I was recently asked to speak to audit committee members in Niagara-on-the-Lake on best practices for audit committees. See my slides here. I was particularly critical of how audit committees and boards oversee risk. Risk systems in many companies are immature. Look at BP, Wal-Mart, JP Morgan, HSBC, News of the World, Barclays, SNC Lavalin and MF Global. These are all risk management failures, which are turn are governance failures.
There is good reason for risk management failure.
Proper risk management requires internal controls to mitigate risk. (Internal controls are processes and procedures such as segregation of duties, documentation, authorization, supervision, physical safeguards, IT security and prevention of management override.) No one likes to be controlled. Risk management is not intrinsically profit-making. Therefore there is an inherent aversion to risk management by management.
This is why regulators now are targeting boards with greater risk governance obligations because only the board has the authority to control management. Recent bank governance guidelines in Canada require much stronger risk oversight by boards and audit committees. Recent Ontario Securities Commission guidelines offer advice to boards and audit committees with operations in emerging markets, coming out of the Sino-Forest debacle.
There is a strong bias for audit committees to oversee many risks, not just financial. No regulation mandates this however. Audit committees should not oversee risks that they are not qualified to oversee.
Here are a dozen broader questions to determine whether your Audit Committee needs a reset.
1. Do your board and board committees have coordinated coverage, assurance and reporting over all material enterprise risks, both financial and non-financial?
2. For any non-financial risks that your Audit Committee may oversee, do the skills and experiences on the committee match the oversight?
3. Has the Audit Committee proposed a written risk appetite framework, approved by the board, which translates into explicit limitations and thresholds throughout the organization?
4. Are there any acute risks that you do not understand, or over which management is capable of overriding existing controls?
5. Do all Audit Committee members have tenure on the board for fewer than nine years? (Exceeding nine years is a red flag for lack of independence.)
6. Do your independent external auditors have tenure for fewer than nine years? (This is also a red flag for lack of independence.)
7. If your company operates in an emerging market, do you have one Audit Committee member with direct experience operating in this market?
8. If your company has over 300 employees and it is a financial institution, or over 600 employees for any other type of company, do you have an effective internal audit function reporting directly to the Audit Committee?
9. Has your Audit Committee benchmarked the company's risk management and internal control framework against best practices, using an independent external advisor?
10. Do you have an effective risk function that reports directly to the Audit Committee or board of directors?
11. Does your Audit Committee understand fraud implications of accounting policies, methods for making estimates, and compensation metrics?
12. At each Audit Committee meeting, do you meet separately with each of the CFO; the internal audit function; the risk function; and the independent external auditor, without any member of management present?
When I asked for a show of hands during my lecture, not a lot of hands went up for many of the above types of questions.
If you answered yes to all questions, or even almost all, you likely have a truly outstanding audit committee. You may even wish to apply for a governance award, here.
If you cannot answer yes to the majority of these questions, you have work to do.
Join me in my next blog where I will ask if your Compensation Committee needs a reset.