Deloitte brief on audit committees

I have been impressed by Deloitte’s contribution to discussions about risk management, in particular their “Risk Intelligence” series.

Now the firm has published an “Audit Committee Brief” that, by contrast, makes their risk management thought leadership shine. The document is truly brief, in that it is short on new or interesting information.

So the question is then what should guidance to audit committees in 2012 include?

Here are some thoughts:

1. As the role of the audit committee changes, it is not acceptable for the committee to “stand pat” with the same practices, composition, agenda, attendees, etc. Together with the governance committee and with guidance from counsel and internal audit, it should regularly assess its abilities against its needs and adapt as necessary.

2. Maybe it is expecting too much from the accounting and consulting firms, like Deloitte, to provide expert guidance outside financial reporting. While that remains important, arguably the unpleasant surprises will come from other areas where the audit committee provides oversight. I would look to counsel and internal audit to be watchful for valuable thought leadership and guidance from other sources, sharing as appropriate with the members.

3. I would be mindful of the need to manage overlap between committees. In particular, I like the idea that at least one of the audit committee members would be a member of any risk committee, compliance or ethics committee, etc.

4. As technology becomes even more critical, I would make sure that the audit committee is capable of challenging management not only about the risks related to technology, but also about the opportunities it presents. For example, does management have the information it needs, when it needs it, in a useful form, to run the business effectively?

What would you like to see included in thought leadership for audit committees?

  1. tony stanco
    June 3, 2012 at 9:30 AM

    Agree this brief is brief. Re-hash of the same old same old. Most useful paper I have read this year is out of University of Illinois. Key issue is information, who has it, who does not have it and how quickly it moves. The CEO/CFO have it in a timely way and the board members do not. Hence the board is always at a disadvantage. Question is how to bridge the gap. Comes down to engaged, informed board members, what I believe is a rare breed. Legislation legislates more because lawyers are talking to lawyers. What is happening is boards can monitor management when they behave well, economy strong, sales strong etc but they almost always fall down in monitoring bad management behaviour. I don’t think this can be legislated at all. Certain directors develop a track record for monitoring management bad behaviour. Investors know who these directors are. I think it makes sense to follow these directors for both investors and employees. It is only those of the highest character who are effective at monitoring management when they behave badly, anyone can monitor when they behave well.

  2. DesDizzy
    June 4, 2012 at 4:10 AM

    Tony. I agree 100% with your comments. Audit & the Audit committee within large organisations are of marginal utility unless underpinned by a proactive and senior risk management function.

  3. Hugh Parkes FCA CISA
    June 4, 2012 at 7:55 PM

    So is the Audit Committee aware of where the corporate information resides?
    It is relatively simple to produce an MS Visio chart of all the databases in the enterprise, and a logical extension is to show the quality and reliability of the information stored on each database (good, in need of cleansing, unreliable – think traffic light colours for ease of AC understanding). Then show a) where CAATs have been used to provide assurance (NO CAAT equals minimal/no assurance – it is 2012 after all, quill pens should have been retired) and b) what the quality/fitness for purpose of management reports produced from each database is like for the managers of each area charged with running the organisation (exercising governance – again traffic lights can be used to show good, indifferent, or bad management reporting). These are great strategic planning tools for Audit Committees seeking an overview of business environments in a pervasive IT world.
    All the value in an organisation is stored in its information. It is also a good idea to show how many of the enterprise’s employees are connected to each database – for prioritising assurance activities.
    Deloitte’s landmark surveys “In the Dark” I and II point to the urgent need for and scope for far greater non-financial information to be provided to Audit Committees and to Boards.

    • Norman Marks
      June 4, 2012 at 10:37 PM

      Hugh, why the focus on databases? The information the audit committee needs is at a much higher level. Also, I don’t understand the emphasis on old-style CAATS used by the internal audit function when there are modern business intelligence capabilities that both management and audit can use, together with specific data quality (EIM) tools to supplement controls over the integrity of the data.

      Can you clarify?

      Norman D. Marks, CPA, CRMA OCEG Fellow, Honorary Fellow of the Institute of Risk Management Vice President, Evangelist Better Run Business SAP

    • Ryan
      June 8, 2012 at 12:26 PM

      I also wonder about the focus on the databases and using CAATs to provide some sort of assurance. Not only does that seem to be more detailed than an AC would want to deal with, but it seems quite reactive. In general it’s better to have effective controls in place so that the data maintains its integrity instead of having techniques only to show that it ‘appears’ good at a point in time. I think you may be focusing too much on the idea of data integrity as the primary concern for IA and the main thing the AC would care about.

      I’d switch your “All” for “MUCH of the value in an organization is stored in its information…”. For the AC this can vary depending on the company, legal, regulatory and compliance requirements (for non-SOX companies the risks can extend beyond the data), location, history, etc. Otherwise all any IA department would need is a CISA with DBA knowledge and they’d be golden. Which isn’t the case.

      IA and the AC should be closely tied to the ERM process and understanding the risks of the company as a whole from all sides. Then they can make sure they have clearly defined responsibilities and an effective go-forward plan.

  4. June 25, 2012 at 8:32 AM

    This reads like something that would have been published in 2005/06 after the initial pains of SOX implementation had started fading.
    The greatest asset an Audit Committee member (or board member for that matter) has remains skepticism. Management always has more information and more context on any subject and can influence the discussion whether done unconsciously or not.
    I think it’s incumbent on the CAE and GC, hopefully with the assent of the Audit Committee Chair, to assist the committee via the annual self-assessment and through informal discussions about the most needed skill sets for the committee and the non-financial issues (risks if you will), facing the organization. Information Technology is not always a high risk, as it depends upon the industry — risk yes, but necessarily a ‘high risk’.
    Internal Audit’s mandate, hopefully, is broader than the external auditor’s mandate. While the retained external auditor’s mandate has been generally restricted to financial information, I’m surprised no mention occurred about the other roles and requirements Audit Committees face today.