Achieving excellence: audit and risk
Tuesday 16 December 2014
The CGIUKI policy team and the judges of the Excellence in Governance Awards identify examples of good practice in reporting from FTSE 350 companies
A good audit committee report clearly and concisely explains what the committee has done throughout the year and demonstrates an understanding of the significance of the audit function to shareholders. Some audit committee reports entered into this year’s awards were not standalone, which is not compliant with the Corporate Governance Code. Those written by the audit committee chairman seemed to be better managed.
The best audit committee reports include an examination of the specific accounting issues considered. In particular, this should include anything which resulted in a debate between the audit committee and the auditor. The report should demonstrate what satisfied the audit committee that the approach taken by management was appropriate.
Companies should also consider explaining how they arrived at the ‘right’ number of audit committee meetings – a few companies only had two or three meetings, which the judges felt was rather light and needed some explanation. The same would apply if there were a lot of meetings, as that might imply there were issues.
There is a new requirement that the annual report be fair, balanced and understandable. Although this is a responsibility of the whole board, some audit committees made efforts to explain what they had done to establish that this was the case and why they were undertaking the work on behalf of the board.
The report needs to explain clearly how relations with the external auditor are managed, what is done to ensure their independence and the arrangements in place to monitor this to the satisfaction of the committee. This is likely to include a discussion of non-audit services and fees and why the level allowed is considered reasonable. It should include details of how the committee challenged the auditor’s work and what thought has been given to the tenure of the auditor. If tendering the audit has been considered then the issues that led to that decision should be stated. If there has been a tender, then the process and how the decision was reached should be explained. We read in one report that the auditor had ‘confirmed’ it is independent – this is not adequate.
Noticeable in more integrated reports is the way in which a meaningful discussion of the company’s strategy and its operations include an incisive analysis of specific risk. Some really good reports demonstrate an understanding that taking risks is the nature of business. They link these risks and their associated mitigation back to the strategy and business model – with KPIs and with remuneration. In some cases this included a description of how remuneration was used as a risk management tool.
There should be a detailed analysis of the process of risk governance within the organisation and how the effectiveness of this is tested. This provides evidence that risk management is seen as integral to strategy and operations rather than a compliance necessity. The best reports also show evidence that the company’s risk management is dynamic in terms of the identification of new risks; improvement or deterioration in the impact of risks; development of better mitigation practice; and the response to external environmental changes – such as how high-impact but low-frequency risks are managed. It is apparent that not enough companies see their competitors as a risk.
Identification of principal risks is important, but a number of reports beg some explanation of why so many risks are considered ‘principal’. These are areas fraught with difficulty, especially for those companies with US listings and the consequent input from US lawyers in the UK reporting process. UK companies should remember that this is a UK report and as such they are required to discuss principal risks and will be expected to indicate what they are doing to mitigate them. Tabular formats worked well for a number of companies. All of the winning and shortlisted companies were strong in this area.
Good risk reporting will also include an explanation of how the internal audit function is managed in a business, usually both in the risk section of the strategic report and in the report of the relevant committee. This might include disclosure of how controls have been improved, perhaps as a result of an incident or change, and a description of how risks that have grown in importance are being managed (if applicable). Case studies work quite well in this section of the report. Centrica provided a good overview of internal audit, including noting the audit committee’s responsibilities for appointment and removal of the head of audit.
Centrica talked about getting feedback from people within their business to ensure that the report was fair, balanced and understandable.
Experian’s section on audit tendering was very well thought through.
Halma’s audit committee report was very easy to read and was described by one judge as ‘passionate’. The company provided excellent disclosure of significant issues discussed by the committee. There was a helpful diagram, with good sections on auditor engagement, oversight and tendering, non-audit fees, training and cyber risk. It stated that one hour at each meeting is set aside for training audit committee members.
Great Portland Estates included clear information on how it assesses the external auditor and the audit tendering process.
Spectris provided good descriptions of the key issues considered by the committee, an interesting breakdown of who attends meetings to discuss which topics and why, a great discussion on ensuring that reporting is fair, balanced and understandable, and an interesting discussion on cyber security.
GKN provided an unusually high level of detail without compromising readability – including information rather than data. The report included some good detail in the audit committee’s main issues section, split between those issues relevant specifically to the 2013 statements and those of an ongoing nature. The company also provided a good description of the accounting issues and of how assurance had been obtained, including the use of external expertise. This report listed not only the material issues but also some others that were not significant but added to the ‘flavour’ of what was discussed during the year. GKN’s report included a clear explanation of how it assesses external auditor independence, including the use of internal audit to review, and an interesting note on the committee’s suggestions for improvements to the auditor.
Tullow Oil included a comprehensive audit committee report with a good description of how the committee spent its time, including details of key issues and of which judgements are unique to 2013 and which will recur.
Amec took the interesting approach of integrating risk management reporting into the business model review rather than it being a separate section, making it easy to understand the links to strategy and performance. The quality of information in this report was felt to be unusually high.
Centrica provided a clear overview of the risk management process and improvements made in the process during the year, as well as plans for improving the process the following year. It also provided a ‘box out’ of risks in each business sector.
Experian was strong on the risks associated with the business model.
GKN impressed the judges with its four lines of defence when many companies rely on three. The report focused on outcomes and responsibilities rather than reporting lines.
Great Portland Estates included an interesting section on risk in the sustainability report.
Tullow Oil included lessons from crystallised risk.