Internal Audit departments have a unique position within an organization. Audit is one of the only groups in any organization with direct access to the board, and in particular to the audit committee. A good internal audit department is one that can effectively work with the audit committee as a partner in enterprise governance. A world-class internal audit department goes much further. As a best practice, the audit committee should be educated on the state of the organization and the work performed by audit. The Institute of Internal Auditors (The IIA) [1] even states that “the critical connection between audit committee effectiveness and internal auditing mandates that committee members maintain an in-depth understanding of internal audit best practices and how their internal audit activity is functioning”.
Unfortunately, internal audit leaders often struggle when it comes to sharing information with the audit committee. By focusing on the information that is presented and the manner in which data is presented, we can elevate internal audit’s value to the committee and thereby the audit committee’s value to the organization.
A recent research paper titled Strengthen Audit Committee Value: A 10-step Approach [2] explains several best practices related to the information that should be presented to the audit committee. One of the most important factors in helping the audit committee focus and set priorities for the organization is the amount of information we present. We must be careful not to overwhelm the committee with endless information. Always present summary information and provide any details as an appendix to the summary. Remember that these are regular people with a very limited amount of time to dedicate to your data, so be succinct and provide your reports well in advance of any meetings.
In line with our basic audit process, we should provide more risk information to the audit committee. You should feel free to have open, risk-based discussions with the audit committee during the annual risk assessment. Changes to the organization’s risk profile should also be revisited throughout the year.
Instead of getting mired in the details, provide more trending information related to audit results. Showing trends is more illustrative of the organization’s overall status. Examples could be trending by types of audit findings, audit results by business unit, or trends in the status of different control classifications. The type of information you choose to capture and report on will differ by industry and company. You should have open discussions with the committee members to determine if the information you are capturing is relevant to the committee, and find out if they have any concerns that could be addressed with information you should be trending. The time spent on gathering this data can be reduced drastically using an Audit Management tool. All too often, audit management teams spend days or weeks compiling results manually, which leads to the possibility of missing or skewing the trending data.
You should determine what types of internal audit opinions (or selective assurance), if any, are valued by the audit committee. Most committees welcome “an opinion on a specific area or process rather than an overall blanket opinion” [2]. Your reports could include a judgment on the adequacy of financial control, risk management processes, governance processes, or regulatory compliance. Consider combined reporting with other risk-and-control functions like an Enterprise Risk Management (ERM) team, Compliance departments, Fraud Investigators, SOX and Control groups, Legal, or Health and Safety.
Audit committee reports should also include an assessment of the internal audit department’s quality and performance. The reporting should go beyond basic statistics on the audit staff (e.g. experience and certifications) and external quality assessment reviews, and include information on the specific KPIs from interaction with stakeholders, possibly even employing Balanced Scorecard techniques.
Audit committee presentations are a formal method of communication, typically held quarterly. Since the organization’s operations and risk profile are fluid, audit management should feel free to engage the audit committee chairperson more frequently and less formally with phone calls or emails. There is no reason why the Chief Audit Executive (CAE) should limit communications with the Audit Committee Chair to four (or fewer) times each year.
During the formal presentation, always make sure the materials meet audit committee needs. If using a slide deck, the slides should be to the point and look interesting. Again, the amount of information should not be overwhelming, but should cover what they need to know, want to know, and should know. Remembering the basics of any presentation should help. Slides should have summary data in an easy-to-read bullet format with color coded charts, dashboards, and heatmaps. No one wants to read slides full of text.
When we talk about audit committee presentations, we are generally discussing a presentation made by the CAE to a subset of the Board of Directors. Audit management stresses over the presentations made each quarter, and often agitates the entire audit staff. Then the meeting is held in private and not discussed for another quarter, which further rattles the staff. In doing so, we create a division between the audit staff and the audit committee. The audit committee takes on a mysterious tone, even becoming a seemingly hostile watchdog group to the audit staff. In reality, the audit committee is a natural extension of the audit department. Consider breaking down these walls. Involve the staff in preparing the audit committee presentation, and if possible, allow the staff to observe the inner workings of an audit committee meeting with web meeting tools or invite one or two to attend and observe in person each time. By bringing the entire staff deeper into the reporting and presentation process, we can remove the mystery and earn more dedication from the audit team. We can also further improve the overall presentation by spreading the preparation workload, and by bringing in fresh ideas from the team.
[1] Taken from the Audit Committee Resource website (6/26/2015)
[2] Strengthen Audit Committee Value: A 10-Step Approach
Toby is a Certified Internal Auditor (CIA) who holds an MBA with an Internal Audit specialization from Louisiana State University. He is also certified in Control Self-Assessment (CCSA), Risk Management Assurance (CRMA), Internal Control (CICA), and Fraud Examination (CFE). His professional background includes identification and documentation of weaknesses that result in heightened business risk, while recommending solutions to such situations. Toby began his career in internal audit with Macy's Inc. He then worked as an implementation and training consultant for Wolters Kluwer. As a Senior Market Development Consultant at Wolters Kluwer, Toby works with organizations that are looking for software solutions to their audit, risk and compliance needs.
Throughout his career, Toby has helped numerous internal audit departments create, perform, and supervise financial, operational, and compliance audits to evaluate control frameworks, financial systems, and operating procedures.