Video transcript: Audit and risk committees: How do we make them more effective?

Transcript for a video of a presentation about using your audit and risk committees more effectively, filmed at the 2019 Audit New Zealand client updates.

Title: Audit and risk committees: How do we make them more effective?

Andy Burns (Audit Director, Audit New Zealand)

I just want to introduce this session which I want to build as a conversation. This is a conversation about all the committees, just to get a poll of the people out there. Can you give a show of hands of how many people you’re organising to have audit committees at the moment? Quite a few. So, you know what it’s all about and you all think they work absolutely perfectly and have no problems with them whatsoever, or maybe not.

This conversation’s all about how we make audit committees more effective. The main thing I want to say is; you don’t really want to listen to me; you want to listen to the panel members. I might chip in along the way and I might chip in at the end. But what I want to do now; we’ve asked each of our panel members to come up with the three things that will make audit committees more effective. When I say audit committees; I mean audit and risk committees. I think the panel is going to stay at the table to introduce your three things, and we’re going to start with Graham. I am hoping that works Graham, because I have no idea how you turn it on - it does.

Graham Naylor (Independent Member of Tasman District Council's Audit and Risk Committee)

Thanks Andy. The three factors that I believe are the most important for supporting high performing audit risk committees are firstly: People. Secondly: Appropriate professional relationships. Thirdly: Appropriate agendas and communications. Starting with people; from an audit perspective of an ARC, I think it’s key that you have the right people on that committee. By that, I mean you’ve got to have at least some of the people that have appropriate skills and knowledge, so that they actually can support the right questions and challenges being put up. I believe that those people must have some understanding of the audit process. By that; I’m mean they’ve got to understand what the opinion means, and what the various communications from the auditors to the committee actually mean. I’ve seen situations where an ARC believe that because they were getting so called, ‘clean,’ audit reports or audit opinions, that everything was fine. But in fact, it wasn’t, and they were being told in the various other communications from the auditors that that was the case, but they didn’t understand it. As well as being financially literate, or what I call financially literate; you need to also have committee members that have got enquiring minds. What I call a healthy level of scepticism; don’t just take everything at face value. There’s got to be also, a good understanding of what the organisation does; what are the processes that it has?

From a risk perspective; people are also very important. But in this case, I believe the importance is actually that management have a good grasp of the risk subject and what risk management actually involves. Because it’s management that actually have to own that risk management process within an organisation and I’m think that if you don’t have that, you just don’t get an effective risk management function operating within an organisation. What I called appropriate professional relationships; really, is that the committees got to have effective working relationships with everyone that they interact with.

By that I’m mean; the internal auditors, the external auditors and any other advisors that provide advice or information to them. Auditors have been called the eyes and ears of those concerned with governance. I believe they can provide audit and risk committee members with valuable insights into an organisation. Things like the attitude to risk that the staff have, the competence of staff, the organisations culture, the quality of reporting that goes through to those concerned with governance, and the robustness of a controlled environment are just a few examples. Audit risk committee members won’t always see eye to eye with those advisors, so it’s important that they can actually have those robust conversations with those people, but still maintain a working relationship going forward. Those relationships must also have a reasonable proportion of that interaction occurring on a face to face basis, and I regret to say that even today that still doesn’t always happen and I believe that seriously compromises the effectiveness of an ARC because I think it’s important that committee members are able to ask those auditors' and advisors' questions, and get appropriate answers to those. The same applies I think in terms of the risk management side. The relationship with management must also be open and constructive, because again you won’t always get management and those concerned with governance, seeing risks in the same light.

