Is Your Audit Committee Asking the Right Questions?

I’ve worked with a variety of companies – both public and private – during my career, and I have seen a variety of approaches to the role of audit committees. In the best cases, the audit committee works in collaboration with the internal audit group, the external auditor and management, and all of them share common goals.  In other companies, each function takes care of its own area of responsibility with little collaboration among them.

Organizing work groups into silos has never been a best practice, but it’s easy for groups to focus on their own work without sharing information with other groups. Today, the speed of change and the complexity of the issues companies face make isolation particularly risky. You can’t mitigate risk that you don’t see coming and, oftentimes, collaboration is the only way to identify risks.

Finance teams must be capable of performing daily processes, but they must also look into the future. Issues like the upcoming changes in revenue recognition can threaten the success of a company’s financial reporting if a company doesn’t have the foresight or expertise to respond appropriately.

As an arm of the board of directors, the audit committee is charged with specific responsibilities, and its members, ideally, will have a profound knowledge of current financial issues and the company’s strategy regarding them. There are several key areas where your audit committee must probe for answers. As a start, I recommend that you ask the following questions, with the caveat that this is only a beginning.

1. Is the internal auditor or audit team focused on the right areas, and are they able to identify and address the key risks of the organization?

Internal audit teams can get mired in the status quo and fail to adapt to changing business threats and opportunities. Many IA teams conduct the same reviews and complete the same programs from year to year – sometimes missing new or increasing risk because they aren’t compelled to examine the entire organization.

In addition, IA teams often are understaffed and overwhelmed with day-to-day operations. Audit committee members must assess the workload of the IA group. Is the team staffed appropriately? Is the team required to perform procedures that eat time, but aren’t focused on the company’s highest goals? Can the team stop doing anything in favor of higher priority tasks?

The audit committee should also ensure that the IA team regularly gathers information about potential risks throughout the entire organization. The committee should consider questions such as: Is the IA team an integral part of the organization? Do team members regularly share ideas and concerns with their colleagues in other areas and listen for potential risks? Do they have access to C-level executives on a formal or informal basis? Is the IA team respected or overlooked throughout the organization?

2. Is management able to identify and mitigate IT risk?

Information technology is changing rapidly and affects almost every area of a company and its exposure to risk. To effectively carry out its governance responsibilities, the audit committee must begin by examining four basic areas of concerns – cybersecurity, disaster recovery, the capabilities of existing information technology systems, and any planned changes to existing systems.

With the rapid increase in cloud services, cybersecurity is a growing concern for all organizations. Cloud storage vendors and their subcontractors, for example, can be security risks and assessing their security safeguards falls under the audit committee’s purview. Likewise, physical disasters can pose risks to companies across the country. Hurricane Sandy flooded the main processing center of a banking service provider and shut down operations for many of the company’s customers – even those in areas unaffected by the storm.

An audit committee should ask about the IT capabilities for the company’s existing systems and should ask questions to understand future needs. Similarly, the audit committee should ensure proper planning for scheduled changes to IT systems. Far too often companies establish extremely aggressive timelines for system implementations without fully considering the impact on its operations.  If poorly executed, the system changes can put the company in a tailspin and take them back to the drawing board.  An independent assessment by the audit committee of a company’s readiness for these changes can serve as a way to ensure these changes occur as seamlessly as possible.

3. Is financial management positioned to address new accounting challenges, such as the new standards in revenue recognition?

Although the audit committee doesn’t have direct oversight of the accounting staff, it is responsible for accurate and timely financial reporting. It is appropriate for the audit committee to ascertain corporate readiness to implement accounting changes.

Accounting staffs often concentrate on daily operations and may not have the expertise or perspective to proactively address coming challenges. They may not begin planning for required changes until it’s too late. They may not be able to meet new standards or make changes to accounting procedures in a timely manner because they don’t recognize the need early enough. Working with an outside firm as an advisor can give your management team the expertise it needs and the perspective is may lack. 

4. Is the staffing level in accounting appropriate both for current operations and for strategic initiatives under consideration?

The financial management team must make certain that the accounting staff is sufficient to handle the organization’s existing and future needs. The audit committee must ensure that management is addressing staffing needs and planning appropriately to meet them. In this case also, working with an outside advisory firm can boost your staff on an “as-needed” basis. You only add staff for specific tasks and projects, rather than for all accounting functions.

In Conclusion

Of course, audit committee members can’t assess all of these issues alone. They must ask probing questions of management to understand the company’s challenges and strengths thoroughly. They should ask, “What does this mean?” or “How will it impact the company?” Audit committee members must be interested and involved enough to rise above surface analysis to provide careful, informed and involved guidance to the board of directors.

For weekly insights into enterprise complexity, please sign up here: