Video transcript: Using your audit and risk committee effectively

Transcript for a video of a presentation about audit and risk committees filmed at the 2019 Audit New Zealand client updates.

Title: Using your audit and risk committee effectively 

Warren Allen

Good afternoon everybody. Thank you, Clint, for that introduction, and it’s indeed a great pleasure to be here with you this afternoon and to share with you my insights into audit and risk committees and, in particular, how they operate in the New Zealand public sector. Can I first of all start off by congratulating Steve and his team for setting up this update? It’s an excellent and very timely topic in improving trust and confidence. And, hopefully, I will, in the short time that we have available, demonstrate to you the importance of audit and risk committees and the way, if they’re structured properly and work properly, how they can add in that regard.

So, whilst I had an External Reporting Board logo up there, these comments are really personal ones. Certainly our primary mandate is not corporate governance; as you’ll all know, it’s accounting and auditing standards. We do have a little bit of mention in our legislation about corporate governance. But my credentials, as Clint pointed out, are really from many years as an audit practitioner at EY, many of those years as an appointed auditor for the OAG. And I currently chair two audit and risk committees in the public sector. So it’s on that basis that I’m speaking with you today.

So this is what I’d like to cover. We’ve dealt with the welcome and introduction. Just have a look at the key differences between audit and risk committees in the private sector and the public sector, because there are a lot of differences and it’s important that we understand those. How to add value, how to avoid the traps. Be careful, and we’ll talk about the benefits of a well-functioning audit and risk committee. And then a few concluding comments, and then I’m going to ask Steve to join me on the stage here and we’ll have a bit of a panel discussion and deal with your questions. And, if we don’t have any questions, we can get Steve’s view on this topic.

So let’s first of all look at the differences of audit and risk committees in the public sector, and, to do that, we need to look at how they operate in the private sector first. And they are a formal subcommittee of a board of directors in the private sector. So, therefore, they comprise just board members only. So, being a subcommittee, it’s generally chaired by somebody that has an understanding of financial matters – but not always – and it’s made up of two or three or four members from the board. It’s interesting to note that they are required by New Zealand regulators – the NZX Listing Rules and the FMA Guidelines fairly strongly point to all listed entities; all large private companies must have audit committees.

They have a very formal structure and set of responsibilities. You’ll find that they are quite tightly scripted around terms of reference, and they have quite a narrow set of topics that they deal with. So I would describe them as having a restricted agenda, with quite a narrow focus around financial reporting, internal and external operations. It’s interesting to know that they have a long history of good practice. I think it was around about the 1960s or 1970s that audit committees came into favour. They came out of principally the UK. There was a commission looking at corporate governance, and there was a strong recommendation of setting up audit committees. So that was its genesis; that’s where it started, if you like. And they’re well established in the corporate sector as part of the corporate culture. And, certainly, any private sector enterprise of any note these days will definitely have an audit committee.

So let’s compare that with what happens in the New Zealand public sector. And the first thing to note is that they’re not legislatively required, so there’s no legislation that says that the public sector must have an audit and risk committee. And they generally comprise external members. So, certainly the ones that I’ve seen over my years of experience and the ones that I’m currently involved with, they comprise external members. Sure, internal members of the enterprise attend those meetings, but they’re not members of the audit and risk committee. Now, this is a very important point, and this is very different than what’s in the corporate sector. So they are there at the request of the chief executive or the governing body. And, in the rest of what I say, I’ll tend to use chief executive, but read chief executive or governing body for that.

So I say regularly that they are there at the behest of the chief executive. So, if they don’t work, if they don’t add value, the chief executive should get rid of them. And certainly the two chief executives that I work for, I say that to them: “We’re there to support and add value to you, and, if we don’t do that, then we need to have a discussion or you need to get rid of us.” And I think that that is a really important point and is really the baseline, if you like, for the balance of what I’m going to cover this afternoon. So it needs to add value to survive, and that’s a big difference from the private sector. But that creates a real benefit. And the benefit is, because it’s not legislatively required, because it’s not required by regulations like in the private sector, there’s a lot more flexibility in terms of the structure and also the responsibilities that you want to add within that audit and risk committee. So I see that as a real benefit.

