Imagine driving a car with a speedometer in the rear. When you crash, a voice from the back of the car gives the depressing message – “You crashed because you broke the speed limit of 60 miles an hour”. Now this question will get most of the auditors and risk managers upset, but I shall stick my neck out on this one. Don’t you think this metaphor fits the role audit committees are fulfilling presently? Should the audit committees function differently to help the CEO and board members perform better?
I am sharing below come controversial views on role and performance of audit committees. Let us say, I am auditing “auditing committees”. It might force you to rethink some issues. Do you share my views or hold different views?
1. Formation of Audit Committee
Generally, audit committees are formed with 3-4 non-executive independent directors. The premise is independent directors are in a better position to give impartial and unbiased views. Hence, the committee is entrusted with responsibility of advising the board on effectiveness of systems of internal controls, compliance and governance in relation to financial reporting obligations. The pertinent questions that arise are whether the independent directors are actually independent and capable of fulfilling their responsibilities. To shed light on this area, I am discussing some scenarios on appointment of independent directors.
Usually, independent directors are invited to join the board since they are either socially connected to the CEO or some other director. Delving into their backgrounds reveals commonalities between education, employment and/or social background. A board survey done in 2005-2006 in India showed that a “good 90% of the non-executive independent directors were appointed using CEO/chairperson’s personal network/referrals, and the remaining 10% through executive search firms.”
Another challenge is getting independent directors with the right industry experience and expertise. To illustrate, in 2010 48% UK FTSE companies were unable to comply with the provision of 3 non-executive directors forming the audit committee, as there were insufficient non-executive directors available in the board. Moreover, around 10-11% of the companies did not specify a director with relevant financial expertise.
Looking from another angle, appointment of independent directors to other company boards is dependent on favorable reviews and recommendations from existing board members. In light of this, wouldn’t the audit committee members be tempted to look the other way and avoid raising issues where CEO or board involvement is suspected in frauds. Can we really consider them independent?
Additionally, the value-add provided by the audit committee members is sometimes questionable. I couldn’t find specific data relating to India, but Grant Thornton report on UK companies states that audit committee meetings on an average were held 4-5 times during the year and non-executive directors attended meetings on an average 17-18 times during the year. If I do back of the envelope calculations, in rare cases only audit committee members would be spending more than 10 days per annum to fulfill their responsibilities for a particular company.
Considering this, I personally have doubts whether audit committee members are in a position to understand the complexities of business, the control environment and various risks impacting the organization. Keeping the size of organizations in mind and their global spread I sometimes feel that audit committees provide an illusion of confidence to shareholders rather than real confidence.
2. Selection & Appointment of External Auditors
The appointment and selection of external auditors is one of the key recommendatory functions of the audit committee. The board in the annual general meeting generally proposes the name of the external auditor recommended by the audit committee. .
Hence, the assumption is that audit committees take this responsibility seriously. I came across this Economic Times article “Can the big four survive a break-up attempt”. It highlighted some interesting facts:
- In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
- 85% of the companies in EU are audited by big four.
- 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
- Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.
Separately, a Grant Thornton 2010 report states that average duration for UK FTSE companies of an external auditor is more than 31 years. Additionally, 55% companies provided minimum insight on selection process of external auditor and just 15% companies provided detailed information on the decision-making process.
I am going to let you decide whether with these facts you can presume the audit committees are ensuring proper selection and appointment of external auditors. The logical argument given would be that big four have the geographical reach and expertise to audit multinationals. I have a straightforward question – with the same audit firm continuing for numerous years, can one assume objectivity and independence in reporting.
I am personally in favor of the new Companies Bill 2011 (India) clauses relating to audit firm and audit partner rotations. It mandates rotation of audit firm every 5 years and audit partner every 3 years. In my view, that is a step in the right direction.
3. Relationship with Chief Audit Executive
Grant Thornton 2011 CAE Survey of US companies revealed some startling data. A quarter of the CAE’s had not met the audit committee chair outside of board and committee meetings. 29% had met 1-2 times and 31% had met 3-5 times during the year.
Another interesting fact from Grant Thornton 2010 report is that 13% of the UK FTSE 350 companies did not have an internal audit function. That is, 40 of UK largest companies did not have a third line of defense, so most probably didn’t have a CAE. Moreover, 25% of the companies did not disclose compliance to this provision in the reports. This fact is fascinating as in India internal audit is mandatory for listed companies and external auditors are required to comment on the function.
Seeing the above US data, that 85% CAEs had minimal interactions with audit committee chair, can one say that they have a good relationship with the chair and members of audit committee? Without having a good one-to-one personal relationship, do you think audit committee members are in a position to assess the real performance of internal audit department or gather critical information about the company from the CAE. With such limited communication among audit committee members and CAE, would you have doubts on their effectiveness?
Now add to this, a CEO can terminate CAE services if s/he shares an opposing view than the board. Very few boards are mature enough to allow CAEs to constructively confront their ideas. Audit committee members may not be able to protect the CAE in all circumstances. Under these circumstances, would you say that audit committee and internal audit departments are effectively assessing the internal controls environment of the organization?
My view is that most audit committee members spend time on audit committee charter, internal audit charter and internal audit reports submitted by the CAE. They don’t delve deeply into procedures used to conduct internal audits. Additionally, in some companies there might be just superficial support given to the internal audit function.
4. Challenging Board Decisions
Audit committees have immense power in the sense that it can challenge board decisions. As per Companies Bill (India) if the “board does not accept any recommendation of the audit committee, the same shall be disclosed in the report along with reasons thereof.” However, I have rarely seen a report that states audit committee’s recommendation was not followed. This would make us presume that audit committee members are exercising their power properly and keeping a control on board activities. However, the picture is somewhat different.
A KPMG Audit Committee survey conducted in 2010 mentions that – just 27% boards encourage contrarian views and discourage groupthink, 64% do it somewhat and 9% do not accept different viewpoints at all. As I had mentioned in a previous post, Satyam fraud case portrays board’s failure to exercise judgment. Although Satyam’s board consisted on renowned personalities, Central Bureau of Investigation report–
“The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”
Moreover, the lack of personal accountability in independent directors’ mindset was apparent after Satyam fraud came into light. In a short period, subsequent to the disclosure of fraud 109 independent directors voluntarily resigned although their term had not ended, fearing being held liable for fraud or non-detection.
SKS Microfinance case is another example of the extent to which the board will not raise issues. CEO Suresh Gurmani was fired at the behest of the Chairman Vikram Aluka. Eight of the ten directors voted in favor of his termination, the other two were absent, although the CEO had no previous performance issue.
The situation is similar across the world. Enron, WorldCom or Swiss Air failure reflects board’s ineffectiveness. They are not exercising their powers judiciously for the benefit of the shareholders. In my opinion, audit committee members and other board members can do much more by challenging the viewpoints of the CEO and his/her team
5. Evaluation of Finance Function
Ensuring the integrity of financial statements is one of the key responsibilities of audit committees. The members are required to review the financial statements with the external auditors before submission of the board. Just to give you an example, Tata Motors 2010 corporate governance report defines the responsibilities of audit committee in respect to financial reporting as follows:
“Reviewing the quarterly financial statements before submission to the Board, focusing primarily on:
- Compliance with accounting standards and changes in accounting policies and practices;
- Major accounting entries involving estimates based on exercise of judgment by Management;
- Audit Qualifications and significant adjustments arising out of audit;
- Analysis of the effects of alternative GAAP methods on the financial statements;
- Compliance with listing and other legal requirements concerning financial statements;
- Review Reports on the Management Discussion and Analysis of financial condition, results of Operations and the Directors’ Responsibility Statement;
- Overseeing the Company’s financial reporting process and the disclosure of its financial information, including earnings press release, to ensure that the financial statements are correct, sufficient and credible;
- Disclosures made under the CEO and CFO certification and related party transactions to the Board and Shareholders.”
Hence, it is crucial to evaluate the performance of finance function.
