Stepping up: as leading audit committees take on broader responsibilities, internal auditors...

THE SCOPE OF RESPONSIBILITIES FACING AUDIT committees has expanded dramatically as a result of recent legislative and regulatory actions. Traditionally responsible for overseeing the integrity of financial statements and the audit process, audit committees are extending their oversight responsibilities

to areas such as risk management and regulatory and legal compliance. According to recent research by PricewaterhouseCoopers LLP (PwC), audit committees have had to adapt their activities to address these broader mandates effectively. Similarly, forward-thinking chief audit executives (CAEs), those who strive to lend strong support to audit committees, have had to rethink their roles.

[ILLUSTRATION OMITTED]

[ILLUSTRATION OMITTED]

[ILLUSTRATION OMITTED]

PwC conducted its research in developing Audit Committee Effectiveness--What Works Best, 3rd edition, a report sponsored by The Institute of Internal Auditors Research Foundation and published in mid 2005. The research included face-to-face interviews with more than 50 prominent audit committee chairs, corporate governance thought leaders, and CAEs from around the world, as well as surveys of audit committee chairs and CAEs in the United States. The final report describes what leading audit committees--those that are proactive and innovative in their approaches to meeting or exceeding expectations--are doing to ensure their effectiveness. And, it identifies four key activities CAEs can undertake to strengthen their audit committee relationships and increase their marketplace effectiveness.

KEY 1. PURSUE ONGOING COMMUNICATION WITH THE AUDIT COMMITTEE CHAIR

At a time when audit committees are working hard to discharge their evolving responsibilities, communication between CAEs and audit committee chairs needs to be more continual than ad hoc. More than half (59 percent) of the CAEs responding to the survey indicated their level of communication and interaction with the audit committee increased significantly over the past two years. Additionally, as indicated by audit committee chairs and CAEs interviewed, savvy CAEs recognize that audit committees function best when they have open, candid, and frequent communication with all key parties--not only management and the external auditors, but internal auditing as well.

Armed with this insight, some CAEs are scheduling monthly discussions with the audit committee chair to review the status of ongoing issues and any other concerns. Others touch base with the audit committee chair by phone on a regular basis to discuss status and issues, answer questions, develop strategies, and plan upcoming meetings. Still others use e-mail to communicate and share information on a real-time basis. Indeed, sharing information via e-mail is a particularly efficient way to communicate. The chair can either summarize information for other committee members or forward the message.

By establishing ongoing communication with the audit committee chair, audit executives can:

* Build a trusting relationship with the audit committee.

* Keep the audit committee up to date on issues and resolutions.

* Be viewed by the audit committee and others throughout the organization as a key resource, thereby improving the stature of the internal audit function.

* Understand the chair's concerns, so internal auditing can respond to them on a timely basis.

It is only through strong, ongoing communication between the audit committee chair and the CAE that the internal audit function will gain the support it needs to be most effective.

KEY 2. BUILD AUDIT COMMITTEE AWARENESS OF RISKS AND BUSINESS ISSUES

As revealed through interviews with audit committee chairs, risk awareness--ensuring a thorough understanding of the complete set of key risks that the company faces--is a growing priority of many committees. "Audit Committee Involvement in Risk Assessment or Risk Management" on page 54 reveals the level of understanding regarding risk that committee chairs say their audit committees have.

Many audit committees now tasked with overseeing enterprise risk management look to internal auditing for answers to several questions:

* What is the company's risk profile? What risks are associated with both corporate and line-of-business strategies? How do various events affect the risk profile?

* What risks are covered in internal auditing's risk assessment? What risks are not within its scope? Is internal auditing focusing on the right risks?

* How well does the internal audit function's plan link to the risk assessment?

* How does the plan keep up with the company's changing risk profile, risk trends, and systemic issues?

Regulatory and listing rule changes are driving audit committees to develop a thorough understanding of an organization's risk management processes. And, in turn, audit committee chairs say their committees are seeking more information not just about financial reporting risks but also about organizational, reputational, technology, and other risks.

Leading audit committees have developed comprehensive, integrated processes to ensure that no major risks escape board-level oversight. However, results from the survey, as well as anecdotal evidence, suggest that audit committees are struggling to fully understand and embrace their vastly expanded risk management roles and challenges.

Such struggles can spell opportunity for internal auditing, which can add value by:

* Leveraging its risk-based audit processes to identify risks to be assessed and to create risk profiles.

* Providing summaries of risk and control trends and systemic issues.

* Clearly describing the linkages between risk assessments and the internal audit plan.

* Working with chief risk officers and other managers to systematically bring information about risks and important business issues to the audit committee's attention.

* Identifying and resolving differences of opinion between the risk management and internal audit functions.

Many internal audit functions appear to have made a good start in helping increase audit committee awareness of risk issues. According to survey results, 59 percent of internal audit plans include an evaluation of the adequacy of the company's risk management processes. In addition, 81 percent of CAEs responding to the survey indicated that their internal audit functions currently identify and communicate emerging risks to the company. But the fact that not all internal audit functions are doing so provides an opportunity for improvement.

