As I look back at many years in internal audit, two audits stand out — not because we found anything significant, but because they addressed the most significant risks.
The first was on the reliability (completeness, accuracy, timeliness, and so on) of the "board package." That is the set of materials provided to each of the board members as the basis for discussions at the full board and committee meetings.
Arguably, the meetings of the board and its committees are where the greatest risks are taken by the organization. So, auditing the controls over the completeness, accuracy, timeliness, and so on of the information provided by the executive team to the board was an important engagement.
The audit identified some interesting points of concern, including:
- The board package was so massive that it made it very difficult for board members to read, understand, absorb, and be prepared to discuss the materials prior to the meeting. The size was a disincentive. It was also difficult to pick out the key points on which to focus.
- Major portions of the package were provided only a few days before the meeting. As a result, the directors were unlikely to do more than give it a quick review. The meeting spent most of its time just learning what was in the board package instead of discussing the issues it raised.
- The CEO and sometimes his direct reports were selective with the information provided to the board. Information that the board might want to see, such as alternatives to the strategies and plans recommended by the CEO, was not shared with them.
- Information derived from the company's systems was "massaged" prior to being included in the package. That massaging might adversely affect the integrity of the information seen by the board. Fortunately, we did not see any errors introduced at my organization.
The second audit was around the information that the executive team used as a basis for their key decisions. Again, the risk I was concerned about was that the executives would make decisions based on faulty information — surely, a huge potential source of risk to the achievement of objectives.
We talked to each of the members of the executive team to find out what information they used, both for major strategic decisions and for the daily running of the business. We then identified, assessed, and tested the related controls. I believe this is an area frequently overlooked, both by risk and audit practitioners.
Risk is taken through decision-making. One of the greatest sources of risk to quality decisions is the information that people rely on when making their decisions.
Is your audit department concerned with the risk of poor decision-making? Note that faulty information is just one source of risk.
Does your risk identification and assessment activity consider the potential for poor decision-making? Is this not a critical area to address?
I welcome your comments.