Purpose, Process, Professionalism The Audit Committee Purpose, Process, Professionalism
A New World of Corporate Governance Boards of directors and committees must be: Proactive Informed Investigative Accountable Today’s governance arena requires boards of directors and their committees to be proactive, informed, investigative and accountable. This is good news for stakeholders and a wake up call for boards and their committees.
Clarifying Governance Governance is the system by which organizations are directed and controlled. It includes the rules and procedures for making decisions on corporate affairs to ensure success while maintaining the right balance with the stakeholders’ interest. No single committee of the board is more focused on or better in tune with governance than the audit committee!
The IIA Corporate Governance Model Board Management External Audit Internal Audit Effective Governance Responsibility for corporate governance is spread among several organizational entities. The cornerstone of effective governance are the board of directors, executive management, the internal auditors, and the external auditors. Four-legged stool – if you start chopping off some of the legs, you’d better balance pretty carefully!
The Bad News Stakes are greater No “figure head” board members allowed Public trust has diminished Greater challenges More director liability Gone is the day of the “figure-head” board member whose resumé proudly lists – in double digits – the prestigious boards on which he or she sits. And “sitting” harldy describes what takes place in today’s boardroom. The public is still reeling from corporate shenanigans brought to light over the past few years is more demanding and less trusting. Directors facing these challenges must be more cautious in regard to risk management, ethics, policies, procedures, and organizational leadership.
Clarifying Liability Directors need to be realistic about their personal liability under state and federal law, neither exaggerating nor ignoring their exposure.
Fiduciary Duties The duties of care and loyalty, and the expectation that directors will act in good faith. These are the primary source of director liability under state law. Source: Director Liability: Myths, Realities And Prevention – National Association of Corporate Directors Fiduciary duties – the duties of care and loyalty, and the expectation that directors will act in good faith – are still the primary source of director liability under state law. This has not changed with recent events. However, activism has increased the risk that directors may need to defend themselves in litigation alleging such a breach. Although directors are not subject to significantly greater risk of being found liable for a breach of fiduciary duty, rising stockholder-plaintiff activism has increased the risk that directors may need to defend themselves in litigation alleging such a breach.
Fiduciary Duties (cont.) Board members who wish to become empowered guardians and builders of corporate value must: Learn and follow best practices, avoid conflicts of interest, pay strict attention to board matters, drawing on appropriate expertise, including their own. Source: Director Liability: Myths, Realities And Prevention – National Association of Corporate Directors
Director Evaluations and Qualifications 38% of companies performed director evaluations in 2005 and 45% are planning to do so in 2006 97% of companies have established director qualifications up from 87% in 2005 Harvard Business School The Harvard Business School reported that 38% of companies performed individual director evaluations in 2005 and 45% are planning to do such evaluations in 2006, up sharply from the 27% in 2004. Of these companies, a growing number rely on peer reviews – 38% in 2005, and 48% planning to do so in 2006.
What is the AC’s Role in Governance? Oversight of financial reporting Risk management Internal control Compliance Ethics Management Internal auditors External auditors Some detailed audit committee responsibilities include: Ensuring that financial statements are understandable, transparent, and reliable. Ensuring the risk management process is comprehensive and ongoing, rather than partial and periodic. Helping achieve an organization-wide commitment to strong and effective controls, emanating from the tone at the top. Reviewing corporate policies relating to compliance with laws and regulations, ethics, conflicts of interest, and the investigation of misconduct and fraud. Reviewing current and pending corporate-governance-related litigation or regulatory proceedings to which the organization is party. Continually communicating with senior management regarding status, progress, and new developments, as well s problematic areas. Ensuring internal audit access to the audit committee, to encourage communication beyond scheduled committee meetings. Reviewing internal audit plans, reports, and significant findings Establishing a direct reporting relationship with the external auditors.
Committee Meetings 52% of companies report a significant increase in the number or length of meetings of the Audit Committee in the past two years. Harvard Business School The Harvard Business School reported in April 2006 that over half 52% of companies indicate they have seen a “significant” increase in the number of length of meetings of the Audit Committee in that past two years.
Tone at the Top Management, the board, and the audit committee all play critical roles in an organization’s tone at the top. Management, the board, and the audit committee all play critical roles in an organization’s tone at the top. Based on board expectations, executive management establishes the tone. It is the audit committee’s responsibility, though, to monitor that tone as well as oversee the organization’s ethical environment and compliance with laws and regulations.
Best Practices in Code-of-Conduct Oversight: Ensure: A code of conduct has been developed, reviewed and updated as needed. All employees receive the code of conduct, understand it, and receive training. Management exhibits ethical behavior and reported violations receive action.
Best Practices in Compliance and Ethics Oversight: Ensure: Compliance with laws and regulations Financial reporting of significant issues Management monitoring of program effectiveness Staying informed and recognizing trends to ensure appropriate action Internal audit includes assessment of compliance and ethics risks in their audit plan AC meetings with program manager to discuss key risks, status, issues, investigations, disciplinary action and effectiveness.
