How often do they meet?
Frequency of meetings is driven by the business need - and is well known among executives in advance (imagine the effort required to coordinate schedules). In "normal" times, most committees will meet at least quarterly. Usually the committee will have an "annual calendar" to help ensure that mandatory committee activities (e.g., legal and regulatory requirements) are scheduled, monitored and completed. Depending on the company, meetings last for approximately one to three hours. Some committees employ sub-committee meetings to delve into areas requiring more attention (like technology).
How is the meeting conducted?
Audit committee members are provided with an agenda and reading materials prior to the meeting (typically one to two weeks) so that actual meeting discussions can focus on high-level summary presentations and discussion of "exceptions" or items of concern. Either the CFO or the Chief Auditor will serve as the committee's liaison with management, taking care of administrative issues or other committee member needs. Both of these will attend the meeting, as will executive management.
The chair of the committee will ensure that agenda items are appropriately addressed. The chair will also manage the pace of the meeting. Reports from the auditors - especially recommendations to improve internal control - are discussed. Issues requiring resolution are monitored until completed. The focus is on ensuring things get fixed - not validating excuses or encouraging a silo mentality, which is very much frowned upon at this level. Honesty is key, as any sense of lying at this level will result in loss of confidence in the presenter and will probably eventually result in separation from the organization.
Executive sessions - where the real story gets told
Perhaps one of the most important but lesser-known activities performed by the audit committee is meeting separately with the CFO, head of internal auditing and the external auditors while management is not present. It is in these sessions that the individuals can share their concerns about management and audit committee members can question these individuals without the presence of bosses. These sessions are used by audit committee members to make the necessary inquiries that enable them to fulfill their fiduciary responsibilities and corroborate any impressions and understandings.
This is where auditors - both internal and external - have the opportunity to provide informal impressions on the job management (and information security) is doing. So remember, it's not just what auditors write about, but also what they are thinking.