KEY 3. EXPAND OR FORMALIZE AUDIT COMMITTEE TRAINING

According to many of the audit committee chairs interviewed, they formalize training plans at the beginning of their annual planning cycle, identifying the continuing education topics they wish to cover during the year and how they'll obtain such knowledge. Audit committees look to formal conferences, in-house boardroom education, and allocating specific sessions at audit committee meetings to provide training needs.

To support such proactive audit committees, CAEs can assist in assessing training needs and in developing a related training program. For example, if the audit committee wants to address a significant company accounting policy at each meeting, internal auditing can play a role in such sessions, explaining how it addresses underlying processes in its plans. Or, focusing on risk management topics, the internal audit function could develop a working list of the most significant risks facing the organization and work with the audit committee chair to ensure each is covered during meetings in the upcoming year, thereby allowing the audit committee to get a deeper understanding of the underlying issues.

For new audit committee members, internal auditing should participate in a robust orientation program to ensure that these members have a thorough understanding of internal auditing's role, scope, and reports. Survey results indicate only 62 percent of orientation programs cover internal auditing's role and relationship with the audit committee. Effective orientation on the company's operations, financial reporting, internal control, compliance activities, and other areas will enable new committee members to add value sooner.

CAEs also should consider jointly attending selected conferences with the audit committee chair. This practice enables both parties to build their knowledge bases while strengthening their relationship.

KEY 4. FACILITATE GREATER INTERACTION WITH THE AUDIT COMMITTEE

Internal audit functions are increasingly more common. Indeed, companies listed on the New York Stock Exchange are now required to have such functions. Many committees limit their interactions with internal audit personnel to the CAE. Interviews conducted with audit committee chairs indicate savvy CAEs are taking steps to provide audit committee members with broader exposure to other internal audit managers and staff by:

* Having different internal audit managers present to, and interact with, the audit committee on topics relating to their specialty.

* Having the entire audit committee meet with the internal audit management team.

* Scheduling separate one-on-one meetings between the audit committee chair and the managers who report directly to the CAE.

As "Benefits of Interaction Between Audit Committees and Internal Auditing" on page 55 shows, both the internal audit function and the committee members can benefit from increased levels of interaction.

RAISING THE BAR

In the past, CAEs often supported audit committees by developing agendas and preparing briefing material for meetings and by doing standard reporting on internal audit activities. For many CAEs, such activities remain a focus of their dealings with the audit committee. However, at a time when the audit committee is grappling with a highly demanding environment, internal auditors must raise their performance level to address the committee's heightened needs and expectations.

In providing increased support to audit committees, CAEs need to match the greater scope and intensity of activities that leading audit committees are undertaking. And, they need to lay the groundwork for internal auditing to be viewed as a trusted strategic adviser to the audit committee, as opposed to a meeting facilitator.

To comment on this article, e-mail the author at cbromilow@theiia.org.

CATHERINE L. BROMILOW, CPA

PARTNER, CORPORATE GOVERNANCE GROUP

PRICEWATERHOUSECOOPERS LLP

BARBARA L. BERLIN, CPA

SENIOR MANAGER

CORPORATE GOVERNANCE GROUP

PRICEWATERHOUSECOOPERS LLP

RICHARD J. ANDERSON, CPA, CFSA

PARTNER, LEADER

INTERNAL AUDIT ADVISORY SERVICES

PRICEWATERHOUSECOOPERS LLP

RELATED ARTICLE: Benefits of Interaction Between Audit Committees and Internal Auditing

* The internal audit function can develop a better understanding of the needs and viewpoints of audit committee members, while building audit committee support.

* The stature of internal auditing can be enhanced by increased dealings with the audit committee.

* Audit committee members can develop a stronger appreciation for the broader capabilities of the internal audit function as a whole as well as the capabilities of internal audit managers reporting to the CAE. Both are key to the audit committee's responsibility to oversee the internal audit function's effectiveness, as well as to its consideration of succession planning for internal auditing.

RELATED ARTICLE: Global Focus on Audit Committees

A marked increase in audit committee activity is occurring around the world, primarily driven by rules and recommendations issued in response to local corporate crises and scandals. Audit committees' involvement in overseeing internal auditing, risk management activities, and the effectiveness of internal control is clearly expected and explicitly stated in many countries' rules.

AUSTRALIA The Corporate Governance Council of the Australian Stock Exchange (ASX) issued "Principles of Good Corporate Governance and Best Practice Recommendations" in 2003. This document outlines 10 essential corporate governance principles and includes recommendations regarding the composition and role of the audit committee. The ASX recommends that audit committees be composed of nonexecutive directors, a majority of whom are independent, and that the audit committee's role include, among other things, assessing the performance and objectivity of the internal audit function; reviewing results of risk management and internal compliance and control systems; and assessing whether external reporting is consistent with audit committee members' information and knowledge and is adequate for shareholder needs.

