronts gives rise to ideas that overlap to some extent.
The Focus on Communications
According to the CBOK study, board members generally rate the quality and frequency of internal audit’s communications highly. For example, a strong majority of board members give high scores for the quality (83 percent) and frequency (81 percent) of internal audit’s communications. That’s a great foundation on which to build.[1]
In sustaining effective communications, the future auditor focuses on communications with the audit committee and the enterprise’s information for decision-making. Below, we discuss how.
An optimally effective “auditor of the future” will:
Report directly to the audit committee. The future auditor’s positioning within the organization is vitally important to his or her ability to deliver against rising expectations. Access to senior management and the board, stature within the organization and effective escalation protocols have always been keys to positioning. It is vital that the CAE report directly to the audit committee.
Interact with directors outside of customary settings. The future auditor seeks opportunities to participate in board settings beyond the traditional audit committee meetings. Which board settings are “relevant” in this context must be defined by directors to fit the organization’s specific needs and may vary in different countries and regions due to different board structures, cultures and internal audit skill sets. For example, the CAE can:
- Proactively engage the audit committee chair, as necessary, throughout the year to deepen the relationship. Lunch or dinner once or twice a year, a standing monthly call and inviting the chair (or the full committee) to meet the internal audit team in an informal setting are all ways to facilitate engagement.
- Invite the chair to meet with the audit team and present his or her view of the company, current developments, the critical risks, the role of internal audit and the audit committee’s oversight role.
- Seek opportunities to serve as a channel for knowledge and insight to the audit committee on hot topics.
- Be aware of the key responsibilities of the audit committee as set forth in the committee charter and offer input, when appropriate, to help the committee complete its annual responsibilities.
Increased access to, and more frequent interaction with, the board broadens the CAE’s perspective and elevates the stature and visibility of internal audit.
Expand the emphasis on assurance. There are different sources of assurance available to the audit committee. Accordingly, the future auditor distinguishes and draws upon the sources of assurance provided by those who report to management and/or are part of management; those who report to the board (including internal audit); and those whose reports are directed to external stakeholders (e.g., the external auditor). Audit committees value being educated as to the available sources of assurance.
Prepare effectively for meetings. The future auditor conducts pre-meetings to set the agenda in advance of every audit committee meeting with the chair (and other directors, if appropriate) and to ascertain directors’ expectations and direct “asks” of the committee (e.g., incorporate suitable pre-reads in the audit committee package distributed in advance of the meeting). In addition, a walkthrough of the meeting agenda with appropriate executives and, if necessary, the external auditor presents an opportunity to vet issues and potential sources of disagreement before discussion with the committee. As a professional courtesy, this process helps management prepare for any questions they might have to address later, strengthens relationships and ensures that audit findings are presented constructively. Simply stated, executive management should not be surprised by anything in the auditor’s reports or presentations to the committee.
Preparation also entails anticipating questions in advance and formulating responses to those questions. To that end:
- Some companies have the business owners responsible for audited areas attend the audit committee meeting to respond to audit observations, in which case managers speak for themselves rather than the CAE responding on their behalf.
- Often, questions arise in executive session related to the evaluation and competence of key personnel; in such instances, the CAE should consider whether there is a basis to respond and, if so, be prepared to deliver the appropriate response in a professional, substantiated manner.
Other aspects of preparation include isolating any new risks and other issues that have come up internally or externally and considering how those items might be introduced if significant. In addition, it is wise for the CAE to be well-versed in the other agenda item topics being covered by the committee when he or she is expected to be present.
Apply best practices to maximize the effectiveness of presentations. The future auditor gets to the point, focuses on what directors need and want to know, provides relevant results and covers other matters if requested. He/she presents audit findings as if the responsible business owner were in the room (and, optimally, they would be). The public domain is replete with ideas for effective presentations to directors; the following are six of our favorites:
- Appearances are everything – Make pre-reads and presentation materials visually appealing and focused on the key takeaways.
- Tell the story – Summarize key messages and encourage discussion; synthesize data into key themes, observations and action items.
- Keep it short – Be concise and to the point; distill the message into an elevator pitch and be ready to comment on specifics if asked.
- Speak with authority – Look committee members in the eye, pause for questions but don’t linger, and speed up or slow down the presentation cadence based on director feedback.
- Respond to questions with direct responses – With respect to questions for which the answer isn’t known, take an action point to follow up to obtain the information; for questions that are or should be directed to management, pause to allow management to respond.
- Be a team player – If executive management wants to own a particular issue and bring it up to the audit committee, let them; as noted earlier, consider having business stakeholders join the meeting to co-present on the findings of a particular review (e.g., have the CIO or CISO co-present on the results of a cyber audit).
The experienced CAE knows that any board presentation may need to be curtailed due to time limitations, so he or she should be prepared for that.
Summary: Time to Raise the Bar
In this three-part series, we have advanced 20 ideas for the CAE to advance his/her relationship with the audit committee. Because audit committees are different from organization to organization, not all of the points we suggest may be relevant to a specific committee’s needs. However, we believe that the future auditor’s three-pronged focus on risk, value and communications applies to almost any audit committee. As executive management and board expectations of the internal audit function continue to rise, progressive CAEs must adapt and continuously upgrade the capabilities of their functions to keep pace.
The 20 ideas presented during this series on how the future auditor considers risk, contributes value and maximizes the effectiveness of communications represent definitive steps forward for any CAE. As noted several times during the series, our suggested focus on risk, value and communications of necessity overlaps. Accordingly, it is not surprising that some of the various ideas serve multiple purposes. While not intended to be all-inclusive, these 20 suggestions could be used to benchmark a CAE’s and internal audit function’s modus operandi. Any gaps should be carefully considered by the CAE as a potential enhancement opportunity.
We believe that CAEs who embrace the future auditor vision as explained in the first installment of our series are better positioned to serve the needs of executive management and the board through their comprehensive risk-focus, forward-looking emphasis on value and crisp, targeted communications. As progressive CAEs take the lead to up their game, they pave the way toward realizing the internal audit profession’s full potential.
This article is based on information detailed in The Bulletin (Volume 6, Issue 7), available at www.protiviti.com.
[1] Six Audit Committee Imperatives: Enabling Internal Audit to Make a Difference, by Jim DeLoach and Charlotta Löfstrand Hjelm, A CBOK Stakeholder Report, a study conducted by The Institute of Internal Auditors and Protiviti, 2016, available at https://na.theiia.org/iiarf/Pages/Common-Body-of-Knowledge-CBOK.aspx.