Being a member of the audit committee used to be an easy job. However, the stakes are much higher given the new regulatory environment and the sudden increase in scandals. Therefore, audit committee members are trying to figure out how to oversee risk management without becoming the sole risk management group in the firm.
The view of the role of the audit committee has changed dramatically since the inception of the Sarbanes-Oxley Act of 2002 (SOX). Prior to SOX, regulatory bodies tried to get audit committees to adopt a risk-management agenda, but with mixed success. SOX significantly increased the audit committee's importance and its duties in overseeing the business. This resulted in some confusion about how much bigger the job is now and exactly which risks the audit committee should oversee.
Let's start with how SOX changed the audit committee. First, the external auditors used to be hired and fired by management. SOX changed that: after SOX, the audit committee was required to hire and supervise the external auditors. In some cases the committee also has responsibility for the internal audit team (although this was not regulated). This was a big change to its responsibilities. Also, the audit committee was required to have at least one "financial expert" or explain to the SEC why it did not need one. This means that not only did the responsibilities change, but the qualifications changed too.
Sarbanes-Oxley influences the SEC and NYSE rules, and so the audit committee moved from overseeing controls over financial reporting and financial disclosures to being required to have a charter that addresses its responsibilities, including policies about risk assessment and management. In the annual and quarterly reports to the SEC, companies now have to include a discussion of business risks. The requirement to include risk factor disclosures, of course, means that the audit committee must be knowledgeable about risks in order to ensure the disclosures are complete. By definition, SEC reports that do not include expected business risks will be non-compliant financial reports. So, the expectations have grown from merely overseeing the financial reporting process to potentially reviewing all business risks.
While other parts of the organization, including management and the risk committee, can and should be involved in risk identification, evaluation, and mitigation, the audit committee is clearly charged with making sure that risks are identified and that a process exists for finding new ones and deciding how to address existing ones. While the regulations do not prohibit other parts of the organization from...