The number of risks that organizations face is increasing rapidly as regulations evolve and the business world faces new challenges—this is especially true for highly regulated sectors like financial services. Audit committees, responsible for the oversight of the enterprise-wide control environment, often don’t fully understand or consistently execute this role outside of the internal controls over financial reporting (ICFR).
These inconsistencies have been exacerbated by the pandemic, which revealed new health and safety risks, as well as other environmental, social and governance (ESG) issues—such as cybersecurity, data privacy and human capital development—that are driving business disruption and magnifying financial risks for companies. The growing adoption of new technologies and a rapid shift to remote working have raised concerns about business resiliency and transformation adoption including, but not limited to, cybersecurity, data privacy, third-party risk management and increased regulatory risk as the corporate dynamic changes. Add to these areas the existing operational risks that have been, and will continue to be, important to the safety and soundness of the business.
All of these new moving pieces make audit committee oversight that much more important, and audit committees need to sharpen their focus on areas like operational risks and controls or risk sloppy business practices and even falling out of compliance with regulations. That makes it a critical time to take another look at core oversight practices:
It’s important to clearly establish the role of the audit committee in overseeing the enterprise-wide internal control environment—beyond financial reporting—and its effectiveness. The audit committee’s responsibility in matters of financial reporting and oversight of the related controls is commonly known and well understood. But audit committees are also typically tasked with overseeing a company’s enterprise-wide control environment and holding senior management accountable for the effectiveness of its internal controls.
During the annual review of the audit committee charter, be sure this responsibility is clearly laid out. Confirm that it is aligned with other committee charters that also have risk oversight responsibilities to avoid any unintended duplication. For example, companies in regulated (and unregulated) industries may also have a risk committee that could oversee some aspects of the company’s risk governance framework. To avoid duplication of effort, make sure responsibilities are clearly defined for each committee, delineated and well understood across the board and the organization. Boards will also want to make sure the dots are connected across those committees by establishing communication protocols (e.g., chair-level discussions, committee read-outs, etc.).
Communicate who should be involved at every level of the risk and control framework—from both a board and management perspective. Audit committee members should understand the types of questions to challenge management with and help ensure that risks don’t go unmonitored and that the proper control environment is in place to mitigate those risks.
Active sponsorship and support of internal audit from both the audit committee and management will enable that group and the other control functions to provide independent oversight over the system of controls.
Committee members should evolve as the risk and regulatory environment does. While it’s necessary for public companies to meet the stock exchange requirements related to financial knowledge for audit committee members, other skills are imperative as well. For example, given the increased cybersecurity activity over the past year and the regulatory scrutiny for certain industries, some companies are searching for directors with cybersecurity/data, technology and regulatory experience. Audit committees should consider reviewing their skill-set needs on a regular basis and ensure they have all the requisite skills needed to discharge their oversight responsibilities.
It’s important to provide ongoing education to committee members, so that the right topics are addressed. For instance, in recent months, healthcare companies should be staying abreast of regulatory shifts at the Centers for Medicare & Medicaid Services that were implemented during the pandemic and will likely remain in place.
Audit committees must challenge executive management to establish clear ownership of the control environment that is visible throughout the organization. Committees should hold executives accountable for the effectiveness of their control environment, including timely and sustainable remediation of control issues. One way to do this is to require those with overdue or aged control deficiencies to attend the audit committee meeting, provide the rationale for the delays and present a plan to complete the remediation without further delay. In industries like financial services this becomes particularly important; the ability of the audit committee to credibly challenge management’s decisions and to focus on intended outcomes could be a factor in avoiding regulatory criticism.
To demonstrate the importance of strong leadership and provide the right tone at the top, the CEO and CFO should play an active role in key meetings and discussions. Executive management’s commitment to openness and transparency will trickle down to the rest of the team.
For the audit committee to effectively execute its oversight responsibilities, the reporting it receives from management on operational and regulatory risks and controls must be crisp, concise and informative. It is critical for the lead directors to work closely with management to establish an agenda for the committee meetings that provides adequate time for the discussion of risk and control related topics and ample opportunity to discuss overdue or aged control issues. Audit committees could also consider inviting business leaders to come before the committee to identify emerging risk issues and their plans to proactively address them.
If committees aren’t already receiving concisely summarized, impactful reporting, consider asking management for control reporting that highlights internal audit plan status, the number of observations by risk rating, overdue and aged issues, and issues that are being retargeted frequently—flagging priorities (e.g., red, yellow, green) as they rise on the list. Using the reporting as a guide, ask management to provide a clear and concise status of enterprise-wide open control issues and their remediation. Focus on the “red” or “yellow” areas, since those are generally the higher-risk areas where the committee should spend its time.
For financial services companies, the control reporting should include a snapshot of control issues identified across all three lines of defense, regulatory actions, and the tracking of open issues and actions. These materials give the committee insight into the company’s control environment and should provide the clear, critical information needed for discussions at the committee meetings.
For highly regulated industries, like financial services or healthcare, the operational risks and control environment that the committee oversees aren’t exactly new. Layer in the risks that come with shifts in technology and the new regulations around climate initiatives, and accountability in oversight becomes even more important. The ability of the audit committee to gain insight beyond the organization’s financial risks and controls, and to ask management the right questions to create accountability, is key to successful oversight.