What the audit committee expects of the Chief Audit Executive
Today’s corporate environment is exceptionally challenging and presents new critical issues for boards compared to the past. It is worthwhile for chief audit executives (CAEs) to take stock of this new environment and assess and anticipate how they can be most helpful to board leaders, particularly the audit committee.
While traditional internal audit necessities the building of and maintaining an inventory of baseline responsibilities as it relates to emerging risks and strategic priorities of the firm remain unchanged, the addition of the broad and quickly evolving issues of environmental, social & governance (ESG) is a game changer.
Today, as more corporate valuations are derived from intangibles (i.e., creating and monetizing knowledge and intellectual property), there is an appropriate heightened focus on all elements of human capital management, from diversity, equity and inclusion (DEI) and access to talent to corporate culture. The pandemic ushered in new risk concerns related to corporate resilience and supply chain, and risks related to audit and reporting quality with respect to remote work environments. Additionally, global macroeconomic issues, increased pressure on the corporations to express their voice political and social topics, and geopolitical risks have climbed to the forefront of concerns for business leaders to manage.
Leading audit committees have had to expand their focus to ensure they are appropriately prioritizing current challenges. That said, many boards and management teams are still in the early stages of confronting the complexities of these issues. For instance, compliance with current and forthcoming regulations mandating disclosures related to ESG is only a starting point. Additionally, boards and management should earnestly define how ESG issues affect risks to their respective firms and impact long-term enterprise value. At the same time, companies must look for opportunities for competitive advantage when it comes to ESG.
There is a lot of work ahead for the audit committee to meet these challenges. The committee may seek input from those they trust within its sphere of influence such as fellow board members, independent auditors, third-party advisers, and management. Notwithstanding the key role that the company’s chief executive and other C-suite officers must play here, this is an opportunity for the CAE to strengthen its function as a trusted adviser to the audit committee.
Here are five ways for CAEs to better anticipate the needs of today’s audit committee.
1. Align on priorities by standing in the shoes of the audit committee chair
CAEs can play a role in helping the board prioritize a heavy agenda to focus attention on the right risks and opportunities. Most audit chairs expect the CAE to provide strategic advice here and to speak up if the committee is off base or missing something critical. “CAEs are trusted advisors and should understand the committee’s priorities and aim to solve their pain points to the extent those issues are within internal audit’s remit,” said John Rodi, Audit Partner and Leader, KPMG Board Leadership Center.
Understanding the audit committee’s pain points starts with gaining alignment on what the committee believes are its pain points and, when warranted, helping to shape priorities. A CAE’s path to getting aligned with the audit committee is to stand in the shoes of the chair. Knowing the full range of the committee’s issues, the CAE should ask themselves what their priorities would be if they were a chair. Keep in mind that directors are concerned with regulatory mandates and the strategic direction of the company, and they are accountable to shareholders. Lest we forget, with respect to publicly traded companies, shareholders are the only ones imbued by law with the right to vote on directors. Thus, knowing what the directors’ constituents expect is a very effective way of standing in the directors’ shoes. The CAE will also exude competence and confidence by considering these relevancies.
Next, ask the chair, “What keeps you up at night?” In our experience, that question usually prompts both a thoughtful response as well as the chair turning the tables to ask the CAE, “What should keep me up?” That’s fair game and would be insightful for the chair to probe the thoughts of the committee’s only direct employee, technically, who is considered the audit committee’s eyes and ears.
By communicating to the audit committee chair those issues that are keeping her awake at night, CAEs can provide valuable input to help the committee and the board identify critical areas for discussion and action.
2. Embrace the various challenges of ESG
Regarding ESG, management and boards have been overwhelmed with the speed and volume of demands in this space. Companies can understand and consider many voluntary global standards, frameworks, stakeholder expectations, and current and forthcoming regulations.
