I recently wrote about the publication of Volume 5, Issue 9 of The Bulletin, which focuses on setting the 2015 Audit Committee Agenda. Response to this piece has been tremendous and I wanted to remind anyone interested in a deeper dive to check out our free webinar from February 10, where two of our leaders in the internal audit and financial advisory (IAFA) practice, Brian Christensen and Dave Brand, and I had the privilege of addressing these issues.
Navigating a constantly evolving business environment means setting clear priorities and establishing a risk management framework that asks the right questions at the right time to yield effective risk response solutions. The webinar emphasizes the importance of finance and audit functions going beyond their traditional roles to become true strategic partners. It also discusses the impact of technology and the audit committee’s responsibility to understand it better.
As I said in the webinar, it is important to demonstrate a bias toward action. In addition to communicating the top risks, management needs to articulate who owns the risks and the strategies for mitigating the risks. If the audit committee is chartered to oversee risk, it should expect these communications from management. If another committee is so chartered or the responsibility falls on the full board, the expectation of management still applies.
The rapid rate of change in today’s business environment demands that the audit committee review the organization’s risk profile at least annually. Ideally, this evaluation should be supported by an updated risk assessment by management. For the most significant risks – for example, the cybersecurity issues that captured headlines in 2014 – either the audit committee or another appropriate committee tasked by the board should ensure that the company has appropriate action plans in place to address them.
Another critical responsibility for the audit committee is to oversee the capabilities of the finance organization and internal audit to ensure they can deliver to expectations. Brian Christensen, a member of our executive team and global leader of IAFA, recommends a holistic approach that goes beyond the traditional “rearview” financial reporting. Rather, companies should strive to develop forward-looking financial analyses, enterprise-level processes and technically proficient staff who are well versed in new technologies, communication/collaboration and regulatory compliance.
This can be challenging, because many audit committee members were chosen for their backgrounds in finance and may not possess the technical expertise to understand technology risks. To address this, Dave Brand, who leads our global IT audit practice with IAFA, recommends avoiding the technical aspects of technology and focusing the discussion on specific operational or strategic threats or advantages tied to key technologies. Dave urged effective dialogue around these issues rather than the fear-mongering that has dominated the discussion of cyberthreats lately. His point is that this conversation should be a business discussion.
Perhaps most important, it is imperative for the audit committee to pay attention to risk culture to address the risk of dysfunctional behavior undermining risk management and internal control. When issues are identified, for example, does management follow up in a timely fashion to address control deficiencies? Is the board always surprised by risk incidents? Does the organization lack timely board involvement in decisions involving significant risk?
Undoubtedly, 2015 will pose interesting challenges. By adopting a proactive philosophy and managing change, the audit committee will be better positioned to steer the company toward success. I hope this webinar will help clarify your agenda for the forthcoming year.