Audit committee being asked to expand its role in risk identification and mitigation.
The management of risk is a critical issue facing companies in today’s rapidly evolving business environment, and audit committees are being asked to shoulder much more responsibility than ever before. Risks involving financial reporting, internal controls, compliance and information security all require a tactical and multifaceted approach to their management, and increasingly the audit committee is being asked to help find solutions to problems in all these areas. Audit is also being asked to ensure that the company establishes and maintains a strategic and dynamic plan of action to deal with risk.
The audit committee has traditionally been tasked with an oversight role. The SEC states that the audit committee is a subcommittee of the board of directors which provides independent review and oversight of a company’s financial reporting processes, internal controls and independent auditors.
When operating effectively, the audit committee can ensure that appropriate and adequately designed controls are in place. It can then objectively assess those controls and the procedures related to them. However, in the wake of recent corporate scandals, a seemingly never-ending recession and a severe lack of confidence in the economy, there is a clear impetus towards improving governance practices, and now the audit committee is being called upon to expand its role in the areas of risk identification and mitigation.
‘Deloitte & Touche conducted a study a year ago when the SEC required enhanced proxy disclosure and found that approximately 60 percent of public companies’ audit committees are functioning as both the audit and risk committee,’ notes Henry Ristuccia, a partner and leader of governance and risk management services at Deloitte & Touche. ‘It is key for the audit committee to work hand-in-glove with management to identify the big operational risks that could affect the organization.’
KPMG’s ‘Fall 2010 Audit Committee Roundtable report’ documents an exchange between 1,500 directors and business executives who attended the company’s Fall 2010 Audit Committee Roundtable Series, entitled ‘Risk, reform, and the audit committee agenda’. A significant focus of this conversation and report was the key risk areas that audit committees should reflect on, including the provisions of the Dodd-Frank Act, operational failure, fraud, and information technology risks relating to the extended organization.
Â
More regulations, more risks
The response to the recent spate of economic and corporate crises has been a step-up in legislation and financial reporting requirements, or revisions to existing requirements. This has made the regulatory and reporting environment much more difficult to navigate. The additional regulation, most notably the recently passed Dodd-Frank Act, brings with it compliance-related risks and, in certain instances, penalties for non-compliance which have become more onerous.
The KPMG report states that directors and business executives who participated in the roundtable demonstrated concerns about the whistleblowing provision of the Dodd-Frank Act. This provision offers whistleblowers who report a company’s wrongdoings directly to the SEC incentives of between 10 percent and 30 percent of the sanctions collected by the regulator. Many participants believed such actions could encourage employees to bypass a company’s own internal control systems for reporting suspected wrongdoings. Undermining internal reporting can threaten the effectiveness of the company’s compliance program.
Information security
The advent of cloud computing and the ubiquity of information-sharing have increased the risk of security breaches, placing sensitive information in jeopardy. Several recent corporate security breaches at companies like Citibank and Sony have shown that even sophisticated security systems may be prone to attack.
‘Cloud computing is a new frontier for information technology risk management,’ says Ristuccia, ‘but frankly IT risk is always on the short list as one of the more significant risks for an organization’s operations. IT risks also include perimeter defense and security, and the use of social media in executing the business plan.
‘Often senior stakeholders will say that reputational risk is a major issue and will ask how to best manage it,’ Ristuccia continues. ‘Boards or audit committees that are helping to provide oversight are critical to helping manage IT risk, and thereby reputational risk.’ Since information security affects so many areas within a corporation, it should be a priority on the risk management agendas of audit committees.
The audit committee should continue to ensure that the company is prioritizing IT governance. It should receive regular reports from the head of IT which identify known and new or anticipated IT risks, and the strategies for their mitigation. Some IT issues that the audit committee should consider include:
• The possible disconnect between the data security and recovery protocols of a cloud computing service provider and the company
• Compatibility of new technology with existing technology at the company
• Operational risk relating to information security and unavailability of information at critical times
• The legal jurisdiction governing information stored in the cloud
• The company’s social media policies.
