What High-Performing Audit Committees Do Differently
Research on audit committee effectiveness consistently identifies a cluster of behaviours that distinguish committees providing substantive oversight from those providing nominal oversight of internal audit.
High-performing audit committees engage with internal audit between formal meetings. The audit committee chair has a direct relationship with the CAE that allows concerns to be surfaced and addressed informally, without waiting for the quarterly reporting cycle. This relationship ensures that the CAE feels genuinely safe to bring difficult information to the audit committee's attention — including information about management resistance to audit findings or attempts to influence the scope or content of audit work.
High-performing audit committees use internal audit proactively — directing audit attention toward areas of emerging governance concern rather than merely approving plans that management and the CAE have already developed together. They ask questions like "What are we not auditing that we should be?" and "What would you audit if you had additional resources?" These questions surface governance intelligence that standard reporting processes cannot produce.
High-performing audit committees also distinguish between the audit function's assurance role and its advisory role — understanding that advisory work provides value but does not provide independent assurance, and ensuring that the balance between the two is appropriate for the governance purpose the function is intended to serve at any given point in the organisation's governance cycle.
Common Weaknesses in Audit Committee Oversight
The most common weakness in audit committee oversight of internal audit is passive consumption of reports without active engagement with their governance implications. An audit committee that reads management summaries of audit findings, notes the overall finding count and rating distribution, and approves the follow-up status update without probing the substantive governance questions those findings raise is not exercising meaningful oversight of the function or of the control environment it is designed to assess.
Active oversight requires asking harder questions: Why did this significant finding not appear in previous audits of the same area? What does the pattern of findings across business units tell us about the organisational culture and tone from the top? Why has this finding remained open for three consecutive reporting cycles? What is the CAE's overall assessment of the control environment — not just the findings list, but the synthesised professional judgement that only someone with the audit function's cross-organisational visibility can provide?
The most important question an audit committee can ask the CAE is one that has no prepared answer: "What concerns you most that is not yet on the audit plan?" That question, asked regularly and received with genuine openness, transforms the audit committee's relationship with internal audit from procedural to genuinely inquisitive.
The Dual Reporting Relationship in Practice
The IIA Standards require the CAE to report functionally to the board while typically reporting administratively to senior management. Making this dual reporting relationship work in practice requires deliberate governance design. Audit committees that genuinely exercise their oversight responsibility ensure that they — not management — are the primary audience for the CAE's most significant communications, that the CAE's performance evaluation is conducted by the audit committee rather than by the management the function oversees, and that budget and resource decisions for the audit function are made with the audit committee's explicit approval rather than through management alone. Committees that exercise these responsibilities consistently produce internal audit functions that are better resourced, more independent, and more effective than those where the administrative reporting relationship effectively determines the function's practical accountability and operating scope.