The quality of an internal audit function's relationship with its audit committee matters more than most audit plans acknowledge. A committee that trusts the audit function, understands its methodology, and engages seriously with its findings is a fundamentally different governance environment from one that receives reports politely and moves on. Getting that relationship right is partly about the quality of the audit work. It is also about the quality of the presentation.

Before the meeting

The most important work happens before anyone sits down in the boardroom. Reports and papers should reach committee members with enough time to read them, a minimum of five working days, and ideally a week. A committee that is reading the audit report for the first time in the meeting cannot engage with it substantively. They can ask questions, but they cannot ask the right questions.

It is worth establishing, with the committee chair, what the chair wants from the agenda time. Some chairs want a brief verbal summary and then to go straight to questions. Others want a structured walkthrough of the key findings. Some want the CAE to lead; others want to lead themselves and use the CAE as a resource. Understanding this before the meeting saves time and avoids misjudging the room.

If there are findings in the report that are likely to be challenging, for management, for the committee, or for the relationship between them, it is usually better to have a preliminary conversation before the committee meeting than to let a difficult discussion develop in real time in front of the full committee. This is not about softening the finding; it is about ensuring that the right context is available when it is discussed.

Structuring the presentation

The opening should orient the committee quickly. What period does this report cover? What was the scope of the work? Are there any significant changes to the audit plan or resource position that the committee should know about? This takes three minutes, not fifteen.

The main substance should focus on the things that matter most, not on providing a comprehensive summary of everything in the papers. If the committee has read the papers, which they should have, they do not need a verbal summary of every finding. What they need is the CAE's judgment about what is most significant, what it means, and what action it requires.

The most common mistake in audit committee presentations is treating the verbal time as an opportunity to repeat the written report out loud. It is not. The verbal presentation should add something that the written report does not, context, judgment, emphasis, or the CAE's personal assessment of how seriously to take a particular finding.

Handling challenge

Audit committees should challenge internal audit. A committee that accepts everything the CAE presents without question is not doing its job, and the CAE should be troubled by the absence of challenge rather than relieved by it.

When challenge comes, the response matters. If the challenge is substantive, the committee member believes a finding is overstated, or that the audit scope missed something important, the right response is to engage with it seriously, not to defend the report reflexively. If the committee is right, say so. If the committee is wrong, explain why clearly and provide the evidence.

The more difficult challenge is when it comes from management rather than the committee. Management that disagrees with an audit finding and uses the committee meeting to relitigate it is putting the CAE in a position that requires careful navigation. The CAE should not back down from a finding because management is challenging it in the room, the committee is watching how the CAE handles that pressure, and what they see informs their assessment of the function's independence. If management has a substantive point that changes the conclusion, acknowledge it. If they are simply uncomfortable with the finding, hold the line politely and clearly.

Actions and follow-up

Every committee meeting should end with a clear record of what the committee has decided, what it has asked management to do, and what it has asked internal audit to do. This is the chair's responsibility to drive, but the CAE should be prepared to support it, by summarising the key actions at the end of the discussion, by ensuring that the minutes capture them accurately, and by following up at the next meeting.

The follow-up report, the update on management actions from previous audit findings, deserves more attention than it typically gets. Committee members remember what they were told at the last meeting. If a management action that was due to be completed in Q3 is still open in Q4, the committee will notice if it is not explained. A follow-up section that candidly reports on overdue actions, with a clear explanation of why they are overdue and what the revised timeline is, builds credibility. A section that quietly rolls overdue actions forward without comment does the opposite.

Building the relationship over time

The audit committee relationship is built over multiple meetings, not in any single one. The CAE who consistently provides clear, honest, well-evidenced assessments, including assessments that are uncomfortable for management, will develop a committee relationship that is genuinely useful. The CAE who manages the relationship primarily by managing what the committee hears will eventually find that the committee does not trust them when it matters.

Kyle McMullan
Kyle McMullan
Founder, the audit hub

25 years in senior financial services internal audit and risk advisory. Kyle writes from direct practitioner experience, having held audit leadership roles, managed regulatory remediation programmes, and advised boards through some of the most complex compliance challenges in UK financial services.

Connect on LinkedIn
← Financial crime audit in 2025: what the FCA expects from internal audit functionsGetting your first Head of Internal Audit role: what panels are actually looking for →