Risk and Control Issues Commonly Overlooked by Internal Audit 6: The Audit Committee

Last year, I started a series of posts on "risk and control issues commonly overlooked by management." These were the first five:

Logically, #6 should be failures in governance processes. But I think I will instead focus on failures of the audit committee.

Deficiencies in the operation of the audit committee of the board might, depending on the organization, create risks to the achievement of organizational strategies in these areas:

  • Oversight of financial reporting. The audit committee should be asking appropriate questions of management and the auditors (primarily the external but also the internal auditors) about the financial reporting process and the reports themselves. One of the key areas where I have seen them make a difference is in deciding what to disclose to shareholders and the regulators.
  • Oversight of the external auditor. In the US and many other countries, the external auditors report, by law, to the audit committee. The committee is responsible for approving the fees and ensuring the approach and staffing of the audit team is adequate. The potential impacts are in cost, business disruption (by the auditor), and in the quality of financial reporting.
  • Oversight of the code of ethics and related activities. This is frequently assigned to the audit committee, although some will have a separate board committee cover this key area. The related activities will include updates of the code, communication to employees (including certification) and training, oversight of any investigations, and oversight of management’s ‘walking the talk’.
  • Oversight of risk management. While some organizations have limited the audit committee to the oversight of risks related to financial reporting, others expect the committee to step up and oversee the entire, enterprise-wide risk management process. Clearly, this is a major task as an effective risk management program is essential to the achievement of corporate strategies and objectives.
  • Oversight of internal audit. Not only is the audit committee responsible for the internal audit function, but it should be its champion. Need I spell out the risks if the internal audit activity is ineffective?
  • Oversight of other compliance activities. This will vary from company to company, but the committee may be concerned with compliance with the US FCPA, the UK Bribery Act, and other regulations.

What questions should the CAE ask in assessing the audit committee’s activities and the potential risk any failures might represent? I would start with a clear understanding of those risks, and then ask these:

1. Does the composition of the committee include the necessary talent?
   a. Do the members (collectively) have a sufficient understanding of the business?
   b. Do the members have a sufficient understanding of the more significant risks related to their work, such as financial reporting risks?
   c. Do the members understand, at a sufficient level, how external auditors and internal auditors work?
   d. Do they understand the role of the audit committee and what it should be delivering?
   e. Are the members sufficiently involved and committed?
2. Is the committee able to hold the right level of discussions?
   a. Does the committee have the necessary control over its own agenda, including what topics are included, the time available for discussions, who provides the members with information, and who participates in the discussions?
   b. Are the committees sufficiently free from inappropriate management interference with their work?
   c. Do the members speak freely and openly? Do they demonstrate the appropriate level of professional skepticism? Is it clear they represent the interests of the ‘owners’?
   d. Are the discussions productive? Is conflict managed appropriately? Do people avoid conflict at the expense of effective discussion?
3. Does the committee obtain the information it needs?
   a. Is the information reliable, complete, and current?
   b. Is it at the right level of detail, yet still providing the strategic view they often need?
   c. Is the information provided in a timely manner, allowing for review prior to the meeting and discussion at the meeting?
4. Is there follow-up on decisions made by the committee?
   a. Are actions taken consistent with committee decisions?
   b. If not, is the committee informed and able to follow up?
5. Does the committee have the authority it should?
   a. Is it involved and consulted when it should be?
   b. Do the decisions and preferences of the committee carry weight with management and the full board?
   c. Do they have the budget and resources they need?
6. Do the external and internal audit leaders have appropriate access to the audit committee?

I am sure there are more questions that should be asked. Perhaps you can suggest some.

I welcome your comments.


Posted on Jun 21, 2011 by Norman Marks


  1. I agree that "The root cause of almost every internal control issue is people," however I find that this common root cause is rarely the focus of internal audits and 'people' are too often assumed to be a 'working part' of the GRC system, therefore we spend most of our time reviewing process and technology.  Is this because we get into organizational denial that we have any "bad seeds?"  Or are we too fearful of the "legal liability" in auditing the people aspects of the GRC system?  What are your thoughts?  

  1. Michael, I agree that deficiencies in 'people' are often overlooked by internal auditors. There can be multiple reasons:

    - We didn't think of assessing this form of risk

    - I don't want to pass judgment on people

    - I am not trained to assess people's abilities, etc.

