A strong relationship between internal audit leaders and the board and audit committee is essential for the department to accomplish its objectives and provide value to the organization. Yet, so many internal audit leaders don’t work at improving communications with the board or make it a point to build strong relationships with directors.
The Basel Committee on Banking Supervision states that for an internal audit function to be effective, it must provide independent assurance to the board of directors and senior management on the quality and effectiveness of internal control, risk management, and governance systems and processes. This will facilitate the board and senior management’s efforts to protect the organization and its reputation.
Effective communication with the board and audit committee facilitates better accountability, transparency, and informed decision-making within an organization. Just about any corporate governance expert would recommend that the chief audit executive (CAE) should meet regularly with audit committee members and agree on expectations for the internal audit function.
According to Wiley’s Handbook of Board Governance, a weak internal audit department can sometimes be attributed to instances when audit committees do not properly clarify what they expect from the internal audit department. It’s sometimes the case that the audit committee members may not even properly recognize their responsibility to oversee internal audit or just leave this task to management.
Strategies for Improving Communication with the Board and Audit Committee
In such situations, it's the internal audit leaders who must take a central role in establishing a good working relationship with members of the audit committee and the full board and ensure open lines of communication. Here are some things to consider in building those relationships:
1. Set Expectations with Board and Audit Committee Members: It is critical for internal audit to set expectations in advance on the nature, mode, and frequency of information. Besides formal communication, informal chats with the board or audit committee members could facilitate setting clear expectations.
2. Set Frequency of Meetings and Expected Correspondence: The CAE should meet the audit committee (or the full board) at an agreed-upon frequency. Quarterly meetings are a common industry practice that provides updates on controls, key risks, and governance issues, with off-cycle meetings if required. The audit committee should meet regularly with the CAE in camera (without the management team) to discuss sensitive matters.
IIA Standard 11.3 states that the CAE must communicate the results of the services to the board and senior management, periodically and for each engagement as appropriate.
The CAE must also provide information that the board and audit committee may require in their oversight role (IIA Standard 8.1).
IIA Standard 15.1 states that internal auditors must develop a final communication on the engagement, scope, recommendations, and management action plans.
The information could comprise the following:
- Internal audit plans are often presented annually, with some updates through the year. The trend, however, has been to update audit plans more frequently, such as quarterly, to respond to faster risk cycles and rapidly changing environments.
- Risk landscape: The focus should be on key strategic risks and new emerging risks and how internal audit envisions helping. Organizations typically provide this information at intermittent periods, such as quarterly; however, some are moving to continuous risk assessment models.
- Opinion on the overall condition of the organization’s controls could likely be an annual exercise.
- Internal Audit budget. This is usually a yearly report; however, it could be on an agreed-upon basis.
- Any conflicts of interest that may impede the work should be reported immediately.
- The quarterly updates should include internal audit departmental updates, such as the status of past findings, team size or composition, and other initiatives.
- Internal audit metrics should be reported at least every quarter.
- Information on coordination and oversight of control and monitoring functions such as risk management, compliance, and security (the second line under the Three Lines Model).
- The internal audit charter should be reviewed by the audit committee or the board yearly or when key changes occur in the internal audit department’s operation, responsibilities, and reporting structure.
- Internal audit engagement reports should include a detailed report, including the audit results and detailed findings, significance and prioritization, scope limitations, overall conclusion, and an executive summary of the findings.
3. Provide Clear and Concise Reporting: IIA Standard 11.2 emphasizes that the CAE must ensure accurate, objective, concise, constructive, complete, and timely internal audit communication.
The internal audit department should avoid providing excessive details. Board members have voiced concerns that they are overloaded with overly detailed reports and insufficient visual aids to explain the context better. The internal audit team should provide an executive summary along with more details in the appendices. The summary should provide the board and the audit committee with insights and action plans.
Communication needs to be unambiguous. Write in an active tone and avoid technical jargon by using everyday language. Visual aids such as dashboards, graphs, and charts can also help board members understand complex data.
The CAE should be candid about challenges, risks, and any issues that have arisen. They should be bold in narrating the matters to the audit committee (or the board) even if the executive team disagrees.
It is not easy to gauge the optimal level of communication correctly, but over-communication is preferable to under-communication.
4. Remain Open to Engagement and Interaction: The CAE should schedule ample time for questions and discussion and encourage open debate to ensure board members fully understand the information presented and can influence the action plans if needed.
