
What should the audit committee focus on in 2015?

January 31, 2015

Every year, the audit firms provide audit committees with their ideas of what the agenda should include in the coming year. Their ideas are usually good, although they typically (and understandably) focus on matters of interest to the audit firms. Each year, I have wondered (and blogged) why they don’t include any discussion of obtaining formal assurance from internal audit on the effectiveness of risk management.

This year, the publication from Deloitte is more interesting than usual. In their Audit Committee Brief, November/December 2014, they ask “What’s on your agenda for 2015?” They highlight:

  • Effectively managing IT
  • The audit committee report (as filed in the 10-K)
  • Internal controls, in particular the focus by the PCAOB on material weaknesses and the work of the external auditor, as well as the update of the COSO internal controls framework
  • Globalization and its effect
  • Finance talent
  • Anti-corruption
  • Risk oversight
  • Tax considerations

Addressing the risk oversight issue first, Deloitte has made some progress this year. They make the important statement:

“Regardless of who in the company is in charge of risk, the most important consideration is that the company has a clear view of where risk monitoring and related activities are housed and that risk issues are being adequately covered.”

All of the topics in the Deloitte document are food for thought, but none more, in my opinion, than the topic of IT.

While Deloitte understandably focuses exclusively on the negative risk from technology (cybersecurity and so on), they make the excellent point that audit committees need to get face time with the CIO. I think it is an excellent idea for the CIO to attend every other audit committee meeting.

Deloitte suggests questions for the audit committee to ask about technology-related risk. I think additional questions should be considered, including:

  • How do you assess and manage business risk relating to technology? Are you engaged with the enterprise risk management process?
  • How much risk is enough and how much is too much?
  • How do you determine how much to invest to address technology-related risks?
  • Are you taking enough risk when it comes to new technology that might advance the business? How do you know? Who do you work with to assess whether and when to deploy new technology?
  • How do you know that the IT function is delivering the value it should to the business?
  • How involved are you with the company’s strategy-setting processes? Is this the right level of involvement?

I welcome your comments.

  1. Hiram Chege
    February 1, 2015 at 11:56 AM

    Precise and insightful. Thanks Marks!

    An additional question could be on the correlation between IT related risks and crystallization of operational risks.

    It’s important for every entity to recognize the importance of ICT in any work environment today and the inseparable correlation between IT-related control lapses and crystallization of operational risks.
    My point? By addressing basic IT controls, whether at system level (system design along the specific business idea) or enforcing (e.g. maker-checker), many operational risks can easily be eliminated.