As I had mentioned in an earlier post, CFOs after CEOs are the most likely people to do accounting manipulations. CFOs either do it on their own or at the instigation of CEO. Due to the nature of their role in preparation of financial reports, they are in the unique position to hide critical information, change accounting policies, pass dubious transactions and present false reports. A Satyam or Enron couldn’t have occurred without CFOs involvement.
Another aspect to look into is that the role of CFO has expanded and become more critical. CFOs are not only managing financial reporting, but also play a key role in strategy development, risk management and business monitoring. The question is what audit committees need to take into account to evaluate the performance of the finance function. Below are some pointers:
- Evaluate the role of the CFO in the organization to understand the functioning and power dynamics.
- Assess whether CFO is able to maintain independence and hold his/her own position with the CEO.
- Understand the logic given for changing accounting policies and methods, entering into transactions that may not be arms-length and inter-group company transactions.
- Review the history of accounting frauds and manipulations, notices from regulatory agencies and industry specific risk impact on the organization.
- Evaluate CFOs relationship with external auditors to determine whether he/she is unduly influencing them. Obtain CFOs viewpoint on qualifications and disclaimers given by external auditors.
- Review the systems and processes used for maintaining accounts and preparing financial statements. Understand the finance department organization structure and segregation of duties matrix.
- Determine CFOs focus on cost control, risk management, cash-flow management, and acquisition and mergers.
In my view considering the crucial role of CFOs, audit committees need to spend time understanding the various facets of finance function and gathering critical information to evaluate the integrity of financial reports. From the past corporate scandals, one cannot assume that audit committees are doing a good job at raising red flags and/or identifying accounting manipulations.
6. Nature of External Reporting
The present day hot topic of discussion is about the aspects audit committees should include in external reporting. As such, law requires that audit committees review the financial reports and related media releases. The question is should audit committees ensure that a company sticks to minimal reporting requirements or should it go beyond them.
In my view, corporate governance is about building good and transparent relationships with investors, shareholders, creditors, public and regulators. Hence, information that contributes to a healthier relationship between management and other parties should be disclosed.
Let me explain my viewpoint. Taking the example of India, a number of listed companies are family owned-managed companies (example, Reliance group, Tata group, Birla group etc.). Shareholders, especially the minority shareholders do not have significant say in company. The perception exists that family owned groups sometimes do not invest funds for shareholder benefits and squander them for personal privileges. Moreover, Indian corporate laws are good on paper, the regulation is not so great, though improving. Hence, Indian shareholders are a vulnerable lot. Additional information builds trust and confidence as seen in the case of Infosys.
The business benefits for upholding transparency are huge.
- The market value of shares increases. Velocity of share trading is also higher than other companies.
- Financial institutions show more propensities to invest.
- Foreign investors – institutional and individual – are open to trading in the shares.
- The companies have lower legal and regulatory costs as regulators are comfortable.
- Customers prefer buying products from companies that are ethical and socially responsible, hence transparency impacts sales directly.
The most important job of audit committees and board members is to ensure that management aligns company and personal objectives with shareholder interests. If the company is doing bare minimum reporting then audit committee is not really keeping shareholder interests in mind. For instance, Grant Thornton report of UK companies’ corporate governance practices mentions that of the 303 largest companies in 2009-2010, just 11% of the chairpersons commented on the corporate governance practices.
In my view, audit committees should focus more on the extent and level of external reporting. To enhance shareholder confidence more details can be provided on functioning of board, and internal audit, finance and risk management departments. A discussion on organization objectives, strategy and evaluation parameters would also be helpful. An explanation about the external auditor selection process and fees would be beneficial. Lastly, the company’s efforts in fulfilling corporate social responsibility would provide an added advantage.
7. Information Available with Audit Committees
Besides the abovementioned activities, audit committee members are required to look into other aspects of the business also. For example, review – the utilization of funds through public issues, transactions that indicate conflict of interest, cases of suspected fraud, financial statements of subsidiary companies, political spending and overall compliance with regulatory provisions.
