In a recent blog, I delved into The Art of Deceiving an Audit Committee. I highlighted that management doesn’t necessarily need to lie to mislead an audit committee. Deception often takes the form of withholding or selectively editing information. In fact, nearly all the chief audit executives I interviewed for that blog shared experiences in which audit committees were not fully informed about risks or issues they really needed to know.

The extent of these misrepresentations varied, ranging from subtle omissions to more serious acts that bordered on deliberate deceptions. Here are some situations where management chose to downplay or completely withhold critical information from the audit committee:

• Results from an enterprise employee satisfaction survey that highlighted current or potential risks within the corporate culture.
• Whistleblower complaints alleging sexual harassment or misconduct involving senior executives.
• Emerging risks that had not yet fully materialized but posed potential significant consequences for the organization’s future.
• Internal control deficiencies, especially those that management deemed manageable or in the process of being resolved.
• Actual or potential litigation risks, particularly those that were not yet confirmed or were considered low risk by management.
• Partial or withheld disclosures regarding major vendor reliability, performance or ethical concerns, particularly when management feared it could reflect poorly on their oversight.
• Financial adjustments or reclassifications that management considered non-material or unlikely to impact the audit committee’s perspective on financial health.
• Delayed or downplayed discussions of strategic initiatives or high-risk decisions, such as expansion plans, mergers and acquisitions, or entry into volatile markets.

As I shared in the earlier blog:

The CAEs with whom I spoke frequently used the word “rationalized” when describing management’s motives. For example, management would justify not disclosing certain risks because they thought doing so would be premature — often indicating they would disclose the risk at the appropriate time. They also rationalized limiting disclosure because they didn’t want to overburden the audit committee by adding additional information to already voluminous board packs.

If CAEs know that information is being withheld from their audit committees, why aren’t they doing something about it? The answer is complicated and reveals an inconvenient truth: CAEs often lack the independence or courage to override implicit or explicit direction from the CEO on what they can disclose. To the extent these practices are true, they don’t serve our audit committees well. This must come to an end!

Audit committee members often refer to internal auditors as their “eyes and ears” – enabling them to better understand what goes on in the organization when they are not around. There are many ways internal auditors can enhance their role as the eyes and ears of the audit committee, but here are several concrete steps/strategies:

Engage In Frequent/Informal Conversations With The Audit Committee Chair

The best internal audit functions are those led by CAEs who have a great relationship with their audit committees. Continuous, informal communication may make some in management nervous, but it is vital to keeping at least the audit committee chair fully and swiftly informed of risk, control and governance matters that warrant their knowledge.

Secure and Execute The Role of Audit Committee Secretariat

The secretariat of the audit committee is crucial to the committee’s effectiveness by providing administrative, logistical and advisory support. Duties can include coordinating meetings, preparing agendas, managing documentation and taking minutes. Internal auditors are ideally suited for this role because they are well-versed in the organization’s risks, controls, and compliance requirements. They understand the audit committee’s focus areas and priorities, making them effective facilitators. As secretariat, the internal auditors would be well-positioned to ensure the committee is fully and currently informed, as appropriate.

Coach Corporate Executives on The Importance Of Disclosure

It is said that internal audit is often the conscience of the organization. A CAE whispering in the ear of a reluctant executive can reinforce that full disclosure is in the best interest of the organization. I’ve often found that talking in terms of risk will foster a more open and receptive conversation. For example: “There is a significant risk that, if we don’t disclose this information to the audit committee now, they will believe we deceived them if the problem doesn’t go away.”

It is said that internal audit is often the conscience of the organization. A CAE whispering in the ear of a reluctant executive can reinforce that full disclosure is in the best interest of the organization. I’ve often found that talking in terms of risk will foster a more open and receptive conversation. For example: “There is a significant risk that, if we don’t disclose this information to the audit committee now, they will believe we deceived them if the problem doesn’t go away.”

Be Courageous

During my research for the earlier blog, several CAEs used the term “courage” when describing how internal audit can head off deception of the audit committee. Sometimes, it comes down to confronting tight-lipped executives and saying, “either you tell them or I will.” To be sure, that should be a last resort. But depending on what might be withheld, the consequences could be much less than the fallout from a surprise.

Communicate With The Audit Committee Clearly, Concisely And With Candor

Effective communication between internal audit and the audit committee is crucial for building trust, ensuring transparency and promoting informed decision-making. Ensuring clarity means avoiding jargon, technical terms or unnecessary complexity. Translate audit findings into language that non-specialists can easily understand. Be concise by focusing on the most significant risks, findings and recommendations. Avoid long descriptions of the audit process. Emphasize outcomes, conclusions and their implications for the organization. Finally, discuss risks and audit results openly, even if they reflect poorly on certain areas of the organization. The audit committee values integrity and objective insight.

Plant Questions

Although not the most courageous strategy, CAEs sometimes have to elicit a difficult conversation by encouraging audit committee members to ask specific questions. The risk, of course, is that a pointed question from an audit committee member might raise suspicions by management that the CAE planted it. That is the reason a courageous strategy up front is preferable.

There are other ways to ensure the audit committee is well-informed. For example, offer training on technical and strategic topics, such as the importance of audit committee members possessing intellectual curiosity, critical thinking and skepticism. If audit committee members are encouraged to ask probing questions in advance of meetings, they are more likely to exercise the proper skepticism during meetings.

Finally, there is no more valuable role that internal auditors can play than to foster effective governance in their organizations. Audit committee members often respond to the question “what do you most want to get from internal audit,” by simply saying “no surprises.” Yet, when they are routinely kept in the dark through a strategy of omission, surprises are bound to come. Let’s do our part to ensure they are well-informed.

I welcome your thoughts on this important topic.