Noses In. Fingers Out. The lines of authority for audit committees and management should be clear and understood. AC members must communicate openly with management. They must also challenge management as appropriate. Balancing their role as advisor and counselor to management with their fiduciary duty to monitor and oversee management is, to say the least, challenging for most audit committees. The must communicate openly and often with management, carefully review information received, and challenge management as appropriate. They must not, though, play the management role. This oversight responsibility is referred to as “Noses in; fingers out.”
Communications Checklist Management is easily accessible. Management reaches out to the audit committee regularly. Management answers audit committee questions fully and completely. Management provides factual information to support responses. To ensure clarity, strong communications are essential both during and outside of committee meetings. Management should review the audit committee as an asset and seek its input prior to, rather than after making key decisions. The Communications Checklist can help audit committee members understand the level of communications they should expect.
Communications Checklist (continued) Management admits not knowing an answer. Management supports the audit committee by contacting additional resources and specialists. Management advises the audit committee of significant issues in a timely manner. Management seeks audit committee input in advance of key decisions.
Key Issues of Concern Financial Accuracy Risk Management Control Assessment External Auditor Oversight Effective Use of Internal Auditing These are a 5 key things that keep audit committees awake at night. Financial accuracy – completeness of financial disclosures, significant business and accounting policy changes, correct and truthful reporting, and interim reviews of financial statements. Risk Management – an enterprise risk management process, such as COSO’s Enterprise Risk Management – Integrated Framework should be implemented. Control Assessment – audit committee members must have upfront involvement and an understanding of management’s process for assessing internal controls. External Auditor Oversight – the audit committee should own the relationship with the external auditors, who provide an annual opinion on the financial statements. Effective Use of Internal Auditing – internal auditors and the audit committee are interdependent and should be mutually accessible, with the internal auditors providing objective opinions, information, support, and education to the audit committee; and the audit committee providing validation and oversight to the internal auditors.
Statistics on First Full Year of Filings As of March 30, 2006 - 404 Opinions 3710 filers 591 (15.9%) received adverse opinions from their public accountants 90 (2.4%) of all filers restated their first year’s Section 404 opinion; 59 (10%) of filers with adverse opinions restated their first year’s Section 404 opinion Source: Section 404 Internal Control Material Weakness Dashboard Audit Analytics
GAAP/Accounting Areas of Failure for Adverse Opinions Tax-related issues – 32% Revenue recognition – (31.3%) Inventory – (27.4%) Source: Section 404 Internal Control Material Weakness Dashboard Audit Analytics
Internal Controls Over Financial Reporting Issues – Adverse Opinions Material year-end adjustments (53.1%) Personnel issues (48.1%) Restatements of financials (49.6%) Source: Section 404 Internal Control Material Weakness Dashboard Audit Analytics
Clarifying the Value of Internal Auditing Audit committees must understand internal auditing’s role if they are to work effectively and share a healthy interdependence. Audit committee members should have an understanding of how internal auditing adds value and how internal auditing is guided by The Professional Practices Framework for carrying out its responsibilities.
Understanding Internal Audit Objectivity Reporting structure Risk management Staffing Prioritization Adding Value Objectivity – IA should have no personal or professional involvement with or allegiance to the area being audited; and should maintain an un-biased and impartial mindset in regard to all engagements. Reporting Structure – IA should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities and remain independent. This often results in a dual reporting relationship between executive management and the audit committee. Whatever, the reporting relationship there must be organizational independence. Risk Management – Implemented by management, ERM is evaluated by the internal auditors for effectiveness and efficiency. Staffing – A broad range of skills and expertise, and ongoing professional development are critical to the formation and maintenance of an effective internal audit activity. Prioritization – The CAE independence should provide the necessary organizational knowledge for staying in sync with risks and the organization’s overall priorities that allow for effective management of internal audit resources. Adding Value – IA serves management and the board, assesses the ethical climate and the effectiveness and efficiency of operations, and provides a safety net for organizational compliance with rules, regulations, and overall business practices.
Asking the Right Questions Audit committee members must maintain an in-depth understanding of internal audit best practices and how internal audit is functioning. Originally produced by the Canadian Institute of Chartered Accountants the 20 Questions serve as a tool to trigger awareness of the areas for which committee members might need more information. Hold up the AC Brochure and point to page 8 where the 20 Questions are located.
Consider… How does the audit committee live up to its significant governance responsibilities and meet the high expectations of shareholders and other outside parties?
Charting the Course An audit committee charter is a blueprint for its operation and should address: Processes Procedures Responsibilities Audit committee charters vary widely, but should address the three components bulleted. A sample audit committee charter is available on The IIA’s website at www.theiia.org by entering “Audit Committee Charter” into the search engine.
For More Information on Audit Committees and Governance IIA website www.theiia.org/go?to=audit committee Research/Publications Audit Committee Effectiveness: What Works Best Tone at The Top (corporate governance newsletter) The Professional Practices Framework The IIA Bookstore Guidance Audit Committee: Purpose, Process, Professionalism Audit Committee: Discussions on Performance (self-assessment) 20 Questions Directors Should Ask About Internal Audit