What should the audit committee focus on in 2015?
Every year, the audit firms provide audit committees with their ideas of what the agenda should include in the coming year. Their ideas are usually good, although they typically (and understandably) focus on matters of interest to the audit firms. Each year, I have wondered (and blogged) why they don’t include any discussion of obtaining formal assurance from internal audit on the effectiveness of risk management.
This year, the publication from Deloitte is more interesting than usual. In their Audit Committee Brief, November/December 2014, they ask, “What’s on your agenda for 2015?” They highlight:
- Effectively managing IT
- The audit committee report (as filed in the 10-K)
- Internal controls, in particular the focus by the PCAOB on material weaknesses and the work of the external auditor, as well as the update of the COSO internal controls framework
- Globalization and its effect
- Finance talent
- Risk oversight
- Tax considerations
Addressing the risk oversight issue first, Deloitte has made some progress this year. They make the important statement:
“Regardless of who in the company is in charge of risk, the most important consideration is that the company has a clear view of where risk monitoring and related activities are housed and that risk issues are being adequately covered.”
All of the topics in the Deloitte document are food for thought, but none more, in my opinion, than the topic of IT.
While Deloitte understandably focuses exclusively on the negative risk from technology (cybersecurity and so on), they make the excellent point that the audit committee needs to get face time with the CIO. I think it is an excellent idea for the CIO to attend every other audit committee meeting.
Deloitte suggests questions for the audit committee to ask about technology-related risk. I think additional questions should be considered, including:
- How do you assess and manage business risk relating to technology? Are you engaged with the enterprise risk management process?
- How much risk is enough and how much is too much?
- How do you determine how much to invest to address technology-related risks?
- Are you taking enough risk when it comes to new technology that might advance the business? How do you know? Who do you work with to assess whether and when to deploy new technology?
- How do you know that the IT function is delivering the value it should to the business?
- How involved are you with the company’s strategy-setting processes? Is this the right level of involvement?
I welcome your comments.