Accounting

The Shifting Role of The Audit Committee in Working with Management to Effectively Oversee Risk


by Maureen Bujno and Krista Parsons

Learn more about the four highest priority risks for audit committee oversight.

© ajijchan/iStock/Getty Images Plus

The unique challenges of today’s business landscape and unprecedented levels of risk are causing audit committees to approach risk oversight in a much different manner than they have in the past. With the risk landscape exponentially shifting, it’s more important than ever for audit committees to understand management’s process for identifying and assessing emerging and strategic risks. This includes understanding how external risks with the potential to disrupt the company’s strategy are continually being sensed, as well as how those emerging risks are being considered within the organization’s overall risk governance framework.

Audit committees have a significant role in setting the tone with regard to the importance of this continual monitoring. The audit committee’s role in understanding the management infrastructure and related policies to govern an effective risk management process is not new. But, given the number of new risks, the audit committee should prioritize its discussions with regard to risk oversight, make sure key risks are on the agenda, and spend time brainstorming with management about other risks that should be included and continually monitored.

As a result of the pandemic, the audit committee’s oversight role in risk oversight may have shifted and, arguably, may be more critical than ever for the 2020 year-end reporting cycle. There are several actions audit committees can take to recalibrate their oversight to bring the best insight on risks to the business, including:

  • Understanding management’s process for continual refreshment of key risks. Audit committees should work with management to understand how risks are being continuously identified – something which is even more important in today’s environment where emerging risks could disrupt the business. In addition, the audit committee should understand how new risks are included on the organization’s risk map, who the risk owner is, and whether it is material and should be adequately captured in disclosures.
  • Understand risk sensing. A number of the emerging risks in today’s environment are external to the organization – those risks that the company cannot control but could have a significant impact on the business. These may include geopolitical uncertainties, regulatory shifts, supply chain constraints, competitor moves, and market risks. Many of these risks may be strategic and therefore the responsibility of the full board to discuss and oversee. The audit committee has a role in understanding management’s process for sensing these risks (including how and who is responsible) on an ongoing basis and for identifying potential triggers. These triggers should be monitored to allow for effective scenario planning with the board.
  • Allocate risk oversight across the board and its committees. Risk is never the responsibility of a single individual or group within an organization, which is why it’s important for the audit committee to work with the board to allocate oversight of key risks across the full board and its committees. Something as simple as utilizing the risk map to define how key risks are overseen can help make sure there are no gaps in oversight of the key risks. This is even more important in today’s challenging and rapidly shifting environment as companies grapple with risks they may not have had to manage and continually monitor in the past.
  • Tie identified risks to strategy. The audit committee should further make sure that any newly identified strategic risks are being discussed at the full board in conjunction with the organization’s strategic objectives. The full board should understand the impact such risks could have on the business and if management is prepared to pivot if needed.

Risks in today’s environment cannot be monitored within a vacuum. It is critical that financial stakeholders within the business are tapped for their on-the-ground expertise since their insights can have strategic importance to the risk oversight approaches the committee and the board develop. To do this, shifts may be needed to support how finance management and the audit committee work together. These shifts may include:

  • Viewing risk as dynamic and iterative. In a typical year, finance teams may evaluate risks at designated times (e.g., year-end, mid-year), but today’s swiftly changing environment has relegated the one-and-done risk assessment approach to the past. Risk is no longer static. Just as the SEC expects companies to dynamically evolve their risk disclosures to match the external risk environment, so too is it imperative that management proactively considers risks on an ongoing basis, making sure the risk dashboard is updated regularly and shared with the audit committee (even as a pre-read) for every meeting.
  • Bring a risk lens to every audit committee agenda topic. Because the audit committee typically has a full meeting agenda, the audit committee chair should work with management to proactively prioritize agenda discussion topics through a risk lens. Working with management, the audit committee can help set the tone for each presenter to focus on the topics with the most risk associated with them. From a financial perspective, this could mean having the CFO or controller discuss those financial statement line items that include significant estimates that have the most judgment. In these discussions, the audit committee should focus on understanding the process by which those estimates were developed, how management landed on the particular number, and where there were grey areas. Another example is working with the Chief Audit Executive to make sure he/she spends presentation time focused on key risks /issues identified in the plan and work performed. Additionally, with regard to setting a “risk-lens,” the audit committee should work with management to make sure the highest priority topics are at the top of the agenda and appropriate time is given to those areas. Over the course of a year, the audit committee should aim to consider all of the top risks (under the Audit Committee purview) through discussions with the respective risk owners during audit committee meetings. This may at times feel excessive or tedious, but these discussions can help align the board, audit committee, and management on the evolving risk environment.

Many financial professionals agree that the economic uncertainty and transformed operating environment created by the ongoing COVID-19 pandemic has caused significant shifts in the nature of financial and other risks. Currently, some of the highest priority risks for audit committee oversight at organizations include:

  • Fraud risk: In the US market especially, new forms of government lending and stimulus, shifting supply chains are creating new opportunities for fraudsters to take advantage of businesses that finance teams must anticipate and manage.
  • Financial reporting: As part of executing their governance and oversight responsibilities, audit committees should proactively serve as a sounding board and resource for management as they navigate the current financial reporting landscape.
  • Ethics and compliance: Whistleblower hotline usage has increased in the remote work environment, pressuring finance professionals to keep up with uncovering, investigating, remediating, and preventing fraud within the four walls of their organizations.
  • Cyber risk: The shift to the remote working environment has threatened the security of systems in place, making organizations potentially more vulnerable to cyberattacks. It is important for organizations to assess how the risk of cyber attacks has changed, and to apply appropriate controls to mitigate it.

Whatever the risks at hand, companies that align strategy and risk are better positioned in terms of strategic resiliency, which is a way of thinking about the ability to anticipate and act on risks when introducing new strategies. In today’s risk environment, it’s important for audit committees and management to partner on risk oversight and management to be better prepared for risk events and to maximize the likelihood of success despite the challenges posed by COVID-19. Organizations that can do this successfully will find themselves in a better position to anticipate, adapt, and manage risks heading into 2021.

Maureen Bujno is a managing director in Deloitte’s Center for Board Effectiveness and the Audit & Assurance Governance Leader at Deloitte & Touche LLP. Krista Parsons is a managing director in Deloitte’s Center for Board Effectiveness and is the Audit Committee Programs Leader at Deloitte & Touche LLP.