It enables you to have flexibility in the agenda. And I’ll talk to you of what we did in one of the audit and risk committees that I chair recently to the benefit to address this value-adding requirement of the audit and risk committee. So the good practice within public sector is not that well documented. I do acknowledge the good work that Audit New Zealand and the OAG have done – they have publications available about audit and risk committees – but that’s not quite the same extent as exists in the private sector. And also, it’s not well understood as part of the public sector culture. I don’t think that it’s as strong within the public sector as I see it in the private sector. But I acknowledge that it is strongly recommended and encouraged by Audit New Zealand.

And just backing up to that flexibility in that, the benefit of that is that you can develop it for what works for you. There’s no prescribed set of what you need to do here, so you set the audit and risk committee up to what works for the chief executive for the organisation. Let’s look at Warren Allen’s view as to how you add value with an audit and risk committee. So first of all, you need to respond to the chief executive’s or the council’s need. And the only way that you can do that is by having regular communication. And, on one of my audit and risk committees, we had a change of chief executive just in the last few months. So I’ve already had two meetings with that chief executive to sit down and work out what’s going to work. With a new chief executive, I’m expecting that will probably change the way in which we run that audit and risk committee. But I’ve said to him – and it is a he – I’ve said to him, “Let’s do a couple of meetings and just see how it goes, and then we’ll sit down with a whiteboard and plan out how we will do it going forward.” So that’s responding to the needs of the chief executive.

The external members need to become very familiar with the entity. If they are going to add any value, they need to be apprised of that entity. So I’ve ensured that our members on the audit and risk committee, that, on appropriate things, we have access to items that go up on the intranet; that we’re brought into the confidence of the organisation; we’re given documents; that the documents that we get for preparation for the meetings are appropriate to what we’ve got on the agenda. And you cannot ask these people to add value if you keep them in the dark, so they need to be taken in.

Also, it’s important to understand – and I’m one of these myself – the role of a chief executive can sometimes be quite lonely. And sometimes, as a chief executive, they’re looking for somebody to share an idea with. You might be thinking of doing some sort of new project, and it might be too early to share it internally. Use the audit and risk committee. Use them as a sounding board. And I encourage my chief executives in that role to use us, to bring us together, and to run as a sounding board, maybe before they are willing to share their idea within the senior management team within the organisation.

Also, you need to have a high level of formality. It’s pretty easy to take it quite casually when you are putting together an audit and risk committee, because it’s not legislatively required. But I would recommend that, to get that value, you need to have a degree of formality. You need to follow up on the actions that come out of the meeting. So keep an action register; keep minutes. And that’s probably about the level of formality that you need to make sure things happen following an audit and risk committee meeting.

Divide up the agenda. One of the things that we did with one of the committees that I’m on, it was too heavily dominated – and I feel at risk saying this in this venue – it was too heavily dominated by the internal and external auditors. To the point that we weren’t delivering the required level of value to the chief executive. So what we did is we took the three-hour agenda and we divided it up. We were an audit and risk committee, so we needed a third of the agenda on audit and risk matters. We had a third looking at systems, like IT or HR or health and safety, and then we had a third looking at strategy. And we spent time – and I’ll cover that in a minute – we spent time looking at the strategy and giving input to the strategy. So divide that agenda up. Don’t have it all solely on audit and assurance.

One of the key things is the pre-meetings. And I always have a pre-meeting with both the internal audit manager, who has responsibility for putting the meetings together, in one of the entities I’m involved with. And also, immediately preceding the meeting, I have a meeting with the chief executive. And it gives an opportunity for us to say, “These are the areas of which perhaps we will concentrate our discussion in the meeting.” And it gives the chief executive a little bit of a heads up as to what is coming, so you don’t end up blindsiding them. And it encourages the chief executive to go through the papers before the meeting, because he or she knows that there’s going to be some discussion around that.

Now, this is a real value-add situation. In the systems and the strategy part of our agenda, we have second- or third-tier managers come in and present on their projects. And this is a wonderful opportunity for them to come and present to external people some of the projects that they’re working on. Because generally, they only present internally. They don’t get many opportunities to present to an external audience. So this is a relatively safe environment for which they can do that.

