Linking audit and risk

Peter Jones and Paul Geyer list the key take outs from the inaugural Audit and Risk Committee Forum, held recently in Melbourne.

A stronger relationship between audit committees and internal audit has been recognised as good practice for many years. Yet until now, there have been few avenues to bring these two groups together for joint professional development.

In March, the Australian Institute of Company Directors partnered with the Institute of Internal Auditors – Australia to host the inaugural Audit and Risk Committee Forum in Melbourne. Led by some of Australia’s most experienced audit and risk committee chairmen, and chief auditors, the forum provided a number of insights and useful tips for audit and risk committees. By all accounts, the forum was well received.

Some insights from the day included:

Get the information flowing: Relationships between board, management, chief risk officers and internal audit are important to allow for free and open information flow. Spending time walking around the organisation is important to build trust and to pick up nuances and management blind- spots. Bad news doesn’t get better with age and directors should be sensitive about creating a culture of fear where information doesn’t flow.

Build relationships and trust: Building relationships takes time, both in and out of session. As one speaker noted, you can’t build a relationship in 15 minutes a quarter. This is particularly important with your head of internal audit and other key channels into the audit and risk committee.

Independent information: Internal audit is a vital source of information that can help the board form a well-rounded view, and has the advantage of being required to form a view that is independent of management. This alternative view can be useful and at times critically important.

Strategic risk: Technology and international competition were highlighted as two drivers for Australian boards to focus on. It was suggested that these two areas alone are likely to require significant repositioning for most organisations in the next five years. The challenge for those in risk and assurance roles is to develop solutions that move the organisation towards the control environment they need in the future, and not just reinforce the one that has worked in the past.

Together or separate? There were mixed views on whether to have a separate audit committee and risk committee. A practical suggestion was to have separate committees comprising identical members that meet on the same day. By having different chairmen to drive their respective agendas, the required focus and synergies can both be attained.

The annual report: Leading audit committees know the trends and key accounting issues long before it comes to reviewing the draft annual report. They think about the story line and how it is communicated well in advance of the meeting to review the annual report. It was suggested that having the CEO explain the narrative for the year, and then show how this is illustrated in the accounts, is a good practice before diving into the detail.

Emerging risks: Panellists cautioned against risk registers becoming a “tick and flick exercise” and encouraged more proactive work on emerging risks. By engaging management and assurance teams around discussions on emerging risks and changing external conditions, boards can use risk information to ensure that their organisations are well-positioned as well as well-run.

Getting the best internal audit function: Seasoned directors indicated that their due diligence includes a close look at internal audit. Consensus was to be careful taking on a director role if the internal audit function is not strong or there wasn’t a plan in place to strengthen it shortly after their appointment.

Yardsticks: Several “yardsticks” were used to determine how serious the organisation was about internal audit. Two were: How long does it take to agree on audit reports? And, how long does it take to address the issues in those audit reports?

Set clear expectations: Risk management is not a “tick and flick” exercise and internal audit should be used to identify and provide assurance around risk management effectiveness and strategic risk. This includes a broader scope of functions and assurance over the key risks facing the organisation. Audit and risk committees were encouraged to partner with their chief auditor; to be clear, demanding and not to expect what they have got in the past. With the right encouragement and setting clear expectations, internal audit can add real value.