best practice for audit committees – critical fiduciary ... · page 2 session rules participate...

Best Practice for AuditCommittees – CriticalFiduciary OversightRoles30 OCTOBER 2014

SESSION RULES

► PARTICIPATE► RESPECT CONTRIBUTIONS BY OTHERS► THERE IS NO SUCH THING AS A SILLY

QUESTION► SHARE EXPERIENCES► NONE OF US IS BETTER THAN ALL OF US !!!

►CONTRIBUTE

Best Practice for Audit Committees - Critical Fiduciary Oversight Roles

YOUR POINT OF VIEW IS WELCOME


JPEG image

WHICH ANIMAL BEST DESCRIBES THEAUDIT COMMITTEE ?

Ant Cow Goat TortoiseAntelope Crocodile Horse RabbitBear Crow Hyena RatBee Dinosaur Jaguar SheepBull Dog Kangaroo SlothButterfly Dolphin Koala SnakeCamel Donkey Ladybird SpringbokChicken Duck Leopard BeetleCheetah Eagle Lion TigerFly Gazelle Shark Whale


SESSION EXPECTATIONS


THERE IS SOMETHING USEFUL FOREVERYONE


COMPETENT

B 10

A8

6

4

2

UNCONSIOUS -9 -6 -3 3 6 9 CONSCIOUS

-2

-4

-6

-8

C D-10

INCOMPETENT

SESSION OBJECTIVES

► DEFINE FIDUCIARY► DEFINE OVERSIGHT► AUDIT COMMITTEE OVERLAP WITH OTHER

BOARD COMMITTEES► ELEVEN BEST PRACTICE CONSIDERATIONS► EMERGING TRENDS IN AUDIT COMMITTEE

REPORTING► COMBINED ASSURANCE MODEL► QUESTIONS


DEFINITION OF FIDUCIARY

► A fiduciary is a legal or ethical relationship of trustbetween two or more parties. Typically, a fiduciaryprudently takes care of money for another person.

► Children or elderly people typically need a fiduciary.The person who looks after the assets on the other'sbehalf is expected to act in the best interests of the ...

► Fiduciary. An individual in whom another has placedthe utmost trust and confidence to manage andprotect property or money. The relationship whereinone ...


DEFINITION OF OVERSIGHT

the action of overseeing something."effective oversight of the financial reportingprocess"

synonyms: supervision, surveillance,superintendence, inspection, charge, care,administration, management, government,direction, control, command, handling,custody


OVERLAP OF AUDIT COMMITTEE WITHOTHER BOARD COMMITTEES

Best Practice for Audit Committees - Critical FiduciaryOversight Roles

COMMON NAMES OF AUDIT COMMITTEES:1) Audit Committee2) Audit and Finance Committee3) Audit and Risk Committee4) Audit and Oversight Committee

► WHAT DO THE EXTENDED NAMES IMPLY ?► WHAT IS THE LINK WITH THE

COMPENSATION COMMITTEE ?

Critical Fiduciary Oversight Roles for AuditCommittees1) Risk oversight2) Working with internal auditors3) Oversight of internal controls4) Relationship with the independent auditor5) Working with management6) Committee composition and operations7) Self-assessment and evaluation8) Interaction with the compensation committee9) Executive sessions10) Training and education11) Financial reporting oversight


Internal Auditing & Risk Management

► The Risk Management andInternal Audit functionsreinforce each other:-

q The Risk Management function’sfacilitated risk assessment formsthe basis for the internal auditplan;

q Internal Audit critically reviews theeffectiveness and efficiency of therisk and control framework;

q The Internal Audit functionmonitors the risk response,including the effectiveness ofcontrols;

q Internal Audit results are used tofacilitate ongoing riskmanagement activities andimprovements.