And the Audit New Zealand directors will see a common theme here, because I spoke to their annual conference a couple of weeks ago. And I see the ground shifting here in an audit or assurance committee. And we should be spending less time on the systems side of audits, because generally, in this day and age, we can take that not totally for granted, but we can put a high level of confidence that systems these days work. But the things that don’t work – and it links in to the two previous sessions on internal audit and the Serious Fraud Office – is that human interface with systems. So what is the culture; what is the behaviour that’s brought to bear on those particular systems? So spend some time understanding, discussing the culture and the behaviour within the organisation. And this goes somewhat without saying, but you must have free, frank, open, unchallenged debate. For there to be value added, that debate needs to be in that regard.

So what are some of the traps? Well, you don’t want to, and I have seen some audit and risk committees made up exclusively of internal members. That won’t work, in my view. And some of the most valuable discussions that we have had is when we’ve been working within the systems area, like health and safety or the IT, or in the strategy area, and the level of discussion and the input. And we’ve had situations where the chief executive’s gone out of that meeting and said, “Wow, that was really, really good, really valuable.” So the total concentration on audit and risk or assurance is a trap to avoid.

Also, because it’s not legislatively required, and we all have really busy lives, it’s pretty tempting that, when you set a date up for an audit and risk committee, if the chief executive or the chair of the council, whatever it is, gets busy, it’s pretty easy to defer it or to not attend. And that’s a real trap. It needs to be given the importance if it’s going to deliver the value. So avoid the trap of infrequent meetings, or finding it really easy to cancel them or postpone them. Also, avoid the trap of no action taken on the matters raised. And I’ve always been amazed at the impact that comments and discussions at an audit and risk committee can have.

And I can remember the very first one that I went to for one of the entities, I made a throw-away comment, and two years later, there was a complete change in the way they presented their external report. And, when I enquired as to what was the catalyst of that, they said, “It was your comment at the audit and risk committee two years ago.” So don’t overlook the benefit and the power of somebody external coming in and making a comment. But it is important that you act on those comments, those actions being raised at the audit and risk committee.

Now, this one is important: avoid too much detail. Generally, the external people – and I’ll come to this again in a minute – generally, the external people are senior, experienced people. So don’t waste their time; utilise their skills appropriately. And I’ve found that that’s a trap that’s often fallen into, particularly by the internal and external auditors. They get very passionate – and as they should – about their roles; they get into a level of detail. And, when you look across the table and you see this glazed look from the senior members of the audit and risk committee, you know you’re drilling down. So keep it at that helicopter level. You only meet four or five times a year; you only have two or three hours. So, to get the real value, keep it at the appropriate level.

And avoid the capture – this is the concentrated on audit and risk – avoid capture by the external or internal auditors. This is not their forum. This is the forum for the chief executive or for the council. So that needs to be paid attention to. Right, the things to be careful of is that an audit and risk committee cannot remove the ultimate responsibility. In the New Zealand public sector, the ultimate responsibility in central government lies with the chief executive or, in a council situation, with the council. So an audit and risk committee does not alter that line of responsibility.

Also, to keep the external auditors to the task. Timeliness is essential. And what I mean by that is that the audit and risk committee is a really important part of the audit process. So they should be involved in signing off both the internal and the external audit plan. They should be involved at the year-end audit. So it’s no good coming along after the accounts have been finalised and sent in to Treasury for consolidation that you come together and report after the fact to the audit and risk committee. So, to add value, they need to be integrated; they need to be weaved in to the timetables to complete either internal or external audits.

So an audit and risk committee chair needs to be very active, and they need to meet regularly with the chief executive – I’ve talked about that – and not only just pre a meeting. As I say, once or twice a year sit-down is test the temperature of the water. “Is this working? Is this adding value? Because, if it’s not, we need to pack up and go home.” So it’s important, that regular conversation with the regular executive. Meet regularly with the internal auditor. I have a coffee meeting with the internal audit manager on one of mine every month. And there’s always something to talk about; there’s always something to go over, and we have a little bit lengthier meeting when we’re coming towards an audit and risk committee meeting.

