Assessing Board Minutes: A Risk Oversight Tool for Internal Control and Internal Audit Professionals

by | Apr 12, 2024

Board minutes may not seem like anyone’s idea of a “sexy,” “innovative,” or even “interesting” topic. However, internal control and internal audit professionals are often expected to understand what effective Board and Committee minutes are or should be. They are responsible for understanding how Board minutes “prove” the operation of governance activities, high-level controls, “tone at the top” as they say that stem from the discussions between Management and the Board. Unfortunately, training and resources are in short supply.

To meet this need for our own client work, and based on direct requests and questions they ask us, we developed a template (below) that provides an easy guide for assessing your Board and Committee minutes aligned with best practices. While it’s not meant to be a comprehensive guide of everything required for Board oversight, meetings, and minute practices, it is a great resource for assessing Board and Committee minutes through the filter of an internal audit or internal control professional. 

The guidance is based on many years of reviewing thousands of minutes and the best practices we’ve learned from a wide range of professionals, professional bodies, and industry resources. The template is easy to use and can be adopted by those newer to reviewing minutes for an understanding of what to look for to pros looking for fresh ideas.

Use this template to do a quick assessment of your minutes and to identify what’s working and what may need improvement. Consult additional resources if you are looking to take this into further depth.

Risk Oversight Board Minute Assessment

©RiskOversight.ca

 

 Areas of Consideration 

 Questions

Transactions, Events, and Decisions 

Key transactions, events, and decisions impacting the internal control program.

Have key transactions, events, or decisions been considered already as part of the internal control program? 

Examples:

·         Asset sales or purchases

·         Potential transactions

·         Impairments or write-offs

·         Equity transactions

·         Changes in policy

·         Changes in delegation of authority 

Entity Level Control (in line with COSO 2013) 

Budgeting and Forecasting
  • Is there evidence of the Board’s approval of the annual budget and capital budget?
  • Is the forecast presented to the Board (or Audit Committee) regularly?
  • Are budget to actuals reviewed regularly at the Management/Board level?

Board Mix and Competence
  • Are the Board’s combined skills and experiences evaluated regularly? Is Board diversity considered regularly?
  • Is there a competency matrix that is assessed against the board composition?
  • Does the Board have a self-assessment process that is documented in the minutes?

Mandates
  • Are mandates reviewed annually? Is there a process for ensuring that the mandates are covered in the Board planning and the minutes?
  • Are mandates easily available?

Board and Committee Planning
  • Is the Board and Committee planning considered to address the mandates and key topics requested by the Board?
  • Are key items outlined in the mandates covered at least annually in the minutes?

Management Oversight and Reporting 
  • Does Management provide quarterly updates to the Board?
  • Is Management presenting adequate and relevant information?

Policies
  • Does the Board review policies on a regular cycle?

Risk Management
  • Is there an annual or quarterly discussion of risk where key risk and risk owners are identified?
  • Is there evidence that risk related topics are discussed by the Board (. e.g., health and safety, economic risks)?
  • Is the insurance program reviewed regularly at the Board level?

Fraud Risk Management
  • Where relevant, is fraud risk discussed with the Board at least periodically? (. i.e., every 3 years).
  • Are fraud incidents brought to the attention of the Board or Audit Committee?

Human Resources
  • Does the Board and/or Compensation Committee review areas including:
    • Management competence
    • Compensation, compared to benchmark
    • Succession planning and retention

Expense Reports
  • Where necessary, does the Audit Committee Chair review the CEO’s and/or other Executive expense reports at least annually?

Internal Controls Program
  • Does the Audit Committee discuss internal controls program at least annually?
  • Does the Audit Committee follow-up on Internal Control related issues as required?

Internal Audit
  • Where relevant, does Internal Audit findings get discussed in the minutes? 
  • Does the Audit Committee follow-up on Internal Audit related issues as required?

Whistleblower/Ethics Hotline
  • Are whistleblower/ethics hotline calls noted in the Audit Committee minutes?

IT, Cyber, Disaster Recovery
  • Is IT discussed at the Board level at least annually?
  • Does the Board (or Committee) review topics including:
    • IT risk assessment
    • Cyber security
    • Technology strategy and roadmap
    • Disaster recovery planning
    • IT trends

Disclosure Controls and Procedures

 

Financial statements
  • Are the financial statements approved quarterly by the Audit Committee?

AIF (Annual Information Form), Management Information Circulate (MIF)
  • Are the (Annual Information Form) and Management Information Circular (MIF) reviewed and approved annually by the Board?

Press releases

 
  • Does the Board approve critical press releases?

Minute Language and Best Practices

Business Judgment Rule
  • Do the minutes follow the principle of the Business Judgement Rule?

 

  • Business Judgement rule – minutes should be clear and transparent and show (or “prove”) the thinking about what was presented, debated, decided, or postponed for later consideration.

 

Goldilocks Rule 
  • Do the minutes follow the principle of the Goldilocks Rule?

 

  • Goldilocks Rule – Avoid documentation that is too minimal or too detailed. Aim for “just right.”

   

Plain Language
  • Is language clear (and not “legalese”)?

Original Content
  • Are the minutes original for each meeting and avoid template-based or copied write-ups from the previous meeting?

 

Attachments
  • Is key information presented at the Board meeting (such as reports, slide decks, analysis) filed along with the minutes to provide the full picture of what was presented at the meeting and to provide context?

 

Follow-up on action items
  • Do the minutes provide evidence of follow-up on action items from the previous meetings?
  • If actions are asked to be made, is there a clear trail of follow-up?

 

Approval and Circulation
  • Are minutes circulated in the appropriate time after the meeting?
  • Are the minutes approved at the next meeting?
  • Are the final and approved minutes retained on file appropriate?

Administrative Details 
  • Did the minutes list the attendees, have clear date and clear headings?

In-Camera Sessions
  • Does the Board and Committees use in-camera sessions for each meeting?

Management Recusals
  • Is Management recused of discussions that they should be recused from? (i.e., where there is a conflict of interest or perceived conflict)

 

At Risk Oversight, we love to share tools and resources with our clients, colleagues, and the internal control and audit community. Let us know how it goes, and reach out if we can help.

If you are looking for the template version of this tool, email me for further information at [email protected]