Richard Roedel, director of the Association of Audit Committee Members, recalls the moment well: Earlier this year, he served on a board as chairman of its audit committee and was holding a meeting. Another board member mistakenly strolled in, expecting a meeting of the compensation committee.
Roedel joked with the director that anyone staying in the room for more than five seconds was forced to join the audit committee. “I was just joshing with him,” Roedel says, “but you wouldn’t believe how fast he got out of there.”
You can’t blame him. Times have changed.
For many public companies today, observers say, the audit committee is a committee people want to be on. It is now seen not only as the default committee for wide-reaching risk assessments that go beyond mere financial risk, but as the go-to entity for nearly everything that could be a liability for a business.
Indeed, in the wake of Sarbanes-Oxley, it’s not uncommon for audit committees to have oversight over legal compliance and litigation risk, brand management risk, operational risk, competitive risk, and information technology risk, to name a few. And that’s after the committee has tackled complex financial risks, such as derivative instruments.
Why so much responsibility piled onto one group? “In part because there’s no other obvious board committee that can consider such issues,” says Ed Smith, executive director of the KPMG Audit Committee Institute.
Smith contends that risk-management pressures come from all sides since the modern audit committee is the group that either gets assigned—or is assumed to have—responsibility for complex and difficult subject matter involving risk assessment, mitigation, and management in myriad areas.
“The [audit committee’s] increased power in the boardroom comes largely from an increased need for information and its ability to demand it,” says Paul Hodgson, senior research associate for The Corporate Library, a governance research firm. “Gone are the days when audit committees can sign off on accounts without having looked at them as at Enron and the other governance disasters.”
Leland Graul, a partner at BDO Seidman who heads up the firm’s public-company practice, agrees. “As we look forward, we’re seeing that the audit committee is definitely not the same old boys club anymore,” he says. “You can’t just sit around like that today because if you look at the board in general, the [audit committee] is going to be the committee that sees the most impact. Think about it: If anyone was to sue, the audit committee stands to face the most exposure.”
From Obscurity To Risk Overseer
Audit committees trace their roots back to 1940, when the Securities and Exchange Commission first stated that companies needed them to ensure accuracy in financial reporting. By the 1970s, the New York Stock Exchange made audit committees a requirement for all listed companies; Nasdaq and the American Stock Exchange followed suit in the 1980s.
In 2000, the SEC and the stock exchanges issued rules and regulations imposing requirements such as the financial literacy of all audit committee members and the installation of a “financial expert” as chairman of the committee. Any lingering obscurity ended with the arrival of the Sarbanes-Oxley Act and its Section 404 provisions for internal controls over financial reporting.
The increased demands and expanded risks placed upon audit committees these days also compel them to produce results that are evaluated and scrutinized by multiple government regulators, not to mention the capital markets and ultimately shareholders and the general public.
For instance, Smith at KPMG says, the NYSE now seeks an audit committee discussion of a company’s risk-assessment and risk-management processes, as well as how those processes were developed and when and how they are implemented; no discussion, no listing on the NYSE. Moreover, ratings agencies such as Fitch Ratings and Moody’s are mulling over how to factor the strength, validity, and soundness of a company’s risk assessment in their ratings. Additionally, the “risk factors” section of any 10-K report these days is more detailed than in recent years.
Still, the audit committee’s rise to prominence has sparked debate in the corporate governance and compliance worlds over how far the power pendulum should swing, whether there is such a thing as being “too serious,” and to what extent an audit committee is responsible for the entire risk matrix of a company.
Jim Morrow, founder of the Audit Committee Effectiveness Center at the American Institute of Certified Public Accountants, is concerned about potential work burdens that could dilute the strength of audit committees.
According to experts, below are some of the risks audit committees must consider addressing as they execute their fiduciary responsibilities.
IT Risk: General computer and related application controls are the building blocks of formulating timely and accurate financial statements. Information security, data migration management and continuity of information systems are all paramount at any company large or small. Many audit committees are heavily involved in setting the agenda for IT governance, particularly in areas such as IT auditing (system access trails, transaction booking, digital ledger reconciliation and the like) and to a lesser extent, IT procurement, business continuity planning, and IT change management.
Legal Risk: The audit committee is particularly vulnerable to shareholder lawsuits alleging improper or incomplete financial disclosures, lack of independence, or conflict of interest considerations with an outside audit firm. There is also the rare management lawsuit against a meddlesome audit committee. An airtight committee charter that can both define duties as well as indemnify members can be helpful, but writing one can be challenging; the evolution of the audit committee has made many charters a living document, subject to expansion or contraction depending on emerging risk factors.
Operational Risk: This is biggest area of contention in the compliance arena, where the board can sometimes lock horns with management. For the audit committee it is perhaps the most all encompassing risk area, as there is likelihood that corporate taxes, credit risks, liquidity risks, and market perception can all affect continuing operations and subsequently financial statements. Experts agree that it this is an area where all stakeholders (executive suite, board, internal auditors, external auditors, audit committee and legal counsel) should be informed.
“There aren’t 50 people on an audit committee,” Morrow says. “We have to remember that some of these members also sit on other boards and have full-time jobs. When you get into reputation risk and all these other ancillary risks that may or may not be material, you have to ask, what is the whole board doing?”
Michael Cangemi, chief executive of Financial Executives International, suggests that breaking up the audit committee into sub-committees may be an effective way of dividing the work, if risks are deemed to be too wide-ranging for the committee and board to handle.
“What we may see audit committees doing is splitting off like amoebas and sub-dividing into smaller groups that feed up to the audit committee,” Cangemi says.
Such a move would essentially create an organizational chart within an organization chart, where the audit committee splits off into sub-committees for, say, regulatory compliance group, IT governance, and external risks.
But that may only be necessary at larger companies, and even then it could create a power vacuum.
Staying In The Lane
Roedel, who now serves on audit committees at companies such as Sealy Corp., Brightpoint, IHS, and Dade Behring Holdings, stresses that too much responsibility on one committee indicates a company that has overextended itself.
“As you continue to add more and more responsibility to the audit committee, it probably means that there’s an organizational change that needs to happen on the board and in management,” he says.
Meanwhile, academics and regulators, while applauding the evolution of audit committees, caution that members should attempt to stay in their lane, which still mostly involves financial reporting.
William Holder, director of the SEC and Financial Reporting Institute at the University of Southern California, warns that depending on the culture of a particular committee, a potential exists for it to become heavily involved in what management is supposed to be doing.
“You always have to be aware of the difference between oversight and managerial duties,” he says.
Evidence suggests that many audit committees still haven’t mastered the necessary financial expertise and may need to continue to focus on recruiting more experts before branching out into broader realms of enterprise risk. As recently as last fall, a Crist Associates survey revealed that just 27 percent of audit committee chairmen at Fortune 500 companies have CFO experience; only 11 percent have spent any significant time at one of the Big-4 accounting firms.
Along these lines, Public Company Accounting Oversight Board member Charles Niemeier agrees that focus is still needed going forward.
“Audit committees are indeed branching out in scope, and they should be, but only to the extent that what they examine leads back to what their job is,” he says. “As long as the financial statements are still the nucleus, still the starting point, still the subject most germane to the audit committee’s charge, there’s nothing wrong with looking at the big picture.”
And seeing that big picture begins perhaps with being in the room for more than five seconds and actually reading the 10-K.