The SEC Chair, Mary Jo White, has questioned the capability of Audit Committees to take on all the responsibilities that are being asked of them. I believe that many of the responsibilities of the Audit Committee don\’t belong there; and more specifically, I don\’t think the Audit Committee should have any part in the governance of risk and compliance.
Despite the IIA’s programs, the basic role of an auditor (internal or external) is to examine the activities and outcomes of the past. Compliance is a decision process that is made in the present. It is a ‘now’ moment. Risk, on the other hand, is about the ‘future’. It is about identifying something that could potentially become a problem. Until a risk becomes an event, it could be said (and has been said) that it is not real – it is a ‘possibility’ scenario.
People who are qualified to be auditors have been well trained to examine a trail of activities and evidence that have occurred in the past. Most qualified auditors are not trained in the compliance and risk processes. A few courses are not sufficient to become qualified. These processes require the ability to process, almost instantaneously, the impact of a decision – a decision on compliance and how that decision may create new risk. This applies especially to the identification of emerging risks.
People are continually seeking to identify emerging risks that look different than what we are accustomed to. If an Audit Committee is looking back, based on an audit review, to determine what may happen in the future, they may never identify the next black swan, or never mind the black swan, anything that looks different than what it looked like last year. Good risk management and good compliance assessments identify the gaps and patterns that, when combined, create a different risk than has been seen before. A risk that deserves attention going forward.
Let Audit remain on their path of reviewing past activities and leave the compliance and risk discussions among the Directors who are seasoned risk and compliance business managers and professionals.