Hal Garyn is an internal audit/risk management and governance leader and an Internal Audit Beacon Award recipient.
Audit Committees - especially those of publicly traded companies - have so much on their plates these days that it can seem impossible to give attention to anything beyond the necessary financial statements, reporting and supporting controls (ICFR), and disclosures. Yet audit committees are usually the only board committee also focused on internal audit, internal control, and (unless there is also a risk committee) risk management. Adding to the list of competing priorities these days are cyber exposures, which seem to now make headlines daily.
It’s important that we not allow ourselves to get so focused on the urgent that we forget to include or consider the important, and that we step back and ensure that audit committees also have time to give their attention to other issues. In this article, I will lay out eight topics to which audit committees should also give their time and consideration, and it is up to us to make sure time is “carved out” as much as possible:
Issue 1 - Cyber, cyber, cyber
There’s enough risk and exposure with cyber to fill a separate, stand-alone committee’s time – at least in many organizations. Attempts to hack into, phish, and/or social engineer a way into an organization’s storehouse of confidential information happen relentlessly, and will not abate. Do board members need to be technology experts? No, but there are few risks as pervasive as cyber threats. Making sure the audit committee has an appreciation for what the major risks are and how the company is managing and mitigating them is critical. An audit committee can prioritize recruiting members with technology experience as part of the audit committee competency profile, thereby demonstrating that the committee takes these exposures seriously. Take a look at how much time is being spent on cyber with your audit committee and consider if it should be enhanced.
Issue 2 - How does Environmental Social Governance (ESG) fit with corporate strategy?
There is plenty of talk on the ESG topic but, when you peel it away, much of the focus is on the environmental component, and little about the social and governance. Furthermore, a lot of the environmental discussion is about climate disclosures that exist and/or may be forthcoming. While not completely true globally, this focus on climate disclosures dressed up as an ESG approach is what I would consider a “tail wagging the dog” exercise. The compliance focus – although important – misses the big picture. While some organizations do support internal audit having a role with ESG, that role is often relegated to a tactical compliance “strategy,” providing assurance on existing disclosures. Some organizations, though, do see ESG through a competitive lens, considering how it fits within and extends corporate strategy. Does the audit committee understand the ESG strategy, and does it spend time considering if the actions of the company are in support of that strategy? To that end, is time carved out on the audit committee’s agenda to consider the strategy and then the risks and opportunities within? These are questions for the audit committees to reflect upon.
Issue 3 - What firms does the company engage with beyond external audit?
Companies of any size and/or complexity use the services of a multitude of third parties, many of which are advisors, consultants, and subject matter experts. Some of these third parties are likely doing mission-critical things for the organization, and any disruption of what they do for the client could be disastrous. And many of them possess confidential information about your organization, your company strategy, and your customers. That is why it is up to the audit committee to ask: Does anyone in the organization have a comprehensive view of all these third parties (not only knowing who they are, but what they do and how critical they might be to organizational success)? The opportunities for conflicts of interest, misuse of fiscal resources, exposure of confidential information, inefficiency and waste abound. Yes, contractual arrangements exist with these parties (I hope!), but litigation should be the final answer, not the first, if things go awry.
Issue 4 - How does the organization assess employee engagement/disengagement?
The concepts of “quiet quitting” and “quiet firing” have entered our lexicon recently. At the end of the day, if people in the organization are quiet quitting, they are disengaging. The cost of disengagement is high: When people do the bare minimum to keep their jobs and nothing more, there is so much opportunity left on the table, and lost. The cost is enormous.
Is the audit committee plugged into how the organization is measuring employee engagement, and are they getting informed of the results of the surveys and assessments being performed? Do they weigh in on the results and the trends, and do they consider what it means in terms of how risks might be managed?
Issue 5 - What is the state of the relationship between the CAE and the rest of the c-Suite?
Much has been discussed and has been written about the dual reporting relationship of the CAE in most organizations, and how these reporting relationships directly impact independence and may indirectly affect objectivity. We all know about the importance of both the functional and reporting lines the CAE has, as well as the relationships they need to forge with each respective “boss.” So, let’s not reiterate all that here.
But the CAE needs to establish and sustain relationships across the entire c-Suite of leaders if the person wants to be successful, “in the know,” and have the right seats at the right tables. This relationship building and maintenance work takes special skills and a notable time investment on the part of the CAE. While the importance of this effort might be overlooked, it cannot be underplayed. Many CAEs are either successful or unsuccessful as a direct result of how they manage these challenging relationships and put themselves in the role of a true trusted advisor, or not.
Yet, how many audit committee members ask the CAE, directly or indirectly, how they go about managing these relationships? How many audit committees watch and evaluate how these relationships play out in the board room? As important as this is, from my experience there is little real time spent on this critical aspect of CAE success (or failure).
Issue 6 - What is the succession plan for the CAE?
While it is something that you’d think doesn’t need to be given any space in this article, it is quite amazing more companies don’t have a clear succession plan when it comes to the CAE role.
Now, sure, sometimes the role is vacated completely unexpectedly, and sometimes the role is vacated because the person was let go from their duties in a rather quick fashion. But, having a succession plan in place for the CAE position is something that should be well documented, or at least well considered, by the audit committee.
Even if there are no signs the current CAE will leave soon, the audit committee should periodically have an executive session to discuss the succession plan. This is simply a proactive, prudent exercise of governance to have a plan, know what it is, and how it would be executed if necessary.
Issue 7 - Where is internal audit not leveraging 3rd parties enough for subject matter expertise?
OK, we all are supposed to be developing “risk-based audit plans,” right? Given the complexity of the many issues that demand an internal audit team’s focus, it’s important these days to add specialized knowledge via third parties. Certainly, there are cost considerations. The audit committee has at least a few questions it can ask here:
If you had more resources (or dollars) to bring on 3rd parties to assist with the audit plan, which projects would you want to consider applying them to?
Are there any projects you are not undertaking right now because you don’t feel your team has the competencies necessary to execute them (or, alternatively, any projects where organizational leaders are not confident in internal audit’s competence to do the project successfully)?
What projects are in the audit plan that you would co-source (or outsource), but you don’t have confidence in the ability of the 3rd parties available in the marketplace to deliver a successful result at a reasonable rate?
Issue 8 - What is internal audit’s short- and long-term strategy around remote working?
Most internal audit professionals agree on the importance of relationship building and relationship management to internal audit’s long-term ability to deliver on its promises and maximize its value to the organization. And most of these same professionals will readily admit that it is much easier to work on relationships with in-person interactions (versus remote interactions). Further, some things are just not easily auditable remotely, and in-person inspection, as well as the various clues you pick up being somewhere physically, can make a huge difference.
While remote working is here to stay – and there are many benefits to doing certain things remotely – getting the right mix of remote and in-person work is more an art than a science, and company culture and norms will play a significant role in how all this shakes out. From an audit committee perspective, there is no right answer. But there is a well thought out answer versus a tentative answer. Asking the CAE what the strategy is around remote working for the internal audit staff, both in the short- and long-term, and evaluating the answer is something that should be considered.
As I wrote this article, the Rolling Stones song “Time is On My Side” was playing in my head. Funny how songs do that. But time may not be on your side as the CAE if important topics are not brought up and discussed just because “we don’t have enough time.”
Whether or not these items are the right ones for you to be discussing with your Audit Committee is your call, but just going through the motions of external audit, financial reporting, and internal audit work is not enough. So, prioritize, find the right topics, be proactive, and carve out a little time in your packed Audit Committee agenda to talk about things that are not pressing, but important. The tyranny of the urgent can be deafening, so think about what’s important, and put time on your side.