Articles Matt Kelly Mar 13, 2019
Audit committees and chief audit executives (CAEs) talk constantly about how to foster more engagement with each other, and rightly so. Their relationship is one of the most important for an organization to get right, if it wants effective corporate governance.
A good place to begin, then, is to consider the origin of the word engagement. It descends from the French verb engager. Today that word means “to hire” or “to employ” — but 400 years ago, when engagement first crept into the English language, engager actually meant “to pledge.”
That’s a useful point to remember when contemplating how to improve the relationship between audit committee and audit executive. It’s about pledging to be there for each other: I will help you, and you will help me, and we both know that. In other words, it’s about trust. Audit committees and audit executives have to trust that the other is thoughtful, competent, and looking out for the best interests of the organization.
That’s all the more true today in an immensely complex modern business world. Audit committees have a fiduciary (and for publicly traded companies, statutory) responsibility to oversee risk management at their organizations. Audit executives are watching their profession transform from an older era of financial statement audits to a newer one of monitoring risk and working with other parts of the organization to manage risk (see “The Audit Committee Connection”).
In other words, both parties now have more to do, and more to worry about. That’s why cultivating a strong working relationship is important. That’s why fostering trust is important. Each needs the other to succeed.
“It’s a whole new world,” says Theresa Grafenstine, a managing partner at Deloitte, audit committee chair of the Pentagon Federal Credit Union, former audit committee chair of ISACA, and former inspector general of the U.S. House of Representatives. “We need to see this as a partnership.”
For starters, audit committees and audit executives can simply talk more often. There should be executive sessions at the end of audit committee meetings without management present. The audit committee chair should schedule informal chats with the CAE between formal meetings, even without anything specific in mind. Talk.
Marty Coyne, audit committee chair at Ocugen and a past audit committee member at numerous other technology companies, swears by both practices. “It’s almost mandatory in my mind,” he says. “If the audit committee isn’t doing that, shame on them.” (In the most recent North American Pulse of Internal Audit survey, nearly one-third of audit executives say they do not meet in private session with the audit committee.)
What questions should audit committees put to CAEs in those sessions? Unless some specific issue demands attention, they should pose open-ended questions without any right or wrong answers. What’s been happening in the last quarter? Are there any challenges where they can help? Coyne’s go-to question in such meetings: “What didn’t you say?”
Those questions give the CAE a chance to speak his or her mind, and to lead the discussion where the CAE believes it should go. “It’s so you can draw that person out,” says Brenda Gaines, audit committee chair for Tenet Healthcare. That, in turn, can foster the CAE’s trust in the audit committee.
Audit committee chairs should take the extra step of regular communication with the audit executive beyond the standard audit committee meetings. Gaines schedules a monthly phone call; Coyne has met CAEs for coffee. However the chair does it, that casual, unstructured line of communication can be invaluable.
“It would help me frame out the agenda for the audit committee meeting,” Coyne says. After all, audit committees have plenty of risks they can discuss in a formal meeting, and time is limited. So Coyne would chat with the audit executive to pinpoint which risks (aside from any standard matters about financials, investigations, and so forth) truly warranted the audit committee’s attention.
“There’s always room for a topic,” Coyne says, “and I want to make sure that the topic we talk about, beyond the normal topics, is germane and important, and going to move the needle.”
All that communication and trust spadework can pay off in several ways. First, the very act of creating an open culture among senior executives and the audit committee reduces the chance that difficult matters will arise where the audit committee needs to “take sides” in an impasse between internal audit and management. Second, when those impasses do arise (spoiler alert: sooner or later, they will), the audit committee can resolve it with the least amount of acrimony.
That also means the audit committee needs a healthy relationship with management, and needs to ensure management and the CAE have a healthy, respectful relationship, too. Grafenstine calls it the “triangle of success” — each side having equal power, where they each understand the other’s roles and responsibilities.
Coyne’s approach is, whenever possible, to bring all sides together in open communication at a committee meeting. After all, the CAE may be disappointed with the pace of improvement in a business process, but management might have a good reason for the delay: product launches, sudden departure of key personnel, or some other operational issue.
The audit committee’s job is to ensure such differences of opinion are aired openly and respectfully. The best way to do that is to foster trust long before that conversation happens.
“What you don’t want is all sorts of back-door conversations going on,” Coyne says, like the CEO and CAE speaking to the audit committee members separately, but not to each other. “That’s a disaster when that happens.”
That need for collegial relations with management raises another point. From today into the future, success as a CAE will be more about exercising leadership and working with other parts of the organization to manage risk, rather than technical mastery of audit techniques.
Good audit executives “are not only a valuable resource to help the audit committee discharge its duties,” Gaines says. “They provide management with valuable insight as well on whether risk mitigation is effective.”
Those risk issues can range from IT controls for cybersecurity, to successful integration of an acquisition, to the rapidly rising concern of “culture risk.” Business processes might need improvement. Data analytics might provide valuable insights that someone needs to translate into updated controls and practices.
A good audit executive can do all of that, even while balancing the need for independent analysis of risk issues — if the audit committee fosters an environment of trust and open dialogue, and assures that the CAE has the resources he or she needs (financial, technological, personnel) to do the job.
It’s a lot to ask, of the audit committee and CAE, alike. One might almost say the French had it right 400 years ago: Engagement really is about pledging yourselves to each other.