Ensuring Audit Compliance
The Securities & Exchange Commission (SEC) requires that every U.S. public company have an audit committee to oversee important compliance aspects related to auditor independence and the accuracy of financial reporting. These committee responsibilities are formalized by the 2002 Sarbanes-Oxley Act (SOX), which was enacted in the wake of several major corporate accounting scandals (e.g., Enron, WorldCom, Tyco International).
The Sarbanes-Oxley Act contains 11 sections or chapters, a few of which specifically address committee roles and requirements. Audit committees are responsible for (1) overseeing the accuracy of the financial reporting process, (2) ensuring external auditor independence, (3) reviewing the company’s system of internal controls, and (4) ensuring compliance with all laws and regulations.
Meeting SEC & Stock Exchange Requirements
The SEC outlines general criteria for committee independence, which prohibits committee members from being affiliated with or receiving consulting/advisory payment from the company (outside of standard board compensation). The SEC also requires boards to disclose whether they have at least one financial expert on the committee; if not, the disclosure must specify why.
Nasdaq and NYSE committee requirements are based on SEC requirements, yet they outline additional requirements (or make further specifications) on matters of independence, disclosure, financial experts and financial literacy.
Overseeing a Complex Risk Landscape
In addition to compliance responsibilities, the committee oversees risk management across the organization—a function that’s growing extraordinarily complex as items like cyber risk, ESG and corporate culture are being pushed to audit agendas. Are today’s audit committees overburdened?
Cyber risk has been one forum for this debate. As cyber risk becomes one of the greatest enterprise risks facing today’s companies, does it deserve more attention than the audit committee can provide? These are the kinds of questions today’s boards are grappling with as they determine the best way to mitigate risk across today’s increasingly digital landscape.
The most important thing about your audit committee chair is they [must] have a really good risk radar. There are a lot of things that come through [the audit] committee that can have a significant impact on how investors/shareholders view the company…You’ve got to have somebody in the seat that can really do a good ‘risk balance’ about what’s important and what’s not.
– Paula Loop, Leader, PwC’s Governance Insights Center
Bringing Together Necessary Skill Sets
As the risks facing today’s companies grow increasingly technical, audit committees will also have to examine their composition. While subject-matter expertise may not always be the answer for challenges like cyber risk, the committee may need to ramp up board education programs or consider advisory boards or an outside consultant as they assess the best structure for overseeing risk across the organization.
Even though financial expertise is a stock-exchange requirement for many companies, boards must also consider whether having more than one financial expert would benefit committee flexibility and succession planning.
Engaging Even When Not Required
Audit committee disclosure is largely mandated by the SEC; the committee’s report within the proxy statement is required to list whether the committee has reviewed financial statements with management, discussed all standardized audit matters with the independent auditor, and received the required independence disclosure.
Shareholders and regulators, however, are increasingly looking to the audit committee to provide enhanced disclosure around things like audit firm selection, audit firm evaluation criteria, and compensation details. The Center for Audit Quality and Audit Analytics publish an annual Transparency Barometer, which tracks trends and progress in voluntary audit committee disclosure over the last five years.
As companies become more global and more digital, the risk environment will continue to grow in size and complexity–and the risks themselves will be harder to identify. Each board will need to assess how to best manage these risks across the organization, which may require a hard look at audit committee governance and composition.
Avoiding Common Mistakes
Finally, boards and audit committees must not ignore the risks that may be lurking in the boardroom. Several recent exposés and court cases have revealed the dangers of using personal email and text messages at the board level. Even when the nature of those conversations is seemingly incidental, personal email can be used as a point of entry for a cyber breach or be discoverable under litigation. Don’t overlook the security of your board software and communication tools.