Often, they will put different risk weightings on individual risks, and you need to be able to resolve that appropriately. My final factor is appropriate agendas and communications. As Andy said; the roles of audit and risk committees can vary. Some just call them audit committees, some call them audit and risk, some call them audit finance and risk. It doesn’t really matter. The critical thing in my view is that whatever their role and whatever they’re called, the agendas and the annual work programmes must address all the areas that they are required to cover under their committee charter. I like to see reports be clear, concise, free of jargon and having a very clear recommendation from management. I have a rough rule of thumb; that if committee papers are more than 100 pages for a meeting, that they need to have another look at those and see what they can cut out. I’ve seen one situation where there were 800 pages for an individual audit and risk committee meeting, and it was all because there was contentious item on the agenda, and management had decided that they’d just dump everything in there, rather than actually sort out what was important.

To me, that was just straight laziness, and to me it’s important that committee members are given the information that they want, and that need, and not just what management want to give them. When I’m the chair of an audit and risk committee, I always want to see the agenda and the papers prior to them being circulated to the committee and that’s to ensure that the information that is being circulated is appropriate. I also don’t like reports that are prepared only for the committees use. One of the areas that I find often occurs here, is risk reports that are prepared just for the committee. My view is that a committee should be able to use similar sort of reports that senior management are using to monitor and manage risk within the organisation, and if they can’t then I think there’s something fundamentally wrong. I am also a great believer in having context with papers.

I suppose a good example of this is; for infrastructure organisations, when asset condition reports are being presented to audit and risk committees. I think that not just providing the extent of assets that need attention within a certain period of time, but if you can provide the context of what is the total value or measure of that class of assets in total, it then gives the committee members an indication of a significance of the issue that they’re confronted with. That’s all I want to say at this stage - keep it brief. I’ll pass onto Kim.

Kim Wallace (Chair of Christchurch City Council's Audit and Risk Committee)

Thank you. Good afternoon, and firstly; thank you Andy for inviting me to participate in this panel today, I am very pleased to be here. I am based in Christchurch, and as Andy said my background has been from executive roles. I was 10 years as CFO and so worked within audit and risk committees, as well in the dairy industry. I was in the dairy industry for 24 years working in cooperatives, and now working in a governance career.  I think that it’s quite an art moving from management to governance, so I want to touch on that as well as I go through my theme, so taking it from both perspectives. The top three things around a match fit, I’ll say an audit committee for me, and there are some crossover from what Graham’s presented here as well, so around the composition and committee culture and having a good diversity and deep diversity of thought. Secondly for me: Around focus; balancing the committee’s time and effort on audit, whether that be internal, external and assurance matters around financial matters and prudence, probity and having the right physical responsibility and reporting coming through. And also your risk strategy as well, so I think there’s a role there for the chair to play and the committee to play in regard to that focus. Then thirdly; around key relationships as well. Around the first one; around diversity of thought. I chair three committees and I’m also on the audit committee of a fourth board as well. When I look at the different groups and the different cultures, I think collectively having a range of thinking being presented on the various matters that get presented to you, is just so important. Generally, I think that leads to a better, more effective and better decision making and outcomes. Broader insights around the effectiveness on determining how to progress with recommendations for board approval resolving to endorse, act or progress initiatives.

So, often in the audit committee, you have been formed as a sub committee of a board or of an elected member body, and your role is often to recommend through to the full board, and you have at some points some limited decision-making authority as well. So, you’re often there to ensure that there is assurance that appropriate actions are evident, you’ve got proper process, that reasonable expectations are being met and also your considering risk. When I think about that diversity of thought and who’s sitting around the table and when I’m chairing the committee, I’m mindful of succession planning and the fact that often you’ve got a bit of churn that’s happening in the different committees and on the board for the elected member bodies that you’re working for. So, you’re wanting to have, as Graham said; a good broad set of skills. Independence is very important as well, coming a cooperative structure and having in my experience; in the dairy industry you’ll have farmer elected members that come to the board that may have not worked with within an audit committee before, and may not understand how an audit committee functions and what their role is.

