Assessing Risk
Assessing potential risk is an important task when selecting the most significant oversight issues to audit. Auditors can review the information they have gathered early in the audit (such as governance structure and minutes of board or committee meetings) and determine whether they can identify indicators that oversight may be at risk in specific areas of an agency, board or authority.
A list of common indicators that oversight may be at risk is presented in Table 6. While such indicators can be useful to target further examination work, their presence should not be indiscriminately accepted as evidence that an oversight deficiency exists. Auditors must always gather sufficient appropriate evidence to support a cause-and-effect relationship before concluding that the presence of an indicator means that an actual deficiency exists.
Table 6 – Indicators that Oversight May Be at Risk
- A wholesale change of board members took place or turnover is very high, there is a lack of turnover of board members or excessively long terms, or replacements of board members are not staggered in time.
- The board’s relationship with the CEO is overly strained, the CEO is not being transparent with the board, the board’s relationship with the CEO is too cozy, or the board does not (or rarely) question and challenge the CEO.
- The chair or the CEO is overdominant at board meetings or management is reluctant to talk at board meetings.
- Conflicts of interest are a frequent occurrence among the members of the oversight body, or actions taken to manage known conflicts of interest are not documented.
- There is no communication about the organization’s code of conduct or there is no code of conduct, or board members are not in compliance with the code’s requirements.
- The regulator is too close to the regulatee and independence is compromised.
- The chair of the board is involved in the organization’s day-to-day management or there is no segregation of duties between the board and management.
- The board or its committees rarely meet or they hold short, orchestrated, perfunctory meetings.
- The board has no charter and/or no governance manual.
- Board members do not understand their roles, are not aware of the scope of their oversight responsibilities, and believe that many aspects are management’s responsibility.
- The organization’s governance structure does not include an audit committee.
- Internal audit recommendations are not, or rarely, implemented, or internal audit is being dismantled or outsourced.
- The board does not periodically review regulations that apply to boards of directors.
- The board is too passive in defining its information requirements and/or fails to follow up on information requests.
- There is an absence of risk management policies and processes or risk management policies and processes are not being implemented.
- There are significant organizational problems: poor performance against operational or strategic targets; significant delays and cost overruns; a high number of complaints, penalties, and fines; or risks that are escalating.
- The organization has a history of repeated failures for specific types of projects or initiatives.
- Business activities are not aligned with the organization’s mandate.
- There is poor documentation of oversight activities and decisions.
- There is a lack of or misleading performance information.
- There is failure to take follow-up or corrective actions when significant issues are brought to the attention of the board or its committees.