
Talking sense about the Audit Committee

November 9, 2020

I am tired of seeing nonsense written about the responsibilities of the audit committee when it comes to their oversight of risk, especially cyber risk. The latest (members-only, which may be a relief) is from Compliance Week; it says the audit committee must have an in-depth understanding of cyber risk – and pays no attention to whether a breach might affect either the integrity of the financial statements or the achievement of enterprise objectives. It also confuses the roles of management and the board.

McKinsey has a far better article, but still misses the mark.

It’s time to go back to basics!

What are the responsibilities of the audit committee of the board?

In 2018, Deloitte published a sample audit committee charter designed for US public companies. It said that:

The audit committee is established by and among the board of directors for the primary purpose of assisting the board in:

  • Overseeing the integrity of the company’s financial statements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)] and the company’s accounting and financial reporting processes and financial statement audits [NASDAQ Corporate Governance Rule 5605(c)(1)(C)]
  • Overseeing the company’s compliance with legal and regulatory requirements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
  • Overseeing the registered public accounting firm’s (independent auditor’s) qualifications and independence [NYSE Corporate Governance Rule 303A.07(b)(i)(A) and NASDAQ Corporate Governance Rule 5605(c)(1)(B)]
  • Overseeing the performance of the company’s independent auditor and internal audit function [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
  • Overseeing the company’s systems of disclosure controls and procedures
  • Overseeing the company’s internal controls over financial reporting
  • Overseeing the company’s compliance with ethical standards adopted by the company

Note that there is no legal requirement (yet) in the US for the audit committee to oversee the management of risk, but we can certainly add that to the list above.

Let’s add to the above with the important section from COSO’s Internal Control Framework (2013) on effective internal control:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.

I will return to that definition at a later date.

Let me keep my advice for audit committee members and their advisors simple.

I will start with what we all know:

  1. The role of the board is not to run the organization. The role is to ensure it has the right management team and they are running the organization effectively. They have a governance and not a management role.
  2. The board and its committee should be focused on obtaining assurance that management prepares accurate financial statements and makes other required disclosures not only to the regulators (SEC, etc.) but also to other stakeholders (banks, etc.).
  3. In addition, it needs assurance that management has an effective system of internal control in place, not only for financial reporting and other disclosures, but also for the achievement of the objectives approved by the board for the organization.
  4. It also needs assurance that management is properly addressing the risks and opportunities (as called out in the King IV and other corporate governance codes) that might affect the achievement of enterprise objectives.
  5. Finally, the board needs assurance of the effectiveness of both the internal and external auditors.

Now here are my specific recommendations. They recognize the true role of the board as a governance body and not a management body, and the specific duties of the audit committee as described above.

When it comes to specific sources of risk, of whatever color, ask:

  1. Will this significantly affect the reliability and integrity of the financial statements?
  2. Will this significantly affect our compliance with required disclosures, including the effectiveness of disclosure controls?
  3. Will it significantly affect the effectiveness of internal control over financial reporting?
  4. Will it significantly affect the effectiveness of the system of internal control for other enterprise objectives?
  5. Will it significantly affect the likelihood of achieving our objectives?
  6. Is there a significant problem with relying on our systems and processes for managing risk to objectives?
  7. Will this have a significant adverse effect on our reputation?
  8. If this source of risk is not significant, given the answers to questions 1-7, why is it being brought to us for discussion? Why can we not rely on management to handle it?

I welcome your thoughts.

Apparently, there are legal minds who disagree with my statement that “The role of the board is not to run the organization.” They point to the obligation of the board under Delaware law: “The business and affairs of every corporation organized … shall be managed by or under the direction of a board of directors.”

There is a difference, as every lawyer would tell you, between the words “run” and “manage”.

Clearly, members of the board can be held liable (although I am not an attorney, so this is not a legal opinion) if the organization fails in some way.

But I am not talking about that. I am talking about running the company, and that is something the management team does with oversight by the board.

The board only has periodic involvement (at least the independent members) and it is totally unreasonable (in my lay experience and opinion) to expect them to run the company.

Instead, they appoint a management team and are entitled (given reasonable processes for hiring, reviewing, and terminating them) to rely on them to run the organization. However, they need (not a legal requirement in the US but a practical one everywhere) to have assurance on things like internal control and risk management.


  1. November 10, 2020 at 5:41 AM

    Most disturbing is that so many, as you rightfully note, seem to have no clue about the difference between governance and management. If I got 1₤ for every ‘Executive’ that considered themselves too ‘important’ to see that they’re just dabbling in the wrong sorts of management while looking down on those doing actual work, I’d be working remotely — off some nice island at a poolside bar, not Slough. Alas there seems to be some mishap with my bank account no.
    ‘Governance’ has become too much of emperor’s clothes *but also* the actual oversight is far too distant to where things go right / wrong.

  2. November 10, 2020 at 9:51 AM

    Norman, does your point 2 also cover the need to ensure the company is reporting principal/significant risks as required by some jurisdictions?

    • Norman Marks
      November 10, 2020 at 10:39 AM

      It does, yes

  3. November 11, 2020 at 1:08 PM

    A useful “shot across the bows” Norman.

    We must guard against those who “whip up” those in GRC (e.g. to become cyber experts) when there may be an incentive for them to do this, and it will depend upon the specific situation.
    I agree:
    1 We should remember the difference between oversight and management and that the role of the AC/Board is to oversee key risks and their assurances;
    2 The AC/Board can't be experts on everything.

    BUT: The ability of management to transmit complex issues in plain language is key; as is the board’s ability to ensure they are not being bamboozled.

    So: for a tech/platform company you might want 1-2 board members to have a decent understanding of cyber. But I agree they need not be super experts. Likewise a Pharma co needs some board members who understand R&D/Supply Chain etc. well enough or we will have a problem with their ability to challenge effectively and insightfully.

    In addition, there are deep issues about what we think is a significant risk (for me, simply put: gross over net and impact over probability) and also understanding what is “reasonable assurance”, especially for non financial risks, where this is less clear.

    Finally, whilst I agree L2 functions should not necessarily be policemen, we often need them to be better at calling out/improving problems in L1; otherwise this becomes a recurring cause of issues, and IA is left too much alone.

  4. Norman Marks
    November 20, 2020 at 1:46 PM

    Please see my Postscript for clarification of the blog post.
