Pondering Transparency and Confidence
Or: A suggestion for your audit committee?
I became an official IT auditor in 2006 when I earned my Certified Information Systems Auditor certification from the Information Security Audit and Control Association (the keepers of COBIT as well as the governing body for all thirteen of my letters!). My three CPA partners finally lifted their ban on our use of the word “audit,” and we began offering a new, interesting service where I learned about banking just by asking questions. Back then, everything was new, and I loved learning and asking questions.
About a year later, I engaged a Client who practiced a peculiar procedure with their board meeting presentation. The fact I was presenting to the board in 2007 reflects well on this Client as an early adopter of risk management tactics; most banks didn’t start granting access to their boards until around 2010.

After I reviewed the audit report and fielded a couple of questions, the CEO excused management from the meeting. Back then, board meetings were in three dimensions, so it took at least 30 seconds for about half the attendees to get up and leave the room. But it seemed like an hour to me, as my mind raced, wondering what was going on.
The CEO then asked me if there was anything I would like to say to them that I didn’t want to say, or that I couldn’t say, when management was in the room.
Now . . . picture a much younger me, sitting in the middle of a long c-shaped table, positioned in the middle of an elegant room, with a group of older men staring me down, new at everything, wondering, “what the heck?”
As IT auditing and banking and presenting and being in board meetings were all new, at least for me, in 2006, the CEO’s question took me off guard, and I answered with one shaky word . . .
“No?”
Yeah, I still feel bad today, that I said that “no” in the form of a question. Such a short word, but long enough to indicate confidence, or lack thereof.
To help with this article, I spoke with the Information Security Officer of that bank, Robert Duke. He doesn’t remember the episode, so I tell myself that if my lack of confidence had caused a problem, Robert would remember.
But I remember my recovery, which tapped into my sense of honor: “Anything I would have to say to you,” I think I said, “I’ve already said to management. And like I said, they were very cooperative.”
Or something like that. Someone in the room noticed I was off guard and reassured me. I recall someone chuckling at my reaction. That person asked if management provided all requested information on time.
Fortunately, I was able to answer that positively, and then talked about how this particular management team asked us to audit controls that they were concerned might not be enforced. I remember this, because we had discussed, offsite, how this and Robert were the epitome of transparency.
I then asked this board what questions they might have for me that they wouldn’t ask management. They thought that was both funny, and a good idea.
Back then, I worked from a brick-and-mortar office housing about 45 CPAs. That afternoon, I pieced together what had happened.
According to the AICPA, an Executive Session is a private meeting held by a board of directors or a committee, such as the audit committee, without the presence of management. These sessions are designed to foster candid discussions, address sensitive matters, and strengthen the board’s ability to exercise its oversight responsibilities. They are a critical tool in corporate governance, ensuring transparency, accountability, and the integrity of the organization’s financial and operational practices.
Last summer, reflecting on my semi-retirement, I reminded Robert Duke, now promoted to bigger roles, about that event. But again, he didn’t recall it.
“I know it has happened several times, but I don’t recall the first time it happened to you.”
Well gee, Robert. Thanks!
Robert still works at First Farmers’ Bank and Trust, known for safe yet early adoption of technology. He says the board still holds executive sessions occasionally, but “it’s the audit committee,” he clarified, “not the board. Maybe you presented to the board, but we changed that to the audit committee.” I winced when he added, “quite a few years ago.”
Robert was right. I’m a creature of habit. I still say “board” when I mean “audit committee.” But guess what: bankers still point out that board members serve on their audit committees.
“We don’t really call it anything,” Robert said, when I referred to it as an Executive Session. “It’s just a part of our normal procedure.”
I asked if Robert knew in advance that management was going to be dismissed from the meeting.
“No, probably not the first couple of times,” Robert replied. “But once you’ve been doing it for a while, you know it’s always a possibility.”
Hmmm. While I didn’t point this out to Robert, my mind started putting two and two together. See, since last summer, when I experienced an executive session again, I’ve been wondering why this isn’t being done at all the banks we audit. Do our boards know it’s an available control? Should we bring it to their attention that some banks are doing this?
Why are some banks doing this?
