Dr Steve Priddy, Head of Technical Research at the London School of Business and Finance, told CRE that it is too early to assess the value of audit committees and that the picture is mixed across Europe. “The UK has a very clear idea about corporate governance and the role of audit and risk committees,” he said, adding that crossing the English Channel to the continent throws up a different picture.

The situation could become more confusing if companies feel the need to set up risk committees, said Mr Priddy, who wonders if a company’s risk committee will talk to its audit committee.

However, Dr Roger Barker, one of the authors of the European Confederation of Directors’ Association’s (ecoDa) guidance for audit committees, and Head of Corporate Governance at the Institute of Directors in the UK, said that it is important that audit committees are not overloaded with risk concerns. “It is important that boards as a whole consider risks,” he said.

In 2004, the EU’s then internal market commissioner Frits Bolkestein said: “Auditors are our major line of defence against crooks who want to cook the books.”

In 2005, in the run-up to the adoption of the company law directive the following year, the then internal market and services commissioner Charlie McCreevy said: “This is a crucial directive, which will bring EU financial reporting into the 21st century by introducing a much more rigorous and ethical audit process for company accounts. Importantly, it will also require the application of international auditing standards and establish criteria for public supervision.”

However, one part of the directive has particularly worried some risk management and auditing professionals; article 41 on audit committees.

Among other requirements, article 41 says that an audit committee must: ‘Monitor the effectiveness of the company’s internal control, internal audit where applicable, and risk management systems’.

The Federation of European Risk Management Associations (Ferma) and the European Confederation of Institutes of Internal Auditing (ECIIA) have produced joint guidance on meeting that requirement, in separate documents for board directors and audit committees and for senior executives.

A key term in the directive is ‘effective’, said Mr Priddy, as large firms tend simply to list risks to fulfills the requirements, whereas risk management implies assessing risks and their potential effects on a business.

One aim of the Ferma/ECIIA guidance was to help reduce the risk of further regulation.

However, any belief that sound internal controls and risk management had been introduced, at least in financial institutions, may have been shattered by the financial crisis that became apparent in 2008, when risk analyses and risk management were found to be inadequate in many firms.

The Commission and others felt that better audit rules were needed in the EU to improve company governance and reduce company failures and malpractice.

For example, in 2010, the Commission carried out a consultation on audit policy, including the auditor’s role, the governance and independence of audit firms, the supervision of auditors, the audit market, the creation of a single market for audit services, the simplification of audit rules for small and medium-sized firms and audit practitioners and international cooperation for the supervision of global audit networks.

A study for the Commission last year into the dominance of the EU audit market by the ‘big four’-PricewaterhouseCoopers, Deloitte Touche Tohmatsu, Ernst & Young and KPMG—found that the four had a combined average market share of more than 90%.

Doubts have been raised about their independence, as they often also provide their audit clients with non-audit services that account for 10–40% of total fees. Investors and regulators also increasingly distrust the quality of audit, the study found.

As a result of such concerns, the study concluded: ‘These issues need to be addressed to avoid a legitimacy risk for the audit function in the mid-term’.

Last November, the Commission said that the 2008 financial crisis ‘highlighted considerable shortcomings in the European audit system’.

Some large financial institutions just before, during and since the crisis received ‘clean’ audit reports despite ‘the serious intrinsic weaknesses in the financial health of the institutions’.

The Commission thus proposed to clarify the role of auditors and introduce stiffer audit rules, particularly to strengthen auditor independence and to loosen the market grip of the ‘big four’.

The Internal Market and Services Commissioner Michel Barnier said: “Investor confidence in audit has been shaken by the crisis and I believe changes in this sector are necessary: we need to restore confidence in the financial statements of companies. Today’s proposals address the current weaknesses in the EU audit market, by eliminating conflicts of interest, ensuring independence and robust supervision and by facilitating more diversity in what is an overly concentrated market, especially at the top-end.”

The Commission has also been rethinking corporate governance, with potential implications for risk management.

More than two third of the respondents to a consultation last year on a corporate governance green paper said that a company’s board should approve and take responsibility for risk, with the setting out of key risks an essential part of strategy. However, many respondents felt that current legislation was adequate and many saw no justification for further EU action.

Liz Murrall, Director of Corporate Governance and reporting at the London-based Investment Management Association, said that it would be disconcerting if anyone thought that boards should not be responsible for such issues.

Ferma said that boards should include members with ‘experience and awareness of risk management, ideally in the context of the company’s business activities’. Boards and senior executives should be supported by audit, operational management and risk management and compliance, it added.

Ferma said that the disclosure of a company’s risk appetite to shareholders, as suggested by the Commission, was not always appropriate. Reporting to shareholders needs to strike a balance between providing meaningful information for investment decisions and investment protection, which requires confidentiality, it said.

The Commission said that there was almost unanimous support for the green paper principle that boards should ensure that risk management arrangements are effective and commensurate with the companies’ risk profiles, although many respondents called for no further EU intervention.

Day-to-day risk management is a duty of executives, with the board monitoring the framework, and risk management in financial institutions may not be relevant for other companies, said many respondents.

Ferma agreed that the board should ensure oversight of risk management and should set the company’s risk policy.
The Commission has yet to reveal whether such ideas should be turned into legislation. Yet there are many defenders of existing approaches to risk and audit.

Kristian Koktvedgaard, of the BusinessEurope grouping of federations representing 20 million companies in 35 countries, says that most companies have probably already been conforming with article 41 of the company directive. “But we have seen an increasing amount of time going into documentation and formalising of procedures,” he said.

Although he says that risk assessments were already carried out before the financial crisis, for example, auditors have reacted to failings: “They have already changed,” concluded Mr Koktvedgaard.

Please sign up here to our full-time mailing list to ensure that you receive our weekly newsletter.

• More Corporate Governance News