Reporting to the board: leading practices and trends in higher education

No two governing boards are same. Neither are their preferences for internal audit’s report outs of audit findings to the board audit committee(s). Let’s explore different approaches for providing information to the board, including the inclusion or complexity of completed reports, audit follow-up and other areas that are under internal audit’s responsibility (e.g., ethics hotline, conflicts of interest, etc.).

How is your audit committee structured?

How your audit committee is structured will depend on your institution. Your organization may have only one audit committee, or it may have several. For example, it is not uncommon for academic medical centers to have more than one audit committee. They may have separate committees for the academic institution, medical center and foundation. The number, size and make-up of your committee will likely influence the frequency of formal meetings, meeting agendas and content provided.

Presenting internal audit’s completed reports

Internal audit’s role is established in a charter or policy and typically includes a presentation of its audit activities and findings related to those activities to the audit committee. Some committees want more detailed report outs than others. Where some audit committees prefer internal audit present a summary of the audits and reviews conducted since the prior meeting inclusive of all findings and observations, others prefer only high-level risks be brought to their attention. So long as internal audit is providing the board with objective assurance and advice, the form the presentation takes can vary based on the board and its unique preferences. In our experience, committees typically like having, within the meeting materials, copies of the comprehensive reports that highlight each audit or review’s objectives, approach, findings and recommendations and, at its meeting, a high-level presentation of the findings and observations with the opportunity to ask questions.

Reporting on internal audit’s other responsibilities

Internal audit’s responsibilities do not stop once an audit report is issued. Depending on your organization’s structure and how roles and responsibilities are assigned, internal audit’s scope may vary. For example, internal audit may also oversee activities to ensure past internal control gaps have been addressed (i.e., audit follow-up), monitor the ethics and compliance hotline, manage the disclosure of