Normally audit committee members rely on getting information from board meetings, minutes of the meeting, discussions with external auditors, reports and discussions with internal auditors, fraud investigation reports, whistle blowing hotline investigation reports etc. However, the question remains – do audit committees get the real information to make informed decisions? A KPMG 2010 US survey report states that 77% of the audit committees are activity engaged in obtaining information.
However, I do not see the same occurring in India. At the time of Satyam scandal and more recently on formation of new Companies Bill, there was a lot of discussion about responsibilities of independent directors in respect to fraud or inaccurate financial reporting. The independent directors had complained that they are not privy to the internal workings and thinking of the organization. Especially in case of family owned group. Hence holding them responsible is not the right step. If one considers this view, then audit committee members are actually abdicating their responsibility.
Another issue to deal with is that audit committee members may lack industry expertise, hence may not know the questions to ask. In my view, audit committee members should use their right to hire external consultant in case of doubt. Moreover, they should get additional information. A few pointers are:
- Obtain strategy and implementation plans.
- Review key performance indicators – financial and non-financial with status
- Interact with external and internal auditors of subsidiary companies directly
- Hold discussions with senior and middle managers were required of various business units
- Discuss with company secretary all legal and compliance challenges
- Discuss with ethics officer the key issues on maintaining code of conduct
- Discuss with fraud risk, information security and other risk officers the key issues they have faced during the year and their overall functioning.
- Review in detail all documentation relating to material transactions, acquisitions and mergers.
- Travel to other offices and locations to understand business operations.
This is not an exhaustive list, however will be beneficial in fulfilling audit committee members responsibilities better. Without gathering this information, the audit committee members would in my mind is doing superficial oversight.
8. Effectiveness of Risk Management Programs
The financial crises got the focus back on risk management. In the annual reports boards are required to comment on the performance of risk oversight function is. Board has to the responsibility to ensure that the organizations risk management procedures are commensurate with the company’s risk profile. In most cases, board delegates responsibility for risk oversight to audit committees, especially when the organization does not have a separate risk oversight committee.
Risk reporting is generally done in the business review section, though integrated reporting of risks and internal controls is being encouraged. As per Grant Thornton UK report, 63% of 350 FTSE gave detailed descriptions of risks and focused on operations risks. The question that comes up is how audit committees assess the effectiveness of risk management function and programs.
Let me take some of the challenges of risk management in the financial industry:
- Risk management is increasingly complex for financial institutions as it involves managing interlinked strategic, financial, operational and systemic risks
- Risk managers do not have sufficient authority and are frequently overruled by business teams. In few cases, they play a role in strategic decision-making.
- Risk managers do not strong relationships with business teams
- Risk appetite is defined by the organization but data is so scattered that it is difficult to monitor when actual organization risk exceeds risk appetite.
During the financial crises some of the key examples were –
- Royal Bank of Scotland (RBS) acquired ABN Amro Bank without sufficient details. It faced quite a few unpleasant surprises later on.
- Lehman did not get timely funding as actual worth of CDOs was considered overestimated, hence had to file for bankruptcy.
- AIG faced challenges in finding an investment partner since it didn’t have financial systems for integrated reporting.
Still banks are increasing their risk profile in the coming year. Some may have improved the risk management function and reporting, while others may not have learnt their lessons.
In light of this, my question is simple. Are audit committees really in a position to comment and provide reliable assurance on effectiveness of risk management programs?
9. Assessing Risk Culture
Loud noises after major frauds and financial crises repeatedly proclaim the same thing – “The risk culture of the organization was wrong”. It all boils down to the culture of organization and the attitude of the management towards risk taking. When Wall Street bankers received bonuses after the crises, there was uproar in the government and public. The outcry was bankers should be penalized for excessive risk taking, and not rewarded for nearly collapsing the financial sector.
