This week, I have spent time reviewing a proposed rule by the SEC that would expand required disclosures relating to, among other things, the board's oversight of risk management — a major governance activity. It's fair to say that while I am pleased that the SEC is addressing important needs, I am disappointed in the results.
For example, I would like to see the compensation committee disclose whether and why it believes any consultant engaged to help it review executive compensation is sufficiently independent of management influence (e.g., not affected by other consulting engagements) to be objective in its advice. Instead, the SEC proposal would require the company to disclose fees paid the consultant — and let the investor decide.
I would also have preferred to see the SEC recognize the value that can be brought to the governance table by an effective, resourced internal audit department. The document does not mention internal auditing. I for one would like to see significant changes to address internal auditing's role in providing assurance. For example, the audit committee report should include disclosures of whether there is an independent, resourced internal audit function that reports to the audit committee and CEO — and if not, why not.
Talking to others, there appears to be a body of opinion that internal auditors are ready to take up the challenge of providing assurance on risk management, but not yet on governance processes. The IIA is developing guidance on both, but the people I spoke with want to take one large step at a time.
What do you think? Let's not forget that assurance on both governance and risk management are required by IIA Standards.