I was recently contacted by a newly appointed audit committee member who was assuming the role for the first time. He wanted to pick my brain about the role he had just taken and understand how he could best acclimate to a committee where he will be the only new face. “I just don’t want to ask stupid questions,” he said. I could commiserate with his anxiety, as I have joined new boards and audit committees myself over the years. Finding the right level of engagement as a new member is particularly challenging. After all, “you only get one chance to make a first impression.”
I quickly shared the old cliché, “there are no stupid questions.” But I still felt I should give him some pointers on how to break the ice as a new member in terms of questions to ask. My first piece of advice was “never ask a question if the answer is clearly included in the ‘board pack.’” After all, asking a question that has already been answered will likely signal to fellow members and the chief audit executive that you aren’t prepared for the meeting. Not a good first impression!
During the remainder of our conversation, I shared with him a number of things he should know about internal audit as an audit committee member – regardless of his tenure on the committee. I also shared my suspicion that even the tenured committee members wouldn’t know the answer to some of these questions. Sadly, that is because audit committees are often too enamored with the external auditors and the CFO’s organization to spend an adequate amount of time with the internal auditors.
The topics of conversation/questions I shared with the newly appointed audit committee member are too numerous and variable to list in a single blog. However, there were five probing questions I would be asking in the last half of 2024. These answers (as well as the resulting conversation) should not only provide the audit committee with enhanced confidence in the internal audit function, but should also foster trust and candor in the important relationship between the audit committee and chief audit executive (CAE).
No relationship for the CAE has been transformed more in the 21st century than that with the audit committee. According to The IIA’s 2024 North American Pulse of Internal Audit, almost 88 percent of all internal audit departments in North America report functionally to the audit committee or board. That statistic rises to 95% for publicly traded companies, and 99% for financial services organizations. And in most of those organizations, the audit committee holds a discussion session with the CAE at every meeting.
Whether they realize it or not, the audit committee’s success is tied to the effectiveness of the internal audit function. Accordingly, audit committee members must have complete confidence in the internal audit function and its CAE. This confidence can only be achieved with a strong, continuous, and open dialogue. Of course, dialogue is a two-way street; it’s as much the responsibility of the CAE as the committee members themselves. But the committee must be willing to drive that dialogue in a way that provides evidence of internal audit’s professionalism, business knowledge, and risk acumen.
Of the potential questions I shared with the newly appointed audit committee member, here are the five to which I would most want the answers:
1. How is internal audit progressing toward compliance with The IIA’s new Global Internal Audit Standards (GIAS), and what can the audit committee do to help? In 2024, the profession finds itself in a transition period between the old International Professional Practices Framework (IPPF) and the newly adopted GIAS. The deadline to be fully compliant is January 9, 2025. With the clock ticking, there is ample anecdotal evidence that many internal audit functions are not yet compliant. What is worse is that many CAEs signal privately they won’t make the deadline. Audit committees should monitor internal audit’s progress on implementing new requirements such as a strategic plan for the function and more explicit plans for the use of technology. Beyond those requirements, the GIAS substantially raises the bar in terms of the audit committee’s oversight role for internal audit. The CAE should have already briefed the audit committee on how its responsibilities are defined in Domain III of the new standards.
2. How is internal audit monitoring risks on a periodic or continuous basis and revising the audit plan accordingly? The 2020s have been an incredibly disruptive period which some have even called the era of permacrisis. Of the many painful lessons learned over the past five years, the power of risk velocity to swiftly destroy value stands at the forefront. Risks seemingly materialize and recede in an instant. Internal auditors using traditional annual risk assessments to build and execute audit plans will constantly be caught flat-footed. The audit committee should understand how internal audit ensures its planning processes are dynamic and shield the organization and its board from unwanted surprises.
3. What are the top five risks that internal audit is not addressing due to a lack of resources or skills? Too often, the only question audit committees ask about internal audit’s resources is: “Are they adequate?” As an audit committee member, I would ask more than that. I would want to know whether the resources are adequate to address the company’s key risks. One means of answering that question is to understand what is not getting done. If there are key risks that are not being addressed due to internal audit’s resource constraints, the audit committee should know what they are, and be comfortable with the fact that they will not have assurance from internal audit that the risks are being addressed adequately by management.
4. How is internal audit embracing artificial intelligence (AI), and how is it assessing the risks that AI presents to the broader organization? Artificial intelligence has fundamentally transformed the landscape of business and technology in the past two years, introducing new efficiencies, capabilities, and opportunities across industries. However, with these advancements come significant risks that organizations must navigate to leverage AI effectively and responsibly in 2024. In February, I shared 6 critical AI risks that should be on internal audit’s radar. At the same time AI is presenting risks and opportunities for our organizations, it is presenting the same for internal audit itself. AI presents internal auditors with transformational opportunities in everything from risk assessment to engagement reporting. Yet, The IIA’s recent Vision 2035 report found that only 7% of internal auditors worldwide report advanced or high levels of AI implementation. Even more alarming, 77% report low-level or no implementation at all. The audit committee has a lot riding on the risks and opportunities AI presents, and its oversight of this vital topic should reflect nothing less.
5. Based on internal audit coverage during the prior year, what is the CAE’s assessment of the overall effectiveness of the company’s internal controls and risk management? And now we come to the most important question of all – the question that I often find is on every audit committee member’s mind, but is rarely asked. In seeking the answer to this question, the audit committee is asking the CAE to “connect the dots.” However, the committee must be prepared for an answer that it does not want to hear: that the body of internal audit’s work over the past year has not been adequate for an “unqualified” opinion or assessment on the adequacy of risk management and controls. In communicating any opinions, the CAE should be prepared to communicate qualifications based on the extent of internal audit’s coverage. If the audit committee is not comfortable with a qualified answer, then a discussion about internal audit’s resources needs to be back on the table.
I suspect that these questions will generate some discomfort (and maybe even controversy). Sometimes, it is easier to engage in conversations with the audit committee in a “don’t ask – don’t tell” environment. Tough questions, such as those I pose above, will invariably elicit some uncomfortable answers. However, these questions drive to the heart of what we do in internal auditing. If they are troublesome, if they cannot be answered, if they represent areas where you fall short, then start taking the steps necessary to make changes in your operations. And, even if you have all the answers, find ways to make those answers even better.
Please share your thoughts on my list (including anything I might have omitted) on LinkedIn or X.
I welcome your comments via LinkedIn or Twitter (@rfchambers).