CANADA Canadian Securities Administrators issued rules to improve investor confidence in early 2004. The rules mandate independent audit committees, require written committee charters, authorize audit committees to communicate directly with internal auditing, and cover a variety of other issues.

CHINA The China Securities Regulatory Commission requires at least one-third of board members to be independent directors, and its rules provide for the optional appointment of an audit committee. If an audit committee is established, a majority of its members must be independent, and at least one independent director must be an accounting expert. The committee's principal responsibilities should include supervision of the internal audit function.

GERMANY A government commission appointed by the Ministry of Justice adopted the German Corporate Governance Code (Kodex) in February 2002. In July of the same year, the Transparency and Disclosure Act was passed, requiring companies by law to publish an annual statement of compliance or noncompliance with the code's recommendations. The code recommends the establishment of audit committees to deal with issues of accounting, auditing, and risk management.

HONG KONG The Rules Governing the Listing of Securities on the Stock Exchange of Hong Kong Limited and The Rules Governing the Listing of Securities on the Growth Enterprise Market of the Stock Exchange of Hong Kong Limited require listed companies to establish an audit committee composed of nonexecutive directors, a majority of whom are independent. The audit committee should have clear terms of reference, including oversight of the financial reporting system and internal control procedures. For issuers with an internal audit function, the audit committee should review and monitor its effectiveness and ensure it has adequate resources and appropriate standing. The rules also require directors to report to shareholders annually on whether they have conducted a review of the effectiveness of the system of internal control and, if not, the reasons why.

MEXICO The Securities Market Law, Ley del Mercado de Valores, was last updated in 2004. It requires listed companies to establish an audit committee with a majority of independent directors. The Mexican Securities and Banking Commission recommends that all public companies adopt its Code of Best Practices, which recommends the size, role, and responsibilities of the audit committee. Among those responsibilities are assisting the board in reviewing financial information for external reporting and helping to oversee internal control systems and to evaluate their effectiveness.

THE NETHERLANDS The Dutch Corporate Governance Code, issued in 2003, recommends practices for the supervisory board and the audit committee. The supervisory board should supervise the operation of the internal risk management and control systems. The corporate governance code recommends that audit committees be established and fulfill an oversight role with regard to the responsibilities and functioning of internal auditing and the organization's compliance with recommendations and observations.

RUSSIA A Corporate Behavior Code was developed through the efforts of regulators, the business community, and professional advisers and recommended by the government in November 2001. The Federal Commission for Financial Markets, in April 2002, recommended the code for adoption by all regulated exchanges and listed companies. Compliance is voluntary. The code recommends the establishment of an audit committee for purposes of implementing and monitoring controls over an organization's financial and business activities. The code also recommends that the audit committee consist solely of independent directors.

SOUTH AFRICA The King Report on Corporate Governance, issued in 2002, focuses on board and audit committee practices and their conduct to improve governance. The role, function, and reporting requirements of internal auditing are specifically covered. Audit committees are required to concur in the appointment and dismissal of the internal audit head. And, the report recommends that internal audit plans be based on risk assessment as well as on issues highlighted by the audit committee and senior management.

UNITED KINGDOM The Combined Code on Corporate Governance, issued in 2003, has appended guidance on internal control from The Turnbull Committee, guidance on audit committees from The Smith Group, and suggestions for good practice from the report authored by Sir Derek Higgs. Regarding internal auditing, audit committees are advised to monitor and review the effectiveness of the internal audit function--including reviewing internal auditing's remit, appointing or terminating the head of internal auditing, and meeting privately with the head of internal auditing at least annually. The Turnbull guidance recommends that directors acknowledge in annual reports their responsibility for the company's system of internal control and for reviewing its effectiveness. It also recommends that boards disclose whether there is an ongoing process for identifying, evaluating, and managing the significant risks faced by the company.

Many other countries have issued similar rules for audit committees. For all rules, including those described above, it is important to refer to the text for specific language and to become aware of any subsequent changes.

Audit Committee Involvement in Risk Assessment or Risk Management

PERCENTAGE OF AUDIT COMMITTEE CHAIRS WHO AGREE THE COMMITTEE:
* Understands the company's key risks.                             94%
* Understands management's processes used to assess risk (e.g.,    88%
  impact, likelihood).
* Understands management's processes used to identify events that  88%
  put the company at risk.
* Believes management's action plan to mitigate key risks is       84%
  appropriate.
* Understands and concurs with the company's risk appetite.        83%
* Understands management's plans to mitigate key risks.            81%
* Is comfortable that emerging risks are identified timely.        81%
* Understands who is responsible for risk identification,          78%
  assessment, and management throughout the company.
* Believes it receives sufficient information to determine         68%
  whether the company's risk assessment or management processes
  are effective.

SOURCE: PwC survey of audit committee chairs