Insights for the Audit Committee From Protiviti and Marks


The team at Protiviti has published yet another valuable report. Although it is directed at financial institutions, the points are also valuable to other organizations. Setting the 2012 Audit Committee Agenda for Financial Institutions identifies ten major challenges that need to be on the agenda. I like them, but I wouldn't put them in this order and I would change several.

  1. Managing regulatory change.
  2. Dealing with industry restructuring.
  3. Managing effects of globalization of financial markets.
  4. Improving information for decision-making by focusing on data management and analytics.
  5. Increasing the focus on enterprise risk management (ERM) as risk profiles change and regulators demand more.
  6. Managing the impact of technological innovation on the business model.
  7. Managing increasingly complex privacy and information security issues.
  8. Improving business performance to enhance and sustain competitiveness.
  9. Achieving true customer loyalty.
  10. Attracting, retaining and developing top talent.

When you look at the more detailed discussion of #5, increasing the focus on ERM, you will see what I mean:

"Many of the challenges we discuss herein, as well as increased interest in board risk oversight, intense competition and exposure to an uncertain economic cycle, have raised the need for a truly enterprisewide approach to managing risk. Not an end in and of itself, ERM is a means to an end — that is, a discipline for positioning companies to recognize quickly a unique opportunity or risk and use that knowledge to evaluate its options."

The audit committee, as well as the full board, should be asking management to demonstrate that they have good processes for identifying, understanding, evaluating, and responding to all of these risk areas — and all of the agenda items are risk areas. Focusing on individual risk areas without addressing management's processes for handling risks in general is a poor (IMHO) approach. Who knows what event or situation will come up tomorrow — perhaps the UK effectively leaving the EU! It is not the job of the audit committee to manage these risks. Their job is to provide governance and ensure management is managing the risks — whether it's the potential impact of regulation, the Euro crisis, the impact of technology, etc. If I were chair of the audit committee, I would consider holding a meeting just to review with management what their processes are, taking each of the agenda items listed by Protiviti as examples.

Here are my revised top 10:

  1. Improving the ability of the organization to be prepared for and respond effectively to events and situations: both potential adverse situations and market opportunities. This is mature ERM. (See here for more on board oversight of risk management).
  2. Improving the quality and timeliness of information for decision-making (see this earlier post for details).
  3. Being prepared for sudden and dramatic market change (including regulatory change and industry restructuring).
  4. Managing the impact of technological innovation on the business model in general and on business processes in particular — understanding not just the risks but the opportunities. The greatest risk may be in being a late adopter of technology (see here and here).
  5. Achieving true customer loyalty — considering the changing demographics in the different parts of the world.
  6. Improving business performance to enhance and sustain competitiveness.
  7. Making sure you are maximizing the value of the internal audit function.
  8. Managing effects of globalization of financial markets.
  9. Managing increasingly complex privacy and information security issues.
  10. Attracting, retaining and developing top talent.

Protiviti has several words of wisdom. On the topic of risk management and technology: 

"According to two Senior Supervisors Group reports, many firms could not monitor their risk exposures accurately due to inadequate information technology infrastructures."

"Significant investment in IT would be necessary for the industry to make required advances in risk management."

On technology and demographics:

"The manner in which consumers receive and access financial products and services is undergoing change. The consumer experience is being reshaped by technology-leveraging analytical tools, expanding data sets, social media and mobile computing. With increased cost pressures and a growing demand for flexibility, accessibility and personalization, financial services organizations will accelerate their use of technology to meet customer needs. Networks will become a strategic business infrastructure platform embedding enhanced security, identity, intelligence, and scalability capabilities, enabling delivery of business and technology services both globally and nationally."

Frankly, this doesn't capture the entire picture: the way in which the new generations of managers and staff work with technology, indeed their expectations when it comes to technology, are changing. Enterprise applications are moving not just to the cloud, but to mobile devices. It's not just the data, it's the software that will be on tablets and smart phones. Companies in every industry need to understand how this will affect their business model.

When it comes to internal audit, the audit committee should:

"Make sure the internal audit function is keeping pace with changing expectations driven by the organization's structure, culture, business performance issues, regulatory expectations and internal and public reporting requirements and issues. Is internal audit prepared to deal with regulatory changes? Is it prepared to deal with the effects of expected changes in the organization, including the technologies supporting the business model? Is it capable of auditing ERM? Does it have the right skill sets and deploy the right frameworks, approaches and methodologies? The audit committee's oversight should ensure the function (including any co-source partners) has the resources, skill sets and tools needed to address the company's key risks."

I would go further and ask whether the internal audit function is:

  • Providing assurance on ERM, actively working with the risk office to ensure management is equipped to address uncertainty.
  • Helping, or merely watching, where improvement is needed.
  • Working on today's risks, rather than those identified as part of a periodic (or, at worst, annual) audit plan. In other words, are they working on what matters now or what used to matter?
  • In a position to understand where change is happening and where the risks lie.

I have added to and changed around a lot of the material Protiviti has shared. Do you agree with what I have done?

What are your top areas for the audit committee?

There is an ancient Chinese curse: "May you live in interesting times." No doubt, these are interesting times indeed. Whether it's a curse or opportunity is up to us!


