A short essay on the discipline of prioritization — and a template we use in every engagement. For the CAE who is rewriting the next quarterly pack on the plane home from the off-site, and the audit committee chair who would like the meeting to take 75 minutes instead of 150.
An audit committee meets four times a year. The shortest meeting I have ever attended ran 47 minutes. The longest ran six hours, and ended with the chair asking everyone to come back the following Tuesday. The difference was almost never the number of issues at the institution — it was the discipline of the report. The 47-minute meeting had three findings. The six-hour meeting had twenty-eight.
This is a short piece about a specific habit I have watched several CAEs grow into over the years, and that we now insist on at every internal audit engagement we run.
The deck shows up in my inbox a week before the meeting. Forty pages. A two-page executive summary that names a dozen themes. A four-page heat map that has had the same colors for the past four quarters. A risk register that lists 28 open findings, color-coded by severity, with target remediation dates that have all slipped at least once. An appendix with the testing detail for the eight audits that closed during the quarter.
The directors will read the executive summary on the morning of the meeting. Maybe. The CAE will spend forty minutes walking through the heat map, ten minutes on the risk register, and fifteen on themes. The questions, when they come, will be about the one finding everyone is already thinking about — the cyber incident from October, the AML examination from November, the IT integration from the acquisition that closed in March. None of those will have gotten more than two slides.
The function of an audit committee meeting is not coverage. It is direction. A 28-finding report covers everything; it directs nothing.
Independent directors are smart, busy, and serving on three to five boards. They are reading your packet on a plane between two of those boards. The number of issues they can leave the meeting holding — meaning: able to recall the issue, the action, the owner, and the date without re-opening the deck — is small. Three to five. I have seen empirical work on this; it lines up with what every CAE I respect tells me, which is that the directors who serve their institution best are the ones who can ask the four right questions in February that they could not have asked in November.
A report that leaves a director holding 28 findings is a report that leaves them holding zero. They lose all of them because they cannot retain all of them. The action items get sorted by remediation date in the GRC tool and ignored.
Every quarter, before we write the committee pack, we sort the open issues into three buckets:
The triage requires a conversation with the committee chair. The chair is the partner who tells you that the regulatory item you would have buried in bucket two needs to be in bucket one because the OCC's lead examiner has asked for it twice. The chair is also the partner who tells you that the open item you had in bucket one has already been discussed in their one-on-one with the CEO and is fine in bucket two.
Once the triage is right, the template writes itself. Three sections, one finding per page in section one, a structured table in section two, and an appendix the committee will not open unless they want to.
That is six pages. It will produce a 60-to-90-minute meeting, regardless of the size of the institution.
The other half of the discipline is the verbal briefing. The CAE walks the committee through the three findings in twelve minutes. Not the deck. The three findings. The discipline is to be able to say each one in three minutes: the finding, the action, the question for the committee. Anything that does not fit in three minutes belongs in the read-ahead, not in the meeting.
I tell every CAE who has not done this before to time themselves at home, with no audience, before the meeting. The first time it will run twenty minutes. The discipline of cutting it to nine is the discipline of figuring out what actually matters.
The last piece is the pre-call with the committee chair. Twenty minutes, the Friday before the meeting. Walk the chair through the three findings, the awareness register, and the questions you are bringing. The chair will tell you what to emphasize and what to defer. You will arrive at the meeting having already aligned on the agenda — which is what allows the meeting to run 75 minutes instead of 150.
None of this is original. The discipline has been written about by every thoughtful CAE I respect; I am writing it again because I keep getting 40-page decks from clients who tell me, with some pride, that they have raised the rigor of their audit committee reporting. The rigor is in subtraction.
If your committee meetings have stopped finishing on time, or your directors have stopped asking questions, the report is the place to start. — acastaneda@continentalriskpartners.com
Risk Advisory · Internal Controls · 27 yrs
Andres has briefed audit committees at community banks, regional banks, and Fortune 1000 institutions for twenty-seven years. He has a particular allergy to heat maps that have stopped meaning anything.