I try to stay attuned to the expectations of audit committee members when it comes to their internal audit functions. Dating back to my days at PwC (more than 15 years ago), I regularly engaged audit committee members in informal, off-the-record conversations. These exchanges, because they could be more candid, helped me to better understand what chief audit executives were doing well, and how they could improve.

The insight provided me with great coaching points for clients at the time, and for the profession in general during my years at the helm of The IIA.

Since leaving The IIA, I have continued having occasional conversations with audit committee members, but in preparing for an upcoming IIA GAM presentation, I felt it would be helpful to put my ear to the ground and gain additional perspective on how audit committee members believe we are doing.

So, over several recent weeks, I sat down with the chairs of audit committees representing 15 different companies and organizations. During our conversations, I asked about their needs and expectations for internal audit and sought their assessment of what internal auditors (and their CAEs) are doing well – and where opportunities for improvement might exist. Their level of candor was amazing and is serving me well as a basis for my presentation in March.

I opened each interview by asking about expectations for internal audit. Some of the responses were familiar, but others reflected the current era of permacrisis. The most common expectations I heard were that internal audit needs to be:

• An objective source of assurance on risk management and controls.
• Capable of connecting the dots and expressing overall opinions on the effectiveness of risk management and controls.
• Aligned with other risk/control functions or clearly articulate why they aren’t.
• Deeply knowledgeable of the company and industry they serve.
• Courageous enough to bring matters to the attention of audit committee members – even if management disapproves.
• Trusted advisors who are comfortable sharing perspectives and advice both formally and informally.
• Adept communicators.

I could explore further each of those expectations; indeed, I have written on most in my books or blogs. But hearing the perspectives freshly articulated with the 2020s as a backdrop provided renewed appreciation for what it takes to be successful.

When the conversations turned to gaps in current internal audit performance, one of those expectation stood out as a significant opportunity for improvement. These audit committee chairs clearly believe we have quite a way to go in becoming adept communicators. The most common complaints were that CAEs often:

• Dump excessive information in last-minute board packs.
• Communicate without regard to risk, leaving the audit committee struggling to know what’s really important.
• Provide copies or synopses of reports with excessive narrative and leveraging little or no graphs and analytics.
• Don’t connect the dots – leaving the committee wondering what the overall body of internal audit’s work reveals about the company’s risk management and controls.

The audit committee chairs singled out communication about planning, observing that their CAEs struggle to:

• Effectively communicate the risk universe when reporting to the committee.
• Explain their planning methodology, including how they coordinate and collaborate with second-line functions.
• Reveal how they consider new and emerging risks.
• Share what’s not going to be audited and why.
• Ensure the risk assessment/planning process is linked to the enterprise’s strategic plan.
• Acknowledge internal audit’s limitations and weaknesses in addressing risks identified in the planning process.
• Keep planning communications at the right level.

Finally, the group had plenty to say about the quality of their CAEs’ (and internal audit staffs’) presentation skills: Common concerns were that CAEs:

• Don’t always know their work – and aren’t able to respond meaningfully to audit committee questions.
• Don’t aggregate or summarize results.
• Struggle to communicate context.
• Lack effective presentation skills, as evidenced by “reading their slides.”
• Lack the courage to communicate in a frank and candid manner – even in executive sessions with the audit committee.

I realize this is a lot to take in, and I plan to circle back in future blogs to tackle many of these issues in greater detail. In the meantime, I encourage you to assess whether any of these opportunities for improvement pertain to your internal audit function.

As far as strategies for improving communications, I plan to explore these in depth during my GAM session. For those interested, you can still register for the conference to attend in person or virtually.

I welcome your thoughts on this topic. Feel free to email me at blogs@richardchambers.com or message me on LinkedIn or via X.