It is often said that being on an audit committee is a part-time job with full-time responsibilities. It’s no wonder when you consider the broad and critical role that the audit committee plays.
In essence, every audit committee’s role is to stand objectively in the gap between management, the external auditors and the people who provide the capital to make it all happen, ensuring that those capital providers receive complete, accurate and timely financial information that has been subjected to an appropriate level of scrutiny. Not a simple task.
While SEC and listing regulations impose strict rules concerning the audit committee functions of public companies, private companies are not held to the same standards. Some may wonder why a private company would put forth the time, effort and financial resources necessary to form an audit committee and conduct supporting activities — e.g., internal audit, enterprise risk management (ERM) — if it is not subject to such requirements. But the real question is, why wouldn’t it?
Although the rules governing public companies are quite different from those followed in the private sector, private company audit committees are still charged with performing critical governance, monitoring and oversight roles. For that reason, it is in a private company’s best interest to emulate its public counterparts.
Whether required or optional, the benefits of an independent audit far outweigh the costs because an audit helps the board of directors meet its fiduciary duty to provide objective oversight and monitoring and protect stakeholders’ interests. Additionally, an audit committee that is supported by an internal audit function links monitoring, governance and oversight of the company with oversight of the internal control environment.
Yet despite that rationale, many private companies are still holding back on formalizing an audit committee or the processes that pertain to it. While this may seem reasonable, it is worth pointing out some common misconceptions.
Misconception No. 1: “My business is too small for an internal audit function.”
Internal audit plans typically cover financial reporting, operational efficiency and compliance with laws, regulations and corporate policies. As smaller businesses increase in size and complexity, internal auditors must be able to identify and address potential problems more expeditiously.
Regardless of the size of the company and the type of audit being performed, good analytical tools, risk assessment methodologies, training and planning are all important to the internal audit function. While some tools may not be needed early in a company’s life, the organization should begin to lay the foundation for long-term fiscal responsibility and put the appropriate pieces and people in place to monitor, track and perform the internal audit function from the start.
Misconception No. 2: “Our audit committee isn’t required to be independent, so there is no need to have an independent committee.”
Although a wholly independent audit committee may not be required by law in the private sector, in order for the audit committee to fulfill its duty, it should have as many independent representatives as possible.
Independence encourages objective thought about actions that will benefit the company over the long term, even if the audit committee’s recommendations sometimes run counter to management’s thinking.
Misconception No. 3: “We can’t afford internal audit.”
When it comes to cost, executives must ask themselves this: “What function is internal audit fulfilling, and how much does it really cost?” While the costs of personnel and systems needed for a solid internal audit function are not insignificant, they are far less than the costs of the fraud investigations that could result from an ill-managed and poorly monitored internal control environment.
Misconception No. 4: “Facilitating audit committee oversight takes time away from daily business operations.”
It is true that management will have to spend time preparing materials for audit committee meetings and oversight. It is likely that most of what the audit committee wants to review is already part and parcel of the daily work of the management team.
Additional time may be spent collecting and compiling information for dissemination to the audit committee, but creation of extensive new documentation should not be necessary. An effective management team will already be reporting on key metrics, corporate performance, financial results, and other relevant items.
Misconception No. 5: “Nobody cares.”
The audit committee is like a good insurance policy — it’s better to have it and not need it than to need it and not have it. The independent oversight of an organization is there to protect management’s investment.
When the right questions are not asked, important red flags are not raised and power goes unchecked, management may take advantage in unscrupulous ways, leading to fraud and other abuses. Any owner or management team that doesn’t see the need for an audit committee may want to think again.
Audit Committees Are Essential
The fact that the rules imposed upon private entities are less rigorous than those governing the public sector is not an excuse for private companies to be lax. With strong governance, companies can mitigate the risk of fraud, theft and embezzlement. However, going through the effort of independent monitoring and oversight does not require private companies to rewrite the rules.
By satisfying matrix of responsibility that public companies must follow, private entities will ultimately save themselves from headaches (or worse) down the road. Avoid taking the “only what’s required” attitude. Instead, strive for the highest bar.
Given the mounting pressures that companies face today to do more with fewer resources, the audit committee is more valuable than ever. By taking a fresh look at the inner workings of an organization, the audit committee provides the professional experience needed to assess the organization’s corporate-level risks, discuss the areas of greatest risk and create appropriate work plans to mitigate those risks.
In addition, by monitoring a company’s control environment and overseeing its ongoing risk mitigation activities, a good audit committee will complement existing audit activities and enhance the overall quality of the organization’s corporate governance.
About the Author
Warren Stippich is the National Governance, Risk and Compliance Solution Leader and the Market Leader of the Chicago Business Advisory Services Group at Grant Thornton LLP. He has over 20 years experience working with multi-national, entrepreneurial, and high-growth public companies, including boards of directors and audit committees. Warren brings experience to the business risk consulting and internal audit services areas from both the public accounting firm and industry perspectives. He leads many Sarbanes-Oxley consulting, internal audit services and SAS 70 projects for a wide-array of publicly traded and private businesses with international operations. He has worked extensively with international internal audit, Sarbanes-Oxley and business consulting assignments in Europe, Russia, China, Southeast Asia, Central and South America and Canada.