As a chief audit executive (CAE), you understand the need for the right “soft skills” and the importance of your working relationships with key stakeholders, including the board, senior management, external regulators, and others. In this article, we focus on what's probably the single most important professional relationship for a CAE – the one with the chair of the audit committee (AC).
Here we approach the discussion in a fresh way; in any relationship, there are two sides! We asked ourselves: how powerful would it be to view the workings of the relationship from both perspectives – the AC Chair and CAE – to try to understand what both parties need, and what both parties can do to make it work effectively?
So, here goes. Let’s first put ourselves in the shoes of the audit committee chair.
The Key Relationship – from the Audit Committee Chair Perspective
What does the audit committee chair look for when beginning to build a great professional working relationship with a CAE? It comes down to understanding the “3 C’s” in the interaction with your board – communication, competency, and cover. Of all the actions a CAE could take, here are the most critical outcomes that should be top of mind in those early exchanges.
First and foremost, the key to any successful relationship is creating an environment in which a healthy exchange of information can occur. Everyone knows how to communicate, but few have mastered the skill required to be effective. Communication with the board requires a combination of two kinds of outcomes – providing education, and ensuring understanding – both focused on helping the chair make effective decisions. How to do this?
CAEs are often called upon to provide information about the business or about the context within which events and decisions are being made. According to Jim DeLoach, managing director at Protiviti, CAEs are often perceived as “reservoirs of knowledge and insight” to inform senior management and the board of up-and-coming risks. Director education sessions, both as part of onboarding for new directors as well as ongoing audit committee meetings, should include a variety of topics such as the CAE’s evaluation of the organization’s cyber risk management program. These informal sessions can be a great way to enhance director relationships and demonstrate knowledge of critical issues in the business.
To ensure two-way communications are understood, both you and the audit committee chair need to be direct and honest, saying what you really mean and then following what you say with action. When messages are miscommunicated in a business setting, they often come with a price tag; there is no “do over.” If you are not sure that you understand the chair’s message, be sure to ask questions for clarification. Paraphrase what you think you heard. The chair will correct you if given a chance.
A competency is the capability to successfully exhibit certain behaviors and perform required work functions or tasks in a professional setting. To demonstrate competence, CAEs must be able to perform their role with a required level of proficiency. Further, these tasks must be performed in areas deemed to be critical to the audit committee chair.
First, this requires the CAE to have a clear understanding of areas in which the audit committee requires assurance. The CAE and his or her team must be competent in a wide variety of technical and general business functions to effectively provide this assurance. Comprehensive, balanced assessments performed by persons with the requisite skills are the foundation. Results must be concisely presented – not in hundreds of pages of reports or busy board charts. To resonate with the chair, these audits must be aligned to cover the organization’s strategic risks, and the audit reports must show a strong connection with these risks, including the barriers to achieving company goals and objectives.
Lastly, the chair gauges competency by whether or not the CAE commands respect from both senior management and the external auditor. It is critical for the CAE to collaborate effectively across the organization to achieve successful outcomes. Of course, successful completion of the IIA’s Quality Assurance and Improvement Program can enhance CAE credibility and identify areas for improving internal audit effectiveness and efficiency.
Finally, it is important to note that directors care deeply about reputational risk – both from a personal and a professional perspective – and expect the CAE to provide “air cover.” While reputation risk can arise from a variety of sources, CAEs are well-equipped to help directors deal with it. For example, significant product safety or financial accounting issues, or being personally targeted by activist investors for ridicule or replacement, can result in damaging publicity or unwanted attention from regulators. Directors want to be associated with successful companies, and look to internal audit and specifically the CAE to help them manage reputation and keep their company out of the news.
There are many ways in which the CAE can contribute to minimizing director and company exposure. First, when assessing risk be sure to view the organization through the lens of key stakeholders – including employees, suppliers, customers, investors, banks, competitors, and regulators. Where do you see potential issues? Consider ways in which the organization may be vulnerable to bad practices or unforeseen events which could harm its reputation. When needed, conduct assessments of management’s plans for addressing these exposures.
Second, directors expect that they will not be surprised by the CAE in audit committee meetings with damaging new information. But how can you be sensitive to director needs while sometimes having to be the bearer of bad news? The solution lies in developing a relationship that is built on mutual trust and respect. This requires the CAE to be authentic and share openly in the relationship while respecting the chair’s time. Additionally, you need to provide early warning of significant issues as they arise and ensure issues are vetted with both management and the board at the earliest possible time.
