I have been asked to provide an example of the type of formal report I would provide the audit committee, sharing my overall assessment of the adequacy of governance, risk management, and related internal control processes.
I started providing formal overall assessments about 20 years ago (when I led the internal audit department at Tosco Corporation). But that was limited to whether internal controls provided reasonable assurance that risks were managed effectively. You can see a copy of one of my reports from that era here.
If I were to provide a report based on the same set of facts today, it would be somewhat different. Why? Because my thinking has moved on and I would add content related to governance and risk management processes. I would also provide an opinion at the overall corporate level.
The report might be something like this, for the fictional TBD company:
BY GENERAL AUDITOR
Prepared at the direction of the General Counsel
Each year, Internal Audit completes an increasingly large number of audits in the areas considered to present the greatest risk to the company. The volume of individual opinions is such that it is difficult to see the big picture and assess the overall adequacy of governance, risk management, and controls. Furthermore, Audit does not formally review every area every year.
This report presents an overall, confidential assessment of the systems of governance, risk management, and internal control, including a comparison with the prior year where applicable. It provides our opinion whether these systems provide reasonable assurance that the more significant risks to the company are at acceptable levels. It is based upon:
- The results of internal audits completed during the year, including our assessment of the framework and processes for the management of risk.
- The results of the board's self-assessment process, performed in coordination with Internal Audit.
- The results of the board's assessment of the performance of the external auditors, Coopers & Lybrand, performed with the assistance of Internal Audit.
- Any control deficiencies reported by Coopers & Lybrand or other third-party auditors or examiners.
- Prior audit results, and corrective actions taken and reported by management.
- The results of special and other projects performed by the department, and
- The personal observations of the Audit Department's management team.
The company's General Counsel has requested this information, in anticipation of potential litigation. The report has been reviewed with senior management, who will be available to provide their perspectives at the audit committee meeting. They did not express any significant disagreement with this report and its conclusions.
The assessment is first for the company as a whole, then by division and by category. Internal controls (as defined by the Committee of Sponsoring Organizations of the Treadway Commission) "are designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations."
While the company continues to address prior deficiencies with improvements in its information technology (IT) systems and operational processes, the level of risk exceeds acceptable criteria in the following areas. This merits the continued attention of the board and executive management.
Compliance and safety: The XYZ refinery, which represents a major portion of the company's refining operations, continues to have significant weaknesses in its management of risks in these areas. This is discussed in more detail in the TBD Refining section.
Operational effectiveness: The company only tracks what it purchases for its ABC convenience store system, not what it sells. This, combined with the overall age and lack of functionality in the company's IT systems and the higher number of employees relative to our competitors, limits the ability of management to optimize efficiency and operating results.
Risk management: The company has a relatively immature and informal risk management program, reliant on the individual actions of managers rather than any coordinated and formal program. This provides neither an overall picture of risk across the business, nor assurance that risks and opportunities will be given appropriate, timely consideration in the future. See our separate report on this risk area.
Information for decision-making: While the company now has a common system for all its refining and pipeline operations, the marketing business is separate and only integrated through spreadsheets. As a result, executive management may not have reliable information (other than at quarter-end) that provides insights into total company operations. Reliance is placed on spreadsheet models maintained by the Corporate Controller that include estimates of inventory levels and other key information. While this has been reasonably accurate in the past, there is a risk that future executive decisions may be based on outdated or inaccurate information.
With respect to financial and management reporting, and to operations at the other operating locations, risks are within acceptable criteria.
TBD Refining Company
As noted in the overall report, management's processes provide reasonable assurance that the more significant risks are at acceptable levels with the exception of operations at the XYZ refinery.
We continue to be concerned with XYZ's controls to ensure reliable operations; prior reports have questioned preventive and predictive maintenance and inspection practices. This directly impacts controls to ensure compliance with environmental and other regulations, as well as the effective use of resources (people as well as costs). In addition, we remain very concerned that XYZ's turnaround planning and management practices are below standard, and that procurement activities are significantly less than desirable. These issues do not impact the adequacy of financial reporting on XYZ's assets and results of operations.
TBD Marketing Company
Management's processes provide reasonable assurance that the more significant risks are at acceptable levels with the exception of operational efficiency and effectiveness.
The major concern continues to be IT. The systems inherited as a result of the acquisition of ABC are by no means state of the art. One problem is that we don't know what we sell in each store, just what we purchase. This makes it difficult to target our marketing efforts, which include stocking each store with the right quantity of the right goods, and maximizing the effective use of our advertising dollars. In addition, TMC has more people than optimal (based on benchmarks with our competitors and our own studies); that is necessary until we can implement more effective systems. Our audits have found that departments are reasonably efficient given the limitations of the systems.
Complicating this are three issues: (a) the process for managing change to our systems is not only fragmented but also does not provide adequate assurance that the changes necessary for effective business operations will be implemented with the required quality, which is especially important when the problems with program and data security are also considered; (b) the IT department has more staff who are average at best than we can afford, especially given the significant number of system conversions and migrations, let alone any new functionality that should be introduced; (c) the level of turnover within IT is much too high, and it is especially troublesome when good people leave.
While I have confidence in the leadership of IT, these are massive problems that will not be easily solved.
TBD Distribution Company
Management's processes provide reasonable assurance that the more significant risks are at acceptable levels. However, management needs to address a number of issues at the terminals that have been acquired in the last year.
Commercial activities include the purchase and sale of physical inventory; the hedging of related prices through futures, options, and other derivatives; and a limited level of speculative trading. Overall, risks are managed within approved criteria, although there is significant reliance on close scrutiny of all activity and positions by the CEO, and serious control weaknesses were identified during our audits.
Financial reporting of derivative activities depends on the position reports, and the risk of their being materially in error is not significant. However, our recent audit found that key reconciliations (e.g., of broker statements) were not independently performed. This increases the risk to financial reporting and to compliance.
Commercial activities are inherently risky; controls cannot prevent a trader picking up the phone and committing the company to an inappropriate and/or costly transaction. Deterrent and detective controls are essential, but cannot compensate for the poor decision a trader may make. The new IT system (COMETS) is not yet in place, and there is no overall company position report for the Risk Management Committee to review (if they were ever to meet as a group, rather than essentially consist of the CEO's personal and lone oversight). Even when COMETS is fully implemented, the system will not automatically check individual or total position limits. The lack of independence in the accounting and reconciliation of derivatives activity significantly increases the risk of fraud.