The audit reforms sweeping across EU Member States (and beyond), the complexity of financial reporting, the broader and more complex risk environment and the unprecedented expectations of shareholders and regulators, require audit committees to be more focussed than ever on enhancing their efficiency and effectiveness.
When looking to enhance audit committee oversight, it is all too easy to focus on ‘leading’ or ‘best’ practices – and with good reason: these are processes, policies, or approaches that ‘work’. Yet, practices that work best for one organisation may not be ideal for another – especially in a challenging and complex corporate governance environment where corporate culture, financial reporting and other risks and governance needs can vary dramatically from entity to entity.
However, I believe that certain guiding principles underlie the effectiveness of every audit committee. Even as specific oversight practices evolve to address changing risks, regulatory requirements and corporate governance needs, the right principles can help ensure that practices are applied effectively – that is, by the right people with the right information, processes and perspectives. To this end, I offer five guiding principles for audit committees and boards to consider when developing, evaluating and refining the audit committee’s oversight processes and practices.
Five guiding principles for audit committees
These principles are essential to audit committee effectiveness and are vital to the independence, objectivity and integrity of the financial reporting, risk management and internal control processes.
- Have a strong audit committee chair
- Get the right people on the committee
- Get committee members ‘up to speed’ though an induction process
- Maintain control of the audit committee agenda
- Ensure access to the ‘right’ information
A strong audit committee chair
Effectiveness often hinges on the chair’s effectiveness. The essential characteristics of a strong audit committee chair are often personal attributes. They should be recognised for their leadership and vision and be perceived by other committee members and management as able to set and manage the audit committee’s agenda. The chair should be acknowledged as having the personal courage to raise and deal with tough issues and support other members to do the same.
Formal meetings of the audit committee are at the heart of its work. However, they are not its only point of contact with the organisation. The audit committee chair and, to a lesser extent, the other audit committee members, need to keep in touch with key audit committee stakeholders, such as the board chairman, CEO, CFO, CRO, the external audit partner, the head of internal audit and others within the organisation. In many organisations, the audit committee chair meets regularly with each of these individuals as part of the process of developing the meeting agenda and preparing for each meeting. A successful audit committee chair should not only understand the importance of the audit committee’s relationship with these individuals but also have the interpersonal skills to build and maintain an effective working environment. The characteristics of an effective audit committee chair might include being:
■ An independent, proactive leader with confidence and integrity
■ A highly respected and experienced board member, who possesses strong financial literacy skills and time available to develop and closely monitor the committee agenda
■ A person with an excellent working knowledge of audit committee practices and internal control functions and risk management frameworks
■ A good listener and communicator, who can facilitate successfully
■ Able to champion open and frank discussion with discipline
■ Tenacious and prepared to ask tough questions
The right committee members
Members of the audit committee should be independent of mind and have sufficient skills, experience, personal characteristics and diversity of thinking necessary for the role.
Independence is a cornerstone of the committee’s effectiveness, particularly when overseeing significant judgements and estimates. Audit committee members must be adept at communicating with management and the auditors and be ready to challenge and ask probing questions about the company’s risk management and control systems, accounting and corporate reporting. Members must be able, both in theory and in practice, to express views to the board that are different to those of the CEO or CFO and be confident that they will not suffer.
It is up to the board to assess the integrity and independence of an audit committee candidate, so every member’s appointment is an occasion for careful deliberation. The board should have a strong understanding of any regulatory definitions of independence and how a lack of independence occurs and is interpreted in practice; but it should also be mindful of situations where the definition of independence is met, yet practice determines otherwise.
At least one member of the audit committee should have competence in accounting and/or auditing. What constitutes such experience will, of course, vary from organisation to organisation and each board should determine its own criteria having regard to appropriate regulation. In many cases ‘competence’ must go well beyond basic familiarity with financial statements. Members must be able to understand the rules and, more importantly, the principles underpinning the preparation of the financial statements and the auditor’s judgements. They must be prepared to invest the time necessary to understand why critical accounting policies are chosen and how they are applied and satisfy themselves that the end result fairly reflects their understanding. As such, past employment experience in a significant financial role or one that included oversight responsibilities for financial reporting, or a qualification in finance or accounting might be appropriate.
Members should also have competence relevant to the sector in which the organisation operates and personal characteristics, such as integrity, strong interpersonal skills, sound judgement and the ability and willingness to challenge and probe. There is also value in having committee members from diverse backgrounds – people who are not afraid to ask simple questions, such as “Why is that the case?”, “What would one expect to see?” and “Tell me again because I still don’t understand”. These are good, simple questions that due to human nature can easily be overlooked by (say) the member considered to be the ‘financial expert’.
Getting committee members up to speed
For any new director, but particularly those joining the audit committee, a learning curve comes with the territory. Just how steep that learning curve is and how quickly a new director is able to contribute meaningfully to the work of the board and the audit committee, can hinge directly on the quality of the induction programme.