Which brings me back to my “hmmmmm.” First Farmers’ Bank and Trust has a “culture” where management knows that it’s always a possibility their auditors will speak directly, unfettered, to the board. (Or audit committee, thank you Robert).
The fact that Robert didn’t remember a lot about it told me that it wasn’t really traumatic or problematic. And he confirmed that. “I do not recall one time where anything came of it.”
Another “hmmmmm.” So, we’re practicing a control that has no history of preventing anything. It’s kind of like having speed bumps on our website in the age of outsourcing.
But why would the board continue to do it then?
The practice has happened to me a few more times in my career, at a handful of banks. But when Brett Gallion, President, COO/CIO of The Commercial and Savings Bank, warned I would participate in an Executive Session after we presented the results of our Blue Team Exercise, I had an opportunity to ask Brett about it. (Interestingly, at the time I am writing this article, I don’t recall if it was a board meeting or an audit committee meeting.)
See, if you’re wondering what “semi-retirement” is all about, it includes reflecting on things that you didn’t have time to reflect on as you were learning them. And my reflection resulted in my realizing Executive Sessions are a control that not all banks use. And whenever I realize something like that, I realize I may have a way to help my Clients. Either the banks still using a control can consider dropping the control, or the banks not using the control should consider using it.
So I returned to the AICPA site and there I remembered that executive sessions are a normal practice in auditing, if not IT auditing. They provide a secure environment where directors can engage in open dialogue with external parties, such as auditors, free from management’s influence. The practice allows boards to:
- Ensure Independence: By removing management, the board can independently assess key issues, such as the quality of financial reporting or the effectiveness of internal controls.
- Encourage Transparency: Auditors and other external participants may feel more comfortable disclosing concerns without management present.
- Strengthen Oversight: Boards can delve deeper into risk management, governance practices, and other areas critical to the organization’s success.
- Build Trust: These sessions demonstrate to shareholders and stakeholders that the board is fulfilling its fiduciary duties responsibly and impartially.
- Identify Blind Spots: Directors gain insight into potential issues or risks that may not have surfaced in regular meetings.
Okay. I can see them as being viable “whys,” if I were to suggest this to a Client as a practice. But boy, to me the most important “why” that the AICPA does not list is “confidence.” Especially nowadays, where IT auditing is a commodity. We’re all growing too fast, and some of the auditors out there are even younger and less experienced than I was in 2006.
“It’s an approach we take from time to time,” Brett said, when he asked if I’d be okay with his board excusing management and asking me questions.
Like Robert’s board long ago, and every bank between, Brett’s board’s questions were once again centered around the audit relationship, and whether management was cooperative, and whether I was finding anything that I felt uncomfortable bringing up with management.
But Brett’s board engaged me. I could tell they had done this far more times than Robert’s had way back in 2006. Executive Sessions, for Brett’s bank, have matured as a control. I’m sure this is the case with Robert’s bank too, having practiced the control for a decade and a half. It’s why I like working with banks. Controls mature, not languish.
When I say Brett’s board engaged me, I mean I asked the board a few questions myself. After complimenting the directors on the veracity of their questions, I asked two questions: One, I asked if they had any questions for me that they wouldn’t want to ask management. Kind of throwing their approach back at them. But I then added a second question which shows how my OWN practice has evolved. I asked them if there were any questions they might have ALREADY been asking management, where they always wondered if management’s answers were correct, or just one perspective.
In other words, “would you like me to add confidence to what management tells you?”
Their answer to the first question was, “no.” Like me, if they had something they wanted to say to management, they’d say it to management. But they liked the second question, and openly discussed how they would remember to be prepared with those types of questions next time.
I always thought what I now know can be called Executive Sessions are good practice for a few reasons. First, if there was something going on between the auditor and management, the auditor would have the ability to bring it directly to the board’s attention. I take pride in the relationships we have with our Clients, and it would be disconcerting to me that we would have to exercise this. But we work for the board, not management, and we would of course do it if necessary.
We believe if you can’t speak to management, you shouldn’t be auditing. Still, I can see how this practice would help marginal auditors, those who are less experienced or less assertive. Though in banking the need is not prevalent, Executive Sessions inevitably increase respect for the auditor.