And include appropriate information channels of the entity. So this is make sure that your members on the audit and risk committee have the information, can gain the knowledge of the entity. Because they cannot add value if they don’t know, don’t understand the importance of the entity. Take the audit and risk committee into full confidence. And, if you’re from an agency that has a high level of security, ensure that they have the appropriate security level. Some of the best discussions that we’ve had, in one of the entities, is where it’s been so secret, the chief executive had to say, “Excuse me, I’ve got to take my phone out of the room and deposit it out of the room as a security issue.” So three of the things that we’ve been involved with have been absolutely top secret. But that was worthwhile; that’s how we added value. And they were some of the sessions that the chief executive called out as being real value. So take them into your confidence.

Regularly test the effectiveness with the CE; I’ve covered that off. And just think about the dichotomy that exists with your audit and risk committee members. On one hand, it’s important to have this institutional knowledge, that they can participate in the discussion and add value; and then, on the other hand, you want new ideas, new skills and experience every now and then. So I wouldn’t advocate that they be there for 20 years; but then, on the other hand, you don’t want the three members changing every year or two, because it does take a while for them to build up that institutional knowledge.

So let’s quickly gallop through the benefits of a well-functioning audit and risk committee. It’s an excellent forum for the senior management to present their projects. Do not underestimate the value of that. We see some management come in to the meeting and they’re quite nervous, they do a lot of work in preparing for it, and they always say that that was a very different slant on the discussion and input to their project that they’d seen internally. So real value in that second-tier management being asked to go to an external group of people to present. As I mentioned before, the opportunity for the chief executive to test ideas outside the full blare of the organisation. Sometimes you want to just share an idea with somebody – ideal for that. They give assurance to the chief executive on financial management, key systems, and strategies. So this is the ability to go wide across various aspects.

Also, it’s an opportunity to give proper visibility within the organisation to both internal and external audit. This is not just the moment in the sun for the internal auditors and the external auditors, but it does raise the level of awareness, if you like, particularly for internal auditors. One of the ones that I’m involved with, we’ve seen fantastic advancement, if you like, in what the internal audit has achieved, the way that they are perceived within the organisation, because of the audit and risk committee. Obviously it strengthens the governance structure.

And this last one, it’s an excellent opportunity to involve some outstanding expertise at a very reasonable cost. So I’d ask the question, why wouldn’t you do this? In the ones that I’m involved with, we’ve got three or four of some of New Zealand’s outstanding achievers that come along and get involved and give their benefit of their skills and experience at a daily rate of about $1100 or $1200. So there’s a very large component of public interest, public service in this. So why wouldn’t you do this? They build up that institutional knowledge and they can add real benefit and a different perspective to the way you do things.

So, concluding comments. Just an example of an audit and risk committee that’s effective and adds value. The ones that I see: regular communication. Keep in touch with the internal auditor; keep in touch with the chief executive; keep in touch with the members on the audit and risk committee. Consultation on the agenda, planning the agenda. I have a lot of input into what goes into the systems part of the agenda or what goes into the strategy. But I don’t do that in isolation; I talk to the internal auditor; I talk to the chief executive, say, “What’s happening? What is it that you feel that would be worthy of some input from the audit and risk committee?”

Regularly test the effectiveness, I’ve covered that. And split the agenda into three. I’ve found, and I’ve talked to a lot of other audit and risk committee chairs that have liked that idea, to have a third of a meeting on assurance, a third on systems and a third on strategy. But you might have different headings, but whatever works for you. Encourage your audit and risk committee chair to participate in the OAG forum. The OAG run a very good forum of the audit and risk committee chairs that are in the public sector. They have a meeting at least once a year, sometimes more frequently than that. I’ve been a regular attender, and I know Graeme Mitchell down there; he’s a regular attender, also chair a number of audit and risk committees, and it is a worthwhile forum. So, if you’re unaware of that, Greg Schollum, Deputy Auditor-General, tends to run that session, so reach out to Greg.

Balance the skills when selecting external members. It’s no good having all accountants or all IT people, or all industry expertise. Balance those skills up, because those people bring a different perspective which really helps that value equation. And embed it as a key part of the governance structure. Be committed to it; make sure that you place a degree of importance of it. Make it happen, and I’m sure that you will find that it adds tremendous value. You get some great people that are happy to be involved at very little cost. So good luck with that. You can see I’m a great fan of them. Structured and operated properly, they’re great value. So I hope those of you that don’t have them are inspired to go and do something about it from this meeting. So good luck. Thank you.

For more information and to download presentations, visit
