AUDIT COMMITTEES RAISE THE BAR

Leveraging Resources to Oversee Risk

The 2008 Audit Committee Study conducted by Corporate Board Member and Crowe

The Big Challenge: ERM

In 2002, Sarbanes-Oxley Section 404 turned up the heat on board responsibility for risk management oversight and internal controls— issues that have grown increasingly complex. While management should have a process in place to identify, evaluate, and mitigate significant risks, good governance demands that boards—often through their audit committees—ensure these processes are working effectively. Today this board responsibility has grown such that 70% of audit committee members surveyed identified enterprise risk management (ERM) as the most challenging issue for their committee in the next 12 months (Figure 1).

Audit committee members are chiefly worried about ERM because they recognize the enormity of the task. There is risk potential in every aspect of the corporation—IT risk, legal risk, market risk, environmental risk, reputation risk—those are but a few of the significant business risks faced by every company. Moreover, companies must have the right people, plans, and processes to counter risk, because the alternative to risk management is crisis management—the aftereffects of which could deliver an onerous blow to the company as well as its directors, personally. This is why boards and audit committees of companies large and small are grappling with how best to create a meaningful dialogue with senior management on their approach to risk management throughout the enterprise.

Our survey looked at several aspects of how audit committees are moving forward on this front and what tools they are using to make inroads. First, for instance, the board must determine where the ultimate responsibility lies for ERM and how to organize necessary functions and accountability. Our survey shows that audit committee members overwhelmingly believe the primary responsibility for monitoring risk in the organization falls within the scope of the full board. However, in practice, some boards delegate the function among various committees that take ownership of certain risks, others create a separate risk management committee, and some feel it is a function of internal audit (Figure 2).

“This is ostensibly one of the most complex governance matters for boards and audit committees to deal with—the challenge of assigning accountability for risk management,” says Corporate Board Member President and CEO TK Kerstetter. “In some cases, the board will create a risk management committee to oversee specific areas and report back to the audit committee or the full board. Even in those cases, however, the audit committee—and the full board— must remain vigilant and accept responsibility for the oversight of risk in order to maintain the appropriate governance principles and leadership for the company.”

Rick Julien, an executive with Crowe’s Risk Consulting Practice, emphasizes that the board’s process for dealing with ERM is critical. ”While best practices suggest that the full board should own oversight of enterprise risk, it is critical that audit committees understand that a process exists in the organization to identify and manage risks. Effective audit committees ensure that a thoughtful process for managing risk exists and that it has the support of top management,” Julien says.

No matter how the risk management function is ultimately organized, the company needs two critical assets—skilled human resources and efficient processes in place to monitor and act on risk management issues as they arise. The corporation’s internal audit department, led by the chief audit executive (CAE), should be a proactive force in fostering good communications that will accomplish these goals. Therefore, the establishment of a strong, trusting relationship between these internal and external players is crucial.

The CAE/Audit Committee Relationship

Given the shared responsibilities for risk management activities, the chief audit executive is arguably the audit committee’s most important resource. Our survey shows that in many cases (72%), the audit committee plays a key role in hiring the CAE, so audit committees must understand the skills and competencies necessary for the CAE role.

Additionally, the person filling that position takes on a leadership role as a champion of ethics and governance issues and acts as a conduit of necessary information back and forth to the audit committee. Thus, understanding the foundational qualities necessary for the relationship is key to building a strong governance culture and having an audit committee that discharges its duties effectively.

Jonathan Marks, an executive with Crowe, agrees that having the right CAE plays a major role in audit committee effectiveness. “It is in the best interests of audit committees to understand the qualities of an outstanding CAE—among them, excellent communication skills and organizational savvy. Just as critical is the notion of developing and maintaining a sound relationship with the CAE, which in turn greatly enhances the value the audit committee can derive from the relationship.”

In general, audit committee members surveyed believe the CAE capably assists them in meeting their responsibilities—nearly three-quarters rated their CAE as very effective in this regard—evidence that for most companies, a healthy relationship exists. The majority of audit committee members also say they are comfortable the CAE is proactive and provides complete, accurate, and objective information. In essence, once a good foundation is in place, audit committee members will find they have no greater ally than the CAE in leveraging information and resources from within the organization.

Moving Beyond the Basics

Beyond providing information and support for audit committee meetings, CAEs also have responsibility for specific risk management activities.

