Does Your Company Need A Business Risk Management Process Or An Internal Audit Function?

As 2007 begins, many listed companies are starting their assessments of internal control systems and risk management practices for their corporate governance reports. What factors should be considered in meeting Board of Directors and Audit Committee responsibilities under the Code of Corporate Governance Practices (the "Code")? Effective business risk management practices contribute to the long-term, continuous existence and profitability of a company. An Internal Audit function can be the most important tool the Audit Committee and full Board of Directors have in monitoring management's effectiveness in creating and maintaining both effective risk management practices and internal control systems.

Section 2.1 of the Code requires the Board of Directors to conduct an annual assessment of the Company's system of internal controls. Section 3.3 requires the Audit Committee of the Board to maintain oversight of the Company's financial reporting system and internal control procedures, including risk management systems. In meeting these requirements, recommended best practices include: (a) in Sec 2.2, reviews of management's assessment and monitoring of business risks and internal controls; and (b) in Sec 2.5, an annual assessment of the need for an internal audit function, if the Company does not have one. Unfortunately, there is little specific additional guidance as to what should be evaluated in performing these assessments and how the reviews should be conducted.

The following questions are adapted from guidance by the Institute of Internal Auditors (IIA). These can help in assessing the effectiveness of, or need for improvements in, management's business risk process and internal control system. These are particularly useful for listed companies that are required to comply with the Code, companies considering a future listing, and companies that wish to establish a reputation for effective corporate governance practices.

Is Business Risk Management Effective?

  • Has management established a formal, documented business risk management program?
  • In an informal risk management process, is the level of risk considered consistently by management in making decisions and is the result of the risk assessment documented in files supporting the decision? Are the risk assessments communicated to the Board?
  • Whether the process is formal or informal, has senior management assigned specific responsibility for identifying, monitoring, managing, and reporting business risk to appropriate people who are in the best position to be aware of the risk environment for their functions?
  • Is relevant and reliable internal and external information identified, compiled, and communicated in a timely manner to those who are positioned to act to manage the risks and to those who must be aware of the risk environment of the company?
  • Is there a process that is regularly conducted in which risks are identified and analyzed, and actions taken to mitigate them?
  • Are controls in place to assure that management decisions are properly carried out?

Is An Internal Audit Function Needed?

  • If there is no internal audit function, has management established a regular program for monitoring internal controls? Does the program include monitoring controls over senior management actions and fully report any control failures?
  • Is the informal internal control process sufficiently independent of management?
  • If there is no internal audit function, has management assigned responsibility to someone having sufficient authority in each area of the company's operations?
  • Do internal auditors have the support of top management, the Audit Committee, and the Board of Directors as a whole?
  • Have the internal auditors been given a written list defining the scope of their responsibilities and has a copy of the assigned responsibilities listing been reviewed by the audit committee for adequacy?
  • Is the organizational relationship between internal auditing and senior executives appropriate?
  • Do the internal auditors have and use open lines of communication and private access to all senior officers and the audit committee?
  • Are reports on internal control failures and issues distributed to the right people and acted upon in a timely manner?
  • Do the internal auditors have an appropriate level of expertise?


If you have several "No" answers to the questions in either set, please refer to our next newsletter issue, which will discuss some cost-effective approaches for implementing a business risk management program and establishing an internal audit function.

Through our Business Risk Advisory Services, CWCC can provide your company the independent support necessary to meet both the spirit and Code requirements for assessing risk management and internal control systems in improving the effectiveness of corporate governance practices.

 


Contact Point   

Richard Archer

Email: archer.richard@cwcccpa.com

© 2003 CWCC All Rights Reserved