Posted: 30th November 2017
Directors must sign off on the control environment, but do we really know if it is as strong as we hope it is?
I have been on audit committees for about 30 years, and they can be the most turgid of meetings; thick piles of paper, the worry that a key item is buried somewhere, and there is too little time to discuss the key issues.
In the past, I have done a number of things to make the audit committee more effective. This is not the complete list, but will hopefully provide some pointers for firms looking at their own approach.
Idea 1 – let management write the internal audit report
As an audit committee chairperson, I want to know that management can set and operate an effective system of internal controls. An audit committee spends all its time on what the third line is saying. So how about changing things:
- The internal audit programme for the next three years is set and updated annually
- The first section of the internal audit report is written by management
- The second section is written by the second line of defence. It might say “we have nothing to add” or it might set out what is missing
- The third section is written by internal audit. Similarly, it might say “we have nothing to add” or it might set out what is missing
If an audit committee develops reports using this process, it can judge whether management is on top of its game. It can also judge the value add from the second and third lines of defence. As confidence builds in the first line, the second and third line can take a more strategic approach. It also removes that old age excuse; “we told them that”.
Idea 2 – clearance of audit issues
You will no doubt get a report at your audit committee telling you about the clearance of items, and I bet you wonder if they were cleared appropriately. I require internal audit to report back on the clearance of items.
Idea 3 – getting seriously comfortable about the Letter of Representation
Too often, it is the CEO and CFO that sign off the letter, and I have been left wondering whether they could really make all those representations – were they just holding their breath when they signed? If you were doing a prospectus, then the directors would have to be satisfied with every sentence in that document, but we do not go that far with a set of accounts. I ask the executive committee to sign that they agree with the letter of representation. Please allow management a dummy run first, because it will have teething troubles (which also indicates why this is a great process to follow). It clearly demonstrates that proper enquiries have been made before signing. I have also found that executive committee members have gone to their own executive committees with the letter and asked them to sign it off as well.
I often hear the complaint that internal audit is too theoretical, or their solutions are expensive. The question you should ask is “what do you do to make that different?” Training in internal audit is normally left to internal audit. So, what could be different?
Idea 4 – getting internal audit commercial
There are many different techniques to develop controls that are customer friendly. The one I am most familiar with is “Lean”. Why not give both internal audit and management proper Lean training or something similar?
Internal audit is a profession. It has its own Institute – the Chartered Institute of Internal Auditors. It is important to have appropriate internal auditors who know what they are doing. But how about rotating management in and out of internal audit?
Idea 5 – requiring positive as well as negative assessments from the second and third lines of defence
Too often the second and third lines tell audit committees what is wrong; they rarely tell you what is working, and certainly not in writing. So, require positive assurance in writing.
Rising to the challenges
There are a lot of other ideas to get the audit committee firing. The problem with audit committees is that they often do not think about how things should be done – they just react to piles of paper. The challenge is to break this mould, and incorporating the above ideas, in my experience, is a great start.
Good luck making your committee fire.