Audit risks - Widening the level of assurance
Presentation by Clint Ramoo, Audit Director, Audit New Zealand
Last year I talked about how we can jointly work at addressing the risks identified as part of our planning process. This year, my focus is on a key structure that can assist in managing these risks, namely your Audit and Risk Committee (ARC). If you already have an ARC, in the next few minutes I will provide you with some key points on how to get better value out of it; for those of you who do not have one, I will outline the benefits you can gain.
Entities often establish internal audit departments, set up project governance structures for strategically significant projects, obtain real time probity advice on large and complex procurement or have in place various committees to oversee different aspects of the business. Sometimes having too many structures in place to manage risk is in itself a risk and it is therefore important to keep things simple and appropriate for the size of your entity.
While the responsibility for managing an entity’s risks rests with the Chief Executive or Board, an ARC can help in meeting these obligations.
The composition, terms of reference, and roles of ARCs vary from one organisation to the other. There is plenty of guidance out there on Audit and Risk Committees, and you may be aware that the Office of the Auditor-General (OAG) is in the process of updating its own guidance on the matter. As part of the current audit round, Appointed Auditors will be collecting information on Audit and Risk Committees to feed into this updated guidance. In preparing for today’s presentation I have however used the current OAG guidance and United Kingdom Treasury material as a reference point.
In the next few minutes I plan to share with you some key principles to consider with regard to Audit and Risk committees. These are:
- Independence
- Open and effective relationships
- Diverse skills
- Role and scope
You may already have considered these as part of establishing your own audit committee; however, it is always useful to reflect on them in the context of your own organisation and to consider whether there is a need to revisit your current practices.
Principle 1: Diversity of skills
Having a committee with a range of skills similar to the Village People is probably a good starting point, provided of course they do not break out into a rendition of YMCA!
A key role of the Audit and Risk committee is to provide the Board or Chief Executive with the assurance they need on governance, risk management, the control environment, and the overall integrity of the financial and service performance information. In order to give effect to these responsibilities, the committee needs a range of skills and experience in relation to these matters, and more importantly the operations of the entity.
While financial management and reporting is a key responsibility of the Committee, it does not mean that the Committee should be loaded with a bunch of accountants! Having at least one member of the Committee with recent and relevant financial experience should do. The committee should agree with the Chief Executive or Board on other skills required in order for it to be effective. These skills could relate to the core business or strategic projects within the entity. While members may be selected for their skills, it is equally important that they are able to work together. A dysfunctional committee will only serve to increase an entity’s risk profile.
Principle 2: Independence and objectivity
No, this is not a plug for EECA’s “Right light” campaign but rather a reminder of the need for members of the ARC to be independent and objective, to be able to engage with and challenge the organisation. The ARC can also shine a light, if you like, on the key risks facing the entity!
Ideally, the Committee should have no executive responsibilities and should therefore be chaired by a non-executive person and include at least one other independent member. The entity should also consider seeking further independent members to ensure that there is an appropriate variety of skills and experience.
Insofar as the role of the Executive is concerned, your attendance at meetings is important for the purposes of providing information and participating in discussions. The attendance of the Chief Executive and the Heads of Internal and External Audit is equally important if the Committee is to be effective. Provision should be made for the Committee to meet privately with the Chief Executive and the internal and external auditors on a regular basis.
The management of conflicts of interest on the Committee should mirror that of the Board or any other structure within the entity. The perceived integrity of the ARC is to a large extent determined by how this is managed. Each member should take personal responsibility to declare any conflicts arising from business undertaken by the entity, items on the agenda, or changes in their personal circumstances. These should be raised with the chair to determine the appropriate action to be taken, and must be dealt with immediately.
Finally, it goes without saying that all members of the committee should have a clear understanding of what is expected of them, how their performance will be appraised, the duration of their appointment and how often it will be renewed, and what training and development will be provided. These terms should be provided to members prior to their appointment.
Principle 3: Open and effective communication
While communication with the Board or Chief Executive is an important aspect, the committee should also communicate across the entity and demystify its activities.
After each meeting, the Committee should summarise the business it considered and offer views and advice to the Board or Chief Executive on issues that require action. These reports should be shared with the internal and external auditors.
The committee should have good relationships and on-going communications with those from whom it seeks briefings, and those to whom it provides assurance. This will go a long way to ensuring high levels of engagement and enable the committee to effectively fulfil its function.
On an annual basis, the Committee should consider providing a report to the Board or Chief Executive on its views of the effectiveness of governance, risk management and the control environment and the reliability of assurance mechanisms to support decision making.
The Committee should also use this as an opportunity to report on the quality of internal and external audit and the effectiveness of their approach. Finally, the Committee should assess its own performance and effectiveness and report on this. This is also a good time for the Committee to consider changes to its own composition.
Principle 4: Role and scope
The direction that the Committee takes is largely defined by what the Chief Executive or Board is looking for by way of assurance. The primary role of the Audit and Risk Committee is to support the Chief Executive and Board by reviewing the comprehensiveness and reliability of assurances on:
- governance,
- risk management,
- the control environment and
- the integrity of the financial and service performance information.
The scope of the Committee should be defined in its terms of reference and cover all the assurance needs of the Chief Executive or Board. The terms of reference should allow for specific engagement with the work of the internal and external auditors and with financial and non-financial reporting.
Given the competing issues facing Boards and Chief Executives, they need to know that they are focussing their efforts on the right issues, and key to addressing this is obtaining the right assurance. Assurance draws attention to how effectively risk management, governance and controls are functioning, and also to how they can be improved.
A risk-based approach to assurance will help your Board and Chief Executive to judge whether they are focusing on the right issues and applying the resources to the right areas. The ARC can help to formulate the assurance needs and assess how well assurance received actually meets these needs.
The committee has an important role in constructively challenging the overall provision of assurance and whether the nature and scope of assurance work meets the needs of the Board and Chief Executive. It should at the very least challenge the credibility and independence of assurance providers, test their conclusions, and be permitted to commission assurance work from appropriate sources where it identifies significant risks.
The Committee should draw the Board and Chief Executive's attention to areas where:
- Risk is being appropriately managed, in which case no action is required;
- Risk is being inadequately managed, in which case action is required;
- Risk is over-controlled, with resources being wasted that could be applied in other areas of the business.
The Committee should endeavour to obtain assurance from across the entity. For this to happen, the leadership team in the entity needs to ensure that there is effective communication of risks and controls across the entity. Assurance should also extend to outsourced service arrangements.
The Internal Audit function is the most significant resource of the Committee. The Committee therefore has a role to play in advising on the:
- Strategy of the internal audit department and how it addresses the entity’s risks;
- Adequacy of resources in internal audit;
- Charter and terms of reference for internal audit;
- Results of internal audit reviews; and
- Performance of internal audit.
For external audit, the Committee should engage with the external auditors on their planned audit approach, the results of that work, and the resolution of identified weaknesses.
The Committee should also consider how the external and internal auditors are working together to maximise efficiency and avoid duplication. In my experience this is done pretty well especially at the time of fee negotiations.
A final aspect that the committee needs to consider is how governance arrangements support the achievement of the entity’s strategic objectives and the control environment.
All of this should be captured in the terms of reference and agreed to by all parties. The Committee should have the appropriate authority to require any member of the entity to report on risk and controls within their area of responsibility by attending meetings or in a written report.
In summary, an ARC can act as the conscience of your entity and can provide insight and constructive challenge when required; how you choose to use it is up to you!
Thank you.