5 Questions You Should Ask Your Audit Committee

Are you a risk and compliance professional?

Risk and compliance professionals rarely get the chance to interact personally with their audit committee members. Wouldn’t it be nice to know how your work contributes to their judgments and how to anticipate what they need from you?

To find out, we recently sat down for a webinar with two industry-leading audit committee chairs to hear their thoughts on these topics.

Everything You've Always Wanted to Ask Your Audit Committee

This webinar was hosted by the SOX & Internal Controls Professionals Group, which is composed of professionals who are actively involved in Sarbanes-Oxley, internal controls, and internal audit processes. The group fosters networking among members, promotes industry thought leadership, and provides unique opportunities for members to share best practices. Members of the group submitted questions they have for their audit committees, and we chose a handful to answer during the event.

According to a recent survey report from Forbes and KPMG, 60% of executives believe audits should help in assessing risks and management processes. Providing the necessary information for audit committees is consistent with the desire to create and disseminate accurate audit practices and results.

The following responses from Bob Herz and Scott Stubbs are pertinent information that will help clarify the audit committee's roles, responsibilities, and concerns.

What information does the audit committee receive?

BH: Audit committees receive a number of reports, along with their findings. We see internal audit reports and findings, results of regulatory examinations for regulated entities, SOX deficiency reports, observations and comments from external auditors, along with findings from the compliance group.

How do audit committees use this information?

BH: We use this information to find patterns, understand root causes, and identify issues for which senior management attention and accountability is required. The company should compile a remediation plan on each issue, keep track of its progress, and identify how significant control deficiencies are being mitigated in the meantime.

What are the top concerns for an audit committee chair?

SS: Risk, failing to understand a process and how to keep the process going, making sure you have the right people in the right place, and managing change. These are huge areas that are fragile for any company.

BH: There are three categories that are top of mind for me:

1. Change. If you are not changing, you are at risk. You can't keep the status quo as the world and your competitors are changing and moving on. However, change can bring new risks. Assess if the risk there is with and without change and if the company is capable and competent to implement change effectively.
2. Controls and culture. Assess if the right controls—internal controls and financial reporting—are being implemented around new changes. Does the company's culture emphasize and embrace the importance of having sound internal controls?
3. Outdated technology. Technology that is embedded in change and controls touches several high-impact areas such as data protection, data privacy, and data quality that are needed in both external reporting and internal decision-making reporting. Using inefficient technology can create higher risk of data issues for organizations.

To what extent do you want to be informed about issues related to compliance, deficiencies, audit, and risk?

SS: The audit committee might not need to know about every control failure, but there should be some compensating control. However, when there is a material failure or an issue revolving around ethics, the audit committee wants to know about it. It is important to know what the issues are, what is material, or what could become a material or ethical issue.

BH: For material and ethical issues: summarize what the issue is, why it is an issue, put it into context, report on remedial and disciplinary actions and management accountability, and lessons learned. See if there are themes of issues, if further investigation is required, and if the root cause has been identified.

How do changing technologies affect controls and auditing?

BH: The changes in technology affect controls and auditing, which may vary by the size of the company, industry, and maturity. Smaller companies can be more hands-on with less resources and have more responsibility in decision-making. Larger companies may have more resources and structure to rely on. However, cybersecurity is a prime concern for everyone, regardless of the size of your company and what industry the company is in. As cyberattacks are evolving, defense, detection, and response mechanisms must evolve as well. So, the company should keep up with controls and vulnerability assessments.

SS: Cybersecurity is the number-one risk for any company. From phishing emails to the passing of data, this is a reason why internal audit and controls should be brought in early. Make sure controls are built in, that they are part of the process, and they are integrated on a day-to-day basis. Companies, especially smaller ones, are tempted to underspend in this area, but it can be crippling for them if the unthinkable happens.

Key takeaways

As demonstrated, audit committees receive significant amounts of information. However, it is important that they sift through each piece with scrutiny. With ever-changing technology, audit committees are only becoming more aware of what the red flags may be and how to combat them. Similarly, if you see red flags, respond accordingly.

Watch the full webinar on-demand to hear more of your questions posed to the audit committee chairs about establishing a relationship with your audit committee, the audit committee's preferred level of involvement, and more.

More about the interviewees

Bob Herz

Robert H. Herz was Chairman of the Financial Accounting Standards Board (FASB) from 2002 to 2010. He is also a board member and chairman of the audit committees of Fannie Mae and Morgan Stanley. Before joining the FASB, he was PricewaterhouseCoopers' North America Theater Leader of Professional, Technical, Risk & Quality and a member of the firm’s global and U.S. boards. He is both a U.S. certified public accountant and a U.K. chartered accountant. He also serves on the board of directors and audit committee for Workiva.

Scott Stubbs

P. Scott Stubbs currently serves as a member of the board of directors of ZAGG Inc. and as the audit committee chairman. He has also served as Chief Financial Officer at Extra Space Storage since December 2011. Prior to that, he served as Chief Financial Officer of the Lyon Company and as the U.S. Controller of Critchley Inc. He is a licensed CPA.