Hence, the question arises why doesn’t management do anything about the risk culture? The logic is simple if you view it from CEO/CXO perspective. Their performance is evaluated on the quarterly numbers they give in the financial reports. To give that incremental growth high risk taking is required. Building a risk culture requires a long-term commitment to reap rewards. While implementing a risk culture program, in the first year the performance might be lower as employees will not be as enthusiastic about taking risks. Moreover, most of the professional CEOs duration is of 4-5 years in a company.
Considering these aspects it is not surprising that only a few are committing to building a risk culture. Though the corporate scandals have reduced investor confidence and resulted in closure of many organizations, the belief persists that they will not land up in the same soup. However, there is enough evidence that a high risk taking culture can nullify all the efforts of risk departments.
To counteract the effects of high-risk taking, proactive chief risk officers focus on building the risk culture. Their challenge is that regulatory guidelines ensure lip service and real commitment is missing. The question remains, can audit committees help them in doing so?
Audit committees in my view can assess the risk culture by focusing on:
- Remuneration of key personnel, including the bonus component linked to performance.
- Code of business ethics adopted and implemented by the company
- Analyzing the extent of reputation and regulatory risks the organization is facing
- Reviewing reported ethical breaches
- The amount of risk appetite board has determined it is willing to take to meet strategic objectives.
- The processes implemented to monitor risk appetite and key risk indicators
- Transactions entered that reflect conflict of interest to some degree.
In my view, audit committees can do much more to improve the tone at the top about risks. A continued focus from board members is likely to influence management in incorporating a good risk culture. A detailed explanation on the risk culture in the annual returns would be beneficial.
10. Internal Controls
Last but not the least, audit committees responsibilities include ensuring that the organization has effective system of internal controls. In some countries including India, the board is required state in the annual report that proper systems are in place to ensure compliance to all the applicable laws of the country. If it is not so, then they need to provide an explanation.
As you recall history, the focus on internal controls had increased worldwide after the spate of frauds (Enron etc) in US and subsequent introduction of Sarbanes Oxley Act. On that premise, one would assume that most companies would have vibrant internal control systems now. Though all companies report on internal controls, the Grant Thornton report states that in UK just 25% companies provide a detailed description on procedures adopted to evaluate the effectiveness of internal controls. Just 3 companies disclosed material weakness in internal controls. Hence, the quality of assessment of effectiveness of internal controls by audit committees comes in doubt.
Therefore, the question comes up – how do audit committees improve quality of assessment. Although regulations are more geared towards audit committees reporting internal controls on financial systems, a broader view covering operational and compliance controls is preferable. To do so, audit committees need to understand the business objectives, strategy, processes and information systems of the organization. This will facilitate them in understanding whether the organization is geared and equipped to deal with day-to-day operational problems. In the current environment, management requires real time information for decision-making and managing business operations.
After gathering the abovementioned information, audit committees would be in a position to assess whether:
- The right financial and operational areas were selected for internal controls review
- Procedures and practices followed for assessing internal controls was sufficient.
- Any areas require further review.
- The reported control weaknesses are material
In short, though audit committees are focused on ensuring organizations have a proper internal control systems, additional work can be done to improve the confidence in the assessments.
Audit committees are a critical tool for corporate governance. However, presently in my view they are not significantly effective. Hence, emphasis on working of audit committee can add value not only to the board but also to the investors and shareholders. It might appear a tall order, but ensuring that audit committee meetings are frequent, maybe monthly, would very much improve the performance. Worldwide, the corporate world needs to take this route to ensure better governance and build investor confidence.
I rest my argument here; share your opinion with me.
- Economic Times article – “Can the big four survive a break-up attempt”
- Evolution and effectiveness of independent directors in Indian corporate governance – by Umakanth Varottil, Faculty of Law, National University of Singapore
- Grant Thornton 2011 Chief Audit Executive Survey – Looking to the future: Perspectives and trends from internal audit leaders
- Grant Thornton 2010 Report on UK
- Corporate Governance in India – Evolution and Challenges by Rajesh Chakrabarti College of Management, Georgia Tech
- Tata Motors 2010 Corporate Governance Report
- KPMG- Highlights of the 6 Annual Audit Committee Issues Conference 2010