RiskAssessment

AnnualInternal AuditPlan

Facilitates

Internal AuditExecution

Facilitates

Risk&ControlFramework

Results

in

Facilitates

Internal AuditReporting

Results

in

Facilitates

MaintenanceofRiskManagementSystem

Internal AuditERM

Mutual

Reinforcement

between

Internal Audit and

Risk Management

Review


Emerging trends in disclosures by auditcommittees

CATEGORY DISCLOSURE 2012% oftotal

2013% oftotal

2014% oftotal

Disclosure inthe AuditCommittee (AC) report

Statement that the auditcommittee independentName of audit firm included in ACreport

58%

71%

55%

71%

59%

71%

AuditCommitteeComposition

AC with 1 FEAC with 2 FEsAC with 3 FEs

33%16%51%

30%24%46%

33%14%54%

Audit committeeresponsibilitiesregardingexternalauditors

Statement that the auditcommittee is responsible forappointment, compensation andoversight of external auditor

40% 53% 65%


Emerging trends in disclosures by auditcommittees (cont..)


2013% oftotal

2014% oftotal

Fees paid toexternal auditor

Explanation for change in feespaid to external auditorStatement that the auditcommittee is responsible for feenegotiationStatement that the auditcommittee considers non auditfees/services when assessingauditor independence

3%

1%

79%

5%

10%

79%

8%

19%

80%




2013% oftotal

2014% oftotal

Assessment ofexternal auditor

Disclosure of factors used in theaudit committee’s assessment ofthe external auditor work qualityand qualificationsStatement that the auditcommittee is involved in the leadpartner selectionStatement that the choice ofexternal auditor is in the bestinterest of the company and/orshareholderDisclosure of the year the leadpartner was appointed

16%

1%

4%

3%

19%

10%

24%

3%

31%

19%

46%

6%




2013% oftotal

2014% oftotal

Tenure of theexternal auditor

Disclosure of the length of theexternal auditor tenureStatement that the AC considersthe impact of changing auditorswhen assessing whether to retainthe current external auditor

26%

3%

31%

16%

50%

28%

Accessibility ofthe AC charter

Link available to site with charter 100% 100% 100%

Identification oftopicsdiscussed

Topics discussed by the AC andexternal auditor

8% 8% 8%


What is Combined assurance ?

1. A combined assurance model aims to optimise theassurance coverage obtained from management,internal assurance providers and external assuranceproviders on the (key) risk areas affecting thecompany.

2. The combined assurance provided by internal andexternal assurance providers and managementshould be sufficient to satisfy the audit committee thatsignificant risk areas within the organisation havebeen adequately addressed and suitable controlsexist to mitigate and reduce these risks.


Insights on combined assuranceBackground


Insights on combined assuranceWhat will the combined assurance framework result in?


InternationalBanking

InformationTechnology

Treasury Finance

EXAMPLE 1 OF A RISK REGISTER


Microsoft Excel97-2003 Worksheet

Value scorecard example #1

Utilization

Leadingpractices

implemented

Cost savingsrealized

Training

Audit plancompletion

Trad

ition

alIA

KPI

sEm

ergi

ngIA

KPI

s

Risk areascovered

Underutilized At or above target

No training 100% compliance

Compliance only Leading practicesabove target

No quantifiedcost savings

Cost savingsabove target

Significantly delayedprogram

100% auditcompletion

Compromisedrisk coverage

100% risk coverage

Is our team fully utilized at all levels within theIA function?

How many IA recommendations on leadingpractices were implemented by business?

What cost savings has IA identified throughcontrol efficiencies or operationalrecommendations?

Has the IA team completed training, CPEcredits, and appropriate certifications?

What percent of the audit plan beencompleted?

Have all significant risks been monitored by IAthrough the audit plan?

Benchmarkingand business

insight

What type of external business insight andindustry benchmarking is brought to thebusiness by IA? No external

insightsBenchmarking onall targeted areas

Assessment of KPI

Subject-matterresources

What percent of the audit plan makes use ofsubject-matter resources to increase auditdepth/value? General IA

team onlySMRs brought intoall targeted audits


The objectives of Combined Assurance

1. A combined assurance model aims to optimise theassurance coverage obtained from management,internal assurance providers and external assuranceproviders on the (key) risk areas affecting thecompany.

2. The combined assurance provided by internal andexternal assurance providers and managementshould be sufficient to satisfy the audit committee thatsignificant risk areas within the organisation havebeen adequately addressed and suitable controlsexist to mitigate and reduce these risks.


King III introduces combined assurance as arecommended governance practice

► “3.5. The audit committeeshould ensure that acombined assurance modelis applied to provide acoordinated approach to allassurance activities”

► “7.3.1. Internal auditshould form an integralpart of the combinedassurance model as internalassurance provide


Combined assurancemodel

The Source (Continued)

Principle 3.5 “The audit committee should ensure that a combinedassurance model is applied to provide a coordinated approach to allassurance activities”Ensure- How?

