PwC (2011), Executive Summary, Chapter 2 & 4


Chapter 2: Risk Management and The System of Internal Control

1. Risk Management Process

A robust process to manage risks helps a company achieve its performance and profitability
targets. Ideally, such a process links risk management to company strategy and risk appetite,
effectively identifies potential events that may affect the company, and mitigates risks that
are at an unacceptable level. Internal control systems are designed to help companies
mitigate known risks, and so audit committees’ oversight of internal control and risk
management is often intertwined.

To provide a framework to assist companies with improving risk management, a number of
organizations have issued relevant guidance. The two most prominent frameworks are by
the Committee of Sponsoring Organizations of the Treadway Commission (COSO) with its
Enterprise Risk Management – Integrated Framework and the risk management guidelines
released by the International Organization for Standardization (ISO).

2. Internal Controls

The system of internal control is essential to a successful risk management program.
Internal controls can help mitigate risk exposures to an acceptable level. Various countries
have developed control frameworks to assist companies in designing and assessing controls.

The Sarbanes-Oxley Act requires U.S. public companies to report on internal control over
financial reporting. Companies must document, test, and evaluate these controls and
provide a report that:

• Acknowledges management’s responsibility for establishing and maintaining
  adequate internal control over financial reporting
• Identifies the framework management used to evaluate controls
• Indicates management’s conclusion regarding the effectiveness of those controls
• Describes any material weaknesses that exist

3. Incentive and Fraud Risk

Regulators and shareholders are focusing on the link between compensation and risk in
companies – particularly whether incentives may prompt executives and employees to take
unacceptable operational risks. Audit committees focus more on the extent to which
incentives may encourage fraudulent financial reporting. Ideally, compensation committees
design compensation packages that promote ethical behaviour without compromising long-
term shareholder value.

4. Financial Reporting Fraud Risk

Asset misappropriations are the most common form of fraud, followed by corruption.
Though financial statement fraud is less common, it has a much greater financial impact, the
report found. Weaknesses in internal control can make companies more susceptible to
fraud. One type of fraud that is of grave concern for audit committees is financial reporting
fraud. It is commonly defined as a deliberate misrepresentation of a company’s financial
position, stemming from intentional misstatements or omissions in the financial statements.

Audit committees need to consider the potential for increased fraud risk. And if the
company is in a challenging economic environment, these risks may be exacerbated. Once
the audit committee understands any factors increasing fraud risk, it’s better equipped to
properly oversee the internal controls related to fraud detection.

5. Bribery and Corruption Risk

Bribery and corruption are significant and growing risks for companies. Companies need
robust control systems to mitigate the risk of bribery and corruption. One helpful starting
point for audit committees that are trying to understand the level of bribery and corruption
risk in their companies is to assess whether their companies are operating in regions and
industries that are more susceptible to corruption. Audit committees should focus on how
management is minimizing the risks of bribery and corruption fraud to protect the
company’s reputation and reduce its exposure to financial penalties.

Chapter 4: Oversight of Management and Internal Audit

1. Overall Relationship with Management

Management has deep insight into the company and its challenges, and therefore is best
positioned to recommend what information the audit committee needs. Management also
marshals and prioritizes the resources and training that are essential to the committee
effectively discharging its responsibilities. The support flows both ways.

Management should seek the committee’s input when making key decisions and promptly
inform the committee chair when significant issues arise. If the committee sees this
communication is lacking, it needs to clarify its expectations with management, ideally as
part of a private conversation.

2. Management Bench Strength

Given the complexity of financial reporting, the work of a knowledgeable and technically
competent finance team is vital to an audit committee’s faith in the financial reports it
reviews. So, the audit committee should understand the skill, competency, and adequacy of
resources on the finance team. Committees should consider being engaged in succession
planning for the senior finance team. One way is to periodically discuss with the CFO how
key finance team managers are being groomed for advancement.

3. Meeting with Management

Formal and informal meetings with management are essential to a strong relationship. Of
course, the main venue is the formal audit committee meetings. Management typically
takes the lead in presenting on many agenda topics. Management participation should focus
on engaging in meaningful dialogue with the committee, answering questions, and
providing additional insight. To deepen the relationship, the audit committee chair and CFO
should meet informally throughout the year. This not only provides the chair with better
insight into the issues the company is dealing with, but also enables a stronger rapport
between the CFO and the chair.

4. Defining Internal Audit’s Role

Internal audit usually covers areas such as assessing the company’s key risks and how well
they’re mitigated; assessing IT security; and conducting investigations. Internal audit’s role
should be reflected in its charter. A charter sets out internal audit’s purpose, authority,
reporting structure, and responsibilities, and should specify that the group cannot perform
responsibilities that could hinder its objectivity.

5. Internal Audit Plans

Internal audit bases its annual plan on its risk assessment, which ideally should match up to
key risks identified in the company’s overall risk management program. An internal audit
plan may be appropriate at the time it was approved, but unforeseen developments can
arise afterward. Some internal audit departments build “cushion” into their plan to address
these unforeseen developments. Audit committees should better understand whether
internal audit has an adequate budget to provide the right risk coverage and whether there
are any constraints on internal audit’s scope.

6. Understanding Internal Audit Resources

Once the audit committee is satisfied with internal audit’s plan, the next question is
whether internal audit has the right resources, especially if the company’s operations and
strategy have increased in complexity. There are several ways to “staff” an internal audit
function, and different approaches may affect the department’s effectiveness. Some
companies have their internal audit departments fully “in house.” Others outsource most or
all of the work. Many take a hybrid approach – using outside resources in selected
circumstances to make the overall function stronger. The audit committee should
understand the department’s plans to address any resource or skill shortages. At times, it
may make sense to rent those skills, although if done long term, the committee should be
satisfied that is the right answer. From a strategic perspective, the committee also will want
to oversee any decisions to more broadly outsource the internal audit function.

7. Communicating Audit Results

Internal audit’s interaction and communications with management and the audit committee
greatly affect how the function is perceived. Positive perceptions are more likely if internal
audit ties its work and findings to the company’s business objectives and priorities. The
audit committee should expect internal audit’s reports to be as professional as the
information the committee receives from other parties.

8. Internal Audit Reporting Lines

The internal audit reporting level is important. It should demonstrate the highest support for
internal audit’s mandate, and it should support the function’s objectivity. Often internal
audit reports both to executive management and to the audit committee. The audit
committee chair can reinforce the reporting relationship through periodic contact with the
internal audit director between audit committee meetings. In major companies, sometimes
this interaction is monthly.

9. Internal Audit Leadership

The internal audit director drives the function’s effectiveness and perception in the
company. This person’s background, experience, and executive presence play a key role in
whether other executives view him or her as part of the management team and whether
they hold internal audit in high regard. The internal audit director walks a fine line, as a
member of management and as the leader of an internal group that is expected to be
objective of management.

10. Private Sessions

The audit committee should hold regular private meetings with the internal audit director,
ideally at each in-person audit committee meeting. These private sessions should be
scheduled as part of the agenda, and astute committee chairs preserve time for the
sessions, even when other agenda items run over. Although it’s more typical for the sessions
to be held at the end of the meeting, some committees schedule them at the beginning so
the committee can be alert to issues when the discussion arises.

11. Evaluating Internal Audit Performance

The audit committee can rely on internal audit’s work and findings only if the function fulfills
its duties. And so it’s important the committee periodically discusses the department’s
effectiveness. Discussion with the CFO and other members of management will provide
additional views, including how internal audit is perceived throughout the company and
whether the function approaches its work with a client service mentality.
