Effective Audit Committee Reporting
As The Institute of Internal Auditors (The IIA) is currently revamping the Three Lines of Defense model, this is a perfect time for us to revisit our interactions with the Audit Committee. Audit departments are soon going to find themselves in more advanced risk management discussions with senior management and the audit committee. A good internal audit department is one that can effectively work with the audit committee as a partner in enterprise governance. A world-class internal audit department goes much further.
As a best practice our reporting to the audit committee should educate them on the state of the organization and the work performed by audit. The IIA even states that “the critical connection between audit committee effectiveness and internal auditing mandates that committee members maintain an in-depth understanding of internal audit best practices and how their internal audit activity is functioning”.
Unfortunately, internal audit leaders often struggle when it comes to sharing information with the audit committee. By focusing on the information that is presented and the manner in which data is presented, we can elevate internal audit’s value to the committee and thereby the audit committee’s value to the organization.
What Goes into the Presentation?
One of the most important factors in helping the audit committee focus and set priorities for the organization is the quality of information we present. We must be careful not to overwhelm the committee with extraneous information. Always present high-level summary information and provide any details as an appendix to the summary.
In line with the Three Lines of Defense update, we should provide more risk information to the audit committee. You should feel free to have open, risk-based discussions with the audit committee when explaining the annual risk assessment. Changes to the organization’s risk profile should also be revisited throughout the year. If we want to take this to the next level, we should include our risk management counterparts in the reporting and in the meeting.
Always provide more trending information related to audit results. Showing trends is more illustrative of the organization’s overall status. Examples could be trending by types of audit findings, audit results by region, by severity, or by any other category that is relevant to your organization. You should have open discussions with the committee members to determine if the information you are capturing is relevant to the committee, and find out if they have any concerns that could be addressed with information you should be trending.
Audit committee reports should also include an assessment of the internal audit department’s quality and performance. The reporting should go beyond basic statistics on the audit staff (e.g. experience and certifications) and external quality assessment reviews, and include information on the specific KPIs from interaction with stakeholders, possibly even employing Balanced Scorecard techniques.
Improving Communications
Audit committee presentations are a formal method of communication, typically held quarterly. Since the organization’s operations and risk profile are fluid, audit management should feel free to engage the audit committee chair person more frequently and less formally with phone calls or emails. There is no reason why the Chief Audit Executive (CAE) should limit communications with the Audit Committee Chair to four (or fewer) times each year. If you have the technology capability, you could even provide real-time access to reports and dashboards to the audit committee.
During the formal presentation, always make sure the materials meet audit committee needs. If using a slide deck, the slides should be to the point and look interesting. Again, the amount of information should not be overwhelming, but should cover what they need to know, want to know, and should know. Remembering the basics of any presentation should help. Slides should have summary data in an easy-to-read bullet format with color coded charts, dashboards, and heat maps. No one wants to read slides full of text.