This means the Audit Committee should coordinate the work of allassurance providers using a suitable combined assurance modelmeant to address all significant risks facing a company

On What?Ø Financial controls (FCI)Ø Risk management processes (ERM)Ø Compliance (Regulatory)Ø OperationsØ IT Risks (Information Management and systems)Ø Sustainability (new requirement in King III focusing on social,

environmental and community impact of business activities).Best Practice for Audit Committees - Critical FiduciaryOversight Roles

Benefits of combined assurance


Numerous benefits could be achieved if combined assurance isimplemented in a balanced manner, which may include:► Maximising risk and governance oversight and control efficiencies► Optimising overall assurance to the audit and risk committee► Collaboration between audit and other assurance providers► A common view to risk► Providing a framework of how risks are covered by the various

assurance providers► Identifying areas of potential assurance gaps and facilitating the

implementation and management of improvement plans for the gapsidentified

► Better co-ordination of assurance providers reduces the risks ofassurance “fatigue”, identifies areas of duplication and createsopportunities for cost savings

► Improved degree of confidence that in assurance reports

Insights on combined assuranceBackground


► Within most organisations there are a number of assuranceproviders that either directly or sometimes subconsciously providethe board and management with certain assurances. The lack ofharmonisation between these assurance providers leads to thefollowing issues:► These functions are usually loosely aligned, connected via

informal channels and working with different riskcategorisations, terminologies, approaches and rating scales

► They interact independently with business units and linemanagers across the value chain

► Assurance ‘’fatigue’’ among line managers due to multipleuncoordinated interactions with risk and assurance functions

► Executive management and Board of Directors (BoD) receivingdifferent unaligned reports containing redundant or evenconflicting information

Insights on combined assuranceWhat will the combined assurance framework result in?


► A co-ordinated and relevant assurance effortfocusing on significant risk exposures

► Improved reporting to the Board and AuditCommittees including reducing the repetitionof reports being reviewed by the differentcommittees

► Alignment and co-ordination between thedifferent assurance providers

EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )1) Financial reporting oversightA primary responsibility of the audit committee is to overseethe integrity of the company’s internal controls over financialreporting, accounting and reporting practices and financialstatements. As financial reporting becomes more complex,the audit committee should determine whether the financialstatements are understandable and transparent.

Leading practices• Consider whether the company reports information that isreliable and understandable


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Continually evaluate capabilities of company personnel• Understand complex accounting and reporting issues, suchas fair value accounting and related assumptions, and howmanagement addresses them• Continue to focus on matters such as potential assetimpairments, quality of earnings, cash flows and liquidityposition, pension and major obligations and other ongoingbusiness, risk and financial statement issues affected byeconomic conditions• Review significant financial reporting and regulatorydevelopments, including their effect on the financialstatements and on the company’s resource needs


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Invest time in understanding the company’s operations andsignificant risks• Assess the quality of the accounting principles and theirappropriateness, considering alternative treatments

2) Risk oversightRisks by their very nature are uncertain and can affect allareas of a business. The audit committee’s role is to reviewand challenge, where appropriate, the company’sassessment of its risk profile and determine that riskmanagement processes are in


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )place, especially those affecting financial reporting andreputational risks.

Leading practices• Understand the company’s framework for risk assessmentand management’s related policies and procedures• Understand how the company documents and responds toidentified risks• Review whether the company is appropriately focusing onits risk intelligence gathering and assessment processes,and understand the company’s ability to both identifyemerging risks and anticipate risk events


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Review whether the risk disclosures in the financialstatements are appropriate, robust and understandable• Review the company’s major financial risk areas andunderstand the adequacy of controls and monitoringprocedures in place• Periodically reassess the list of top risks, determining whoin management and which board committees areresponsible for each• Meet directly with key executives responsible for riskmanagement and focus on whether they understand thatthey should inform the committee of extraordinary risk issuesand developments


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )that require the committee’s immediate attention outside ofthe regular reporting process• Focus on the company’s plans for achieving anyinformation technology (IT) milestones, especially for ITtransformation projects, given the importance of IT to mostorganizations• Understand the use, if any, of emerging technologies suchas cloud computing, as well as their relevance to thecompany and the associated risks• Understand whether IT security processes are updatedappropriately


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )3) Oversight of internal controlsInternal controls form an integral part of a company’senterprise risk management. While the audit committee’skey focus is on internal controls over financial reporting, thatfocus is expanding to assist with the board’s legal andregulatory compliance efforts.

Leading practices• Understand key controls and financial reporting risk areasas assessed by financial management, the internal auditorand the independent auditor, as well as mitigating controlsand safeguards


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Understand risk issues involving taxes• Understand internal audit’s role and planned coverage• Meet with the head of internal audit on a regular basis• Assess and help set the company’s tone at the top• Consider levels of authority and responsibility in key areas,including pricing and contracts, acceptance of risk,commitments and expenditures• Monitor implementation of significant internal controlchanges• Determine whether the company devotes the resourcesrequired for its internal control processes to functioneffectively


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )4) Relationship with the independent auditorOverseeing the independent auditor is a keyresponsibility of the audit committee. The audit committeeappoints the independent auditor, assesses itsindependence, discusses the audit scope and results anddetermines the independent auditor’s compensation. Candidand open communication between the independent auditorand audit committee is imperative for a productiverelationship.

Leading practices• Exercise ownership of the relationship with the ext auditor


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Get to know the lead partners and meet with themperiodically• Establish expectations about the nature and method ofcommunication, as well as the exchange of insights• Review the proposed audit plan and scope of work• Engage in regular dialogue outside the scheduled meetings• Focus on independence• Consider the findings from the audit and determine thatmanagement responds to the findings• Discuss with the auditors their views regarding thecompany’s internal controls over financial reporting


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Seek the auditor’s views on the effectiveness of thecompany’s governance process• Provide formal evaluations of the auditor as well as regularfeedback

5) Working with managementAudit committees rely heavily on management and thereforeneed an open and effective relationship. The committeeshould meet with the finance department, the legal counsel,and compliance, risk and ethics officers. Many auditcommittees are expanding these lines of communication toinclude business unit leaders, treasury and tax functions and


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )the chief information officer.

Leading practices• Focus on the tone at the top, culture, ethics and hotlinemonitoring• Work with management to anticipate and identify emergingissues• Provide input to management’s goal setting• Discuss succession planning for the CFO and staff• Conduct annual evaluations assessing management'scompetency and integrity


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )6) Working with internal auditorsAs audit committees take on increasing responsibilities,many are interacting with the company’s internal auditorsmuch more frequently, whether in relation to internalcontrols, compliance matters, “whistle-blower” hotlines orother matters.

Leading practices• Determine whether the internal auditors have a directfunctional reporting line to the audit committee and anindirect line to senior management for administrativeactivities


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Be involved with the internal audit risk assessment andaudit plans, including activities and objectives regardingcompliance with regulations• Understand whether the internal audit department isviewed as objective and competent by the independentauditors• Establish how the internal audit function relates to otherrisk related functions, such as legal, security, environmentalhealth and safety, compliance and credit risks, consideringduplication of efforts or gaps between these functions• Conduct annual evaluations assessing the effectivenessand competence of the internal audit department


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )7) Committee composition and operationsThe committee’s composition is an important part of itseffectiveness. The appropriate level of skill, commitment andavailability of its members is critical to the committee’s abilityto perform its responsibilities effectively. A range of diverseperspectives and thinking helps strengthen the quality ofaudit committee deliberations and provides real value tocompanies and shareholders.

Leading practices• Focus on committee composition issues, includingindependence, financial expertise, broad business or


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )leadership experience, and succession planning• Evaluate the expertise and competence of the members inthe context of the company’s strategy and risk profile todayand for the next several years• Consider the ability to work collectively, to challengedecisions in a credible manner and to avoid groupthink• Help promote healthy scepticism among fellow committeeand board members• Consider periodically rotating audit committee members,staggering the terms of service to bring in new skills andperspectives• Engage independent advisers as necessary


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Align audit committee meeting materials and agendas withpriority areas• Present compliance matters, standard reports andinformational items at the end of advance material packagesand meetings• Follow meetings with private and executive sessions withindependent auditors and the internal auditor

8) Self-assessment and evaluationTo be successful, an audit committee must understand itsresponsibilities and monitor its effectiveness, identifyingimprovement needs and opportunities. Regular performance


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )evaluation enables the audit committee to determine that it ismeeting the expectations of its members, the full board andregulators. An effective performance assessment processhelps the audit committee prioritize focus areas and can helpidentify areas for continuing education.

