What the Audit Committee Expects of the Chief Audit Executive

Today’s corporate environment is exceptionally challenging and presents new critical issues for boards compared to the past. It is worthwhile for chief audit executives (CAEs) to take stock of this new environment and assess and anticipate how they can be most helpful to board leaders, particularly the audit committee, in fulfilling Audit Committee Expectations.

With corporate value increasingly tied to intangible assets like knowledge and intellectual property, human capital management—including diversity, equity, and inclusion (DEI), talent access, and corporate culture—is more important than ever. The pandemic highlighted risks to resilience and supply chains as well as audit and reporting quality in remote work settings. The top concerns are macroeconomic issues, pressure on corporations to address social and political topics, and geopolitical risks.

Audit committees are expanding their focus but often still navigating these complex issues. While compliance with ESG regulations is a start, boards, and management must define how ESG impacts their firm’s risks and long-term value while seeking competitive advantages.

There is a lot of work ahead for the audit committee to meet these challenges. The committee may seek input from those they trust within its sphere of influence such as fellow board members, independent auditors, third-party advisers, and management. Notwithstanding the key role that the company’s chief executive and other C-suite officers must play here, this is an opportunity for the CAE to strengthen its function as a trusted adviser to the audit committee.

Here are five ways for CAEs to better anticipate the needs of today’s audit committee.

1. Align on Priorities by Standing in the Shoes of the Audit Committee Chair

CAEs can play a role in helping the board prioritize a heavy agenda to focus attention on the right risks and opportunities. Most audit chairs expect the CAE to provide strategic advice here and to speak up if the committee is off base or missing something critical. “CAEs are trusted advisors and should understand the committee’s priorities and aim to solve their pain points to the extent those issues are within internal audit’s remit,” said John Rodi, Audit Partner and Leader, KPMG Board Leadership Center. 

Understanding the audit committee’s pain points starts with gaining alignment on what the committee believes are its pain points and, when warranted, helping to shape priorities. A CAE’s path to aligning with the audit committee is to stand in the shoes of the chair. Knowing the full range of the committee’s issues, the CAE should ask themselves their priorities if they were a chair. Keep in mind that directors are concerned with regulatory mandates and the company’s strategic direction, and they are accountable to shareholders. Lest we forget, concerning publicly traded companies, shareholders are the only ones imbued by law with the right to vote on directors. Thus, knowing what the directors’ constituents expect is a very effective way of standing in the directors’ shoes. The CAE will also exude competence and confidence by considering these relevancies.

Next, ask the chair, “What keeps you up at night?” In our experience, that question usually prompts both a thoughtful response and the chair turning the tables to ask the CAE, “What should keep me up?” That’s fair game, and itwould be insightful for the chair to probe the thoughts of the committee’s only direct employee, technically, who is considered the audit committee’s eyes and ears.

By communicating to the audit committee chair those issues that keep her awake at night, CAEs can provide valuable input to help the committee and the board identify critical areas for discussion and action.

2.  Embrace the Various Challenges of ESG

Regarding ESG, management, and boards have been overwhelmed by the speed and volume of demands in this space. Companies can understand and consider many voluntary global standards, frameworks, stakeholder expectations, and current and forthcoming regulations. 

Anticipating the challenges facing audit committees concerning ESG starts with being familiar with the evolving regulatory landscape and any voluntary reporting and disclosures the company has chosen to make. Then, it is helpful to translate what those mandates mean in the language of risk and controls.

Additionally, management may seek guidance from the board on the extent to which they should go beyond minimum regulatory mandates to voluntarily disclose certain ESG information consistent with stakeholder requests or as part of a management strategic initiative. In this situation, the internal audit team has a role in reporting on whether the firm is indeed meeting those stated challenges, the veracity of statements made (protecting against so-called “greenwashing”), anticipating opportunities for related fraud, and assessing if the appropriate controls are in place.

3.  Articulate the Company’s Fitness and Capacity to Handle Anticipated Crisis Management Risks

With today’s heightened uncertainty, it is important for companies to assess their resilience. The ability to quickly align, execute, and bounce back can distinguish between failing to be a going concern or thriving beyond your competitors. This has never been truer than today in this era of deep economic uncertainty, competitive pressures, and heightened geopolitical volatility. 

Audit committees should understand those emergent issues and assess the company’s preparedness to respond. CAEs can anticipate some version of this ask by contemplating scenarios and readiness assessments to respond to critical emergent issues they may face. Such issues range from cyber incidents, high-profile current social and political issues, and health-related crises (e.g., pandemic) to ESG and DEI-related matters and, of course, audit quality. CAEs’ fitness assessment should be backed by anecdotal and empirical information from internal and external data sources.

Audit committees should understand how management addresses ongoing challenges related to possible talent shortages and remote working environments to avoid those issues impacting audit quality. Thus, quality controls and procedures are heightened in importance to maintain the quality of the audit and reporting.  

Questions that audit committees may ask include: 

• “Given the tight labour market and the ‘Great Resignation,’ does the finance organization have the talent capacity to do its current job?”
• “Have we experienced any degradation of audit quality given the move to remote work?”
• “Are the teams working on new ESG initiatives fit for purpose, and do they have the right skill sets?” 
• “Are we comfortable having the appropriate disclosure controls and processes around ESG and DEI-related statements?”
• “Is our cyber hygiene sufficient with the appropriate response processes in place?”

4. Assess the Fitness of the Internal Audit Organization

Internal audit is not immune to the current talent pressures and those above “Great Resignation.” Thus, CAEs should stand ready to answer the audit committee’s question about whether their teams have the capacity and tooling to perform their duties. Such assessment should be revisited annually during the internal audit strategic planning cycle. This may also include internal audit capabilities related to ESG and whether and how the CAE’s team is building its ESG bona fides to effectuate its duties.

CAEs need to be ready to articulate the bench strength of their team and its succession plans, which may include how training and critical development experiences are provided. This may be best captured in the CAE strategic roadmap to evolve the function over the longer term. 

Further, the CAE should be able to communicate how they ensure an inclusive environment within the internal audit environment and to articulate the culture of the team. And don’t hold back any concerns: An authentic and honest assessment bodes well for the audit committee’s confidence in the CAE’s leadership capabilities.

5.  Demonstrate the Breadth and Depth of Internal and External relationships

CAEs must show their breadth of reach and relationships throughout the company. Audit committees want to know that the CAE and their team are respected within the organization and that the CAE has strong relationships with leaders in the finance, technology, cyber, legal, sustainability, and supply chain functions. Without thoughtful internal stakeholder engagement strategies, trust and relevance may erode.

Demonstrating that the CAE has a line of sight with key internal stakeholders, outside organizations, and/or regulators that are germane to the enterprise builds confidence for the audit committee. Similarly, concerning publicly traded companies, it is worth displaying the CAE’s understanding of the shareholder community and those shareholders’ expectations of the board and audit committee.

Moments, when the CAE is one-on-one with the audit committee chair or with the full audit committee in executive session, should be seen as prime time to instill confidence and trust. They are looking for guidance and want a confident, competent leader they can trust as their eyes and ears.