“AUDIT COMMITTEE MEMBERS MUST BE ADEPT AT COMMUNICATING WITH MANAGEMENT AND THE AUDITORS AND BE READY TO CHALLENGE AND ASK PROBING QUESTIONS ABOUT THE COMPANY’S RISK MANAGEMENT”
Understanding the business – its operations, strategies, risks and management team – as well as the responsibilities and culture of the board and its committees takes time. But a structured induction programme – including essential information and briefing materials, quality discussions with key people and a ‘roadmap’ for getting up to speed – can greatly accelerate a new director’s integration and contribution to the board’s work.
For new audit committee members, induction presents an added layer of complexity, given the intricacy and scope of the corporate reporting, risk management and compliance issues on the audit committee’s plate – not to mention the expectations of regulators, particularly in the financial services sector.
A suitable framework for new audit committee members – and management and audit professionals supporting them – to consider as they develop an induction programme, might include:
■ Suggested reading for the new audit committee member, such as corporate documents and other briefing materials
■ An initial orientation session
■ Follow-up, one-on-one meetings with key people in the company to develop a deeper understanding of the business, its key governance and control processes and its leaders
■ Site visits
Formal induction programmes for new members help ensure the individuals understand their responsibilities, the current issues and the specific circumstances of the organisation. However, the on-boarding needs for new members will vary from individual to individual, depending on a number of factors, including the director’s background and experience and the role the director is expected to play on the board and audit committee. As a result, all new audit committee members should be prepared to take responsibility for their own induction programme – working with management and others to determine how best to get up to speed and build a strong foundation for informed oversight.
Maintaining control of the audit committee agenda
Traditionally, audit committees were – without prejudice to the legal responsibilities of the board – responsible for the oversight of financial reporting, audit quality and internal financial controls. However, in the wake of a series of corporate failures in the last 15 years, oversight of various new
(often non-financial) risks has been added to the agenda of many audit committees. And these new risks – cybersecurity and IT risk, supply chain and other operational risks, legal and regulatory compliance – become more complex each year (as do the audit committee’s core responsibilities).
Keeping the committee’s agenda focussed is therefore crucial. This requires an agenda that is manageable (what risk oversight responsibilities are realistic?); a sharp focus on what’s most important (starting with financial reporting and audit quality); and allocating time for robust discussion while taking care of ‘must do’ compliance activities. At all times the responsibilities of the audit committee should be clearly documented and communicated – not only for the benefit of audit committee members, but also for the board, management and auditors.
“AUDIT COMMITTEES SHOULD REGULARLY ASSESS THEIR PROCESSES, PRACTICES AND THE VALUE THEY ADD TO THE ORGANISATION”
The audit committee’s terms of reference should also be co-ordinated with the responsibilities of other committees in the organisation – finance committee, remuneration committee, governance committee, risk management committee and other committees focussed on a particular risk (e.g. investment committee or environment, health and safety committee). These committees may be required to consider similar issues from different perspectives so care should be taken to define clearly the roles and responsibilities of each, when collaboration is required, whether cross-membership is allowed and whether the audit committee chair or members might attend other committee meetings as an observer (and vice versa).
Access to the ‘right’ information
Audit committee oversight is only as good as the information available to the audit committee. Getting the basics in place is important – ensuring committee papers are timely, not overly long or complex (if possible), prioritisation of the key issues that are well-signposted and clarity as to whether each issue is for discussion, information or decision.
Equally, if not more important, is the committee’s access to and relationship with, management and others within the organisation. Paradoxically, the balance between strong relationships and robust oversight is at the heart of the audit committee role. A committee that fails to understand the line between oversight and management can easily find itself in a poor relationship with management; and effective oversight is difficult to achieve where management sees the audit committee as nothing more than a necessary corporate governance burden. Equally, an overly cosy relationship is unlikely to lead to effective oversight as challenging questions are all too easily avoided in such circumstances. The ideal place to be is where those working with the audit committee (whether it be the CFO, CRO or auditors) look to the committee as a useful partner or sounding board. The exchange of information flourishes in such circumstances and this naturally leads to better oversight.
Finally, as most of the information at the audit committee’s disposal comes from management, audit committees should also consider what actions they could take to guard against asymmetric information risk. This might include engaging specialists to update the committee in certain areas or to simply provide a different perspective to management. Social media is also an important source of ‘unfiltered’ information.
In practice audit committee effectiveness will hinge on many individual practices – but the above five guiding principles represent the essential building blocks. Having put the foundation in place, audit committees should regularly assess their processes, practices and the value they add to the organisation with a view to enhancing their effectiveness. Always remember, audit committee effectiveness is a journey – a constantly evolving goal. A committee that isn’t open to improvement is a dangerous thing!
