Strong boards and audit committees stand at the core of strong organizations. The audit committee is the most commonly referred-to standing committee of the board, and for good reason, as this is the group of individuals that ensures primary oversight of an organization’s financial reporting process and internal controls. As the central board committee assigned to protect investor interests, it is fair to conclude that the audit committee is indeed a key component of the corporate governance structure. Yet failures and weaknesses in corporate governance arrangements are commonly cited behind business catastrophes, including the financial crisis of September 2008, which nearly brought the world to the brink of economic chaos. The Organisation for Economic Co-operation and Development (OECD) concluded in 2009 that “when they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies.”
It is not just financial service companies under the microscope as history proves that every type of organization and industry is susceptible to fraud, poor strategic decisions, excessive risk taking, materially inaccurate financial statements and a barrage of other ills. A failure to mitigate these risks is often what is reported in the media, thus wreaking havoc on board members’ reputations, the organization as a whole, and investors who are harmed and left to rationalize legal actions. It is understandable, then, that people are increasingly reluctant to serve on boards and especially audit committees. Accounting complexities, legal exposures, time commitments and operating risks are all on the rise. The concepts, risks and recommended actions that follow should go a long way in helping directors and audit committee members prepare for their journey.
10 Action Steps
1. Nominate Independent Directors
Independence is arguably the most important single word for effective boards and audit committees. Defining director independence is a vastly deeper, wider and more complex topic than can be applied through strict adherence to specific definitions due to the informal nature of many social connections that could impair independence. Regulators have been challenged to articulate independence that goes beyond direct relationships to address the deep web of personal connections formed through neighborhoods, schools, fraternities, social clubs, gyms, industry associations, former board members and the like. A purist’s definition of an independent director or committee member is someone whose directorship constitutes his or her only connection to the organization.
2. Establish a Culture of Action
An effective audit committee serves as a gatekeeper, protecting the long-term interests of shareholders and other important constituencies they serve, such as creditors, regulators, employees, customers, suppliers and the public, as may be applicable. Succeeding as a committee depends on understanding the expectations and the essential competencies required of an audit committee and its members. Due to the scope of audit committee responsibilities, all members should be financial experts, or at least financially literate. The ability to read and understand financial statements can no longer be taken for granted as the complexity of U.S. GAAP has developed far beyond the accounting fundamentals of debits and credits. Prospective audit committee members should be tested for their knowledge of accounting and related internal controls, especially anti-fraud controls.
Critical thinking must be brought to the table. Committee members need to be able to freely ask difficult questions. They must work together to complement each other’s strengths and weaknesses to maintain a healthy degree of oversight and inquiry of officers. A culture of transparency, diversity and accountability should rule.
3. Evaluate the Audit Committee
Perhaps one of the most negligent and divergent areas of board governance practices is evaluating the performance of the board and its committees, and particularly the audit committee. Yet boards and audit committees are increasingly coming under fire for not effectively fulfilling their duties. The reality is that boards and their committees should be subject to proactive scrutiny just like management. A well-defined, periodic performance evaluation protocol is suggested. While a great deal of scalability and flexibility of the tool is fine, all directors should understand who will conduct board and committee evaluations, when they will be carried out, and how they will be performed objectively.
4. Direct the External Audit
Overseeing the external audit relationship from hiring to termination is one of the most fundamental responsibilities of audit committees. The following actions will help ensure a healthy relationship, both for the organization and the auditor.
Ensure Auditor Independence. Auditors possess tremendous insight into organization vulnerabilities but they may shade the truth, all while complying with professional standards, in an effort to retain a client. Let your auditors know that you demand the unvarnished truth.
Discuss Risks with the Auditor. The external auditors can provide valuable insights into organizational risks, but they may only share if asked. Be especially on the lookout for misstatements related to revenue recognition, estimates, related party transactions, contingencies and derivatives.
Don’t Forget about Disclosures Outside of the Financial Statements: While restatements pertain strictly to an organization’s financial statements, most entities are subject to additional regulatory disclosures. These can range from tax returns to satisfying debt covenants to regulatory reporting such as proxy statements, annual reports and real-time reports as required by the SEC. A public company’s management and discussion analysis disclosures are especially important. Confirm the auditor’s responsibilities for these disclosures and procure independent assurance activities for important disclosures not covered by the external audit process.
5. Scrutinize the Financial Statements
There’s so much that goes on within an organization at the operational level that it can be difficult to grasp the business reality of an organization by just reading board packets and listening to briefings from management. This is especially important for audit committee members as they are tasked with oversight of the financial statements, underlying controls and audit activity. Accurate financial reporting serves as the cornerstone of board oversight, arming directors with data points that ensure that the organization is meeting agreed-upon goals and providing early warning signs of impending disaster. Yet motivations abound for senior managers to distort financial information, especially when those distortions allow managers to enhance their personal wealth through incentives and bonuses. Some managers are lured into distorting financial reporting to improve personal or organizational prestige. Still more managers distort the financial picture as a desperate act to stay in business. The audit committee should never be lulled to sleep on this front.
6. Leverage Internal Audit and Outside Resources
The oversight of auditors, financial statements, controls, risks and other duties adds up to be an incredibly daunting task. A properly utilized internal audit function can serve as the audit committee’s eyes and ears. Directors need someone to tell it like it is, not how management wants it told. Many organizations have an internal audit function that provides directors with an independent and reliable stream of information. Other organizations may engage an outside assurance resource. Regardless of how the internal audit function is staffed, it is important for the audit committee, rather than management, to authorize the budget of internal audit activities, approve the audit plan, and evaluate the performance of the Chief Audit Executive (CAE). To take full advantage of the internal audit function, be sure that the reporting lines for internal auditors remain independent of the CEO and CFO.
7. Satisfy Regulators and Other Stakeholders
Companies are in trouble without the support and understanding of their key stakeholders. Long-term value creation for shareholders goes hand-in-hand with strong stakeholder relationships. Protecting the interests of key stakeholders such as customers, communities, creditors, suppliers and regulators is critical for success. While all directors need to be cognizant of their stakeholder relations, this is especially true for audit committee members regarding credit agreements, regulatory laws and other applicable compliance criteria.
Sarbanes-Oxley has prescribed specific requirements mandating the existence and composition of the audit committee that apply to publicly-traded companies. In addition, there are important corporate governance provisions included in the Federal Sentencing Guidelines placing requirements on the oversight role of board members. Federal Sentencing Guidelines apply to all types of U.S. organizations, making them a topic of interest to all boards. When courts consider granting sentencing reductions under the guidelines, courts take into account whether an effective compliance program is in place. The guidelines define an effective compliance program as one that is reasonably designed, implemented and enforced so that it generally will be effective in preventing and detecting criminal conduct. Crucial elements that support an effective compliance program are often referred to as the seven minimum requirements of an effective compliance and ethics program.
8. Address Risk Proactively
The audit committee plays a vital role in identifying risks and providing oversight on how officers manage risks. Ideally, these activities are incorporated in the company’s enterprise risk management (ERM) system. Coordinating this effort with other risk objectives, such as strategic, operational and compliance, is essential in helping to ensure an efficient and effective company-wide risk response. The audit committee, as well as the entire board, must approve the risk appetite as opposed to management.
Risk management must occupy space in strategic planning because risk response affects organizational goals. In a perfect world, risks are understood and retained only if residual risks fall within agreed upon risk appetites. When residual risk does not meet stated risk tolerances despite best efforts to share or mitigate risk, those in governance must avoid such risks. These instances in which appealing opportunities must be refused due to poor risk-reward trade-offs demonstrate one of the most fundamental roles of those in governance who are commanded to be responsible stewards of organizational resources.
9. Spearhead Fraud Deterrence Initiatives
With headline cases of fraud causing many shareholders to shoulder enormous losses, fraud deterrence has become one of the primary jobs of audit committee members. For example, the SEC accepted a settlement from InfoGroup’s audit committee chairperson a few years ago. The SEC charged the audit committee chairman for inadequately investigating allegations of improper related party transactions by the CEO. The audit committee chairperson accepted an injunction that included a $100,000 fine and a restriction against serving as a director or officer for five years.
The Association of Certified Fraud Examiners has amassed enormous amounts of data on the effectiveness of various fraud deterrence tools and has found that many of the least expensive fraud deterrence tools are the most effective. As an audit committee member, be sure your organization is taking advantage of some of the most effective fraud deterrence tools, such as whistleblower hotlines, employee support programs and ethics training. These fraud deterrence tools work in tandem with internal audit efforts that can include data-assisted continuous monitoring and surprise audits. Taken together, fraud deterrence and internal audit activities will help audit committee members and board directors address the ever-expanding scope of director responsibilities.
10. Expect the Unexpected
While it is impossible to anticipate every possible emergency triggering an audit committee response, there are several scenarios that should always be on the radar screen. These include emergency succession planning for officers, investigative responses to high-level fraud, backup external audit firm, disaster contingency plans and crisis media plans. Questions audit committee members can ask to improve readiness include:
Emergency succession planning for officers: Does the company have contingency plans to quickly fill the vacancies of key officers in case of emergency situations? This is especially important for the audit committee in terms of the Chief Financial Officer (CFO), Chief Audit Executive (CAE), Chief Risk Officer (CRO) and other positions that may report directly to the audit committee.
Investigative responses to high-level fraud: Does the company have resources identified to successfully investigate allegations of fraud?
Backup external audit firm: Does the company have contacts with other CPA firms in the event that their external auditor suddenly resigns?
Disaster contingency plans: Has the audit committee worked with the full board on backup and recovery plans in the event of a natural or physical disaster?
Crisis media plans: Does the company have in place a comprehensive crisis media plan to inform shareholders, stakeholders and the press of sensitive material developments?
A Call to Action
Good governance by directors and audit committee members is a game of endurance. It requires a systematic approach that must be continuously updated and monitored to address emergent threats. As a director, you can be sure that the scrutiny over the execution of your duties will continue to increase in direct proportion to the level of the public’s distrust over financial reporting and poor decisions. By following the steps listed above, a director can protect themselves, other directors, the company’s reputation, stakeholder interests and most importantly, shareholders.
Ron Kral has co-authored a book entitled “The Board of Directors and Audit Committee Guide to Fiduciary Responsibilities: Ten Critical Steps to Protecting Yourself and Your Organization“ published by AMACOM this summer. The book streamlines the voluminous and highly technical literature typically available to board directors. It simplifies complex corporate governance standards and supplies concrete action steps. It is a comprehensive and practical book to help board members fulfill the complex requirements of board service while protecting themselves and their organization. In addition to directors, the book should prove to be a valuable resource for auditors, attorneys, management, consultants and anyone aspiring to be a director. You can order it at www.amacombooks.org/book.cfm?isbn=9780814431665.
Ronald Kral, MBA, CPA, CMA. Ronald is the Managing Partner of Candela Solutions LLC, a public accounting firm with a national focus on governance, risk and compliance. He knows the auditing and consulting arenas well having assisted over two hundred clients with Big-4 and local CPA firms. Ronald works extensively with executive management teams and boards, especially those of public companies registered with the SEC. Prior to forming Candela Solutions in 2003, he was a Principal Consultant at PricewaterhouseCoopers (PwC) where he led performance auditing, internal control, and governance projects from PwC’s Southern California offices. He began his public accounting and consulting career with a California-based CPA firm as a Financial and Compliance Auditor, where he worked extensively with Ernst & Young on joint projects. Ronald is a nationally recognized speaker on regulatory accountability, business ethics, internal controls, boardroom leadership, and SEC rules & regulations. Mr. Kral was a member of FEI’s Task Force on the COSO Monitoring Guidance Project and has authored numerous articles on governance, risk and compliance. He helps companies understand the regulatory environment and devise cost-efficient responses to extract value, not just compliance. Ronald is a member of the AICPA, FEI, IIA, IMA, and WICPA. He is licensed as a CPA in Wisconsin and California, and holds an MBA from Arizona State University and a BBA from the University of Wisconsin. Ron can be reached at rkral [at] candelasolutions [dot] com. Ron Kral has contributed the following articles to Corporate Compliance Insights: