Insights for the Audit Committee From Protiviti and Marks

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


The team at Protiviti has published yet another valuable report. Although it is directed at financial institutions, the points are also valuable to other organizations. Setting the 2012 Audit Committee Agenda for Financial Institutions identifies ten major challenges that need to be on the agenda. I like them, but I wouldn’t put them in this order and I would change several.

  1. Managing regulatory change.
  2. Dealing with industry restructuring.
  3. Managing effects of globalization of financial markets.
  4. Improving information for decision-making by focusing on data management and analytics.
  5. Increasing the focus on enterprise risk management (ERM) as risk profiles change and regulators demand more.
  6. Managing the impact of technological innovation on the business model.
  7. Managing increasingly complex privacy and information security issues.
  8. Improving business performance to enhance and sustain competitiveness.
  9. Achieving true customer loyalty.
  10. Attracting, retaining and developing top talent.

When you look at the more detailed discussion of #5, increasing the focus on ERM, you will see what I mean:

“Many of the challenges we discuss herein, as well as increased interest in board risk oversight, intense competition and exposure to an uncertain economic cycle, have raised the need for a truly enterprisewide approach to managing risk. Not an end in and of itself, ERM is a means to an end — that is, a discipline for positioning companies to recognize quickly a unique opportunity or risk and use that knowledge to evaluate its options.”

The audit committee, as well as the full board, should be asking management to demonstrate that they have good processes for identifying, understanding, evaluating, and responding to all of these risk areas — and all of the agenda items are risk areas. Focusing on individual risk areas without addressing management’s processes for handling risks in general is a poor (IMHO) approach. Who knows what event or situation will come up tomorrow — perhaps the UK effectively leaving the EU!

It is not the job of the audit committee to manage these risks. Their job is to provide governance and ensure management is managing the risks — whether it’s the potential impact of regulation, the Euro crisis, the impact of technology, etc.

If I were chair of the audit committee, I would consider holding a meeting just to review with management what their processes are, taking each of the agenda items listed by Protiviti as examples.

Here are my revised top 10:

  1. Improving the ability of the organization to be prepared for and respond effectively to events and situations: both potential adverse situations and market opportunities. This is mature ERM. (See here for more on board oversight of risk management).
  2. Improving the quality and timeliness of information for decision-making (see this earlier post for details).
  3. Being prepared for sudden and dramatic market change (including regulatory change and industry restructuring).
  4. Managing the impact of technological innovation on the business model in general and on business processes in particular — understanding not just the risks but the opportunities. The greatest risk may be in being a late adopter of technology (see here and here).
  5. Achieving true customer loyalty — considering the changing demographics in the different parts of the world.
  6. Improving business performance to enhance and sustain competitiveness.
  7. Making sure you are maximizing the value of the internal audit function.
  8. Managing effects of globalization of financial markets.
  9. Managing increasingly complex privacy and information security issues.
  10. Attracting, retaining and developing top talent.

Protiviti has several words of wisdom. On the topic of risk management and technology:

“According to two Senior Supervisors Group reports, many firms could not monitor their risk exposures accurately due to inadequate information technology infrastructures.”

“Significant investment in IT would be necessary for the industry to make required advances in risk management.”

On technology and demographics:

“The manner in which consumers receive and access financial products and services is undergoing change. The consumer experience is being reshaped by technology-leveraging analytical tools, expanding data sets, social media and mobile computing. With increased cost pressures and a growing demand for flexibility, accessibility and personalization, financial services organizations will accelerate their use of technology to meet customer needs. Networks will become a strategic business infrastructure platform embedding enhanced security, identity, intelligence, and scalability capabilities, enabling delivery of business and technology services both globally and nationally.”

Frankly, this doesn’t capture the entire picture: the way in which the new generations of managers and staff work with technology, indeed their expectations when it comes to technology, are changing. Enterprise applications are moving not just to the cloud, but to mobile devices. It’s not just the data, it’s the software that will be on tablets and smart phones. Companies in every industry need to understand how this will affect their business model.

When it comes to internal audit, the audit committee should:

“Make sure the internal audit function is keeping pace with changing expectations driven by the organization’s structure, culture, business performance issues, regulatory expectations and internal and public reporting requirements and issues. Is internal audit prepared to deal with regulatory changes? Is it prepared to deal with the effects of expected changes in the organization, including the technologies supporting the business model? Is it capable of auditing ERM? Does it have the right skill sets and deploy the right frameworks, approaches and methodologies? The audit committee’s oversight should ensure the function (including any co-source partners) has the resources, skill sets and tools needed to address the company’s key risks.”

I would go further and ask whether the internal audit function is:

  • Providing assurance on ERM, actively working with the risk office to ensure management is equipped to address uncertainty.
  • Where improvement is needed, is internal audit helping or merely watching?
  • Working on today’s risks, rather than those identified as part of a periodic (or, at worst, annual) audit plan. In other words, are they working on what matters now or what used to matter?
  • In a position to understand where change is happening and where the risks lie.

I have added to and changed around a lot of the material Protiviti has shared. Do you agree with what I have done?

What are your top areas for the audit committee?

There is an ancient Chinese curse: “May you live in interesting times.” No doubt, these are interesting times indeed. Whether it’s a curse or opportunity is up to us!


Posted on Dec 12, 2011 by Norman Marks


Hi, Norman. Thanks for covering Protiviti's FS Insights. Clearly, we're in agreement that the audit committee agenda should be given a fresh look.

FYI, Protiviti also issued an issue of The Bulletin on "Setting the 2012 Audit Committee for Non-Financial Services Companies." See the following URL to our Website: (one may have to cut and paste this as I am not sure it will function here -- sorry). The focus of this release is on other industries, recognizing that the emphasis and prioritization will vary by industry.


Hi Norman,

Your analysis going beyond the Protiviti prescription adds much value. I'd like to focus on only one aspect - internal audit. Your own comments take the Protiviti suggestions up another notch. However, IMHO the USP of IA has always been assurance (this IS changing, though). So, for a vast majority of corporates, which may be struggling with getting at least the essential value out of IA (a 'demand-supply' gap in reverse, i.e. less demand!), it may do to focus on strengthening IA with an eye on the assurance role, or other main role if they've formulated one by IA mandate. This may perhaps be the preferred route for many, rather than strengthening internal audit for its own sake (for want of a better expression). Once the organization has moved up the maturity scale in terms of risk management (internal audit being an essential part of the equation), then it may be a good time for IA to focus on its other, more value-adding role/s.

My 2 cents.


Thanks for the comment, Deb.

I believe that the best assurance is provided when IA can help ensure risk is managed with appropriate controls and security when changes are made. That means getting out ahead of the change.

In other words, some consulting engagements, such as pre-implementation reviews, are actually delivering assurance.

What is the ideal result? That everything is clean and well-managed. If IA continually finds issues, it is probably (over the long run) failing.
