AUDIT and risk committees must share greater responsibilities in order to help boards of companies and committee chairs to handle increased EU requirements on financial and non-financial transparency.
In response to the increased demands for corporate transparency in the Eighth Company Law Directive, the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) outlined several areas where collaboration between the two committees could help meet that end.
The two bodies recommend a ‘three lines of defence’ approach, based around operational management, internal governance functions and internal audit.
The first line has responsibility and accountability for assessing, controlling and mitigating risks; the second monitors and facilitates the implementation of effective risk management practices; and the third provides assurance to the group governing body and senior management on the organisation’s effectiveness.
Key to that mechanism is clearly defining the role and responsibility of each committee in order to avoid overlap and ensure that the coverage of risk is comprehensive. In particular, the bodies said, reviewing the risk management systems should be a shared responsibility.
Under those auspices, a framework and system should be recommended to the board, risk tolerance and appetite determined, and regular considerations and adjustments made depending on conditions or circumstances.
To that end, a chief risk officer or equivalent is necessary, FERMA and ECIIA said. Such an appointment gives the function greater visibility and helps ensure it is appropriately resourced, while by the same token, its performance and effectiveness can be accurately assessed.
Review of external auditors’ reports should also be shared in order to allow the risk committee to act on threats identified by auditors.
But before any of that can happen, a coherent and effective relationship must be fostered between the two bodies, FERMA and ECIIA added, with emphasis placed on reconciling the findings of both internal and external audits and acting on the risks identified.
“Overall, the burden for audit committees is increasing and the knowledge requirements of their members are expanding,” explained FERMA President Julia Graham. “Even if some EU countries already have reporting requirements that go beyond what the EU is now imposing, there is a clear constraint on the time and resources of audit and risk committees when they set their agenda. The support of risk managers and internal auditors has become more relevant than ever to ensure meaningful and qualitative reporting.”
Thijs Smit, ECIIA president, added that the increasing regulatory and business burdens necessitate efficient and integrated corporate models.
Ten recommendations made by FERMA and ECIIA

Review risk management systems: assess and evaluate the risk profile in light of the activities concerning risk appetite, risk development and risk aggregation, and provide advice to the board.

Appoint a chief risk officer or equivalent: assess the performance of the framework and procedures in place.

Review the external auditor’s report: exchange with the audit committee on the risks identified in the financial reporting process.

Relationship and coordination: communicate with the audit/risk committee on the risks identified by internal auditors, their impact and recommendations. Identify areas where assurance is required, and ensure that appropriate assurance is received and that this informs and updates the organisation’s risk profile.

Report annually on the effectiveness and efficiency of risk management: review annually the performance to determine whether it is functioning effectively.

Oversee the integrity of the financial reporting process and financial reports: after review with the management and the external auditors, the committee should recommend to the board for approval the financial statements and reports that are intended for publication.

Review the efficiency of internal control and risk management systems: regularly meet with the management, the external auditors, the internal auditors and other assurance functions to discuss issues and concerns warranting committee attention.

Review and appraise the audit activities (independence, objectivity and effectiveness of the audit process): approve all non-audit services and advise the board on statements to be made in the annual report regarding the statutory auditor’s provision of non-audit services.

Supervise the internal audit function: review the scope of the internal audit plan, including the work programme and the quality control procedures, and also approve the internal audit charter.