Anticipating the challenges facing audit committees with respect to ESG starts with being familiar with the evolving regulatory landscape and with any voluntary reporting and disclosures the company has chosen to make. Then, it is helpful to translate what those mandates mean in the language of risk and controls.
Additionally, management may seek guidance from the board on the extent to which they should go beyond minimum regulatory mandates to voluntarily disclose certain ESG information consistent with stakeholder requests or as part of a management strategic initiative. In this situation, the internal audit team has a role in reporting on whether the firm is indeed meeting those stated challenges, the veracity of statements made (protecting against so-called “greenwashing”), anticipating opportunities for related fraud, and assessing if the appropriate controls are in place.
3. Articulate the company’s fitness and capacity to handle anticipated crisis management risks
With today’s heightened uncertainty, it is important for companies to assess their resilience. The ability to quickly align, execute and bounce back can be the difference between failing to be a going concern or thriving beyond your competitors. This has never been truer than it is today in this era of deep economic uncertainty, competitive pressures and heightened geopolitical volatility.
Audit committees should understand what those emergent issues may be and assess the company’s preparedness to respond. CAEs can anticipate some version of this ask by contemplating scenarios and readiness assessments to respond to those critical emergent issues that they may face. Such issues range from cyber incidents, high-profile current social and political issues, and health-related crises (e.g., pandemic) to ESG and DEI-related matters, and of course, audit quality. CAEs’ fitness assessment should be backed by both anecdotal and empirical information from internal and external data sources.
Audit committees should understand how management is addressing ongoing challenges related to possible talent shortages and remote working environments to avoid those issues impacting audit quality. Thus, there is a heightened importance on quality controls and procedures to maintain the quality of the audit and reporting.
Questions that audit committees may ask include:
- “Given the tight labour market and the ‘Great Resignation,’ does the finance organization have the talent capacity to do its current job?”
- “Have we experienced any degradation of audit quality given the move to remote work?”
- “Are the teams working on new ESG initiatives fit for purpose, and do they have the right skill sets?”
- “Are we comfortable having the appropriate disclosure controls and processes around ESG and DEI-related statements?”
- “Is our cyber hygiene sufficient with the appropriate response processes in place?”
4. Assess the fitness of the internal audit organization
Internal audit is not immune to the current talent pressures and the aforementioned “Great Resignation.” Thus, CAEs should stand ready to answer the audit committee’s question as to whether their teams have the capacity and tooling to perform its duties. Such assessment should be revisited at least annually during the internal audit strategic planning cycle. This may also include internal audit’s capabilities related to ESG and whether and how the CAE’s team is building its ESG bona fides to effectuate its duties.
CAEs need to be ready to articulate the bench strength of their team and its succession plans, which may include how training and critical development experiences are provided. This may be best captured in the CAE strategic roadmap to evolve the function over the longer term.
Further, the CAE should be able to communicate how they ensure an inclusive environment within the internal audit environment and to articulate the culture of the team. And don’t hold back any concerns: An authentic and honest assessment bodes well for the audit committee’s confidence in the CAE’s leadership capabilities.
5. Demonstrate the breadth and depth of internal and external relationships
CAEs must show their breadth of reach and relationships throughout the company and beyond. Audit committees want to know that the CAE and their team are respected within the organization and that the CAE has strong relationships with leaders in the finance, technology, cyber, legal, sustainability and supply chain functions. Without thoughtful internal stakeholder engagement strategies, trust and relevance may erode.
Demonstrating that the CAE has a line of sight with key internal stakeholders and outside organizations and/or regulators that are germane to the enterprise builds confidence for the audit committee. Similarly, with respect to publicly traded companies, it is worth displaying the CAE’s understanding of the shareholder community and those shareholders’ expectations of the board and audit committee.
Moments, when the CAE is one-on-one with the audit committee chair or with the full audit committee in executive session, should be seen as prime time to instil confidence and trust. They are looking for guidance and want a confident, competent leader who they can trust as their eyes and ears.