I’ve been a party to an ongoing debate about the role of the board of directors and the audit committee in monitoring performance and responsibility for risk management and similar topics. This is an attempt to reduce the confusion and provide some clarity on the audit committee’s role, having in mind that “oversight” means to provide watchful and responsible care or supervision.
The ideal culture in a company would be where risks are identified and challenged at all levels of the organization. However, the board is responsible for oversight of risk, both strategic and operational, although the audit committee may also be involved. It is also accepted that the audit committee’s main focus is on risks that affect financial reporting.
It’s generally agreed that a primary responsibility of the audit committee is to oversee the integrity of the company’s internal controls over financial reporting, accounting and reporting in financial statements. Further, they’re also comfortable in monitoring compliance with laws and regulations. Therefore, I don’t intend to write anything about oversight in these two areas.
This blog post is about the role audit committees can perform in risk oversight. I’ve listed seven basic steps that may fulfill their “oversight role.”
• Understand the company’s framework for risk management including policies, procedures and their documentation.
• Understand how the company mitigates and responds to identified risks.
• Understand the company’s/risk management team’s ability to both identify emerging risks and anticipate risk events to get comfort.
• Meet directly with key management personnel responsible for risk management and clarify any unusual or material risk issues, and put in place a communication process to inform the audit committee of any developments that require the committee’s immediate attention outside of the regular reporting process.
• Periodically review the risk dashboard to reassess the high impact risks, to satisfy that they’re addressed by responsible personnel.
• Use internal audit to review the company’s major financial risk areas, and understand the adequacy of controls and monitoring procedures in place to gain comfort.
• Annually review the risk report in the financial statements for appropriateness and relevance.
It must be said that though many companies address risk through the audit committees, the board may decide to allocate responsibility for risk to a separate committee. Even then, the audit committee is required to understand and review policies with respect to risk management.