Three findings, not thirty. What an audit committee actually needs to see.

A short essay on the discipline of prioritization — and a template we use in every engagement. For the CAE who is rewriting the next quarterly pack on the plane home from the off-site, and the audit committee chair who would like the meeting to take 75 minutes instead of 150.

Andres J. Castañeda, Partner — Risk Advisory & Internal Controls

An audit committee meets four times a year. The shortest meeting I have ever attended ran 47 minutes. The longest ran six hours, and ended with the chair asking everyone to come back the following Tuesday. The difference was almost never the number of issues at the institution — it was the discipline of the report. The 47-minute meeting had three findings. The six-hour meeting had twenty-eight.

This is a short piece about a specific habit I have watched several CAEs grow into over the years, and that we now insist on at every internal audit engagement we run.

The 28-finding deck

The deck shows up in my inbox a week before the meeting. Forty pages. A two-page executive summary that names a dozen themes. A four-page heat map that has had the same colors for the past four quarters. A risk register that lists 28 open findings, color-coded by severity, with target remediation dates that have all slipped at least once. An appendix with the testing detail for the eight audits that closed during the quarter.

The directors will read the executive summary on the morning of the meeting. Maybe. The CAE will spend forty minutes walking through the heat map, ten minutes on the risk register, and fifteen on themes. The questions, when they come, will be about the one finding everyone is already thinking about — the cyber incident from October, the AML examination from November, the IT integration from the acquisition that closed in March. None of those will have gotten more than two slides.

The function of an audit committee meeting is not coverage. It is direction. A 28-finding report covers everything; it directs nothing.

What a director can hold in their head

Independent directors are smart, busy, and serving on three to five boards. They are reading your packet on a plane between two of those boards. The number of issues they can leave the meeting holding — meaning: able to recall the issue, the action, the owner, and the date without re-opening the deck — is small. Three to five. I have seen empirical work on this; it lines up with what every CAE I respect tells me, which is that the directors who serve their institution best are the ones who can ask the four right questions in February that they could not have asked in November.

A report that leaves a director holding 28 findings is a report that leaves them holding zero. They lose all of them because they cannot retain all of them. The action items get sorted by remediation date in the GRC tool and ignored.

The triage rule we use

Every quarter, before we write the committee pack, we sort the open issues into three buckets:

  1. Findings the committee must act on this quarter. Almost always three. Sometimes two. Rarely four. These are findings where the committee has a decision to make: approve a remediation plan, authorize a budget, replace a leader, escalate to the regulator, change the audit cadence. The CAE owes the committee a clear ask on each.
  2. Findings the committee should be aware of. Typically six to ten. These are open issues with active remediation that the committee should know exist and be able to ask about, but where the committee is not the decision-maker. They go in a structured one-pager — not a heat map.
  3. Findings the committee does not need to see. Everything else. These belong in the GRC tool, the management risk committee, or the operational risk forum. Not the audit committee.

The triage requires a conversation with the committee chair. The chair is the partner who tells you that the regulatory item you would have buried in bucket two needs to be in bucket one because the OCC’s lead examiner has asked for it twice. The chair is also the partner who tells you that the open item you had in bucket one has already been discussed in their one-on-one with the CEO and is fine in bucket two.

The template

Once the triage is right, the template writes itself. Three sections, one finding per page in section one, a structured table in section two, and an appendix the committee will not open unless they want to.

Audit committee report · template

  Page 1 · Executive summary · five sentences, no more.
  Pages 2–4 · The three findings · one page each, formatted: finding, root cause, impact, action, owner, date, the question for the committee.
  Page 5 · The awareness register · six to ten open issues, one line each, with a status indicator.
  Page 6 · Audits closed since last meeting.
  Appendix · Detail for any of the above.

That is six pages. It will produce a 60-to-90-minute meeting, regardless of the size of the institution.

The verbal version

The other half of the discipline is the verbal briefing. The CAE walks the committee through the three findings in twelve minutes. Not the deck. The three findings. The discipline is to be able to say each one in three minutes: the finding, the action, the question for the committee. Anything that does not fit in three minutes belongs in the read-ahead, not in the meeting.

I tell every CAE who has not done this before to time themselves at home, with no audience, before the meeting. The first time it will run twenty minutes. The discipline of cutting it to nine is the discipline of figuring out what actually matters.

The pre-call

The last piece is the pre-call with the committee chair. Twenty minutes, the Friday before the meeting. Walk the chair through the three findings, the awareness register, and the questions you are bringing. The chair will tell you what to emphasize and what to defer. You will arrive at the meeting having already aligned on the agenda — which is what allows the meeting to run 75 minutes instead of 150.

None of this is original. The discipline has been written about by every thoughtful CAE I respect; I am writing it again because I keep getting 40-page decks from clients who tell me, with some pride, that they have raised the rigor of their audit committee reporting. The rigor is in subtraction.