    - We just assess the process

    - It's a career destroyer and I need to partner with management

    - I prefer not to say

  1. Norman,
    I agree with most of your points and would complement some of them.
    As regards the risks, I’d also consider in addition to the oversight of financial reporting, the oversight of consistency of financial communication.
    On the question side, you are right to keep the list simple and I find the questions accurate. I’d also add the following.
    - Audit committees are being overloaded with work and with the 8th EU directive, face a larger scope of activities, they sometimes don’t see the forest for the trees. Does the committee focus on the right issues?
    - Working out the agenda is a key aspect of audit committee (and board) effectiveness. How does the AC balance its agenda between recurring and non-recurring items? Is enough time for discussion allowed?
    - The interactions of the AC with the board, the management (CEO, CFO, business heads), the chief audit executive, the CRO is key to understand the strategy, the business, the main risks and to obtain information.

    There is however a point on which I am a bit sceptical. This relates to having the CAE assessing the activities and somehow the effectiveness of the audit committee. In a study we recently performed for a European client, it appeared that among 20 of the largest European companies (non-financials), the evaluation of the audit committee was always part of a broader evaluation, the board evaluation. In a vast majority, this process was driven by the nomination/governance committee. It's actually a common practice.
    Would you see it as a practice that should change and fall within the remits of the CAE? Wouldn’t it put the CAE in a delicate situation, by having to assess the one that appoints/dismisses/assesses her/him?

  1. Thank you for your comments and observation, David. I am hoping Gregory Kalin will post his views - basically that this should not be the role of the internal audit function.

    My view is that we should start by checking back at our charter: to provide assurance relative to governance, risk management, and the related controls.

    We should acknowledge that the activities of the audit committee are an important part of the system of internal control (included in the Control Environment layer in the COSO Internal Control Framework).

    We should further acknowledge that a poorly performing audit committee represents a risk to the success of the organization.

    Now, what do we do about it? Do we stick our head in the sand and refuse to address a source of major risk?

    I vote that we should work with the audit committee to figure out a solution. Maybe it's to rely on the board's self-assessment process. But first, we should look to see if we can rely on them as a source of independent, objective, and competent assurance. Maybe we should partner with the audit committee and engage an independent co-sourcing provider to perform the work at our direction (or direction of counsel), using a process we approve.

    It could be that the CAE has the confidence of the board and management to perform this assessment, just as internal audit can assess tasks under the authority of the CEO/CFO.

    What say you?

  1. I don't think it's the role of the CAE to assess the effectiveness of the audit committee. The audit committee should be self-assessing its effectiveness and reporting its assessment to the full board of directors. Now, the CAE can certainly play a consulting role in working with the audit committee chair in setting the agenda, developing an effective self-assessment methodology, providing best practice guidance, etc. The audit committee should be assessing the effectiveness of the CAE, not the other way around. Now, I guess the audit committee and CAE could do a 360 review, but I don’t think this has ever been done.

  1. Just to build a little on my prior comment.

    I think the board and its committees should perform a self-assessment. That is all goodness. But, internal audit should consider assessing the self-assessment process and determining whether it can be relied upon for this major source of risk. In some cases, the CAE can volunteer to be the facilitator of the self-assessment.

    But the bottom line is that the CAE has to consider all major sources of risk to the enterprise. In the same way as the CAE can't say "I am not looking at environmental risk because we have a separate group for that, and I am not going to even look at their process" she shouldn't say "I am not going to look at risks in governance processes, even to look at board self-assessment processes."

  1. Very good commentary gentlemen. A couple of thoughts that could be helpful.

    First, I think that most internal audit departments would be quite fearful of being able to assess the Audit Committee. They should not be fearful but they are fearful because they report to the Audit Committee and so how do you tell your boss that he/she is not doing a good job.

    Second, it is possible to have an external review done of the Audit Committee and I see no reason why this should not be done. In fact, it must be done. But to Norman's point of control self assessment, this is a good start.

    Third, if you have a robust system of risk management in place in your company then all the questions indicated above will be tackled in identifying the events that could create risk for the company and before this stage in the context stage of the process. This is good because it need not be the internal auditor that identifies these risks. The internal auditor will just audit the risk management system (hopefully). But if there is a robust system, then the internal auditor will indeed have access to the full range of risks impacting the company and nothing less will suffice.

    Fourth, additional question to the Audit Committee: in addition to your understanding of how internal audit and external audit work together, do you think it is important that there be no overlap at all in coverage between the internal and external auditors, and what process did you use to conclude that this was the case?


