Audit committees have received more attention and focus since the passage of the Sarbanes-Oxley Act (SOX) of 2002. While SOX brought attention to the audit committee, it is only one potential body of law that governs the audit committee or a member of an audit committee. State statutory law remains the primary law governing audit committee members’ responsibilities.
A director may also have responsibilities under federal securities law, if your organization is a public reporting company, or federal tax law, if your organization is a tax-exempt entity. If your organization is in a regulated industry, such as insurance or banking, a director’s responsibilities are also governed by the laws governing those industries, such as federal or state banking laws or state insurance laws, including, if adopted, the NAIC model audit rule.
With increasing demand for greater transparency in financial reporting, avoidance of self-interest and fuller disclosure of executive compensation with comparison to performance, the role of the audit committee continues to be in the spotlight.
The audit committee has been described by the Blue Ribbon Committee on Improving Effectiveness of Corporate Audit Committees as one leg on a three-legged stool:
A proper and well functioning system exists, therefore, when the three main groups responsible for financial reporting—the full board including the audit committee, financial management (including the internal auditors) and the outside auditors—form a “three-legged stool” that supports responsible financial disclosure and active participatory oversight.
The key responsibilities of the audit committee include:
- Hiring, discharging and determining the scope of work and approving the fees of the external auditor
- Overseeing management in its responsibilities in the audit process
- Serving as the primary recipient of most reports and other communications from the external auditor
- Instituting procedures for receiving and investigating risks.
With its primary responsibility to provide oversight related to the audit process, the audit committee will communicate directly with the external auditor regarding judgments and estimates, material accounting policies, significant audit adjustments, difficulties encountered during the audit, disagreements with management, the auditor’s judgment about the quality—not just the acceptability—of accounting principles, illegal acts, reportable conditions with internal controls, and material violations of law or breach of fiduciary duty.
While this is a requirement for publicly traded corporations and some regulated entities, all organizations, regardless of their type, should strive, given the committee’s responsibilities, to have their audit committee composed of individuals independent of the organization and at least one financial expert.
It is important to remember that a member of the audit committee and other directors of a board under most states’ laws have a statutory right to rely upon:
- Officers or employees as to matters for which the director reasonably believes they are reliable and competent
- Professionals, such as lawyers or accountants, as to matters that the director reasonably believes are within the person’s professional competence
- Duly established committees of the board as to matters within their designated authority that the director reasonably believes merits confidence.
Accordingly, non-audit committee directors are entitled to rely upon the audit committee as to matters within the audit committee’s designated authority, which is the purpose of the audit committee’s charter. In turn, the audit committee is entitled to rely upon the CEO and CFO on matters in which the committee believes the CEO and CFO to be reliable and competent, and on the external auditor as to matters within the external auditor’s professional competence.
How to determine reliability and competence
How can an audit committee have a reasonable belief that someone is reliable and competent? By asking questions. Not only will asking questions fall under the protection of the right of reliance, but it is also necessary to comply with a director’s fiduciary duties of care and loyalty.
The golden rule for audit committees is to ask the same questions of all three legs of the audit-process stool: (1) the CEO, CFO, chief legal officer and others in management (including meeting with each separately from the others); (2) the internal auditor; and (3) the external auditor. Then compare the answers. The questions should be asked separately of each of the three legs. If the answers are consistent, a committee has strong evidence that it is entitled to rely upon the reliability and competence of each of the three legs. However, it is still advisable to validate reliability and competence by asking all three legs about their view of the reliability of each of the other legs.
If the answers are inconsistent, the audit committee likely has a duty to make further inquiries. First, the committee should review the inconsistent answer of one leg with the other two legs. For example, if an inconsistent answer was received from the CFO, ask the internal and external auditors something like, “Do you know what Mr. CFO may have had in mind when he told us . . . ?” Then, the committee should discuss the inconsistent answer with the CFO, by saying: “When we asked you about XYZ, you said 123, but when we asked the internal and external auditors, they said 789. Can you explain the difference between your answers and theirs?”
This will generally resolve the inconsistencies, especially if the committee validates the reliability and competence of all three legs. However, when in doubt, the committee would be well advised to consult with a lawyer or accountant experienced in audit matters.
The audit committee is responsible for giving direction to management, the internal auditor, and the external auditor through decision making and oversight. The committee may not be able to prevent fraud, but asking questions to determine the reliability and competence of the participants in the process may allow the committee to detect fraud early enough to prevent harm to the organization’s shareholders, members or policyholders.
In addition to its responsibilities above, the audit committee has become the recipient of other reports and communications, including but not limited to:
- Complaints received by the organization regarding accounting and internal controls, including whistleblower claims concerning questionable accounting or auditing matters
- Reports of actions taken by any officer, director or other person acting under the direction thereof to fraudulently influence, coerce, manipulate, or mislead the outside auditor
- Reports from attorneys representing the organization of any evidence by them of material violations of securities law or breaches of fiduciary duty not appropriately responded to by the organization’s chief legal officer.
To assist your organization in implementing or directing your audit committee, the following chart offers a planning calendar of typical functions that an audit committee of a privately held, publicly traded, tax-exempt or mutual company should consider. Please note that the chart is simply a guide and does not contain all acts that may be required by the audit committee of publicly traded or certain regulated entities.