Under the Mask and Into the Head

Halloween costumes have become much more elaborate since I last personally went trick-or-treating for candy. The thin, molded-plastic Luke Skywalker mask and matching plastic bib that my mother tied in the back has been replaced by Black Panther chest plates and sturdy tiaras hardly different from an actual crown. However, what has not changed with the costumes are the judgments children place on the candy—good or bad, generous or stingy, a rich treat or a “healthy” treat.

Not all neighbors may care what trick-or-treaters think about their offerings, but for those who do, there are only two choices: (1) offer a portfolio of choices and hope one appeals, or (2) ask for feedback and let the visitor know early on what you intend to offer. The upshot is that it is often difficult to understand how others view and receive your intentions. This is an inherent challenge in every two-way interaction. And the interactions between the board’s audit committee and the chief audit executive (CAE) are no exception.

Last year the Institute of Internal Auditors (IIA) surveyed 636 CAEs to learn more about how internal audit views their interactions with the board’s audit committee. At most organizations, reporting on the state of internal controls is at the center of internal audit’s board reporting. Yet, just over half—56 percent of CAEs reporting to fully independent audit committees—strongly agree that, as a result of their discussions, the audit committee has a clear understanding of the strengths and weaknesses of the organization’s internal control and risk-management systems. And at 45 percent, CAEs with some nonindependent audit committee members are a bit worse.

One potential explanation—at least from the CAE perspective—is that audit committees could make their expectations of internal audit clearer. Just 41 percent of CAEs with independent audit committees strongly agree that the audit committee regularly communicates with the CAE about the current performance of the internal audit function and about areas where the committee would like to see improvement in the organization’s internal audit activity as a whole. That figure rises to 50 percent when CAEs are asked if the audit committee sets clear expectations for internal and external audit. Both of the numbers are slightly lower when the board has some nonindependent members.

Further, many CAEs do not see robust continuous improvement activity in the audit committee itself. Thirty-six percent of those reporting to independent audit committees strongly agree that those committees assess the effectiveness of its own role in the oversight of risk management, with an eye to clarifying the scope of its oversight activities.

Taken together, many CAEs perceive that audit committees

• do not have a clear understanding of the information presented to them,
• do not communicate their expectations as well as expected, and
• do not reflect on their own effectiveness.

Now, it could be that CAEs have a limited perspective. It could be that audit committees are doing these things outside of the gaze of internal audit, leaving the CAE with a mistaken impression. However, that is the best-case scenario. At worst, audit committees are lax in their engagement with internal audit, creating a wrong impression.

Like assessing trick-or-treaters’ judgment of your candy options on Halloween, some audit committee members may not be interested in the opinions of internal audit. However, there is no doubt that many are making judgments.

Those audit committees that are interested in improving their relationship with internal audit might consider taking the following steps:

1. Review formal and informal communications with heads of the internal audit function. The audit committee may consider its communication style, methods, and modes with CAEs and others during committee evaluations. They might also solicit feedback from the CAE to help understand how communication with the board and relevant executives can be improved.
2. Create a feedback loop. The audit committee could identify some ways to get feedback from the CAE to ensure that the committee’s message is understood as intended. This could entail more focused conversations with the CAE between board meetings or changing the nature of conversations currently in place.
3. Consider risk and control oversight broadly. Internal controls may go well beyond the internal audit function to include information technology and cybersecurity, compliance, legal, and other departments. Audit committees, in coordination with the full board, may consider a comprehensive approach to risk and control oversight and review lines of responsibility and communication between the boards and these corporate functions.

Although Halloween costumes have become more sophisticated, it’s still hard to tell whether the trick-or-treater would have preferred a full-size Zagnut candy bar to the four Jolly Ranchers you just dropped in their bag. Similarly, it may be difficult for the audit committee to understand whether or not the messages they give to internal audit are received as intended. Simply put, when directors engage with internal audit, they should work to ensure that their messages are properly understood. Nobody intends to give bad candy, but sometimes the neighborhood kids misinterpret your intention.