How Audit Committees work

In the eighth in our series of blogs about independent assurance we explore the function of the Audit Committee. Operational Risk Software can be key to supporting this discipline.   

Taken from: Mastering Risk Management 

The audit committee, comprising as it does independent non-executive directors, performs a key oversight role for the board and should be the critical link between the board and both internal and external audit. In most financial sector firms, there will be a separate risk committee. However, in many firms the audit committee fulfils both functions. It therefore acts as a catalyst for improving both oversight and risk management. Having said that, the risk committee should work together with the audit committee to ensure that internal audit looks at the risk management function at least every 3 to 5 years.

Audit committee and internal audit

As we said in our first blog on this topic, the head of internal audit should report to the chair of the audit committee from a functional point of view (or failing that the senior independent non-executive director) even if, administratively, they report to the CEO or CFO. Given the key role of the audit committee in the audit governance structure, its chairperson should be actively involved in the appointment of a new head of internal audit. The committee should also ensure that any review of the effectiveness of internal audit is truly independent.

It is for the audit committee to agree the internal audit plan and any changes to it. The committee may also wish to consider the extent to which it is able to call on internal audit to perform investigations on its behalf. In all of this though, it must make sure that the board is kept fully advised of its activities. 

An important role of the audit committee arises when management objects to internal audit’s findings. If so, the head of internal audit is entitled to speak to the chair of the audit committee, who is the final arbiter.

For its part, internal audit needs to have a clear understanding of the responsibilities and operation of the audit committee and the expectations of both the committee and its chairperson.  In summary, the board, audit committee and internal audit need to have a shared vision for internal audit. 

Audit committee and external audit

Here, the audit committee’s duties are clearer cut in that it is its job to appoint the external auditors and agree their terms of engagement and fees. While the chairperson of the audit committee does not manage the relationship between the firm and its external auditors, they should be fully aware of plans for the audit, its progress and outcomes. 

The external auditors’ principal point of contact will probably be the CFO, and the point has already been made that the audit committee should be satisfied that there is an appropriate relationship between the auditors and the CFO. The audit committee has a duty to ensure that management’s processes deliver adequate disclosure, but it must also ensure that the finance function is adequately resourced to fulfil its function.

An audit committee health check

A last word on oversight. Audit committees are not just about financial reporting and assessing internal controls. Their brief as independent assessors of the quality of risk management also takes them into non-financial risk assessments. 

Below is a useful checklist of risks which audit committees should be continually considering in assessing the overall health and tone of the company they serve. Some are what might be termed ‘soft’ risks for which the indicator is effectively a binary ‘yes’ or ‘no’. If there are more than a very few ‘yes’ answers, it is likely that the firm is dangerously exposed to risk. For some, however, firmer indicators can be established. 

Risks and risk indicators for audit committees

Soft risks

  • Inappropriate tone at the top
  • Autocratic management
  • Inexperienced management
  • Poor management oversight
  • Frequent senior management over-rides
  • Overly complex organisational structures or transactions
  • Lack of transparency in the business model and the purposes of transactions
  • (Late) surprises
  • Unrealistic earnings expectations
  • Exposure to rapid technological changes

Hard risks

  • Unusually rapid growth
  • Frequent organisational changes
  • High turnover of senior management
  • Lack of succession plans
  • Ongoing or prior investigations by regulators or others
  • Untimely reporting and responses to audit committee enquiries
  • Industry softness or downturns

Risk indicators

  • Percentage growth in sales
  • Number of key staff lost
  • Percentage of divisions/units completed
  • Industry growth/decline from industry reports

In our final blog on the topic of independent assurance and oversight we discuss the qualities needed to do this kind of work. 

 Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317    

For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com 
