Audit Committee Special Projects
A program of risk oversight is only as good as the processes that support it; breakdowns in those processes may lead to failures that can jeopardize companies. The question is how boards and CFOs, or other executives in charge of risk programs, can work together effectively and close any disconnects.
The disconnects that can exist between CFOs and boards were highlighted in a recent survey of nearly 200 board members by Corporate Board Member and Deloitte LLP, Bridging the Gap. While boards and CFOs were aligned in many areas, the survey found that directors, more often than not, thought CFOs were spending less time on risk management than they really were. Specifically:
Just 1.6% of board directors said their CFO spends between 50% and 75% of his or her time on risk issues, compared with 5.4% of CFOs who said they devote that proportion of their time to risk issues.
Less than one-third of directors (30.7%) believe their CFOs spend between 25% and 50% of their time on risk, compared with 42.9% of CFOs who chose that time range.
Among board directors, 67.7% said CFOs spend less than 25% of their time on risk issues, while slightly more than half (51.8%) of CFOs indicated they spend less than 25% of their time on risk issues.
Providing boards the ‘right’ level of information. For example, some CFOs struggle at times to strike a balance between giving the board the right information and avoiding information overload. Among the suggestions offered was holding regular quarterly meetings with the board to discuss the risk profiles of the business units, based on the likelihood of particular risks as well as the potential impact of each risk.
What boards need to know are the critical risks—the top 10 risks—not stacks of reports with too much detail. But getting to that can be a challenge. Another challenge is making clear the migration of risks from high priority to lower priority.
Linking risk to business strategy. Reviewing risks and mitigation plans in light of an organization’s strategy is also important. An organization is doing well when everyone understands where the strategy is going and the difference between right and wrong ethical choices for getting there; the point of arrival is when risk is understood by your employees.
FSC Special Project Examples
A future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives. Internal controls and efficiencies are evaluated during this type of review.
General Controls Review
A review of the controls which govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data center, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes).
Application Controls Review
A review of controls for a specific application system. This would involve an examination of the controls over the input, processing, and output of system data. Data communications issues, program and data security, system change control, and data quality issues are also considered.
System Development Review - Source Code
A review of the development of a new application system and/or proprietary code. This involves an evaluation of the development process as well as the product. Consideration is also given to the general controls over a new application, particularly if a new operating environment or technical platform will be used.
This is an audit that takes place as a result of a report of unusual or suspicious activity on the part of an individual or a department. It is usually focused on specific aspects of the work of a department or individual to support the mandate of the Audit Committee.
Call or email us to order a free assessment.