After what I would assume would be a thorough and detailed orientation to the organization and its challenges by such key people as the CEO, CFO and her direct reports, General Counsel, Chief Operating Officer, Chief Accounting Officer, Chief Strategy Officer, Chief Information Officer, Chief Audit Executive, Chief Risk Officer, head of Investor Relations, Chief Information Security Officer, Chief Compliance Officer, Chairman of the Board or Lead Independent Director, lead external audit partner, and outside counsel (and others, depending on the organization), I would turn my attention to the following:

• Do I now have a fair understanding of how the organization creates value, its strategies, and the risks to those strategies?

• Do I have a sufficient understanding of the organization’s business model, including its primary products, organization and key executives, business operations, partners, customers and suppliers, etc.?

• How strong is the management team? Are there any individuals whose performance I need to pay attention to, perhaps asking more detailed questions when they provide information?

• Who else is on the audit committee and do we collectively have the insight, experience, and understanding necessary to be effective? Where are the gaps and how will they be addressed?

• What are the primary financial reporting risks and how well are they addressed? What areas merit, if any, special attention by the audit committee? Who should I look to for assurance they are being managed satisfactorily? Who owns the compliance program (if any) on controls over financial reporting, and how strong is the assessment team?

• What are the other significant financial and other risks (for which risk management oversight has been delegated by the full board) that merit special attention? Who should I look to for ass

urance they are being managed satisfactorily?

• How strong is the external audit team and how well do they work with management and the internal audit team? What are their primary concerns? Is their fee structure sufficient or excessive? Is their independence jeopardized by the services they provide beyond the financial statement audit (even if permitted by their standards)?

• How strong is the internal audit team and does the CAE have the respect of the management team and the external auditor? Are they sufficiently resourced? Are they free from undue management influence (for example, is the CAE hoping for promotion to a position in management, does he have free access to the audit committee, and is his compensation set by management or the audit committee)? What are their primary concerns? Do they provide a formal periodic opinion on the adequacy of the organization’s processes for governance and management of risk, as well as the related controls? How do they determine what to audit?

• Who owns and sets the agenda for the audit committee? Is there sufficient time and are there enough meetings to satisfy our oversight obligations?

• Do the right people attend the audit committee meetings, such as the general counsel, CFO, CAE, CRO, CCO, chief accounting officer, and the external audit partner?

• How does the approval process work for the periodic and annual filings with the regulator (e.g., the SEC)?

• How are allegations of inappropriate conduct managed? Who owns the compliance hotline, who decides what will be investigated and how, and at what point is the audit committee involved? Is there assurance that allegations will be objectively investigated without retaliation?

• What concerns do the other members of the audit committee have? Does the former chair of the committee have any advice?

I have probably missed a few items. What would you add?



Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/