Given the dynamic environment, the audit committee should take a close look at the company’s risk profile at least annually. Ideally, this review should be supported by an updated risk assessment by management. As the committee evaluates disclosure issues, an understanding of the key risks can provide valuable insights.
Some risks are considered from a disclosure perspective — for example, cybersecurity and privacy and identity incidents, litigation developments, changes in the market and other key risks, possible contingent liabilities that are not susceptible to reasonable estimation, and significant unusual transactions or events. The committee also should review the risk factor disclosures summarizing the most significant risks that apply to the company to ascertain whether the top risks are adequately presented, particularly the risks unique to the industry sector(s) and geographic region(s) in which the company operates as well as risks that are unique to the company itself.
There is value in understanding how the company’s view of risk aligns with or differs from the view of other firms in the industry. The audit committees cannot oversee the reliability of financial reports in a vacuum.
In the financial reporting process, management often exercises significant judgment regarding various subjective estimates and valuations that are sensitive to changes in external as well as internal risk factors. For example, when evaluating the adequacy of the allowance for doubtful accounts, management should consider such internal factors as changes in the company’s credit policies, collection history and the ratio of bad debt expense to actual write-offs by reporting period. External factors such as the expected economic outlook, competitive environment and emerging regulatory requirements are also relevant considerations.
Regardless of their designated role in the board’s overall risk oversight process, audit committee members should be cognizant of emerging business risks and changes in critical enterprise risks so that they can put into proper context the representations and assertions they receive from management; newly reportable critical audit matters and audit scope changes raised by the external auditor; and internal control concerns, errors and irregularities, and other findings presented by internal audit.
To that end, it may help the committee to have access to a periodic summary or profile of the top enterprise risks. Clearly, the environment is changing, and digital technology-related opportunities and challenges are driving many of the key risks. The audit committee should consider the following questions:
- Does the committee stay current concerning emerging business risks and changes in critical enterprise risks?
- Does it consider changes in these risks when exercising its oversight responsibilities?
- Does the audit committee understand the company’s risk profile and discuss with management the company’s policies related to risk assessment and risk management?
- If the audit committee takes on only risk oversight responsibilities that address the risks inherent in the committee’s chartered activities (e.g., financial reporting, fraud, reputation, and certain compliance, technology and other risks), does it collaborate with other board committees and the full board to ensure that significant risks are not overlooked by the board in its risk oversight?
- If the board delegates its risk oversight responsibilities to the audit committee, is the committee able to devote enough time to the risk oversight process as well as discharge its other responsibilities?
You can read more about risk oversight by exploring these related samples on KnowledgeLeader: