Important Questions for Corporate Boards


Mary Pat McCarthy and Michael Nolan of KPMG, in Directorship, ask some important questions of corporate boards. Internal auditors would do well to note these and ask the questions both of management and themselves.

  • Does management have a formal process to identify the significant changes — planned and unplanned — taking place in the business, and the important risks these changes pose? Change — whether a change in people, business processes, technology, products, or business models — creates risk. And an important part of any discussion about change and risk is "complexity": The greater the complexity, the greater the risk. While a robust change management process to identify and track macro- and micro-level changes impacting the business may be ideal, every company should, at a minimum, consider the need for a formal process to identify the significant changes — planned and unplanned — taking place in the business and the risks that these changes pose.

  • Is there a formal process to link these changes and risks to the company's risk management efforts, its internal control processes, and its compliance program? All changes pose risk. For example, outsourcing changes pose an array of data security and privacy risks; changes in business processes and practices pose various internal control issues; and changes in the company's footprint may pose a host of U.S. Foreign Corrupt Practices Act and other compliance risks. Whatever the change, it is essential that it and the associated risks are communicated so that appropriate risk-mitigation activities, internal controls, and compliance initiatives can be implemented. A formal process to ensure that this communication takes place and that proper linkages are established is key.

  • Does internal auditing "connect the dots" and communicate key areas of concern about these linkages? As the role of internal auditing evolves, more organizations look to the internal audit function to observe where change and risk are first seeded in the organization, and to view how these changes and risks are managed across the organization. This requires that internal auditing has a "seat at the table," is capable of anticipating emerging risks, and that it takes the initiative to adjust audit plans and activities as changes in the business, the control environment, and the economic environment occur.

  • Given the speed of change — and the velocity of risk — does management assess the company's critical alignments on a regular and frequent basis? The economic crisis demonstrates clearly that changes are often fast and dramatic, and that there is a real need for management and directors to understand the velocity of risk — the speed at which an emerging risk can be manifested and have a catastrophic impact on the business. In this environment, management should assess the company's critical alignments on a regular, frequent basis; annual or semi-annual assessments may not be adequate. Of course, the absolutely essential component of alignment is management. And here the audit committee and the full board play a key role in helping to ensure that — from top to bottom — management's goals, objectives, and incentives are properly aligned; performance is rigorously monitored and assessed; and the culture throughout the organization is "right."