These duties range from objectively monitoring risk levels globally within the company to identifying specific risks and even supervising and coaching management on responding to actual risks as they surface.

To get a better handle on how audit committee members assess the strength of this relationship in terms of ERM support, the survey measured a number of aspects. We first asked audit committee members how well they work with the CAE to define the scope and design of ERM projects or risk assessments conducted through internal audit and found that 50% believe there is room for improvement in this area. With regard to determining and evaluating risks, 53% of audit committee members told us they believe their CAE’s ability to conduct risk assessments was not highly effective. Slightly higher numbers (59%) were satisfied with their CAE’s ability to communicate information on relevant risks once those risks were known, as well as his or her ability to communicate information on risk management strategies. Functions outside of ERM garnered higher CAE effectiveness ratings, such as Sarbanes-Oxley compliance, audit committee meeting preparation, and championing ethics and whistleblower programs (Figure 3). Thus, the results reveal that while audit committee members are satisfied with the effectiveness of their CAE and the functioning of the internal audit department in many foundational areas, the findings that relate to ERM functions are hardly glowing in that regard. The bottom line? ERM is intrinsically a complex and troublesome area to manage and many companies’ audit committees lack confidence and/or support from internal sources. This in turn has created an ongoing ERM challenge for the board of directors and its constituents.

“It’s a vicious cycle,” says Crowe’s Rick Julien, who says audit committees who lack appropriate internal support will have a which in turn creates an even bigger challenge down the line. “Given that the true risk environment changes frequently, audit committees need to have a comprehensive understanding of what ERM is (and is not) along with appropriate internal support. Even with a thorough understanding, however, there’s no guarantee that all problems will be avoided. Still, taking a practical approach to ERM is a critical step in ensuring an adequate, thoughtful ERM process is in place.”

Conclusion: Raising the Bar

Audit committees, with their increased responsibilities, require high-level internal support, good working relationships, and quality organization and information in order to operate effectively and within good governance standards. In the past several years, regulatory changes have mandated that audit committees improve controls and take a more active, accountable role in the risk oversight process. The time commitment required for audit committee members has grown in lockstep with these additional responsibilities, requiring directors to take a hard look at how their committee must function to work most efficiently and effectively.

Jonathan Marks from Crowe notes that CAEs have an opportunity to add important value to audit committees by making sure they offer more than just basic assistance. “Those CAEs who proactively take the lead to educate the board and management about governance and risk management have the opportunity to add tremendous value. On the flip side, audit committees who leverage the CAE to assist with more strategic endeavors, particularly around ERM, will likely end up with a more effective audit committee.”

Today, audit committee members must continue to build solid relationships with their CAEs in order to leverage the resources they need to fulfill their responsibilities. The 2008 Corporate Board Member/Crowe Audit Committee Study results demonstrate that audit committees are working to reach higher levels of potential—taking many positive steps and helping to identify areas that will need further improvements in the years to come.

A Glance in the Mirror: Evaluating Audit Committee Effectiveness

The survey focused on several key measures of audit committee function and asked respondents to rate their committees’ effectiveness in these areas. The following highlights describe audit committees’ self perceptions on their strengths and weaknesses:

Leadership ability–Forty percent of audit committee members say there is room for growth in how effectively the audit committee assists in the design of the internal audit department’s mission, strategy, and focus, as well as how they are able to articulate the parameters for implementing the mission of the internal audit function.

CAE orientation and mentoring–Audit committees’ effectiveness is enhanced by reaching out to newly hired chief audit executives to establish a relationship. Of those polled, 76% say they are very effective at initializing this relationship with new CAE hires; only 45% say their committee is very effective at ongoing mentorship.

Budget oversight–Slightly more than half (51%) of the audit committee members surveyed say their committees are very effective at overseeing the internal audit budget.

These results indicate that while there are substantial percentages of high-performing audit committees today, there is leeway to increase both communication efforts and effectiveness. Resolving these issues means working to eliminate inefficiencies and learning to build and maintain strong board/management relationships. “It is a complex and often sensitive matter for a board committee to put itself under a microscope. But periodically doing so is critical for good governance,” says Corporate Board Member President and CEO, TK Kerstetter. “Sometimes, audit committees are reluctant to discuss these chinks in the armor for fear of openly admitting their processes—or people—are not working as efficiently as they should,” he continues. “This is often the time when a third-party can ease those concerns by providing an objective assessment of the situation and offering valuable recommendations for improvements.”