So, often you will need to be making sure that there’s clear expectations, inductions, understanding of the key challenges and understanding how that committee will function. Really important to have the ability to devote sufficient time to be well read and also to be able to step in and do some heavy lifting from time to time as it is required. I think that’s the key thing that often will catch you out; is that all of a sudden something will come from left field; whether it’s a significant black swan event of which here in Canterbury we’ve had many when I think about the earthquakes, and of course the terrible attacks on the city that we’ve had recently as well. So, being aware that from time to time have to lean into these situations that there’s a key role that the audit and risk committee may have to play, and so do you have the right capacity around the table to be able to step in and lean in together and collectively work through strategic matters when they come to you? You’ve talked about willingness to ask pertinent questions, and asking the right questions, and to be able to partake and contribute to discussions.

So, part of that is as I say is around being well read, being well engaged, understanding what the real strategic issues are in the organisation, being able to then translate them to having conversations at the audit committees around the matters that really you should be focusing on. So, that leaves me to focusing and balancing the committees time on audit, financial reporting and risk for example. I think about from time to time where you might have business cases or as a sub-committee there’s a specific piece of work that hopefully is not… how many pages did you say? - 800 pages long, but you might have to turn your mind to something that’s very pertinent, do a lot of due diligence working as a sub-committee. So I think just being very clear around the committees expectations and around how you work through that, and how you’re keeping that balance around whether it’s business plans, budgets, forecasts, or whatever that might that you’ve got adequate and equal discussion regarding financial opportunities which is often where you might want to leap to, and how do you balance that with financial risks as well as the reward. I think that’s something that as chair of the committee, you need to be just aware of that. Just around that focus; I do also see the benefit of having a self-evaluation of the committee.

So, from time to time you might want to just at the end of the committee meetings, be able to just have a bit of a self-reflection with the committee meetings to say, “How are we performing?” But certainly, that annual assessment is so important. To be agile and be able to work out, actually have we achieved what we set ourselves; from whether it’s out charter, terms or reference or whatever for the committee; have we actually been successful? And having a real honest conversation about that, and working out actually is our membership still fit for purpose, are we still matched fit, do we still have people who have got the time and the ability to contribute, and to work collectively? It could be fair to say a lot of responsibility often falls on the chair of the audit committee, and you might often be the only one that has financial experience, and so often people will say, “They’ve got this; the chair’s well informed.”

I suppose as chair, I think that’s something that I’m pretty hot on, is making sure that the board is aware of their collective responsibility and the need for everyone to reach a satisfied view to be able to recommend and approve key decisions that are coming through to the board as well. That leaves me to maintaining key relationships. Around the chair role, making sure that as things go through from management to the audit and risk committee and then through to the board, that there’s a very good line of sight and an understanding in keeping the board well informed. I see that as a dual role with both management and the audit and risk committee, and particularly the chair role, in making sure that the board is well informed on decisions that are coming through to them as well; why the audit and risk committee may have come to a decision; I think that that is important to be able to give some line of sight into that as well.

Having a chief executive and CFO that is engaged, and also invests sufficient time and effort in the role of what the audit and risk committee function, and what you need to be doing, and the performance of that. You were talking about board papers, and I think that’s just so important because you will focus the committee on what ever comes through in those board papers as well, so I think the chair making sure that those board papers are focusing us on what matters is just so critical. Working in partnership with your external auditors, make sure that they’re adequately informed on key financial matters, and also on the strategy of the business, because you can’t assume that from one year to the other that a business is going to go through the same organisational rhythm for those 12 months that they did potentially the year before.

I think that just keeping that agile mind and keeping your auditors informed on what’s going on and what your key challenges are is just really important, so whether that’s a kick of conversation you might be having at engagement time, and then there might be a pause and reflect at interim, and then obviously that final audit as well. I like having those sorts of structures in there, and just making sure there’s a clear and appropriate relationship there, but well informed and transparent with your audit partners, and really having a business partnership there. And lastly just engaging external advisors when you think it’s necessary; just making sure that you do raise your hand, and if that is absolutely necessary, and from time to time there’s things that you just don’t have the experience and the competence around the table. I think it’s just making sure that you make right calls on that as well. So, that’s me.

