A Candid Look at Board Practices

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


Bridging Effectiveness Gaps: A Candid Look at Board Practices is the title of a new study by the accounting and consulting firm McGladrey LLP on behalf of the National Association of Corporate Directors (NACD).

The report focuses on the quality of information provided to and used by the board. In the words of the authors:

  • Effective board oversight demands information that is as current and relevant as possible. There are, however, natural gaps between what management communicates and what the board needs to know. The information flow between management and the board may not always be perfect, and board committees may have similar troubles bringing the full board “up to speed” on certain issues.
  • [The] oversight role is largely dependent on the quality and scope of information the board receives, exclusively in some cases, from management. The sole reliance on one avenue of information may limit or skew needed dialogue on the most important issues facing the company. Information on risk management, for example, may be accurate but incomplete.
  • If the board’s oversight relies on the information it receives, then a board may be limited by management’s ability to present data in a manner consistent with its own views and artfully direct the board’s decision process.
  • The C-suite’s ability to transfer their knowledge of strategic risks is paramount to the board’s oversight and understanding. Unfortunately, some CEOs may be unwilling to unveil the full scope of risk facing a company because it may be seen or felt as an admission of weakness.

A couple of other board practice topics are covered, but barely touch the surface. In my opinion, this is a skimpy and disappointing document.

However, it does raise the important question: how can the board provide effective oversight without assurance that it receives the information it needs, when it needs it, and in a useful way?

I think this is a good area for the internal audit function. They can and probably should perform audit engagements designed to provide the board with assurance on this important area.

What do you think?

Posted on Jan 10, 2013 by Norman Marks


  1. This past year I have directed two 26-week programs for top bank executives in compliance, IA, risk, legal, M&T... One thing is really clear. Those commenting are unanimous that neither their top management nor, especially, the outside directors have any really clear picture of both the operational and reputational risks emanating from failures to comply with existing (older) regulations (BSA/AML/OFAC/KYC, etc.) and especially the newer regs coming out of the 127 rules so far (139 remain to come). As a trained management consultant and educator it is clear to me that the communications both top down and especially bottom up are not optimally organized or implemented. This is a basic need of INTERNAL GOVERNANCE: the policies and procedures that ensure that everyone at every level, horizontal (business units) as well as vertical, is clear and communicated with on a regular basis. Believe me, there are really very few people on this planet that are totally and always currently informed on any of the old laws... {There is NO perfect AML program (the environment changes constantly)} The key and the objective of our 26-week program is to train execs and managers how to manage uncertainty... and how do compliance, risks fit in...
  1. Insightful report. Indeed there might always be a mismatch between what Management may report to the board as they might choose only to report good news, which has an effect of increasing their rewards. Consequently, I agree that audit should then provide assurance on the process. However, this can succeed only when the Chief Audit Executive has dual reporting responsibilities (to the CEO/FD and Audit Committee Chair).

  1. Norman:

    I agree with you completely that this should be a key area of IA focus. I have promoted the concept for many years that the #1 role of internal audit should be to ensure senior management and board of directors are aware of the significant residual risk positions being accepted. How that is accomplished can come from the organization's ERM system, IA assurance on the reliability of the organization's ERM system, direct report audits, reports from Chief Legal and Chief Compliance Officers, consultant reports and other means.

    Unfortunately, in my experience, the way many IA functions have done their work has not been optimal in terms of identifying and continuing to report each year on the status of residual risk related to key value creation and potentially value eroding areas like compliance and reliable financial disclosures. The revised IIA IPPF standards effective this month require CAEs to report areas where they believe residual risks being accepted are outside of risk appetite/tolerance, but only if they become aware of them. The IPPF should be changed to focus CAEs on the goal of ensuring boards are aware of significant residual risk positions.

    The NACD Blue Ribbon Commission report on board risk oversight provides excellent objectives for boards to focus on.  Internal auditors should focus on providing services that help boards discharge those responsibilities.

  1. Truly indeed, the internal auditors would have a good opportunity to assess and recommend to the Board the kind of reports and information that matter most to the strategic decision-making process.

    Some board members could also be complacent and would not even bother requiring reports and information that "matters most" to the shareholders and the company.

    Some of the practices could be borrowed from the Sarbanes-Oxley compliance regime. Example (as commented by Tim): reports (preferably in the form of certification or declaration - monthly or quarterly) from key officers, i.e. Chief Legal, CFO, CCO and GM, of any known and potential or evolving issues and risks that could potentially or contingently affect the bottom line (as well as other risks, esp. reputation), to be reported to the Board.




