What Can Audit Committees Do to Better Understand the Organization’s Risks, Including Fraud Risks, and the Adequacy of Controls in Place to Mitigate Those Risks?

The global financial crisis and continuing economic turbulence have exposed organizations with poor risk assessment and management practices, and should serve as a warning to all organizations. The seeds of financial fraud are sown in the combination of business and financial risks facing an organization and the inability of its existing internal controls to cope with them. The most prevalent means of committing fraud is the override of internal controls by management, especially senior management.

For the audit committee to monitor risks effectively, it must first understand the risks the organization faces. In its Effective Enterprise Risk Oversight guidance (listed under the resources below), COSO indicates that risk cannot be monitored effectively in an ad hoc fashion; it requires an approach that looks broadly at the organization (through an enterprise framework) and encompasses: a comparison of the organization’s strategies with its risk appetite (that is, the level of risk the organization is willing to accept in order to increase donor or member value); an understanding of the processes management uses to identify, assess and manage risk; and a means of reviewing and appraising management’s response to significant risks. Recognizing that a strong internal control system is the key to risk management, the audit committee can then set the tone at the top that fosters the growth of suitable controls. Some considerations:

Review risk assessments developed by management. Risk comes in many forms, including economic, legal, financial, environmental, market, technological and competitive. The audit committee cannot be expected to continuously monitor all business and financial risks itself; rather, it should rely on the specialized skills and research of other parties for input. The audit committee should ask management and the internal and external auditors for their assessments of business and financial risks in the areas within the committee’s responsibility. It should make these inquiries on a regular basis and receive updates whenever the risks the organization faces change significantly.

Receive internal auditors’ reports directly, without management filtering. Direct interaction with the internal auditors gives the committee a sense of the effectiveness of the organization’s internal control and its compliance with laws, regulations and organization policies.

Review internal and external auditors’ recommendations for improving controls, as well as management’s responses and follow-up to those recommendations. In doing so, the audit committee should focus on the more significant control weaknesses. Understanding management’s actions and attitudes toward improving control procedures helps the audit committee gauge management’s tone at the top.

Ensure that the organization’s financial reporting infrastructure can support its current and future needs. The management information systems must be able to provide management with all the information it needs to run the business while producing clear, accurate and timely external financial reports.

Work with the full board and other committees of the board, as necessary, to ensure that a broad assessment of risk is understood and considered by all.

Some resources to consider include:

  • COSO’s Effective Enterprise Risk Oversight – The Role of the Board of Directors
  • COSO’s Enterprise Risk Management – Integrated Framework (Executive Summary)
  • COSO’s Strengthening Enterprise Risk Management for Strategic Advantage

Refer to the internal control section on the next page for further information.

BDO Insight

The audit committee should be alert to areas where management, and senior management in particular, can override otherwise effective internal controls. The AICPA’s “Management Override of Internal Controls: The Achilles Heel of Fraud Prevention” describes ways to mitigate override, including independent review of financial reports, internal and external audit procedures, and analytical review procedures. The audit committee should understand and assess how the external and internal auditors, as well as the organization’s compliance department, address the risk of management override of internal controls. For organizations that have experienced errors, fraud and/or management override of controls in the past, audit committees are further encouraged to perform look-backs on those historical breaches of internal control and ask how the organization is better prepared to address those risks today.