But if I was on a Board of Directors, a benefit of an Executive Session would be my ability to confirm management beliefs. Not that management is right or wrong. But how do we know their beliefs. . . the assumptions they hold as they make decisions. . . are sound?
If you remember, I started my career thinking it was great because I got to ask questions. I’m not afraid to ask questions, think it’s an important part of my job, and have become pretty good at asking questions.
If I were on a board. . . or an audit committee. . . I would keep a running list of questions that simply mirror statements management has made about technology, to see if the auditor agrees.
For example, I’d be asking IT auditors questions like:
- “What are the primary risks your banking Clients face?”
- “Are there any significant risks or weaknesses in our risk management practices that the board should address?”
- “Have you observed any deficiencies in internal controls that are not being reported for some reason?”
- “Were there any findings during the audit that raised red flags or require immediate attention?”
And, of course . . .
- “Has management been fully cooperative and transparent throughout the audit process?”
- “Is there anything you believe the board should know that management may not have disclosed?”
- “Is management responding to requests for information on a timely basis?”
But why not ask an expert the same questions you’ve already asked management:
- Did the XYZ installation project go smoothly?
- Is it normal for a bank to ignore low-risk vulnerabilities when there are a lot of high or critical risk patches to apply?
- Are most banks using MFA for all customers now?
- What are banks deploying by way of new technologies these days?
And, the most important stand-by question to ask both management and auditors:
- How does the XYZ project (or finding or suggestion or application or service or. . . ) protect our customer?
It is extremely important to know that any perceived discrepancies between what management says and what the auditor or other presenter says are merely an OPPORTUNITY FOR CLARITY. Neither the auditor nor the manager is right or wrong. We just need to make sure we’re all on the same page about the particular issue.
Implementing an executive session is certainly not something that a CISO controls. The more I talked to Brett, the more I realized the Executive Session was a tool Brett’s board or audit committee. . . actually, the entire bank . . . could use to establish that culture of transparency. And it’s a potential tool if there are ever questions related to confidence in assurance or management.
I asked both Robert and Brett if the practice bothered them, and neither of them said it did.
But when I talked to Chris Woodard of Fahey Bank, who is not practicing this yet, she seemed cautious. We didn’t really get into the heart of it, until we emailed back and forth about it.
“I would be coming at this from an Audit Committee perspective for Audits,” Chris wrote. (Darn, I have GOT to get out of the habit of saying, “board.”) After clarifying that there are board members on her audit committee, Chris added, “While I have never been asked to leave, I know our President is tightening up. . . . [practices]. So maybe it is coming.”
I really appreciate Chris agreeing to being considered in this article, because she represents most of my readers. Most banks are not doing this, and their ISOs have enough fish to fry. I needed to understand Chris’ angle in order to properly write this article.
You see, there is one big drawback to this control. I know I would personally feel trepidation about such a practice, given how important the relationship can be between the ISO and board . . . uh, I mean audit committee.
When I first brought up the idea, Chris needed to think about it before agreeing to the interview. She wasn’t exactly sure if she liked the idea. “Not that I have anything to hide, but it seems there could be communication issues.”
Yup. That is the number one drawback I am hearing as I shop this to other Clients. It’s hard enough to make sure the board is enlightened, not frightened.
But by the time I was able to write this article, Chris had changed her mind. “I think it would be a good idea,” Chris said, “I have thought about this for a while. It would definitely help me build confidence over a shorter period of time.”
There’s that word again: confidence.
Not in the auditor. In management.
Assurance at its core is a risk measurement process. But to add value, it can be converted into a data integrity exercise. The more validation vectors there are, the more we can trust the information we use.
So to me, executive sessions could be a cornerstone of effective corporate governance, providing a confidential forum for boards to enhance their oversight capabilities. By fostering candid discussions and addressing sensitive issues, these sessions empower directors to safeguard the organization’s integrity and long-term success.
In other words, Executive Sessions are a control that bank ISOs should consider proposing to their . . .
. . . to their audit committees!

Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex
“Dan’s New Leaf” – a fun blog to inspire thought in IT Governance.