Leading practices• Perform a self-assessment in a thorough and thoughtfulmanner rather than treating it as a compliance exercise• Consider evaluating the performance of individualcommittee members and assessing the effectiveness of thecommittee as a whole


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Consider using self-assessment results as a catalyst to re-engineer processes, procedures and agendas, which shouldinfluence where the audit committee is spending time• Communicate with the board on activities andrecommendations• Consider the committee’s composition in the context of thecompany’s current and future strategy and challenges

9) Interaction with the compensation committeeWhile overseeing the assessment and disclosure ofcompensation-related risks is mainly the role of thecompensation committee and the full board, the audit


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )committee can help assess how certain financial metrics areemployed in the company’s compensation plans. Thecommittee can also review the proxy statement, thecompensation discussion and analysis, and otherdisclosures.

Leading practices• Coordinate with the compensation committee to helpassess how certain financial metrics are employed in thecompany’s compensation plans and to review the proxystatement• Periodically conduct meetings with the compensation


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )committee about management incentives and related topics• Consider, in conjunction with the compensation committee,the appropriateness of the incentive structure and whether itcontributes to increased fraud risk• Determine whether adequate and appropriate focus isbeing paid to the compensation of officers and directors,including the appropriate use of corporate assets such asvehicles andapartments

10) Executive sessionsAudit committees are increasingly holding private sessions,


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )often with internal audit, the independent auditor andmanagement. Audit committee members may use this timeto explore matters in greater detail, reflect on issues,evaluate what is working and what opportunities exist forimprovement, and identify follow-up actions.

Leading practices• Schedule regular sessions with and without internal audit,the independent auditor and management• Schedule regular sessions with various members ofmanagement, such as the CFO, controller, general counseland others as appropriate


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Consider private audit committee sessions both before andafter meetings with the internal auditor, the independentauditor and management• Provide clear objectives and expectations for each meeting• Prepare specific topics and questions• Understand the response and resolution for each issueraised

11) Training and educationAudit committee members — especially those who are newto the role — need sufficient training and education to fulfiltheir responsibilities. At a minimum, the education programs


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )should provide an overview of the company, cover the role ofthe audit committee and convey the expected timecommitment of the position. Any new audit committeemember also should meet with senior management,controllers, business unit leaders, internal audit, independentauditor and other committee members.

Leading practices• Make sure that board education as described in thecompany’s corporate governance guidelines is consistentwith best practice• Provide orientation for new audit committee members


EXTENDED NOTES ON CRITICAL ROLES OFAUDIT COMMITTEES ( for individual use byparticipants )• Consider offering continuing education in specialized orregulated industry matters, industry trends, reporting,operations and regulated topics• Consider customized programs of continuing education thataddress topics relevant to the committee’s needs andincorporate company-specific processes and objectives• Offer one-on-one and committee-level education


EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction and advisoryservices. The insights and quality services we deliver help build trust andconfidence in the capital markets and in economies the world over. Wedevelop outstanding leaders who team to deliver on our promises to allof our stakeholders. In so doing, we play a critical role in building a betterworking world for our people, for our clients and for our communities.

© 2013 EYGM Limited.All Rights Reserved.

EY refers to the global organization and/or one or more of the member firms of Ernst & YoungGlobal Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UKcompany limited by guarantee, does not provide services to clients. For more information about ourorganization, please visit ey.com.

This publication contains information in summary form and is thereforeintended for general guidance only. It is not intended to be a substitutefor detailed research or the exercise of professional judgment. NeitherEYGM Limited nor any other member of the global Ernst & Youngorganisation can accept any responsibility for loss occasioned to anyperson acting or refraining from action as a result of any material inthis publication. On any specific matter, reference should be made tothe appropriate advisor.

ey.com

best practice for audit committees – critical fiduciary ... · page 2 session rules participate...

Documents