In these uncertain times, profits are being challenged, everyone is clamoring for more oversight, the control environment is threatened as layoffs grow, and IT has a whole new set of risks. With this backdrop, the relationship between the chief audit executive (CAE) and audit committee has never been more important. The communication must be open, continual, pertinent and timely.
To explain how to do this, consider first some thoughts on how not to do it. Here are 25 “worst practices” in educating the audit committee, with suggestions on how to avoid them. Avoid these worst practices, and you will be well on the way to leading practices.
In no particular order of importance, the 25 worst practices are:
1) Overcommitment – Most audit shops are being stretched thin, as areas of responsibility are increasing faster than the necessary resources. This makes it more important than ever for CAEs to commit to what can be accomplished. It is bad practice to overcommit and underachieve. To avoid this, stay focused on what is important.
2) Surprises – No audit committee wants to be surprised. Have continual communications about what you are doing, as well as a specific agenda before each meeting. This will help keep the discussion focused.
3) Not being fully truthful, especially in private sessions – This likely will end with a one-way ticket out of the organization. If you have bad news, deliver it within the culture of the organization. Not being truthful does not necessarily mean lying. It also can mean fudging, such as not telling how bad a situation really is. Or it can be guessing at information instead of knowing it. It is better to say you do not know and will get back with the answer.
4) Not being technically current on what interests the audit committee – CAEs must be up to date on what is going on within the organization and industry and know how this could affect the audit function. They also must stay current on industry issues. This is why it is important for them to be involved.
5) Not being versed on Enterprise Risk Management – Auditors cannot audit all risks. This is why they must be sure there is a risk process in place and understand what the enterprise risks are. Failure to understand could result in misdirected resources, something no audit shop can afford these days.
6) Not being above reproach – I tell people auditors live in a glass bowl. There cannot be two sets of standards, one for auditors and another set for everyone else. We have to be above reproach.
7) Having an annual audit plan that does not add value – We must have an annual plan, but that plan should be subject to continual updating as new risks emerge. And that plan must address what could keep you up at night. Everything in the annual plan should be reconcilable to the organization’s ERM plan. If it is not, we should question why we are doing it.
8) Letting the status quo rule – Just because something worked last year does not mean it will work this year, especially in view of recent economic upheaval. The chief auditor at Raytheon once said to me, “If I have a world-class audit function now, what am I doing to ensure I have one 18 months from now?” That is how we have to be thinking.
9) Providing too much data without interpretation – We need to provide meaningful analysis so that the audit committee understands what the information means.
10) Being SALY and JELLY (Same as Last Year and Just Exactly Like Last Year) – Just because something worked last year does not mean it will work this year. Just because no one has criticized what the audit department is doing does not mean you should not change it.
11) Not being a proactive and ongoing communicator – Auditors need to keep up with what is happening within the company, industry and in business generally. Then they need to relate that information to the organization. I have clients who pass on articles on scandals and evaluate if any of those things could happen within the company. This keeps people thinking of the possibilities and aware of what to look for.
12) Reporting to the audit committee but not reporting to the audit committee – Who really determines your compensation? If it is determined by someone other than the audit committee, you might really be reporting to someone else.
13) Failing to reconcile your annual audit plan to the ERM plan – Internal control must focus on everything from compliance with Sarbanes-Oxley and other pertinent laws and regulations to maximizing the efficiency of the organization through effective operational reviews. Risk assessment is vital to do this. A business-focused audit plan that ties to the core functionalities and risks identified in the ERM plan is likewise vital.
14) Being a mystery to the audit committee – Does the organization have regular audit committee meetings that you attend? Do you have private sessions with the committee? The answer to both questions should be “yes.”
15) Failing to annually review audit committee and CAE responsibilities – The audit committee charter should be reviewed annually and measured against minutes from board meetings, committee activities, as well as audit department accomplishments.
16) Presenting data instead of knowledge – It is not enough to present information. Auditors also must provide context.
17) Not continually educating – Activities such as participating on teams to be proactive can help an auditor educate the audit committee about various issues.
18) Not reducing data overload – How do I keep current with as little information as possible? Sometimes important information or insights can come from unexpected places. But self-imposed barriers can stop us from seeing or considering these things. Auditors need to look at certain things that may not be traditional but in this environment could add value.
19) Failing to strategize the timeliness of presenting data – Board members must absorb a lot of data at quarter end. Often so much data comes in that it is hard to absorb. It is a good practice to hold data that is not time-sensitive to be presented at mid-quarter. This will reduce the amount of information board members receive and allow them to concentrate on and digest the information at hand.
20) Not knowing the audit committee’s “hot buttons” – What could be keeping them up at night? Compensation issues? Reputational risk? New regulations? Auditors need to know these issues and provide the information they need.
21) Not annually self-assessing audit committee performance – Have committee members met their requirements? An annual assessment will show if they are meeting their goals or if and where they need improvement.
22) Not continually educating how internal audit adds value – Auditors need to show how the function helps improve operations, saves money, protects the organization’s reputation, enhances the productivity of the audit process, etc.
23) Being too timid and not opinionated – If a practice is wrong, it is wrong. An auditor must have the courage to go against the grain and say, from a control perspective, “I do not like this.”
24) Ignoring the “bad news” process – Each organization must have a way to deliver bad news to the audit committee. When bad news needs to be delivered, the process must be followed to ensure the delivery is made.
25) Being too conservative and lacking in innovation to add value – We identify risks – fraud, IT, ERM, GRC, etc. CAEs need to be creative in a tight economy to give the audit committee comfort. Often the response is to hunker down in these conditions. Sometimes, though, these conditions can spur us to find new and better ways to use our resources; it is always good to be open to them, regardless of the resources at our disposal.
These 25 practices need to be avoided regardless of an organization’s size or industry. Even the largest and supposedly savviest organization can succumb. Now is the time for auditors to be aggressive in pointing out compensation and risk practices that were bad business decisions. They should also remember key lessons from this recent economic crisis: risks must be properly recognized, communicated and addressed.
Joel Kramer is Managing Director of the internal audit division of MIS Training Institute. This article was developed based on his presentation “Best Practices in Educating the Audit Committee.”