Preparing for high-impact events
The risks related to low-probability, high-impact events such as oil spills and product recalls cannot be overlooked. These events, although rare, bring with them the possibility of severely hampering or even crippling a company’s operations.
A company’s management is not only required to identify these risks, but also to determine whether the controls currently in place are adequate to mitigate them. In order for the audit committee to aid in the identification and mitigation of these risks, it has to fully understand the complexities of the company and of the environment within which it operates. Some of these risks are admittedly not new, but the landscape within which they are to be navigated has been significantly altered, and this may warrant a rethinking or refining of the way in which the audit committee operates.
Corporate secretary can strengthen committee
The corporate secretary can help to alleviate the burden of dealing with added regulations placed on the audit committee by advising the audit committee on the implications of all the changes taking place in the industry. Auditors can provide a periodic summary highlighting the changes in financial reporting requirements, and the related risks. This would be useful in light of new accounting pronouncements and the proposed convergence with International Financial Reporting Standards.
The corporate secretary could also spearhead an initiative to create and manage a secure online information portal for the audit committee. This would provide a central repository for reports, research and communication that can be accessed on demand, allowing the audit committee to keep abreast of issues as they unfold.
‘Corporate secretaries have to make sure that the board and its committees are dealing with topics of interest, and that proceedings are appropriately documented,’ says Ristuccia. ‘Corporate secretaries should ensure that the agenda is current and topical, and can also help in carrying out action steps such as reassessing the functionality of the whistleblower hotline.’
Improved communication with internal audit
Clear and established lines of communication between the head of internal audit and the audit committee can enhance the audit committee’s understanding of, and contribution to, the risk management process. A detailed review of the procedures performed by internal audit could provide further insight into operational risk and supplement the conclusions reached by external auditors.
Benchmarking
If not already in place, the audit committee could develop benchmarks to assess the effectiveness of its functions against other audit committees. No two audit committees are exactly the same, however, so if such benchmarking is not feasible, the committee members should at least assess current activities in relation to the requirements of the charter. This could not only provide insights into areas that may require review, but also indicate whether the charter requires updating as the business environment changes.
It would also be beneficial to benchmark the company’s financial reporting and, if possible, risks against those of its major competitors. This could help the audit committee to identify areas that may require further investigation. ‘The use of outside parties in benchmarking such as the National Association of Corporate Directors and the American Institute of Certified Public Accountants can bring some objectivity,’ says Ristuccia.  Â
It is indisputable that companies must look at risk management from a holistic, enterprise-wide perspective, as the impact of poor risk management can lead to operational failure. However, ongoing education, communication, benchmarking and involvement between a company’s audit committee and its executive management remain crucial in creating a risk management environment conducive to effective planning and evaluation, and thus to the prevention and detection of risks that threaten a company’s operations.
Audit committee tips
Catherine Bromilow, a partner at PricewaterhouseCoopers’ Center for Board Governance, has some advice for audit committees that are being asked to play a greater role in more key areas of their companies’ operations.
Bromilow says that audit committees must educate themselves about overseeing risk more thoroughly than ever before. Various problems with risk assessment were uncovered during the 2008 financial crisis – many companies made moves that threatened their solvency, so now audit committees must make sure corporate directors know the seriousness of the financial risks they are taking.
Audit committees are also playing a greater role in determining executive compensation. ‘We are seeing much more focus by audit committees on executive compensation because they understand that it may have an impact on how accounting estimates are being set and on general behavior and appetite for risk,’ says Bromilow.
To help the audit and compensation committee work better together, Bromilow suggests that the compensation committee chair ‘attend at least one audit committee meeting during the year and really talk to the audit committee about how compensation has been structured and why.’
Lastly, Bromilow says the audit committee will need to play a greater role in managing crises and internal investigations. ‘In light of Dodd-Frank and the new whistleblower rules, we expect that there are going to be far more investigations, far more whistleblower incidents and far more need for audit committees to get their heads around this,’ she explains.
Bromilow warns that if a company launches an internal investigation, it must be sure to pick a truly independent law firm or investigator to oversee the process. ‘The worst-case scenario is that you go through an investigation and in the end the regulators say, Sorry, the law firm you chose really wasn’t independent enough – start over.’