Keeping these three things in mind – communication, competency, and cover – will help you create and enhance your relationship with the whole board and the audit committee chair in particular.
Let’s now address the situation from the perspective of the CAE and see what is different.
The Key Relationship – from the CAE Perspective
So, what does a CAE need from a relationship with the AC Chair, why is that so important, and how does he/she go about making that great relationship happen?
Why is it such a big deal?
Well, what the CAE needs can only really be understood by reflecting on the nature of our role and the competing pressures on that role. The internal audit (IA) function plays an important part in the functioning of the organization, by providing assurance and consulting on the strategy and operations of the business. And of course, we all know that business is becoming more complex, and risks of many types (geopolitical, regulatory and many others) are increasing.
But here’s the thing about our role that makes the CAE / AC Chair relationship particularly important: we have a wide range of stakeholders, and sometimes the interests of those stakeholders are not fully aligned. This is inevitable in a business world where ownership and management are separate, and where stakeholders have access to so much, and quicker, information. And of course, there is an element of our role which can be about “speaking truth to power.”
All of this means that the CAE needs to feel that he/she has the full backing of the AC Chair and board when carrying out IA duties.
And this is a relationship well worth investing in. Think of the various benefits that can accrue if the relationship is working well. Things like strong backing (as noted above), input into and support for the audit plan, input and perspective on the performance of the IA function, advocacy and support where necessary in board discussions around IA resourcing, and much more.
So, it is about support, advice, and advocacy. And that really matters.
What can a CAE do to maintain a great AC Chair relationship?
In many ways, the answer is the same as for any other key business relationship. A big part of it is simply the essence of honorable and professional behavior – be authentic, be clear in communications, deliver what you promise, look to minimize surprises, etc. However, based on our experience of working with a number of AC Chairs over our careers, here are some further specific thoughts:
Get to know their preferred style. AC Chairs are people too, so no two are the same. It's imperative to establish what style of communication works best for them. Some prefer a lot of detail; others require us to distill the messages into a few key takeaways. Some will want an AC meeting to take papers as reading and focus the meeting purely on questions; others will want to be “walked through” the papers in detail. Don’t assume – ask them what works for them.
Remember it is not easy being a non-executive director. The AC Chair will typically be a non-executive director of the organization, and this means that they have limited time to devote to the role. Although they will build up a good understanding of the business, they are not involved day-to-day. Little things like taking time to explain the context of a review, and avoiding acronyms, can be very helpful.
Make sure the communications are open and clear. My first meeting with the latest chairman was very impactful. His first action in our introductory meeting was to take out his mobile phone, have me put his mobile number in my phone, and then say: “If you need this number, do not hesitate to ring it.” Steps like this that seem small are significant in building the relationship – seek out opportunities to do these.
Remember how much this matters to them. It’s easy to focus on what you need from a relationship. But much of the trust will be built up from remembering that the AC Chair depends a lot on the effectiveness of the CAE. You are giving him/her a perspective that they cannot get from anyone else in the organization. At times, you are providing assurance and advice in areas that even have implications for their personal liability. Find a way to let them know that you know and value this.
Looking at the needs and requirements of both sides, the conclusions we make are not surprising but perhaps remind us of some essential truths. This relationship is pretty unique in its importance and the level of mutual dependency, as well as in the tremendous value that can be gained by both parties, regarding support, advice, guidance, and protection of reputation. With these points in mind, consider what may work best in your situation and use every opportunity to build a great foundation that works well for both parties.
About the Authors
Derek Foster lives in London and is the Group Head of Audit for Thomas Cook plc. He started his career with Deloitte and has held senior audit and CAE positions with several major international companies, including Electrocomponents plc, General Motors and Royal Mail. Derek is also on the External Quality Assessments Panel of the Institute of Internal Auditors in the UK.
Jay R. Taylor lives in Michigan and is CEO of EagleNext Advisors LLC, focused on helping middle-market public and private company boards and senior leaders achieve business success through improved decision-making, governance and risk management. Jay previously developed Strategic Risk Management for General Motors Company and served in executive roles within global internal audit for information technology, cyber risk management, treasury, pension fund management, financial services and automotive operations. Follow Jay on Twitter at @RealJayRTaylor.