Overview
Board Oversight and Governance is the process by which the board of directors provides independent oversight of management, risk, and internal controls to set the organization’s ethical and strategic direction. It ensures leadership accountability and supports SOC 2 CC1.2 by documenting how the board actively governs the control environment.
Step-by-Step Process
Establish board charter
The CEO ensures the board charter formally defines responsibilities for oversight of strategy, risk, compliance, and internal controls. The output is a board-approved charter that explicitly references governance and oversight expectations.
Role: CEO
Schedule quarterly board meetings
The CEO or executive assistant schedules recurring quarterly board meetings with defined agendas that include governance, risk, and compliance topics. The output is a calendar invitation and published agenda for each meeting.
Role: CEO
Prepare governance materials
Management prepares board packets that include metrics, risk updates, compliance reports, and key policy changes. The output is a finalized board deck distributed to directors in advance of the meeting.
Role: CEO
Conduct board review and discussion
The board reviews materials, challenges management, and documents decisions related to oversight, risk tolerance, and control issues. The output is meeting notes reflecting active board engagement.
Role: Board of Directors
Document meeting minutes
Formal minutes are drafted capturing attendance, agenda items, discussions, decisions, and follow-up actions. The output is board-approved meeting minutes with a clear approval date.
Role: CEO
Track action items
Management logs board-directed action items, assigns owners, and tracks completion status. The output is an action item register showing progress and closure dates.
Role: CEO
Review governance effectiveness
On a quarterly basis, the CEO reviews whether board oversight activities occurred as planned and whether governance gaps were identified. The output is a documented quarterly governance review summary.
Role: CEO
Retain governance records
All board materials, minutes, and approvals are retained in a secure repository with restricted access. The output is an organized, date-stamped record set available for audit review.
Role: CEO
What You Need Before Starting
- Current board charter document
- Board member list with roles and tenure
- Quarterly governance and risk reports
- Access to board management or document collaboration tool
Evidence Your Auditor Expects
- Board charter approved by the board with signature or approval date (e.g., 2025-01-15)
- Quarterly board meeting agenda and calendar invite showing meeting date (e.g., Q2 2025)
- Board meeting minutes approved by the board with timestamp (e.g., approved 2025-06-30)
- Board packet or slide deck distributed prior to meeting with upload timestamp
- Action item tracker showing board-directed tasks with completion dates
How This Looks In Your Tools
Diligent
Log in to Diligent and navigate to Boards > Meetings to create or select the quarterly board meeting. Upload the agenda and board packet under Meeting Materials, ensuring documents are marked as “Final” before distribution.
After the meeting, go to Boards > Minutes, draft the meeting minutes, and route them for approval using the Approval Workflow. Once approved, confirm the status shows “Approved” with a visible approval date and retain all materials in the meeting record.
BoardEffect
Access BoardEffect and select Meetings from the main dashboard, then create a new quarterly meeting or open an existing one. Add agenda items under Agenda Builder and upload governance materials in the Board Book section.
Following the meeting, navigate to Minutes > Draft Minutes to document discussions and decisions. Submit minutes for board approval and verify the approval date is recorded before locking the minutes for audit retention.
Google Docs
Create a dedicated folder in Google Drive labeled “Board Governance” with restricted access. Use Google Docs to draft the agenda and board packet, and share documents with directors at least one week before the meeting using View access.
After the meeting, document minutes in Google Docs and use File > Share to request approval comments from board members. Retain the final approved version with version history showing the approval date and move it to a read-only subfolder.
Common Audit Findings
- Missing board minutes: This occurs when meetings are held but not formally documented. Prevent it by requiring drafted and approved minutes for every scheduled board meeting.
- Lack of governance topics in agendas: Agendas may focus solely on operational updates without governance oversight. Prevent this by mandating governance and risk review sections in every quarterly agenda.
- No evidence of board challenge or oversight: Minutes that only summarize presentations may indicate passive oversight. Prevent this by explicitly documenting board questions, discussions, and decisions.
- Unapproved or outdated board charter: Charters may not be reviewed regularly or formally approved. Prevent this by scheduling periodic charter reviews and recording board approval dates.