Audit Committees’ Responsibilities and Liability

By Stuart D. Buchalter and Kristin L. Yokomoto

In Brief

The Audit Committee’s New Job Description

In the wake of Enron’s collapse, audit committee members are subject to enhanced responsibilities and liabilities, and the SEC and other regulators are conducting more investigations of the actions of directors and officers. Nevertheless, serving as an audit committee member can be a rewarding experience and provides an opportunity to make a difference for a public company, its shareholders, and the investing public. This article provides a brief history of audit committees, their evolving composition, their changing roles and responsibilities, and their enhanced exposure to liability, along with suggestions on how to minimize that liability.

As a result of the shareholder suits, governmental investigations, and criminal proceedings arising from recent financial debacles at Enron, WorldCom, and Adelphia, liability is lurking around every corner of the corporate world for directors, officers, outside auditors, and members of audit committees. The discovery of the significant liabilities and insider transactions that Enron and kindred companies hid from their shareholders and the investing public on their financial reports jolted Congress, the White House, the SEC, the major stock exchanges, shareholders, and the public. All of them are scrutinizing companies’ financial reports for accuracy, integrity, and transparency.

At the core of the financial reporting process is the audit committee of the company’s board of directors. Audit committees always have had legal responsibilities under general corporate law; however, after Enron, audit committees have been given significantly increased responsibilities under the Sarbanes-Oxley Act of 2002. The additional responsibility increases the workload for committee members and in the number of companies seeking qualified persons to serve on audit committees. At the same time, directors and officers liability insurance carriers are advising public companies that there will be higher deductibles, lower policy limits, and coinsurance provisions, all at higher premium levels.

While Congress has significantly increased audit committee members’ exposure under the Sarbanes-Oxley Act for breach of their fiduciary duties and violations of the securities laws, there are ways that audit committee members can protect themselves. Under section 301 of the Act, members of an audit committee of a board of directors have the authority to “engage independent counsel and other advisers.” The Act also mandates that companies pay the fees and expenses of such advisers as determined by the audit committee. This is consistent with the Delaware General Corporation Law which provides that audit committee members, in fulfilling their duties, shall be fully protected in relying in good faith upon independent legal counsel. Audit committee members’ concerns can be diminished by conducting appropriate due diligence and retaining competent legal and financial advisers.

The message from Congress and the SEC is that the audit committee is now the gatekeeper of financial information that shareholders and the investing public rely upon in order to make informed investment decisions. The SEC’s main objective is to mandate timely disclosure by public companies of all information, financial or otherwise, that would be considered important by a reasonable investor.

History of Audit Committees

Since 1940, the SEC has recognized that an audit committee could serve an important, and ultimately necessary, function in ensuring that a publicly traded company’s financial reporting is accurate. In the 1970s, the New York Stock Exchange (NYSE) required boards of directors of listed companies to appoint an audit committee; in the 1980s, the National Association of Securities Dealers (Nasdaq) and American Stock Exchange (AMEX) subsequently followed suit. In February 1999, audit committees received attention when a committee composed of individuals from the NYSE, Nasdaq, public companies, and CPA firms issued the Report and Recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees (available at www.nyse.com or www.nasd.com). The report recognized that the audit committee has a crucial role in ensuring high-quality financial reporting. Shortly after the report was issued, the SEC and the stock exchanges issued rules and regulations imposing certain requirements of, and responsibilities on, audit committee members. Today, a myriad of practices and regulations dictate the composition, roles, and responsibilities of audit committees.

Composition of the Audit Committee

The board of directors selects the members and chair of the audit committee, all of whom need to be able to function as a team. The audit committee should consist of three to five members, depending upon the size and business of the company. Some committee members should have experience in the company’s primary industry or company-related expertise. The board may consider setting term limits for the committee members. The Sarbanes-Oxley Act requires that each member be independent and recommends that at least one member be an “audit committee financial expert.”

To qualify as “independent,” the Act states that an audit committee member cannot accept any fees from the company other than for serving as a director, and cannot be an affiliated person of the company or any of its subsidiaries. Boards must be familiar with the new rules of the particular stock exchange or market in which their company trades, because those proposed rules, now being reviewed by the SEC for adoption, impose stricter definitions of independence under recently adopted corporate governance proposals. Under NYSE rules approved on August 1, 2002, audit committees must consist of a minimum of three members. To be independent, a director must not have any relationship with the company that interferes with the exercise of independent judgment, and must not have worked for the company within the past three years. Nasdaq’s board of directors approved similar rules on July 24, 2002, and amended them on August 21, 2002, to reflect certain provisions of the Sarbanes-Oxley Act. AMEX’s board of directors also approved new corporate governance rules conforming to the Act in September 2002. Accordingly, companies should ensure that current and new audit committee members have no potential conflicts of interest that may interfere with their ability to act independently from management.

To be an “audit committee financial expert,” an audit committee member must have an understanding of economic and accounting principles, comprehend how financial reporting choices and accounting policies can affect a company’s financial reports, and possess an understanding of internal controls and procedures. The exchanges’ rules require some members to be “financially literate”; prior service as a CEO or CFO can qualify. Under the Sarbanes-Oxley Act and SEC rules, companies will be required to disclose the number and names of the “audit committee financial experts,” and, if none are disclosed, why no such person is on the audit committee.

Potential board members who qualify as financially literate or financially expert are scarce, and search firms are finding that such persons, if willing to serve, are in high demand. Companies should provide training and educational seminars for their current and new audit committee members to ensure that they possess these essential skills and are informed as to directors’ duties and liabilities as well as relevant financial accounting issues. Companies should also consider sending their audit committee members to educational programs such as the Directors’ Consortium, jointly developed by the Wharton School, Stanford Law School, and the University of Chicago Graduate School of Business.

Audit Committee Role and Responsibilities

For an audit committee to fulfill its new and continuing obligations, asking the tough questions, understanding the answers, and properly disseminating information are crucial. The basic responsibilities include adopting a charter, monitoring the reporting process, overseeing the outside auditor, and paying attention to management and employees.

Charter. The NYSE, Nasdaq, and AMEX require a company to adopt a charter, which must be filed with the SEC once every three years with the company’s proxy statements. The charter should contain only duties that the audit committee is required to perform under current law and any additional ones that the committee will actually perform. Specifying excess duties may lead to claims of breach of fiduciary duties. Companies with existing charters are encouraged to review them with counsel, and amend them if necessary.

Financial reporting process. As stated in the Blue Ribbon Report, audit committees do not prepare financial statements or become involved in the details of decisions required to prepare them, but rather are responsible for monitoring and overseeing the financial reporting process. To fulfill its responsibilities, the audit committee must ensure that proper internal controls are established, must be familiar with the company’s risk assessment policies, and must be informed of critical accounting choices for any kind of transaction or judgment decisions. The audit committee should meet regularly and as needed with the company’s CFO, comptroller, internal auditor, and other personnel responsible for the company’s financial reporting process and internal controls, as well as with the outside auditor.

A company’s proxy statement must include an Audit Committee Report that states, among other things, the name of each audit committee member, whether the audit committee reviewed and discussed the audited financial statements and related judgments with management and the outside auditors, and whether the audit committee recommended to the company’s board of directors the inclusion of the company’s financial statements in its annual report filed with the SEC.

Audit committee members should also be familiar with additional reporting requirements imposed upon companies by the Sarbanes-Oxley Act to ensure timely and accurate reporting. The Act requires that financial reports reflect all material correcting adjustments; that off–balance sheet transactions be disclosed; and that companies disclose to the public on a rapid and current basis additional information concerning material changes in financial condition or operations, in plain English, as the SEC determines necessary or useful for the protection of the investors and in the public interest. The Act further requires that each annual report include a discussion stating management’s responsibility for establishing effective internal controls and procedures for financial reporting, as well as provide an assessment of the effectiveness of such controls and procedures.

To ensure integrity in the financial reporting process, Congress, the SEC, and the major stock exchanges now require that companies disclose in periodic SEC reports whether they have adopted a code of ethics for their senior financial officers, and if not, why. “Senior financial officers” includes a company’s principal financial officer, comptroller, principal accounting officer, or persons performing similar functions. Oversight of the financial reporting process is perhaps the audit committee’s most important responsibility, and should not be undertaken without advice from competent counsel and financial advisers.

Outside auditor. Under the Sarbanes-Oxley Act, the audit committee is directly responsible for the appointment, compensation, and oversight of the outside auditor. The NYSE and Nasdaq rules grant the audit committee the sole right to hire and fire the outside auditor. The committee’s selection of the outside auditor is important because if the outside auditor’s performance is later criticized, so too will be the committee’s judgment in selecting or retaining that auditing firm. When Enron's financial situation unraveled, everyone pointed fingers at someone else. Arthur Andersen LLP, Enron’s outside auditor, blamed Enron’s audit committee for failing to disclose Enron’s financial reporting practices to it, while the outside world blamed Andersen. Thus, the audit committee must disclose all relevant information regarding the company’s financial reporting and accounting policies to the outside auditors. Audit committee members should ask the outside auditor to explain accounting principles and choices consistent with industry standards, and ask why a particular methodology was chosen over another.

Audit committee members should be aware of certain conflict-of-interest and other provisions imposed on the outside auditor under the Act. Under the Sarbanes-Oxley Act, an accounting firm cannot provide audit services if one of the company’s senior management was employed by that accounting firm during the prior year. The Act further provides that the lead and review partners of the outside auditor must rotate so that neither role is performed by the same individual for more than five consecutive years. After disclosures that Andersen received $25 million for its auditing services and $27 million for its nonauditing services performed for Enron during 2001, the rendering of non–audit related services was criticized, and outside auditors are now expressly prohibited from performing certain non–audit services. In addition to any future service that might be deemed impermissible by the Public Company Accounting Oversight Board (PCAOB), there are eight nonaudit services that an audit committee cannot approve:

Permitted nonaudit services must be approved by the audit committee and clearly disclosed in the company’s proxy statement and Form 10-K annual report filed with the SEC.

Management and employees. Audit committee members should meet with the executive officers on a regular basis and as much as needed to understand the treatment of complex transactions entered into by the company. The Sarbanes-Oxley Act requires CEOs and CFOs to include certifications with the company’s periodic SEC reports attesting that they are responsible for the establishment of internal controls and for the disclosure of any significant deficiencies or changes to the audit committee. This will require the audit committee and management to meet regularly.

Then–SEC Chief Accountant Robert K. Herdman recommended, in a speech on March 7, 2002, that audit committees be “proactive” and, together with management and the outside auditors, perform the following tasks:

After Enron’s management apparently ignored employees’ concerns regarding the company’s financial affairs, audit committees are now required to establish procedures for the receipt, retention, and treatment of employees’ complaints regarding accounting, internal accounting controls, or auditing matters. The audit committee must provide employees with the opportunity to submit confidential and anonymous concerns regarding questionable accounting or auditing matters. The Sarbanes-Oxley Act protects whistleblowers at public companies by granting statutory rights to informants and imposing criminal penalties (fines or imprisonment) for retaliating against informants.

Liability

Audit committee members continue to have fiduciary duties to the company and its shareholders, which include the duty of care, the duty of loyalty, and the duty to make informed judgments. The business judgment rule (BJR) is a defense available in litigation to shield directors from breach of fiduciary claims provided that, among other things, directors make informed, rational decisions. Whether audit committee members can successfully defend a claim for breach of duty to make informed judgments will depend upon whether they fully considered all material information reasonably available to them before making a decision [see Smith v. Van Gorkam, 488 A.2d 858 (1985)]. Thus, audit committees must be able to probe for reliable and relevant information. Audit committee members can further protect themselves under the Delaware General Corporation Law from breach of duty claims by retaining financial and competent legal counsel to advise them on those matters.

Audit committee members are also subject to actions by the SEC under the Securities and Exchange Act of 1934, which grants the SEC broad enforcement powers, increases the maximum penalties for existing crimes, and creates new federal crimes, such as banning any director or officer of an issuer of securities from taking any action to fraudulently influence, coerce, manipulate, or mislead an accountant engaged in the performance of an audit for the purpose of rendering such financial statements materially misleading.

Section 10(b) of the 1934 Act also lowers the threshold for the SEC to ban a person from serving as a director or officer upon a finding that such person demonstrates “unfitness” to serve as an officer or director. The SEC also has the power to ban a person from serving as a director or officer in a cease-and-desist proceeding if such person demonstrates unfitness. On August 21, 2002, the SEC permanently banned an Enron executive, Michael J. Kopper (who agreed to forfeit a total of approximately $12 million), from serving as an officer or director. The SEC has additional enforcement actions pending.

It is unwise for directors and officers to act without retaining counsel, accountants, and other experts, and a court or the SEC could find that failing to seek counsel is in itself a breach of audit committee members’ fiduciary duties. Audit committee members should insist that their companies have the appropriate directors and officers liability insurance, while understanding that insurance coverage is no longer a complete answer to potential liability.