FoxPointe Security Hub

What the Audit Committee Really Wants to Know

March 31, 2023 by Christopher Salone


This article was written by Christopher Salone, CISA, CCSFP, MBA

After years of presenting to Audit Committees, you develop effective ways of communicating not only the results of your IT Audits, but also the health and state of the Organization as a whole. Frequently, I find that at the end of my presentations, when I fall silent and welcome any questions, Audit Committee members’ concerns lie in areas that are large in scope and industry-wide. “What is ransomware?” and “Should we be worried about this conflict overseas?” are questions I often get instead of ones directly related to my audit.

I think it is important that as auditors and consultants, we embrace these questions and opportunities for open discussions while also delivering the audit package effectively. Contextualizing the results of the audit as part of the greater function of the Organization and cybersecurity as a whole is one way of engaging with broad questions that come your way.  For example, if in the audit you have a high-risk IT finding, you could use that time to discuss the finding and recommendation, while also outlining the potential for a ransomware attack to occur if the risk that finding presents were to be exploited.

It is not uncommon during an Audit Committee meeting to be asked questions that are unrelated to the original presentation materials. While you always hope to display and convey your expertise, an acceptable response when you are unsure or wary about a topic is to let the Committee or a specific member know that you are uncertain and will look into their question offline. Using contact information provided by Management, a follow-up response can go a long way in building and maintaining a strong relationship with the Audit Committee.

Over time, as you present to your Audit Committee on a regular basis, you begin to understand each member and what is important to them.  Be sure to effectively convey risks and concerns in terms they can relate to and care about.  If you are presenting on something more technical (like cybersecurity or emerging technology risks), it’s important to find the balance of educating the Audit Committee and achieving the objectives you have for your presentation. In general, the Audit Committee is looking for insights.  That might be trends or themes, or concerns or challenges.

An organization’s internal audit department has a limited number of opportunities to interact with its Audit Committee throughout the year. Utilizing time effectively to deliver key information on engagements is critical, but you must also remain flexible should the Committee want to discuss other topics. Improving presentation skills is a sure way to connect with the audience and tackle their concerns. If you deliver your presentation genuinely and with care, you can then take the time to address any concerns or adjacent topics various members have on their mind. Preparation and knowledge of your industry are key to making good impressions on an Audit Committee.