The CAE should seek continuous feedback from the board and audit committee members to improve future communications and address potential concerns.
The CAE must establish a strong working relationship with the board and audit committee chair through regular communication.
5. Provide Updates on Compliance and Governance: The CAE should inform the board and the audit committee of the risks to the organization that stem from changes in laws and regulations.
The CAE should update the board and the audit committee on key risks, controls, and governance issues. For example, the IIA’s 2023 Pulse Survey indicated cybersecurity as one of the top threats facing publicly traded companies.
The new SEC rules require the board of directors to oversee cybersecurity risk management processes. In addition, management’s oversight must be disclosed in the company’s annual reports moving forward.
The CAE should report on the effectiveness of internal controls and any areas needing improvement.
6. Provide Info on Use of Technology: Advanced analytics tools are available and can facilitate the presentation of complex data in a more precise, concise, and usable manner.
Auditors can use AI (Artificial Intelligence) to produce data-driven insights and visualizations for audit committee and board reporting (Artificial intelligence in auditing | Wolters Kluwer).
AI could provide the CAE with deeper insights and predictive analytics, thereby increasing the overall effectiveness of communication with the board and the audit committee.
An audit management tool could significantly reduce some of the manual steps in the overall reporting process and compilation of the audit results to the audit committee and the board.
7. Provide Documentation and Follow-Up: The organization should maintain detailed minutes of meetings, follow-up action items and records of decisions.
Board or audit committee minutes should be prepared and distributed promptly after the meeting. Ideally, minutes should be circulated to board members through a cloud-based board portal software for review and approval in a reasonable timeframe, such as before the next scheduled meeting.
The CAE should provide information to the board in a format that is most useful to their decision-making.
Management should load pre-read materials to the cloud-based board portal at least two weeks before the meeting to allow board members to review them and come to the meeting prepared with questions. Pre-read materials should be consistent in look and feel so board members can quickly identify exceptions.
Solidifying the “Dotted Line”
Meetings and interactions with the board and audit committee can be nerve-wracking moments for internal audit leaders, but they don’t have to be. With a little planning and the right mind-set, chief audit executives can build solid relationships with members of the board and audit committee that will pave the way for better communications between them.
In more recent years, the “dotted line” reporting relationship between chief audit executives and the audit committee has begun to turn more solid, with audit committee chairs often relying on the CAE for an unvarnished view of what’s happening inside the organization. With the strategies above, those lines of communication can remain open and the relationships can yield real value for the board and for internal audit.
Nirpendra “Nick” Ajmera B.COMM, CA, CIA, CISA, CFE is an internal audit influencer with more than twenty years of experience in the internal audit and risk arena. He currently leads internal audit for Qulliq Energy Corp. in Nunavut.
Mark McEvoy CPA, CIA, CRMA, MBA is an experienced internal audit, external audit, and internal controls professional and board member, with more than twenty years of experience working with corporate and government bodies to identify and respond to risks while always working to reduce the burden of controls to what is materially required.
Megean Ward is the Executive Services Coordinator for Qulliq Energy Corp. in Nunavut, where she’s lived for 9 years. Her background is executive office administration with a focus on Governance protocols. She is a member of the Governance Professionals of Canada.
What should the CAE do if the Audit Committee requests that all communication be issued through the Company’s Corporate Secretary?
This question is a response to “..informal chats with the board or audit committee members could facilitate setting clear expectations.”
THE BEST AND THE MOST EFFECTIVE WAY FOR COMMUNICATION BETWEEN THE EXTERNAL AND INTERNAL AUDITORS WITH THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS IS = THE EXTERNAL AND INTERNAL AUDITORS SHOULD REPORT – FUNCTIONALLY DIRECTLY TO THE MEMBERS OF THE AUDIT COMMITTEE WITH CHAIRMAN AUDIT COMMITTEE AS THE MAIN / AND EXTERNAL AND INTERNAL AUDITORS REPORTING ADMINISTRATIVELY TO THE CEO / MD OF THE ORGANISATION
ALL THE AUDIT REPORTS SHOULD BE MARKED COPY TO THE CHAIRMAN AND THE MEMBERS OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS AND WITH A COPY TO THE AUDITEE HEAD OF THE DEPARTMENT / FUNCTION AND THE CEO OF THE ORGANISATION