Powerful questions

Sometimes, the most powerful thing an audit committee can do is ask the right question.

Many governors told us that sometimes it was a good question that stimulated most change and improvement. Asking powerful questions is a skill that needs to be developed. We asked governors for some of the more powerful, and some of the more commonsense but useful, questions they liked to ask.

One governor uses these key questions:

  1. What are the entity's three top risks and how did you arrive at those risks?
  2. Who are our customers?
  3. Have we carried out a project of this size before?
  4. Do we have the right team in place to execute this project and realise the benefits?
  5. What are the three top risks in this project?
  6. Why should the entity carry out this project and how does it link to our strategic plan?
  7. Do we have clear accountabilities and ownership for any initiatives that we carry out?
  8. Is our audit and risk charter clear about what we should focus on?
  9. Have we considered how this service could be delivered differently?
  10. Do we understand our project portfolio?
  11. What are our most important performance indicators?

Another governor focused on questions the audit committee should ask about purpose and strategy:

  1. For Ministries and departments, what is our purpose? What is our level of engagement with the chief executive and others at the formal and informal audit committee meetings?
  2. What is our risk management approach? Please describe it, including listing our coverage of specific risks (such as health and safety, cyber risk, and privacy)? What is our level of risk appetite or tolerance for each key risk, and how would we explain whether we consider it "fit for purpose"? How does this enable us to manage our risks while delivering value?
  3. What should the composition of the audit committee be? How often should we carry out board evaluation reviews? What are the advantages and disadvantages of a board evaluation review that is independent as opposed to self-review? Describe the value we provide to our stakeholders each year. Why is an independent chairperson the best option for the audit committee?
  4. What other additional resources should we be tapping into to ensure that we are discharging our obligations under our charter/terms of reference?
  5. How do we know when the relationship and communication between the chairperson of the audit committee, the chief executive, and the chairperson of the board is effective?
  6. Do we know the level of cyber-security risk we are exposed to, and how would we respond if subject to a succesful attack?
  7. What are our main operational risks and what is our control environment over them?
  8. How do we understand and measure staff well-being? Should we be hearing from others and not just senior management?
  9. How can audit committees stay up to date in a rapidly changing public sector environment, including having a strong understanding of the financial information?

Another governor mentioned that a useful question he has used on several occasions, immediately before the board signs the final accounts, is:

In the course of your analysis and audit, have you become aware of anything that, if the directors were aware of it, might cause us to hesitate in signing these accounts?

In his experience, auditors tend to pause before replying. The question is unlikely to provide any significant defence if there is some material error or mis-statement, but it provides one further layer of comfort to the board that they have acted diligently.

Other types of questions are useful for improving the quality of test and challenge the audit committee provides the entity:

  • What value does the audit committee add?
  • What is the committee's, and the entity's, appetite for risk?

Working out which questions to ask

If you want to ask questions about performance, but don’t know where to start – this framework may help:

View 1 View 2 View 3
Headline questions How is the organisation’s portfolio/program of business transformation projects performing? How is/will the organisation be rewarded for the operations related investments it is making/intends making? Do the financial statements appropriately reflect performance and valuations.
Sub-questions Does our portfolio/program remain fully relevant in addressing the  main strategic and operational  challenges the organisation faces? How confident are we in the benefits (timing and quantum) management has targeted to realise from the  portfolio/program? Do we have any reservations about impairment to any assets or performance based on our informed view of the risks and controls environment?
How confident are we in management’s ability to successfully deploy and deliver the portfolio/program? What are our reservations? And why? What is the organisation’s maximum "downside" (adverse) exposure if management fails to deliver? What additional contingent strategies may need to be put in place to either prevent or deal with this eventuality? Given the opportunity for additional assurance in which area/s would we seek this and why?