Reporting to Audit Committee

Posted By: Incognito1

Reporting to Audit Committee - 09/18/20 12:01 AM

Hello -

I'm hoping some Chief Audit Executives or Directors might be willing to share some of their practices and expertise. My bank has grown substantially over the years and I want to make sure my practices are in alignment with others. I'm trying to figure out what is the appropriate balance between providing enough detail to the Audit Committee that they can meet the responsibilities assigned within their Charter but also not be too much in the details (Executive desire)? I also want to find a good balance for myself that I don't have to create a lot of additional documentation or reporting for just the AC meetings since the department already does so much writing/reporting internally. Below is a summary of what I currently provide to the AC. It would be super helpful to know what others are doing or if they have done something that really makes Executive management and the AC happy? Also, as an additional detail - we have very structured ALCO, ERM, Management Loan committees in place and those committees report to the Board of Directors - so my Audit Committee has no responsibilities/oversight directly for those areas (no overlap in reporting).

Meeting frequency -Every other month

Meeting Agendas
1. Audit Plan - Dashboard (status of projects, what's in que, what's ahead, alignment with annual goal) etc.
2. Internal Audit Reports - For every audit performed, we provide a dashboard showing total # of findings, # agreed to by management, # with a corrective action plan, corrective action Gantt chart showing resource and remediation timeframe. We also scrub out all high risk items and talk through those observations one by one and the corresponding management response/action plan.
3. External Audit Reports - Again we scrub out all high risk items and talk through those individually one by one and the corresponding management response/action plan.
4. Audit Response Tracker - Semi-annual dashboard with graphs, trends. We scrub out all items that are aged 1 year+ and discuss each one of those individually and the updated corrective action plan.

Thank you!!
Posted By: osucpa

Re: Reporting to Audit Committee - 09/18/20 12:04 PM

I am the Internal Audit Director for a 2 billion dollar bank with branches in multiple states. It is always a juggling act for the right balance of information and not allowing AC to take on the role of Executive Management.

1. I have a monthly meeting with my CEO to discuss the Internal Audit Department which would include going over the audit plan, audit staff and any other topics either of us would like to discuss. I think this meeting has helped both parties a lot.
2. Have detailed conversation with the AC chairperson. Technically it is their meeting and you should be providing the information they desire. I have a pre AC meeting with our chairperson. We go over all items being presented. What I have found over the years is sometimes the AC want to get in the weeds especially Low Risk findings. This can occur even if you do not want it to happen.
3. I talk regularly with the AC about what they would like to see and are they being provided enough information about risk.
4. Annually they complete a Self Assessment.

I hope this information helps.
Posted By: Incognito1

Re: Reporting to Audit Committee - 09/18/20 03:31 PM

Thank you for your response! It sounds like we have similar practices except for meeting with the Chair before the meetings. You mentioned Low risk items - does that mean that you share all your audit findings with them regardless of risk level?
Posted By: osucpa

Re: Reporting to Audit Committee - 09/18/20 04:19 PM

All findings regardless of risk rating get presented in our audit reports. We might not cover them in the meeting but the AC does see them. One reason for this is if a finding does not get corrected the risk rating could be elevated in future year audits.
Several years ago, I posed this question to the AC and they said they wanted to see all findings so they see all findings. For us they do not like surprises.
Posted By: edAudit

Re: Reporting to Audit Committee - 09/21/20 01:05 PM

I would add significate regulatory matters that have been noted in other FI in regards to audit. Some of the C&D's mention audit and serve as a do not let this happen to you.

I know where you are coming from:

In my early days of audit I had worked for a FI that insisted on providing a 600-700 page audit report to the Audit Committee each month. It was sent out a day prior to the meeting. I could not understand the complete waste of time and energy but that is what management thought was appropriate.

Most of the reports were compiled by the CFO's office. One day he requested that audit 'audit" his reports. One of the excel spread sheets did not update for 7 years giving the same and incorrect figures. No one noticed in the 7 year span.