There’s a lot of talk these days about what’s important for CAEs to be doing and why. It’s always useful to exchange sound practical advice on how to do what needs to be done. So it was gratifying for me to participate in a recent MIS Training Institute Masters Program dedicated to providing real-world solutions through peer-to-peer discussion on many of the issues raised by audit committee members in The Institute of Internal Auditors’ CBOK Stakeholder Study, conducted by The IIA and Protiviti.
I led a session on best practices for dealing with audit committees, how CAEs should prepare to present to the audit committee, and what tactics they can use to engage audit committee members with internal audit teams and other stakeholders.
Primarily, this is about communications — the people side of our business. Effective audit committee relationships are not possible without effective communication skills. It is common to call communication a “soft skill,” which is ironic because many auditors find communication to be quite challenging. And while the basics of assurance will always remain at the core of what we do, adding value should be our ultimate goal. It doesn’t matter how well we plan, execute and report if we fumble the ball when it comes to communicating with the audit committee. Fair or not, what they see and hear in their interactions with the CAE is a primary source of their assessment of internal audit’s performance.
So how does a CAE best prepare for an audit committee meeting? Using an American football analogy, this is the point when the CAE is inside the 5-yard line, and his or her actions are critical to advancing the ball for a score. Keeping the director audience foremost in mind is key. With input from the participating CAEs at the MIS event and based on our own experience, here’s how to prepare and present:
- Appearances are everything. Make pre-reads and presentation materials visually appealing and focused on the key takeaways.
- Tell the story. Summarize key messages and encourage discussion; synthesize data into key themes, observations and action items.
- Keep it short. Be concise and to the point; distill the message into an elevator pitch and be ready to comment on specifics if asked (think 10 minutes, versus 30).
- Speak with authority. Look committee members in the eye, pause for questions but don’t linger, and speed up or slow down the presentation cadence based on director feedback.
- Respond to questions with direct responses. With respect to questions for which the answer isn’t known, take an action point to follow up to obtain the information. For questions that are or should be directed to management, pause to allow management to respond.
- Tell them something they don’t know. Positioning internal audit as the eyes and ears of the board and senior management is the key to adding value.
- Anticipate questions. One of the benefits of strong relationships is the insight that comes from ongoing dialogue. By the time you report to the audit committee, you should have a pretty good idea of what’s on their minds and have the answers ready.
- Be a team player. If executive management wants to own a particular issue and bring it up to the audit committee, let them. Consider having business stakeholders join the meeting to co-present on the findings of a particular review (e.g., have the CIO or CISO co-present on the results of a cyber audit).
- Keep management in the loop. Executive management should not be surprised by anything in your report. It’s a professional courtesy to vet its contents with management to help them prepare for any questions they might have to address later.
- Play defense as well as offense. Yes, everyone wants to focus on value creation and upside. But in Super Bowl LI, the Patriots’ vaunted offense never would have had a chance to win the game in the second half had their defense not stepped up. In a business, the “lines of defense” model helps focus the necessary blocking and tackling in creating a risk management infrastructure and is a model directors understand.
As a best practice, the CAE should meet with the audit committee in executive session from time to time. With this mechanism in place, the CAE is positioned to be candid when the big dilemmas come up.
Of course, good communication and successful relationships extend beyond audit committee meetings into all aspects of internal audit. Internal audit departments, especially CAEs, are often perceived as reservoirs of knowledge and insight to be tapped and deployed to improve risk culture and risk management capabilities to inform senior management and the board of up-and-coming risks. This underscores how critical it is for the internal audit function to demonstrate an understanding of strategic risk. A strong business context enables the CAE to be an engaged, familiar face around the company, particularly with its leaders, bolstering the audit committee’s confidence in the CAE’s effectiveness.
With expectations increasing, internal audit needs to up its game with early warnings on emerging risks. Effective audit teams “connect the dots” when considering the enterprisewide implications of audit findings and look beyond the scope of the audit plan to identify patterns, trends and issues meriting attention at the top as well as signs of a deteriorating risk culture. Along with effective communications, the CAE will have a combination of capabilities that will position him or her to succeed. Soft skills may be hard, but they are worth their weight in gold.