Many of us who are or were in the profession of internal audit typically supported the work of the Audit Committee (AC) in our respective roles whether as a member of the IA team or the Head or Director of Internal Audit. This including working with, for and under an Audit Committee Chairperson as well as members of the Audit Committee.
One of the unique experiences I went through in my 29 years of corporate life that included close to 10 years as Director of Internal Audit on a public sector agency was to serve three different Audit Committee Chairpersons. What made it particularly unique was that for three of those 10 years, I was also the Audit Committee Chairperson of a Government Linked Non-Profit entity.
During the period as both the Director of Internal Audit, I was also the Audit Committee Chairperson. This allowed me to review audit issues and corporate governance issues from the lens of both the IA practitioner as well as the Audit Committee Chairperson.
Whilst both had similar objectives and concerns, one was more operational and the other was more oversight and strategic.
In reality, the experience allowed me to see things from both sets of lens and they provide a very useful insight into what goes on in the minds of the IA Director and the AC Chairperson.
The key differences between the two perspectives was mainly that of perspective and details.
In general, when you are in the AC as a member or the Chairperson, you are responsible for governance and exercising oversight over what the entity is doing in terms of designing, implementing and ensuring that adequate internal controls exist within the organization to allow it to achieve its corporate objectives.
The Director of IA is part of the organization’s control mechanism in providing the third line of defence against failures of the organization other lines of defence for internal controls such as management, and the second line, i.e. risk management or compliance. IA is provides independent assurance to both management and the AC that controls are in place and working effectively.
Thus, IA has to be more details oriented but yet able to articulate the audit issues or areas of control weaknesses or lapses.
AC Chairs look more at the big picture but need to know sufficient details in order to make sense if management is being straight with them in terms of the presence and effectiveness of controls.
The ideal AC Chair is able to both align the big picture of knowing the key risks and controls for the entity and be technical enough to assess from the IA’s reports whether management takes controls and compliance seriously. At the same time, the AC’s role is not to micro-manage management by telling them what controls to put in place. The AC Chair’s role really is to help ensure that all stakeholders in entity discharge their duties. That management balances their entity’s mission and objectives in a controls-conscious way to be in compliance to the regulations and the entity’s own policies.
I have encountered AC members who forget that as a member of AC, their role is not to direct management to take specific actions unless it is a clear case that management is in dereliction of their fiduciary and management responsibility in applying sufficient controls to manage the risks of their business. This resulted in a lot of tension and awkwardness the AC member got involved in even engaging certain department heads directly on certain audit issues.
I have also encountered AC Chairs that were sharp, able to move smoothly between having a reasonable understanding of the audit issues at the operational level, but able to zoom in on whether the issues were once-off or systemic. They also knew to ask about the root causes for why the audit issue surfaced, i.e. was it that the business process was poorly designed, did not have adequate controls or was due to the staff not trained well enough to adhere to the robust rules and regulations set-up by the entity?
AC Chairs also have to manage and at times mediate the interactions amongst the audit committee members. I recall a member who was too invested into the entity’s controls and would on his own accord meet up with line function heads over the audit issues to try to “solve” their problems. Whilst I commended his drive and passion, I thought he had overstepped the boundaries of what the AC should or should not do.
At the end of the day, being an AC Chairperson had its interesting times and challenging times.
My own stints as a AC Chair for a government linked entity as well as for a non-profit professional association have both helped me develop a better appreciation of the entire value-chain of statutory audit, internal audit and the audit (and risk) committee.
Leave a Reply