Proposed Increased Disclosures on Risk - IIA Response


Earlier this month, The IIA provided its response to the increased disclosures suggested by the SEC on risk and other matters. I believe these are important, especially to internal audit practitioners considering what their companies should do.

I have excerpted below the points I think are of particular interest to internal auditors.

1.  With respect to risk and compensation, we suggest that the company's report on Form 10-K include an assertion by the Compensation Committee that:

  • It has reviewed and approved all compensation programs for executives and others whose actions may have a significant impact on the level of risks taken and managed by the organization (including the chief internal audit executive).
  • The compensation programs are consistent with the longer-term interests of the organization, not only in considering the potential for increasing risks to the organization, but also in ensuring that risks in general are managed within the risk appetite and tolerances approved by the Board of Directors.
  • It has received formal assurances from (named) management that compensation decisions (whether for individuals or groups) take into consideration whether risks have been managed within the risk appetite and tolerances approved by the Board of Directors.
  • It has reviewed and approved all compensation awards and payouts to the CEO and officers, and has taken into consideration whether any excessive risks were taken during the period that were not pre-approved by the Board.
  • It has received a formal assurance from management that processes are in place to effectively identify, assess, and manage material risks to the business.

2.  We believe significantly enhanced procedures and disclosures should be made concerning oversight of risk management. We recommend that the report on Form 10-K include an assertion that:

  • The Board has approved the organization's risk appetite and tolerances.
  • The Board has approved the risk management policy.
  • The Board has received formal assurance from (named) management that an effective process is in place to identify risks to the organization, assess them, determine and assign responses, and manage risks within the Board-approved appetite and tolerance.
  • Management has formally reported to the Board, or a committee of the Board, any and all situations where risks have exceeded approved tolerances.
  • The Board, or a committee of the Board, has obtained a formal report from the internal auditor on the adequacy of management's risk management processes.

3.  We suggest that the proposed disclosures relating to the independence of any consultant engaged to assist the Compensation Committee should be changed. The committee should provide an assertion, included in the report on Form 10-K, that it has assessed the independence of any consultant and determined that the consultant is both independent and objective. It should describe the standards used to assess whether any other fees obtained by the consultant might impair its objectivity.

4.  Because it is material to the adequacy of internal controls and risk management processes, we believe that the report by the Audit Committee included in the 10-K should include disclosures that describe the internal audit department:

  • Whether an internal audit function exists and to whom it reports. If the function does not report functionally to the Audit Committee and the CEO, the Audit Committee should disclose why this is considered appropriate.
  • Whether the internal audit function provides a formal assessment of the company's risk management and related internal control processes.
  • Whether the Audit Committee is satisfied that the internal audit function is sufficiently resourced to consider the more significant risks to the enterprise.
  • Whether the Audit Committee has received an independent assessment of the quality of the internal audit function, and whether there were any deficiencies of significance that have not been addressed.

I invite comments on the quality and relevance of these suggestions — and what they would mean to your organization if adopted.
