The Audit Committee and Its Expanding Role in Risk Management

By H. Felix Kloman

The National Association of Corporate Directors and The Center for Board Leadership have just published "Audit Committees: A Practical Guide." It is the work of a Blue Ribbon Committee on Audit Committees and will have a major effect on the practice of risk management. Risk and risk management are now board responsibilities. This is a document that every practicing risk manager should read, review and understand. It clearly sets the guidelines for ultimate reporting on risks and their management in any organization, profit, nonprofit or governmental.

Audit committees of the board have been required for New York Stock Exchange listed companies since 1978. This work defines a new focus on not only financial reporting but also risk assessment. The authors state that "many audit committees focus on financial reporting but neglect to assess risk." They continue: "the risks faced by companies span a broad range, including competitive, environmental, financial, legal, operational, regulatory, strategic, and technological to name only a few. Of course, the audit committee alone cannot monitor all these risks. Rather it must rely on the collective efforts of many other parties to do so — including in some cases other board committees. Nonetheless, it plays a key role in ensuring that risk is included in the 'line of vision' for other key participants in the audit process." Risk management is clearly a central challenge for both CEOs and boards today, along with financial reporting and the audit function itself.

The paper describes why corporations need audit committees, who should lead them and serve on them, how to make them more effective, how to initiate and maintain best practices, and how to operate effectively within legal requirements. It includes nine appendices containing:

  • a sample charter (in which risk management is the first of eight "primary responsibilities"),
  • a self-assessment guide,
  • sample questions for an audit committee (again, "risk" is the first topic),
  • a sample committee calendar,
  • "red flags" for financial reporting and risks (27 factors relating to management characteristics, industry conditions, and operating statistics),
  • an internal audit charter (the first item in scope of work is "risks are appropriately identified and managed"),
  • a sample representation letter to the audit committee,
  • an excerpt from the Public Oversight Board Report, and
  • key moments in the history of audit committees.

In the list of responsibilities, the report includes four steps in "monitoring risk management (identification and control):"

  • ensure evaluation of the risks faced by the organization.
  • assess the organization's control objectives and whether these objectives have been met.
  • receive risk assessments from both the internal and external auditors as well as from management.
  • obtain from the internal and external auditors and management an understanding of key control issues facing the company, and monitor progress on those issues.

This report explicitly details the risk management responsibilities of audit committees and sets the stage for new risk reporting and communications. To purchase a copy of the report, contact: The National Association of Corporate Directors, 1707 L Street, Suite 560, Washington DC 20036. Telephone: (202) 775-0509 or visit:

Felix Kloman is the editor and publisher of Risk Management Reports, in Lyme, Connecticut. He is also a member of the board of directors of the Nonprofit Risk Management Center.

© 2003 Nonprofit Risk Management Center