What Should Audit Committees Focus on in 2011?

KPMG’s Audit Committee Institute has released suggestions for audit committees (you can download the report here).

Their #1 tells directors to “keep the eye on the ball: financial reporting and related internal control risk”. I can understand why a public accounting firm would promote a focus on financial reporting, but should that be the top priority for audit committees? Is that dated thinking, given the eye-opening events of the recent past?

For example, you have to wait until #7 to see any real discussion around risk management. Even then, the focus is on “business controls around the company’s key operational risks”. Personally, I would much prefer to see a focus (and it would be #1 on my list) on the adequacy of risk management processes and framework.

Where is the focus on cash management, credit, and capital structure? That has been a real issue for the last few years. Now, companies have built up a store of cash, but I would suggest this should continue to be a major concern for audit committees given the weak economies in certain parts of the world.

My list would definitely include in the top five priorities a focus on whether the information management uses to run the business is timely, current, and reliable. This is an issue that caused a number of businesses to fail. Not only were they relying on historical operational performance data, but risk-related information was also old. In some cases, executives did not receive key pieces of information. The board should also question whether it is receiving complete, reliable, current, and timely information.

The list has no mention of internal audit. Does that reflect KPMG's blindness to the importance of internal audit in providing assurance to the board? Is it because internal audit has lost credibility as a valuable source of assurance? I hope neither is true (KPMG has written extensively, including pieces by Mary Pat McCarthy, on the value of internal audit to boards).

I would certainly have as one of my top priorities ensuring that internal audit provides formal assurance on the adequacy of governance, risk management, and related internal control processes.

So, my top ten would be:
1. The adequacy of risk management processes and framework
2. Coordinating oversight of governance and risk management with the board and other committees
3. Cash flow, credit, and capital structure
4. The quality and timeliness of information used to run the business
5. Formal reports by internal audit on the adequacy of governance, risk management, and related internal controls
6. Linkage between strategy and risk
7. Planning for IFRS
8. Regulatory compliance. Is the company well-equipped to handle the continued growth in complexity? FCPA risk is part of this discussion
9. Changes in tax reporting, the adequacy of staffing and processes within the corporate tax department, and tax-related risks
10. IT governance and IT-related risks, including social media, mobile technology, and cloud computing

Do you agree? What are your top ten?

 

Posted on Jan 5, 2011 by Norman Marks

  1. It does seem dated. I just looked at Morgan Stanley's proxy and they recently established a separate risk committee. So maybe we now need a separate risk committee top ten list. At Morgan, it was interesting to see how the various risk categories were divided up between the two committees. Good news much better discussion how the business is governed, how risk is linked to compensation and who is doing what and how.

  1. Norman:

    Thanks for sharing the survey. Another good document you have made available to the internal audit community. I agree with your assessment and am particularly focused on the number one priority which is the assessment of the adequacy of the risk management processes and framework. Their thinking is dated. But this will change soon.

    Best regards,

    Arnold

     
