Resources for Audit Committees

Risk Management and Internal Control1


The CEO and CFO certification requirement has resulted in an increased focus on the importance of control. Audit committees should ensure that the certification process implemented by the CEO and CFO complies with the requirements, and is aligned with the principal business and financial reporting risks faced by the company. This requires management to make an assessment of principal business and financial reporting risks and requires the audit committee to understand those risks.

The issue of risk management and the alignment of controls with principal business risks is not addressed in the certification requirements. We believe that audit committees should satisfy themselves that an appropriate alignment does, in fact, exist.

When framing questions related to risk management and internal control, the audit committee's objective is to ascertain whether the company effectively manages its principal business risks and is "in control". Whether an organization is "in control" is not dependent solely on the risk management and control procedures built into computer networks and applications. It is also dependent on the culture of the organization and its ethical values, the adaptability and resourcefulness of its people, and the quality of its leaders.

To make this assessment, audit committees must address the issues of risk management and control at the business unit, subsidiary and corporate function levels. Guidance for Directors: Dealing with Risk in the Boardroom, published by the CICA, identifies five factors directors can use in considering whether an organization is "in control". They are:

  1. Members of the organization have a clear sense of corporate purpose, and are committed to achieving it.
  2. They take risk knowingly, mitigate risk where appropriate and strive to be prepared for the unknown.
  3. They trust each other and communicate openly to get the job done.
  4. They have the human, physical and financial resources required.
  5. They monitor progress and adapt to new circumstances.

The audit committee should consider these factors in framing their questions on risk management and control.

1Source: Integrity in the Spotlight: Audit Committees in a High Risk World – Second Edition – CICA 2005

Dig Deeper

Questions to Ask

Here are examples of questions that audit committees may ask management about the internal control certification.

Publication date: 5/2007 | File size: 19 KB

Integrity in the Spotlight

Audit Committees in a High Risk World

This book discusses updated regulatory environment, deals with issues arising from that changed environment, and provides an enhanced focus on establishing, managing and nurturing effective relationships among the board of directors, the audit committee, management and the external auditors.

Additional Resources

Authoritative Guidance

Thought Leadership