Skip to main content

Audit Committee and Risk Management Oversight Questions for Boards

Many of the questions below are based on hypothetical and disguised but plausible scenarios that I researched, or upon which I directly advised.

Let’s say a worker is responsible for maintenance of a machine, but because of time pressures, cuts corners and does not address fatigue (or wear and tear) in the machine, and no one oversees this person’s omission. The machine fails and affects the failure of other machines nearby. The company is in an industry where, if that machine fails, 300+ customers will likely die.

Or let’s say it is another machine where, if it is not treated properly, the company’s product can be poisonous. Or another machine where, if procedures are inadequate or not followed, property destruction and death can result. Or another process in an institution, where if internal controls are inadequate or not implemented, millions of dollars of losses can result.

Aside from senior management, is it fair to hold the board responsible for the above failures in risk management and internal controls, in the above hypotheticals? Is it fair to hold the committee chair or committee overseeing this risk responsible, in part?

I am not sure. It would depend on the actions (or inactions) vis-à-vis best practices and legal tests. One thing I can say however, is that I have had the good fortune of interviewing and seeing how one or two excellent board or committee chairs, or directors on a board, can completely reform and turn around risk management of an entire large, complex organization by pressing management and holding them accountable. This is a pleasure to watch and see, how effective a strong board and strong directors can be.  This is how boards should be.

I recently interviewed directors and senior management of an important organization, along with nine leading Canadian directors and audit committee chairs. Here are some questions that address the above scenarios and incorporate learning I have developed from my research and assessing audit committees.

  1. Risk Management Coverage and Assurance Mapping

    Is each material financial and non-financial risk (no more than 12-15) covered (via explicit mapping) through identification, treatment, independent assurance and upward reporting? Do board guidelines and committee charters cover off all material risks so none slip through the cracks?

  2. Whistle blowing and Code Compliance

    Employees may now go directly to regulators without utilizing the company’s internal investigation procedures, and participate in a monetary reward. Does the company code of conduct have fair, impartial, credible investigation procedures that employees trust and actually use? Does effective oversight occur of ethical reporting by the Audit Committee?

  3. Internal Audit

    Does the Audit Committee approve the appointment, compensation, work-plan, independence and accountability of this function? If not, why not? This person should report directly to the Audit Committee.

  4. IT Governance

    Is IT risk and opportunity management adequately overseen by the board (or a committee), including over IT investment, cloud computing, social media, security of information, privacy, business interruption and crisis planning? Does management (and the board) have competencies in these areas?

  5. Stress and Scenario Testing

    Is the capital structure, quality of earnings and revenue tested under various adverse conditions (including regulatory, competitor and contagion), such as “what if” or “when”?

  6. Audit Committee Bench Strength

    Does the Audit Committee have the competence and courage to understand and constructively challenge the basis and rationale for management’s estimates, assumptions, judgments and forecasts, both in terms of potential manipulation by management, and the fairness, balance and quality of financial disclosure?

  7. Chair Reporting to the full Board

    Does the Audit Committee Chair (and other committee chairs overseeing non-financial risk) submit a written report that enables non-committee members to understand the deliberations, recommendations and reporting, and ask questions and receive satisfactory answers?

  8. Auditor and Financial Management Bench Strength

    Does the board have confidence in the quality of finance and risk management, and external and internal audit (including integrity, competence, responsiveness and reporting)? The board should oversee all of these positions, subject to shareholder approval for the external auditor.

  9. Internal Controls over Non-Financial Reporting

    This area may be a weakness for many boards. Has the regime for financial reporting and assurance been adopted for the most important non-financial reporting risks of the organization (e.g., operations, compliance, environmental, social, reputation)? Has the effectiveness of the design and implementation of internal controls been tested on and reported to the board or relevant committee, for these areas? Boards should press management for this reporting and obtain independent (outside) assurance for risks of concern, to put the heat on management.

  10. Undue Influence / Reliance, Integrity and Fraud Risk

    Are there any pockets within the organization or executives who may have the opportunity, pressure or incentive to take inappropriate risks, or engage in potential fraud, that may be exacerbated during an economic downturn? As two audit committee directors said, the systems must be “person-proofed” and run on “auto pilot.” Can the board demonstrate that it has taken reasonable steps to satisfy itself that executive officers possess integrity? (The board is responsible for satisfying itself that executive officers have integrity under NP 58-201.)

Conclusion

Back to our original hypothetical scenarios. Directors have said to me, “we missed it,” or that you cannot protect yourself against a “rogue” or someone who is intent on committing fraud. I am not sure these answers are entirely satisfactory.

It seems to me that if the above steps are followed, and a culture of risk management and tone-at-the top is set by the board, there is a much lesser likelihood that “we missed it” will occur.

Updated on August 7th, 2011.