In the event you missed it, the U.S. Securities and Exchange Commission (SEC) announced the adoption of new rules on enhanced proxy disclosures on December 16, 2009. The new rules will likely have far-reaching impacts on risk management and corporate governance in the U.S. They require disclosures in publicly traded companies' proxy and information statements about:
- The relationship of a company's compensation policies and practices to risk management.
- The background and qualifications of directors and nominees.
- Legal actions involving a company's executive officers, directors, and nominees.
- The consideration of diversity in the process by which candidates for director are considered for nomination.
- Board leadership structure and the board's role in risk oversight.
- Stock and option awards to company executives and directors.
- Potential conflicts of interests of compensation consultants.
So what does all of this have to do with internal auditing? Frankly, I believe the new rules could have a great deal of impact if we embrace the opportunities. Obviously, any time there are new statutes or regulations to which an enterprise must conform, there are new corresponding risks associated with non-conformance. Even if these regulations were not so closely linked to internal auditing's core mission, they should be on our radar. However, the fact is that many requirements embedded in these new SEC rules present extraordinary opportunities to demonstrate our acumen in risk management and corporate governance.
The best example of where we can immediately assist the board relates to risk management. Page 44 of the SEC's Final Rule notes that:
"Companies face a variety of risks, including credit risk, liquidity risk, and operational risk … the risk management process should provide important information to investors about how a company perceives the role of its board and the relationship between the board and senior management in managing the material risks facing the company. This disclosure requirement gives companies the flexibility to describe how the board administers its risk oversight function, such as through the whole board, or through a separate risk committee or the audit committee, for example. Where relevant, companies may want to address whether the individuals who supervise the day-to-day risk management responsibilities report directly to the board as a whole or to a board committee or how the board or committee otherwise receives information from such individuals."
In many companies, internal auditors play an integral role in the risk management process. It is also not uncommon for internal auditing's annual risk assessment to be the most comprehensive examination of the company's risks presented to the board. Chief audit executives whose companies are subject to these new rules should familiarize themselves with them as soon as possible and engage management and the board on the role internal auditing will play in achieving compliance.
The new rules are far too extensive and complex for discussion here. However, one thing is becoming increasingly clear: the pressure on boards to demonstrate their oversight of risk management is growing. As I have observed before, internal auditing is uniquely positioned to assist. I still envision a day in which internal auditors will routinely provide assurance on the effectiveness of risk management, just as they provide assurance on the full spectrum of risks facing the organizations they serve.