Over the last several years, audit committees have fine-tuned their oversight relative to internal controls and financial reporting, but as this process has matured, many committees are asking broader questions about risk and risk oversight. In fact, audit committees are increasingly charged with understanding overall risks, assessing which risks are the most important, and making sure that the existing management and governance structures are designed to mitigate, manage, and oversee these risks. This evolution corresponds to changes in the not-for-profit risk environment as a whole. Financial statement audits still provide a baseline of the relative accuracy of an organization’s financials and areas for improvement, but their focus is still narrower than most entities need. Audit committees increasingly use a more formalized enterprise risk assessment process to improve management and oversight of the organization. Such a comprehensive assessment can provide a road map to areas that might not be currently woven into the governance culture. Key areas in this work include information technology (IT) risk, insurable risks, and risks associated with employee benefit programs.
Evaluation of IT
Most organizations do not specifically assign IT risk to a board committee for monitoring and oversight. Organizations should consider IT risk carefully, however, because most enterprises use IT so extensively that the associated risk is among the most serious. Many organizations default this role to the audit committee, but realistically, an argument can be made that good board governance structure requires a separate IT risk committee. Nominating committees should consider IT skills and knowledge when filling open seats on the board. Because recruiting such talent takes time, organizations should consider how to better oversee IT risks in the interim as well. For example, the IT director could attend an audit committee meeting to discuss such risks, what is being done to manage them, and the timeline for items still being mitigated. Depending on the results of the meeting, the committee can consider the next steps. Many organizations have hired third-party firms to perform penetration testing and other IT assessment services to give management a “state of the union” and a road map to consider following. While such an exercise might only need to be done every few years, it could provide a baseline work plan to enhance risk management. Regardless, every board should keep IT risk at the forefront of its considerations.
Checking Up on Coverage
Another area increasingly folded into governance is the oversight of insurable risks. Traditionally, most organizations have left this task to management; while it is clearly a key management function, boards should still understand the level of insurance, have a good sense of the gaps in coverage, and know the kind of coinsurance risk being taken. The insurance broker should periodically brief the audit committee so that it can better understand the judgments made in putting together a cost-effective insurance program. Meeting with the broker can also highlight key decisions, including determining whether to have cyberliability coverage or how much coverage might make sense for special aspects of an organization (e.g., collections). The audit committee should also have an understanding of the level of insurance other organizations have taken in similar circumstances; often, the insurance broker has this information. Armed with this knowledge, the audit committee can offer valuable perspectives to management and align all parties with the risk transfer program. Without seeking to fully take over this management function, audit committees should be well informed as to what has been done and why in order to exercise proper oversight of management’s judgments. The insurance review does not need to take place every year, but a comprehensive look every three to five years may prove practical, with more limited updates during interim years.
Oversight of employee benefit plans has also seen clear changes in practice. While these plans are separate legal entities, the plan sponsor (i.e., the organization) is the make-whole party when compliance and other issues arise, and it makes good sense to understand the risks these plans create. The most frequent such risks are compliance risk and fiduciary risk. Compliance risk has to do with the organization not following the rules for administering these plans. Most large plans are audited, so it is wise to make the audit results available to the audit committee. The committee should understand and review those results and the related follow-up plan for any concerns raised. Currently, some organizations’ plans still report to internal management committees, but the best practice is for governance to have full awareness and be allowed input.
Fiduciary risk can include the question of whether the plan offers employees a reasonable array of funds with a good track record and reasonable costs. Boards often overlook this function, but it should be assigned to its own board committee, which might include members of the compensation committee or the investment committee. The risks here are high and not always easy to detect, but assigning such risks to a committee can go a long way toward making sure that these areas are reviewed on a periodic basis.
Keeping it Dynamic
Risk management is an ongoing and dynamic process that the board and the audit committee should revisit from time to time. Sometimes, regulatory changes require a risk reevaluation, but change is often warranted to ensure good corporate governance. Learning from experience and considering the dynamics of a changing world are good policies for any sector, including not-for-profit, and CPAs can and should help advise clients based on these emerging and changing practices.