KPMG's Audit Committee Institute has released suggestions for audit committees.
Their #1 tells directors to "keep the eye on the ball: financial reporting and related internal control risk." I can understand why a public accounting firm would promote a focus on financial reporting, but should that be the top priority for audit committees? Is that dated thinking, given the eye-opening events of the recent past?
For example, you have to wait until #7 to see any real discussion around risk management. Even then, the focus is on "business controls around the company's key operational risks." Personally, I would much prefer to see a focus (and it would be #1 on my list) on the adequacy of risk management processes and framework.
Where is the focus on cash management, credit, and capital structure? That has been a real issue for the last few years. Now, companies have built up a store of cash, but I would suggest this should continue to be a major concern for audit committees given the weak economies in certain parts of the world.
My list would definitely include in the top five priorities a focus on whether the information management uses to run the business is timely, current, and reliable. This is an issue that caused a number of businesses to fail. Not only were they relying on historical operational performance data, but risk-related information was also old. In some cases, executives did not receive key pieces of information. The board should also question whether it is receiving complete, reliable, current, and timely information.
The list has no mention of internal audit. Does that reflect KPMG's blindness to the importance of internal audit in providing assurance to the board? Is it because internal audit has lost credibility as a valuable source of assurance? I hope neither is true (KPMG has written extensively, including pieces by Mary Pat McCarthy, on the value of internal audit to boards).
I would certainly have as one of my top priorities ensuring that internal audit provides formal assurance on the adequacy of governance, risk management, and related internal control processes.
So, my top ten would be:
- The adequacy of risk management processes and framework.
- Coordinating oversight of governance and risk management with the board and other committees.
- Cash flow, credit, and capital structure.
- The quality and timeliness of information used to run the business.
- Formal reports by internal audit on the adequacy of governance, risk management, and related internal controls.
- Linkage between strategy and risk.
- Planning for IFRS.
- Regulatory compliance. Is the company well-equipped to handle the continued growth in complexity? FCPA risk is part of this discussion.
- Changes in tax reporting, the adequacy of staffing and processes within the corporate tax department, and tax-related risks.
- IT governance and IT-related risks, including social media, mobile technology, and cloud computing.
Do you agree? What are your top ten?