  1. I think that there is an additional factor here, which is whether the Audit Committee has the time/capacity for the activities that have been assigned to it. An audit committee that is responsible for not only oversight of financial controls and internal/external audit activities, but also risk management, ethics and compliance, but is still working to the same time constraints as a committee that is only looking at the former (plus receiving assurance that the latter activities are being monitored appropriately) is unlikely in my view to be doing a very thorough job.

    On the root cause point, I suspect that the reason why internal auditors do not look at root causes is probably because they have not been trained to do so. Root cause analysis is quite a specialist skill. I'd also query whether 'people' is a root cause, because in my experience you need to understand why the individual or group caused the issues before stopping the analysis, and generally speaking there will be some systemic issue that needs to be addressed. I totally agree however that considering and understanding the actions of the people involved is a key part of any RCA, given that people are key to both risk and resiliency.

  1. Arnold, why should the CRO be any less in awe/fear of the board and audit committee than the CAE? Why should the CRO be in any position to assess the audit committee performance, when he/she usually doesn't attend or have the same insights as the CAE?

    Just asking....

  1. Jacquetta, I agree with your point on the role of the audit committee. An additional question might be whether the charter of the committee is the right one. Are they assigned the right duties, especially given regulatory requirements and their capacity?

    Some of the leading thinking is that the board should be responsible for risk management, with some aspects delegated to various committees. Dodd-Frank says certain financial services companies must have a dedicated risk committee.

  1. Norman, my personal view is that where the company is large, complex or facing significant risks a dedicated sub-committee of the Board is the right way to go. This provides enough time and space to properly plan risk management, discuss risks arising, receive root cause analysis reports and track action plans and monitor both risk management and specific risks. It also gives a message to everyone in the company that risk is important.

    The audit committee should still on an annual basis receive a report from IA on the effectiveness of the risk management system, and the Board should receive regular updates on the significant risks.

    The committee can have further roles (the last organisation I worked for had a combined quality, risk and governance committee which was very effective), but risk should be the primary focus.

  1. Norman:

    On your questions:

    On your first point, the CRO should fear them less because he/she does not carry the baggage of the CAE, meaning for the longest of time internal audit departments played second fiddle to the external auditors who more often than not reported to management on the competence of the internal audit departments through quality assessment reviews and through work being outsourced to them, when it should have been the other way around. The internal audit departments let this happen to them through taking a passive approach by and large. They also are missing many skill sets.

    The CROs have overall responsibility for the risk management system in the company and part of that responsibility is the clear articulation of all of the major business risks that could impede accomplishment of the business objectives. This is very clear. If the audit committees are impeding accomplishment of the business objectives through, among other things, inept performance, this should make it onto the risk register. It would however be internal audit's job to assess the integrity of the risk management system.

    But you also stretch when you say that the CRO does not have the same insights as the CAE. Surely you jest, right? By today's standards, a highly qualified CRO could/should walk circles around the CAE; however, this is precisely why the CAE needs to be trained in risk management so that they can walk around in a circle together holding hands and singing the same song in unison.


    Arnold, why should the CRO be any less in awe/fear of the board and audit committee than the CAE? Why should the CRO be in any position to assess the audit committee performance, when he/she usually doesn't attend or have the same insights as the CAE?

  1. Great article, thank you
  1. I agree that financial reporting leads the way on financial mistakes and fraud. There can never be enough questions asked to the internal auditors especially about what is being reported to shareholders. Most common people don't know the ins and outs of what they are paying taxes on. Usually when it comes to their investments, they get a printout showing their gains or losses then they pay taxes based on this. Well, if there is fraud on these statements, there's basically no way for them to know about it. Some take it a step further and study for the CPA exam so that they can have a better understanding of the intricate calculations that are used in determining their gains and losses. This was a very informational post and I plan on coming back soon. Keep up the good reporting.
  1. As you know, the self assessment process is becoming an important exercise to assess performance in all leading organizations and banks. The process started as Control Self Assessment, improved to become Risk Control Self Assessment, and it has been applied across organizations. Now, it is time for the Audit Committee to go through the self assessment questionnaire to assess what they have been doing and take notes on things they need to improve. It is really important to educate the Audit Committee to raise the members' awareness, especially in the Middle East.

    Accordingly, the question I would add is "Does the Audit Committee carry out an annual self assessment?"

