BY PAUL QUIGLEY
Post-Turnbull, much has been made of the significance of audit committees, board level responsibilities and effectiveness of internal and external controls. But what systems and processes are really driving the realpolitik of this vital organisational audit role?
Internal controls and the management of risk have become the new management poster children over recent years. Following the financial scandals of the eighties and nineties and into the new millennium, the focus of corporate self-assessment has risen up the boardroom agenda like a helium balloon. Where management issues such as quality, productivity, staff and executive remuneration once dominated management thinking, the equilibrium has been rocked so severely, that no organisation, public or private is ignoring the risks of continual monitoring of processes and business systems.
The Turnbull guidance in the UK was the first wake-up call regarding the black art of internal audit. However, the art goes much farther back than Turnbull. For many the COSO framework created the original mould on internal controls for organisations, with its entity/business unit level and process level structure, which has in many ways served well since and doubtless a major influence on the Turnbull internal controls guidance.
That said, the principles-based ethos of much of such risk management leaves massive scope for interpretation before, during and after implementation. Where box-ticking used to be the norm, today’s audit and compliance practitioners require much greater levels and depths of ‘soft skills’ to effectively do their work.
The lynchpin of most organisational structures regarding internal controls, perhaps unsurprisingly, now focuses on the board sub-committees tasked with this area – the audit committee.
The make-up and, if you will, bio-chemistry of this independent body is becoming almost akin to a resident, dedicated internal regulator, policing the diurnal and financial business processes of its host organisation.
“In recent years UK companies have invested considerably in establishing robust and effective frameworks for their audit committees,” says Andrew Ratcliffe, senior client partner, PricewaterhouseCoopers LLP. “PricewaterhouseCoopers believes the quality of the work done by audit committees has increased as a result. This is borne out by the findings of our recent research into audit committees’ reporting as well as by the effectiveness reviews and professional development programmes that we are asked to carry out on their behalf.”
According to Ratcliffe, the number and behaviour of members, the calibre of the chairman and how well meetings are run are all important to how well the committee operate. “The effectiveness of audit committees is also highly dependent on the clarity of their role in the company – in particular where and how they gain their assurance – the nature of the working relationship between the board as a whole and the executive team.”
However, one delicate area of concern arises where audit committee members are, essentially, made up of non-executive directors, reliant on reports from within the organisation. They are not executives, not managers, but bring their valuable objectivity to the table. Gerald Russell, a senior partner with Ernst & Young in London sees another danger looming. “Audit committees are increasingly being seen as the guardians of risk management. But such a view is just not reasonable. Risk – strategic, operational and financial – is a board matter and cannot just be kicked sideways” Russell warns. “Indeed, it is the executive members of the board and their direct reports who should be in a better position to manage risk. Audit committees cannot, and should not, be expected to know all the detail.”
Tim Copnell, director of KPMG’s Audit Committee Institute, concurs with Russell. “The responsibility for risk and control within an organisation rests firmly with the board. However, audit committees can exercise effective oversight on behalf of the board. To do so, the committee must have clarity as to its role; trust management but seek robust assurance through verification; maintain good relationships with management and auditors; and feedback to the board in a meaningful way.”
One of main dangers facing internal controls and the corporate governance aspect for audit committees in particular is becoming to closely intertwined into the day to day fabric and operation of the business. This danger of tackling the complexity of modern-day compliance, whether IFRS, Sarbanes-Oxley or EU directives, is at the expense of the core value of audit – independence, objectivity and value-add. If these become lost in the quagmire of compliance, then the whole purpose of internal controls is compromised.
For organisations, unloading burdens on audit committee workload is critical. Keeping them free from the devil in the detail, such as IT risk and compliance, whilst providing them with the overview capability and strategic vision, is the most important balancing act organisations must engender.
Indeed, IT risk – especially business continuity and contingency planning – has risen to become as much a priority for organisation’s business level and process level controls as for financial controls. According to a recent survey by KPMG, just 15 percent of 282 audit committee members surveyed said they were ‘very satisfied’. Some 20 percent stated that their oversight of IT risk could do with improvement, while 90 percent believed their audit committees needed to spend more time on reviewing IT risk.
The IT infrastructure of organisations is perhaps far and away the most tangible risk management factor today. Leaving the responsibility for its oversight solely to non-executive directors on the audit committee seems folly. Ultimately, the main board is where such decisions on other specialist sub-committees must be hammered out and implemented. Outsourcing such risk is another risk in itself, as ultimately, the Board is accountable for such matters, not audit committees. Outsourcing takes the processes outside the remit of internal controls, and yet is ironically, still part of the organisations’ wider, holistic entity level. Therefore, careful planning and agreed responsibility is still required, as business processes become more complex.
So for the conventional weapons of internal control and process audit, in the future, it should be more a case of steady as she goes rather than full steam ahead, as PricewaterhouseCoopers’ Ratcliffe concludes. “In future, we expect to see audit committees continue to use their performance evaluation reviews as a means to continuous improvement of the quality of their membership, processes and communication. However, we see little appetite or justification to increase the public reporting requirements for audit committees.”