I’m a member of three audit committees: a national charity, a world-class university, and a global multilateral organisation. In my career I have been to thousands (literally) of audit committee meetings.
Whilst audit committees vary in terms of effectiveness, form, nature, personalities, remits, scopes and charters, there is, I think, an ideal (in a Platonic sense) of what an audit committee should do, i.e. any good audit committee should do certain things.
I don’t want to list all of the things an audit committee should do. Instead I wish to focus on one core thing – its dialectic. So let’s define this (per Wikipedia):
Dialectic or dialectics (Greek: διαλεκτική, dialektikḗ), also known as the dialectical method, is a discourse between two or more people holding different points of view about a subject but wishing to establish the truth through reasoned arguments.
This is a core process for audit committees. It is not aggressive or conflictual. It is a joint process to discover the ‘truth’. Who holds those opinions? Well, the management team, independent auditors (both internal and external) and the independent audit committee members. What is truth? Long-time readers of my blog will understand that I have epistemological and ontological issues with the concept of ‘truth’. Simply, I don’t believe in truth. Evidence and ‘facts’ can be interpreted in different ways to create different ‘truths’.
So what is the dialectic process in audit committee settings? Well, I think it is the core process and point of audit committees. An audit committee is delegated a role of independence and organisational oversight by the board. Most audit committees oversee, as their core task, the suitable application of risk appetite (as set by the board) through ensuring there is a reasonable system of risk management and that risks taken are within the board-approved risk appetite. They also oversee governance. So they will ensure the management and the board are working to ‘direct and control’ the organisation effectively (which is the definition of governance). They also oversee the implementation of control.
Now there are various definitions of control – one that sees control as compliance with rules and procedures and another that sees control as mitigation of risk through control actions to be within the organisation’s risk appetite. It may appear that control can be detached from risk and risk appetite, but what is a system of control if not a designed set of actions to ensure risk is mitigated to within risk appetite? Personally I would cut out the middle man and just define control as mitigation of risk within appetite, rather than set it up as being something independent of risk, which ultimately is a documented version of risk appetite control in any case.
So how does the audit committee dialectic fit? Well a good audit committee will receive data (normally reports from the management team or auditors) and it will debate these. Through this debate it will attempt to discover the ‘truth’ of the data presented. At a fundamental level do these data tell the committee that the board-approved risk appetite is being breached or not? Are the systems and processes of governance, risk management and control working adequately?
So this means it is incumbent on all parties at the audit committee to bring their opinions and be willing to debate them. This for most audit committees takes the form of debating reports, considering the author’s view and comparing them to the response or to the committee’s own views. So for management reports the audit committee should decide whether it is happy with the data and views presented and approve or not modifying actions. This is the basis of its consideration of reports, fundamentally to approve the actions taken / to be taken as proposed in the report. For audit reports the audit committee should consider the audit and management view and then decide to approve the management response to risks or not.
Yet I’ve been in so many committees that do not do this. They either don’t consider reports (there are too many of them); or they are conflict avoidant (and yes some tension and conflict is helpful and necessary in an audit committee); or they are not presented with anything to consider. Far too many of my audit colleagues are guilty as charged on this one. For what value is an audit report without a conclusion or an opinion? How much less valuable is a report that does not include a risk-based opinion?
So all of my audit colleagues will claim to be risk-based. Yet they do not form risk-based opinions, or in many cases, any conclusion. For the presentation of a list of risks and issues is not an opinion or a conclusion. There is no ‘truth’ to test.
I work hard with my team to make them form an opinion. It is difficult. Often there is no right or obvious answer. So, as an example, is a complex aid programme in a conflict state good or bad? Is net risk too high? Hmmm. Difficult to tell. But if an opinion is not formed the audit committee cannot do its role. It cannot approve the management response (to do less, nothing, or more) to the report. It cannot apply, on behalf of the board, the organisation’s risk appetite. A series of decisions to improve the organisation either in terms of control or value cannot be made and implemented.
Back to my team. Finding a set of issues or risks is fine. If one reads them, however, and is none the wiser whether those tell me something is good, bad, or indifferent, then what is the point? My team has the very brightest and best and they are getting great at forming a view, though it takes constant work in my experience. If, later, we discover that opinion turns out to be wrong then fine – if we could predict the future we would be in the business of buying lottery tickets, not audit. At the time we issue the report, however, through the audit committee dialectic process we will have created organisational change through stating an opinion and a ‘truth’ to be tested. That is the point.
So why do we as auditors fail in this? Well, as auditors we confuse audit with science. We confuse complexity with impossibility. We apply our conservative nature to avoid taking risk ourselves. We are conflict avoidant (though a dialectic process is not meant to be conflictual). Yet having an opinion and sharing that in a proportionate, justified way is our core job. We are best placed, being independent of management, to do this. We can say what we like and we should (must) do that. As auditors we should work hard (with Socratic questioning if necessary) to enhance our audit committee’s dialectic processes.
So how is your audit committee’s dialectic?