Risk and Control Issues Commonly Overlooked by Internal Audit 6: The Audit Committee
Last year, I started a series of posts on "risk and control issues commonly overlooked by management." These were the first five:
- #1: Information required to run the business
- #2: The adequacy of risk management
- #3: The root cause of almost every internal control issue is people.
- #4: Linking strategy to execution
- #5: Management
Logically, #6 should be failures in governance processes. But I think I will instead focus on failures of the audit committee.
Deficiencies in the operation of the audit committee of the board might, depending on the organization, create risks to the achievement of organizational strategies in these areas:
- Oversight of financial reporting. The audit committee should be asking appropriate questions of management and the auditors (primarily the external but also the internal auditors) about the financial reporting process and the reports themselves. One of the key areas where I have seen them make a difference is in deciding what to disclose to shareholders and the regulators.
- Oversight of the external auditor. In the US and many other countries, the external auditors report, by law, to the audit committee. The committee is responsible for approving the fees and ensuring the approach and staffing of the audit team is adequate. The potential impacts are in cost, business disruption (by the auditor), and in the quality of financial reporting.
- Oversight of the code of ethics and related activities. This is frequently assigned to the audit committee, although some will have a separate board committee cover this key area. The related activities will include updates of the code, communication to employees (including certification) and training, oversight of any investigations, and oversight of management’s ‘walking the talk’.
- Oversight of risk management. While some organizations have limited the audit committee to the oversight of risks related to financial reporting, others expect the committee to step up and oversee the entire, enterprise-wide risk management process. Clearly, this is a major task as an effective risk management program is essential to the achievement of corporate strategies and objectives.
- Oversight in internal audit. Not only is the audit committee responsible for the internal audit function, but it should be its champion. Need to spell out the risks if the internal audit activity is ineffective?
- Oversight of other compliance activities. This will vary from company to company, but the committee may be concerned with compliance with US FCPA, UK Bribery Act, and other regulations.
What questions should the CAE ask in assessing the audit committee’s activities and the potential risk any failures might represent? I would start with a clear understanding of those risks, and then ask these:
I am sure there are more questions that should be asked. Perhaps you can suggest some.
I welcome your comments.
Posted on Jun 21, 2011 by Norman Marks
Share This Article: