What’s a shareholder to do when the chairman of Hollinger International’s audit committee admits that he (only) “skimmed” documents authorizing certain non-compete payments to certain directors? Or, what do you do when the chair of Enron’s audit committee was not only a professor of accounting at the Stanford Business School but also a former dean of that School? This governance expert has solid suggestions for making an audit committee what it is supposed to be – truly effective and beyond reproach.
As media reports and court trials over the past several years have revealed, audit committees of at least several companies involved in corporate bad behavior have been variously soporific, pliable, negligent or just plain derelict. In fact, the actions – or more precisely the inaction – of audit committees of many of these companies have been everything that fiduciary responsibility is not meant to be.
Maybe audit committees have an acceptable alibi. For example, for many years the three members of an audit committee in Canada were chosen for their many skills and abilities; however, knowledge of best-practice accounting standards and issues was not one of them. In fact, only in 2005 was it mandated that members of the audit committee had to be financially literate.
Recently, I conducted interviews with audit committee chairs and members, and with auditors. I also reviewed the effectiveness of boards and audit committees, conducted board and audit committee effectiveness forums and provided advice to regulators and other expert witness reports. Based on the data and observations I made during these endeavours, I designed a robust, systematic questionnaire to help guide the composition and effectiveness of audit committees.
A sampling of ten of my questions follows below, set out in: (i) a headline recommendation; (ii) the actual text of ten of the questions derived from my questionnaire (i.e., the ten boxes); and (iii) an explanation of each of the ten questions and recommendations following each box. These ten areas form the basis of this article, one that, ideally, will improve the effectiveness of audit committees everywhere.
1. Have a position description for, and assess the performance of, the audit committee chairs
There exists a comprehensive (i.e., detailed, complete, current, agreed to, published and communicated) Position Description (or the equivalent) for the Audit Committee Chair (including setting agendas, marshaling resources, retaining Auditors and other providers of relevant assurance, chairing in camera or Executive sessions, fulfilling Charter responsibilities, coordinating with other Committees, reporting to the Board and assessing Committee effectiveness).
Without an effective chair, an audit committee is unlikely to be effective. There should exist a comprehensive position description (or the equivalent) for the audit committee chair, tailored to individual circumstances if warranted and which may be used as a basis for recruitment, succession planning, assessment and remuneration. It was recommended to Canadian regulators that position descriptions for the chair of the board and all principal committee chairs should be recommended. This is now the law in Canada, under National Policy 58-201 – Corporate Governance Guidelines (“National Policy,” Section 3.5), having come into force on June 30, 2005.
The position description for the audit committee chair should include best practices and regulatory requirements. See Inside the Boardroom, Chapter 4, for best-practice position descriptions.
Then, making sure that the audit committee chair is comfortable with the process, conduct a comprehensive assessment of the chair’s effectiveness, e.g., considering the position description and the competencies and skills the chair is expected to bring (also recommended under the National Policy), providing feedback and reporting, taking timely, corrective action as required, and reporting on the nature of the review process in sufficient detail to shareholders in all appropriate public documents so as to demonstrate its effectiveness.
2. Audit committee members must understand the rationale for management’s choices and the implications for financial manipulation
There exists clear agreement that when an accounting treatment (e.g., critical accounting polices, those most important to disclosure of financial condition and operational results) that is open to interpretation or requires a judgment (e.g., critical accounting estimates, requiring assumptions about highly uncertain matters) has a material impact on the Company’s accounts (e.g., revenue recognition, provisions, accruals, reserves, stock-based compensation, pension accruals, income tax benefits not recorded, etc.) that there occurs appropriate disclosure of the nature of this estimate (e.g., its sensitivity or “fragility,” based on Management’s current judgment of future events being incorrect, in the MD&A or the equivalent).
At a minimum, all directors need to understand the business model and how the company makes money. But audit members must understand how such transactions require the judgments and choices management make, including the selection and application of critical accounting policies, judgments and estimates, and the potential for manipulation of financial statements, by management, as a result. Critical accounting policies require complex, subjective judgment and critical accounting estimates require assumptions about uncertainty whereby different assumptions may have a material impact.
There should exist clear agreement that when an accounting treatment that is open to interpretation or requires a judgment or has a material impact on the company’s accounts, appropriate disclosure of the nature of this estimate should be made, e.g., its sensitivity or “fragility,” based on management’s current judgment of future events being incorrect, in the MD&A, or the equivalent.
3. Ensure that audit committee independence is real as well as perceived
All Audit Committee Members always act independent of Management (e.g., Members exercise great care not to allow, even in subtle ways, their relationships with Management or their trust or confidence in Management to compromise their continual display of impartiality and objectivity).
It is important that audit committee members not only possess formal independence according to prescribed criteria, but also have independence of thought, judgment and action, so that independence is not only perceived or seen, but is real and applied. Audit committee members should voice their own opinions and not allow their trust in, or relationships with, management to compromise their continual display of impartiality and objectivity.
The role of the audit committee is to review, report and recommend (and in certain instances approve) and the role of a board is to review and approve. Once an audit committee chair or member becomes involved in the “do” part of the decision, through offering advice, there is an inherent conflict, as one is reviewing one’s own work, or a decision in which the chair, or another member (e.g., financial expert), participated, even in a subtle fashion.
For example, an audit committee chair may be asked for a preliminary opinion (e.g., advice) on an issue, project or transaction, prior to the audit committee meeting, or informally, off-line, by a skillful CFO, thus possibly influencing a later review, i.e., being ‘co-opted’ by management, as this earlier consultation may preclude, or deter, the chair, psychologically, emotionally or intellectually, from possibly forming a later more objective opinion that might be inconsistent with the chair’s earlier position or feedback, after further reflection or consultation. Audit committees must exercise great care in this regard, particularly on a psychological level, in not advising management in any substantive way. They may even need to be firm with management. e.g., “You decide, I approve.”
4. Recruit, orient, educate and retire your audit committee members carefully
Rigorous succession planning occurs for all Members of the Audit Committee (e.g., includes, with due consideration by the Nominations Committee, a formal and transparent process, identifying gaps between current Member competencies and skills and Committee requirements, a pool of Directors possessing desirable qualifications to serve on and Chair the Committee and, where appropriate, retaining a search firm to identify such a Director(s)).
Rigorous succession planning should be in place for all members of the audit committee. This means, with due consideration by the nominations committee, (i) having a formal and transparent process; (ii) identifying gaps between current member competencies and skills and committee requirements; and (iii) having a pool of directors possessing desirable qualifications to serve on and chair the committee and, where appropriate, retaining a search firm to identify such a director(s)). The financial expertise on the audit committee should also be recent, relevant, meet regulatory criteria and match the future financial oversight needs of the company (e.g., capital and balance sheet management, accounting, financial control and assurance, financial markets, treasury, funds management, investment banking, taxation, risk management, etc., as required).
All new audit committee members should receive a comprehensive, formal and tailored induction, which includes the following: committee charter, past agendas, papers, minutes and reports, key accounting standards and treatments, regulatory, risk and control framework, auditor and other assurance provider work plans, and in-depth sessions with reporting management and auditors.
All audit committee members should receive, and display commitment to, continuous education on leading practices in order to enhance their contribution to the audit committee. Members should update or enhance their knowledge of relevant accounting, auditing, industry and other regulatory requirements, via briefings by management, auditors and subject experts, funded external offerings and site visits that address member preferences. This last item, site visits, is particularly important as audit committees should actively visit operations within the company to gain first hand insight to (e.g., to see the results, talk to people and hear concerns from business unit managers regarding) the control environment. One particular company, who is regarded to be very well governed and whom the author advises, finds site visits particularly useful as part of its broader director education program.
5. Have agenda “mapping” and effective committee documentation and reporting from the audit committee to the board
All Audit Committee Charter responsibilities (includes ad hoc items and amendments) are comprehensively mapped into an annual work agenda (i.e., Committee responsibilities are integrated within a detailed calendar of scheduled meetings, agendas, matters, Management, Audit and other Assurance reporting requirements and Committee action, coordination and reporting).
There should exist sufficient time between the audit committee meeting and board meetings to allow any work arising to be carried out prior to reporting to the board (e.g., reviewing minutes, following up actions and developing matters for information, recommendation or decision, within timeframes for financial reporting, other committee meetings and members’ schedules).
In addition, the chair of the audit committee should report to the board in a timely, comprehensive, meaningful and focused manner. Meeting minutes provided / available should be clear, accurate, consistent, complete, timely and include the appropriate detail, e.g., including supporting materials and satisfactory diligence of the basis for the audit committee’s recommendation to the board.
6. Have proper reporting relationships between management and the audit committee
The Audit Committee Chair’s working relationships with key parties (e.g., with the Board Chair, CEO, CFO, Auditors, independent advisers, other reporting parties) are constructive (i.e., supportive, consultative and collaborative, yet independent, transparent and candid, with the Chair devoting sufficient time to develop such relationships).
The audit committee should have positive working relationships (e.g., exposure, interactions, reporting and confidence) with reporting senior management such that these managers are honest, candid, transparent, responsive, constructive and appropriately accountable to the audit committee. If not, addressing this issue is warranted. The level of integrity of financial reporting management (i.e., the CFO and reporting team) should be high. They should maintain confidentiality, identify, disclose and manage conflicts of interest, act in a manner that would withstand scrutiny, foster responsible, ethical decision-making, lead by example and instill a culture of accountability, transparency and quality financial reporting throughout the company.
Bad news should be promptly reported to (and recognized by) the audit committee. Such news includes any warning signs, e.g., inconsistent industry practices, concerns of analysts and institutional investors, improper revenue recognition or capitalization of assets, management pressures or opportunities for fraud, material matters of litigation or non-compliance.
Second, the audit committee should also have similar positive working relationships with all assurance providers (i.e., the lead external audit partner, head of internal audit, appointed actuary, regulatory auditors, OH&S, sustainability, IT, quality and other specialized auditors, as required), so that these assurance providers are similarly candid, transparent, responsive, constructive and directly accountable to the audit committee.
7. Have effective risk management oversight by the audit committee
There exists a clear understanding of the scope of risk oversight by the Audit Committee (i.e., the risk profile, established by the Board, has regard to the material business risks, financial reporting and otherwise, as identified by the Company’s risk management system, and oversight of such risks have been allocated by the Board, exhaustively and holistically, to itself and to Board Committees, appropriately documented, including reporting and accountability within Charters, such that the risks subject to Audit Committee review are clear and no diminution of risk oversight by the Board has occurred).
There should exist a shared commitment displayed among the board, audit committee and management for an effective system of risk management, which means that it is enterprise-wide, robust, integrated into operations, real-time, continual and culturally embedded and which responds to, identifies, evaluates, monitors, controls and mitigates material business risks to the company. This risk management system should enhance the review process that the audit committee undertakes, i.e., it should drive the internal audit plan, external audit process, insurance negotiations and other business processes, e.g., identifying key risks and compliance obligations where independent assurance is needed.
Second, there should be a clear understanding of the scope of risk oversight by the audit committee. The risk profile, established by the board, should have regard to the material business risks, financial reporting and otherwise, as identified by the company’s risk management system, and oversight of such risks should be allocated by the board, exhaustively and holistically, to itself and to board committees, and should be appropriately documented, including reporting and accountability within charters, such that the risks subject to audit committee review are clear and no diminution of risk oversight by the board has occurred. This is an important point and addresses the “We missed it” phenomenon, which has occurred in some of the boards I have examined.
The risk appetite (i.e., acceptable amount and type of risk set by the board) should be clearly articulated for each material business risk subject to the audit committee’s review. For example, risks should be ranked and clear tolerance ranges and boundary limit indicators should set strategic parameters for management, guide risk mitigation action and inform audit committee deliberations and private sessions.
The audit committee should receive regular, detailed, comprehensive, analytical information on risk impact, e.g., updates on new, ongoing, mitigated and monitored risk ratings (e.g., extreme, high, medium etc.) and risk and control “ownership,” which allow the audit committee to compare, informatively, the consistency between current risk management performance and the defined risk appetite set by the Board.
8. Have a strong internal audit function reporting directly to the audit committee
The Head of Internal Audit sees the Audit Committee as its key client (e.g., Internal Audit may be administratively accountable to the CEO or CFO, but is functionally accountable and owes its loyalty to the Audit Committee, who recommend to the Board, CEO and CFO the appointment, evaluation, compensation (at least annually, including incentive structure) and retention of the Head of Internal Audit, including the reassignment or replacement of senior staff, and review and approve the mandate, work plan, budget and resources for this function).
The audit committee should strive to concern itself that the head of internal audit is independent from management and external audit, and is objective in the reporting of factual findings to the committee. The head of internal audit (including senior staff) should not engage in operational duties or non-internal audit transactions or oversight and should have direct access to the audit committee chair.
The audit committee should also ensure that follow up of corrective action is taken by management in response to an internal audit report. Major findings for each report should be documented, e.g., exceptions, differences, disputes and implications for the risk profile; a register of recommended changes should be maintained for each report received; resources and accountability should assigned; and matters raised are tracked, promptly resolved and reported to the audit committee.
9. Make effective use of in camera or executive sessions with the audit committee
Separate sessions (e.g., private, in camera, Executive sessions or consultations outside of Meetings) contribute to the Audit Committee’s effectiveness (e.g., regular sessions (i) among independent Committee Members themselves, (ii) between the Audit Committee and each of the External Auditor and Head of Internal Audit, and (iii) between the Audit Committee and any internal personnel or an external adviser, as needed or appropriate).
Private sessions with the head of internal audit and the external auditor are particularly important. For the private meeting with the head of internal audit, all major issues should be discussed in a thorough manner. There should be candid, quality and complete dialogue, where tough, necessary questions are asked in a “protected” environment, pursuing substantive and material issues to satisfactory resolution, including the following: Internal audit views on areas of high risk, judgment and sensitivity, potentially aggressive accounting treatments, IT integration, automation of control testing, compliance vulnerabilities, suspected fraud or irregularity, and any independence, budget, resource or staffing concerns.
Private sessions should also be held with the external auditor occur to discuss all major issues (including any disagreements with Management) in a thorough manner. Similarly, there should be open, transparent, honest dialogue, as a “safety valve,” on all substantive and material issues of concern, e.g., Auditor views on the application of accounting principles to specific transactions or events, the basis for judgments about estimates, audit scope, disclosure in financial statements or footnotes, etc., suspected irregularity or error, areas needing improvement, and risks, exposures, information or questions of which the committee may not be aware or asking.
10. Regularly assess the effectiveness and contribution of the audit committee
A comprehensive assessment of the effectiveness of each Audit Committee’s effectiveness is regularly is conducted (e.g., considering the Charter’s duties and responsibilities, providing feedback and reporting, taking timely, corrective action as required, and reporting on the review process in sufficient detail in all appropriate public documents so as to demonstrate its effectiveness).
Lastly, a comprehensive assessment of the effectiveness and contribution of the audit committee should be conducted, considering the audit committee charter and the responsibilities the committee is expected to fulfill, and, in terms of best practice, in a manner with which the committee and its members are comfortable, providing feedback and reporting, taking timely, corrective action if or when required (e.g., developmental suggestions, peer remediation, addressing information quality and reporting relationships, and with leadership provided by the audit chair) and reporting to shareholders, through the board, on the nature of this review process in sufficient detail in all appropriate public documents so as to demonstrate the effectiveness of the audit committee review process. This self review may be done internally or with the assistance of a third party expert, depending on the preferences of the audit committee and the board.
Audit committees have, to one degree or another, transformed themselves since 2002, when the Sarbanes-Oxley Act was passed. They continue to undergo a great deal of scrutiny. A similar transformation may also occur in respect of Compensation Committees, resulting from the recent Rules put forward by the Securities and Exchange Commission in the United States (Executive Compensation and Related Person Disclosure; Final Rule and Proposed Rule, 17 CFR Parts 228, 229 et al., Part III, SEC, Federal Register, 8 September 2006) and Proposed Form 51-102F6 Statement of Executive Compensation, put forward by the Canadian Securities Administrators (March 29, 2007).
A good deal of what has been distilled above, however, is not based on legislation or prescriptive rules or external requirements, but on respondent interviews and my studies of audit committees’ and boards’ inner workings. Rules simply provide a framework or a minimum threshold. Audit committees, in their business judgment, may elect to go beyond minimum requirements.
Perhaps the greatest worry of any audit committee member in 2007 might be that, despite the rules, the audit committee “missed it” and reputational damage would ensue to that director. Some of the audit committees that I have examined, in one form or another, including member interviews, include those that were thought not to have met their oversight responsibilities, as well as those audit committees that have been regarded as exemplary, and in a few instances indeed transformed by effective audit committee chairs.
These data suggest that audit committee renewal can and does happen.
What may tend to differentiate those audit committees that are ‘at risk’ from those that are ‘best practice,’ in the words of one respondent, is the collective “sense of self,” or lack of it, that the board has.
This “sense of self” may also be thought of as a “tone at the top” because the board is united in setting and managing expectations of management, including its board committees and assurance providers. This “tone” is difficult to measure by traditional quantitative academic inquiry.
The second important differentiator of audit committee effectiveness, also difficult to measure, may be the quality of the audit committee chair. There not only needs to be a requisite level of financial skill, but also leadership qualities and a level of engagement and commitment for a chair managing the relationships with the external auditor, head of internal audit, reporting management and the board, such that no “gaps” exist in the reporting system. Effective audit committees are quite likely to have effective audit chairs, with a succession plan for that chair.
This article is for your own, personal use. To order reprints for any other use, please go to http://cases.ivey.uwo.ca/cases.