KPMG and I talk about changes at the Audit Committee meeting
I am used to seeing some new thinking from our Canadian friends. That is hardly the case when you look at a recent publication from KPMG Canada, Audit Trends: The official word on what’s changing and how audit committees are responding.
That title not only sets the expectations high, but sets KPMG up for a fall.
This is how they start us off, with an astonishing headline section:
ACs TODAY DEAL WITH A BROAD RANGE OF ISSUES, AND ACCOMPANYING RISKS, THAT ARE BEYOND FINANCIAL STATEMENTS, REPORTING AND INTERNAL CONTROLS OVER FINANCIAL REPORTING – THEIR TRADITIONAL AREAS OF RESPONSIBILITY.
These include CFO succession management; forecasting & planning; liquidity; M&A; environmental, social and governance factors; fraud and more.
My first audit committee meeting, as the chief internal auditor, was about 25 years ago. If memory serves me well, the only audit committee meetings that focused only on “financial statements, reporting, and internal controls over financial reporting” over those 25 years were short calls to review earnings releases, and so on. Not a single in-person meeting was limited to these few topics.
KPMG continues:
THE DAYS WHEN THE AC AGENDA WAS SOLELY DOMINATED BY AUDIT MATTERS AND TECHNICAL ACCOUNTING DISCUSSIONS ARE GONE.
Sorry, KPMG, but the world does not spin around the axis of the CPA firm.
Here’s another silly profundity, a highlighted quote from the Vancouver practice leader:
“Organizations today rely heavily on technology to manage internal processes and external customer relationships, it is therefore essential for ACs to understand what management is doing to mitigate IT risks.”
In 1990, my company was totally reliant on technology. Not only was it relied upon for internal business processes, but our oil refineries were highly automated. So-called IT risks (so-called, because the only risks are risks to the business – which may come from failure in the use or management of technology) were so extensive that I dedicated a third of my budget to IT audit. Going back even further, the savings and loan companies I worked for in the mid to late-1980s relied “heavily on technology to manage internal processes and external customer relationships”.
So what are the changes that should be happening at the audit committee? Here are six ideas:
- The audit committee should be asking management to provide assurance that it has effective processes for addressing risk (both threats and opportunities) as it sets strategies and plans, monitors performance, and runs the business every day. The audit committee should not be limited to a review of the “risk du jour”; it should require that management explain how it has embedded the consideration of risk into the organization’s processes and every decision.
- The audit committee should insist that it obtain a formal report, at least annually, from the chief audit executive, with an assessment of the adequacy of management’s processes for managing risk, including the adequacy of the controls over the more significant risks.
- With the enormous potential for both harm and strategic value of new, disruptive technology, the audit committee can help the full board by challenging management on its approach to new technology. Does the IT function have the agility, resources, and capability to partner with the business and take full advantage of new technologies, while managing downside risk?
- Continuing with that theme, is the organization hamstrung by legacy infrastructure and systems that inhibit its agility, its potential for moving quickly as business conditions and opportunities change? Is it able to change systems and processes fast enough?
- The COSO 2013 update of the Internal Control – Integrated Framework is an opportunity to revisit a number of issues. One that should be high on the agenda is whether the company is providing decision-makers across the organization, from Strategy-setting to Marketing to Finance to Operations, with the information they need to drive success. This is not just about the deployment of Big Data Analytics because that is just a tool. It is about (a) understanding what information is available and can be used to advantage, (b) obtaining it at speed, and then (c) delivering it everywhere it should be used in a form that enables prompt use and action.
- With all the demands on the audit committee, there is a need to re-examine its composition and processes. Do its members have all the experiences and skills necessary to perform with high quality, addressing issues relating to the management of risk, the use of technology, the changing global world, and so on? Should it receive more periodic briefings from experts on these topics? Do its members even have the ability to dedicate the time they need? Are they receiving the information they need to be effective (studies say they do not)?
If the audit committee is spending more than 20% of its precious time on “financial statements, reporting, and internal controls over financial reporting”, something is seriously wrong.
I welcome your comments – especially on these six suggestions.
I fully agree with your suggestions but everything depends on the knowledge and integrity of the members of the audit committee, particularly the Chairman or chairwoman.
Couldn’t agree more about point 5 (information) but the fundamental issue is decision-makers defining the information they need, which is not necessarily information available to them in their company. For example, a merchandising director in a retail company can get his/her best information by walking round the stores of competitors. One of the best ways of deciding the information actually required is by knowing the risks hindering objectives, and then asking the question, ‘What information do I need to anticipate/manage this risk?’ (more details from http://www.managing-information.org.uk)
David, how about identifying the opportunity to excel? “What information do I need if I am to leap ahead of the competitors, with improved products, display and presentation, customer experience, pricing, and so on?” For example, “can I get faster and more insightful feedback that tells me whether customers like my new product?” “Can I find out what people are saying about my retail stores and those of the competitors? What do they like and dislike and why?”
Norman, you have a valid point but you should come up with the same information either way. I have risks: that the competition pulls ahead of me, customers won’t like my new product, my stores aren’t liked by customers, I’m not selling products customers want. Perhaps I’m just a ‘glass half empty man’.
Norman.
Spot on!
Audit committees should not be concerned with risks but with risk management. By that I mean that they should seek information to assure themselves that management has a soundly based and effective approach to managing risk – that is embedded in decision making.
Any audit committee that is just sent a risk register or list of risk should complain bitterly. They should quite rightly assume that management are paying lip service to risk management and think that list management is risk management.
The real issue here is that Audit Committees (and Boards for that matter) do not know better. They are fed a diet of mis-information by the various professional bodies (including the various Institutes of Directors) and by the audit companies.
You get the Audit Committee you deserve and that means that companies and other organisations must invest in director training – and not by people who either don’t know better or have a vested interest in mis-information.
Norman- I would not share these excellent ideas of yours but would wait until the next set of disasters and then be called upon to come on in to help clean up the mess. The fact that you are critiquing a report (pablum) of the large accounting firms for probably the 100th time and they are missing in action (meaning that they cannot intelligently respond to your comments) demonstrates that they are clueless. I have stated this consistently over the past several years- pretense and nothing else. You are just toying with them and they have no idea how to respond to your remarks- ridiculous report.
I fully agree with your article. A major problem we face in the Middle East is the level of expertise the chairman of the AC may have for overlooking their functions in the organization. Unfortunately, most of the members, including the chairman, will not have the adequate expertise and education to discharge their responsibilities. Now the CAE in this case will have a difficult situation: what should he do? If he tried to say to the audit committee members that they don’t have the expertise and educational background to fulfill their duties as AC members, most probably he will lose his job. The other approach is to try to educate the audit committee members and chairman and raise their awareness level, but it is not easy to do and needs a dedicated and honest CAE. Please comment; any suggestions on this dilemma the CAE may face with the AC are welcome.
Ihab,
While the Chair of the Audit Committee might think he is rather special, the truth is that he will benefit from being trained – as we all do. The solution, as with all Boards and Committees, is that the organisation must invest in training the members. Otherwise you get the Board or Committee you deserve!
If the CAE is not up to it, he must buy in the training from outside the organisation. Just don’t use cheapness as the primary criterion for selecting a training supplier.
Couldn’t agree more.
I fully agree on the six suggestions, and in my opinion most of the global companies follow this principle.
Sir,
Really all points are valid. It is strange that leadership qualities of the chairperson, exposure to risk situations, governance, ethics, his enquiry skills, fact finding methods, judgment are to be ranked. The three images, product/services image, company image and management image, are basic ingredients for the insight of chairperson to aspire to ride over the risk audit and to see the merits versus demerits without prejudice in the light of all stakeholders, either active or passive. Such leaders are very very few in the world by large. How many GM, Ford cars imperfect are called back, how cheap drugs royalty/patent jacked and sold in underdeveloped (technology lack areas) at skyrocket prices. In short, human race is cynical/hypocritical and no corporate law can bring them/regulatory authorities can book them for their errors. The self discipline, the other name ethics/self consciousness/empathy, is to be practiced in true sense.
This I found universal in manufacturing, service, Govt/public undertaking throughout the world.
Now international law contract law application from the third party/tort need revised thinking to protect the layman. Who will bell the cat? Trillion dollar question.
Raman
Director (Risk &project)
Mark consultants