Greg Schollum (Deputy Controller and Auditor-General)

Thanks Kim. Going last; I get to say I agree with what the others have said. But I will just quickly run through my three for you, and there’s quite a strong overlap.

My first one is about mandate and scope of the committee. I think you’ve got to have the right mandate and scope, and it’s got to be broad, so this is sort of in a sense the reach of the committee. It’s already been mentioned; I think it’s got to be audit and risk, so it’s a focus on the business, not the audit, obviously it includes the audit. Financial information and non-financial information. Parent and subsidiaries if there’s a group, and planning and reporting, so looking forward and looking back. I think that’s multi-dimensional; I think the committee should have a very broad mandate, doesn’t mean deep examination of all those parameters, but I think the mandate has to be broad. And, I think that has to be captured nicely in purpose of a committee. I think it has to have the backing of the governing body, so if there is a board of directors, which isn’t always the case, but if there is a board of directors and an audit committee, or if it’s a council with elected members and an audit committee, it’s really important the audit committee’s not left out in the cold. It’s got to have a really strong connection I think with the governing body and have the backing of the governing body.

Critical friend – I’ve written down – and a sounding board. So, playing an important role in wearing a few different hats, I think potentially. Being a chief executive can be a really lonely role, as I found out recently, and having our own audit committee operate in that critical friend sort of mode, was really critical for me, and helped me to do that CEO type role that I was asked to do. Kim’s mentioned strategy. I think strategy and culture; obviously don’t have to be involved in shaping it but need to understand both of those things as a committee in order to put in context what you’re seeing coming through.

So, that’s my first one; the right mandate and the scope. The second one is rules of engagement, so this is sort of the operation of the committee, and I’m think Kim and Graham have covered a lot of this. I think an annual work program of the committee is important. It can be varied, but there’s a broad outline for each meeting; what are we focusing on? What are the general items, and what are the specifics that are going to come up in that meeting versus that meeting? And probably a quarterly cycle works well, can be more or less, but I think I would recommend that, and at certain meetings, deep dives into certain risk areas. I think it’s useful for management to have to front up and explain what they’re doing about risk ‘a,’ or risk ‘b,’ and for the committee to have time through a deep dive and proper agenda setting to be able to examine those sorts of things. Graham mentioned setting the agenda in conjunction with the chair; I think that’s really important. Committee-only time is important, but also so is time with the external auditor without management; I think that’s absolutely vital.

So, the external auditor can feel comfortable and be able to say what they think without necessarily having to manage the message with management there. Good relationship with the auditors been mentioned. I think that’s right. General ability to be free and frank – I think the rules of engagement of any committee like an audit committee, the members have to be able to feel that they can speak what’s on their mind, I think.

My third one is the right membership, and again it’s already been largely covered. I’m a strong advocate of an independent chair. I think if you don’t have an independent chair, you certainly need some independent membership, and a good mix of internal and external.

Those external members – it’s already been mentioned – but they need to develop an understanding of the business otherwise they’re just going to be always asking questions that are a little bit out of left field; might be relevant, sometimes hit the target, but they’ve got to really over time build a knowledge of the business, so the questions and the value that they’re adding will improve over time. I just noted some attributes for skills and experience and again lots been covered, but business acumen; I think its sort of number one for me. Industry knowledge; if there’s a particular industry, and this is not in individual members, but across the committee. I’ve got a vested interest in this, but some public sector experience is good in a public sector audit committee. Risk awareness, and obviously a knowledge of financial reporting and auditing, but I would not put that at the top of the list to be honest. Intellectual curiosity and professional scepticism, and I think those have been mentioned. Prepared and equipped to ask the right questions, would be how I’d sum up, so probably said enough Andy.

For more information and to download presentations, visit auditnz.govt.nz.

Watch the original video.