Audit Committee Responsibilities

Focusing on Oversight, Open Communication, and Best Practices

By Annemarie K. Keinath and Judith C. Walo

The SEC first recommended that publicly held companies establish audit
committees in 1972. The stock exchanges quickly followed by
either requiring or recommending that companies establish
audit committees. Over the years, various initiatives to strengthen
and increase the responsibilities of audit committees have
been made.

In 1987, the National Commission on Fraudulent Financial Reporting
(the Treadway Commission) investigated ways to detect and
prevent fraudulent financial reporting. The Treadway Commission
made six specific audit committee recommendations aimed
at deterring fraudulent financial reporting.

In 1999, the Blue Ribbon Committee on Improving the Effectiveness
of Corporate Audit Committees (BRC) made 10 recommendations
for improving audit committees’ effectiveness. BRC
also provided five broad guiding principles for audit committees
to follow in devising company-specific policies. The BRC
recommendations resulted in changes by NASDAQ, the NYSE,
AMEX, and the SEC.

In 2002, the Sarbanes-Oxley Act increased audit committees’
responsibilities and authority, and raised membership requirements
and committee composition to include more independent directors.
In response, the SEC and the stock exchanges proposed new
regulations and rules to strengthen audit committees.

Audit Committee Best Practices

The authors obtained proxies for the 98 domestic companies in
the NASDAQ 100 as of August 2002, most of which are in the
technology, pharmaceutical, and communications industries.
The audit committee charters in the sample were filed before
the passage of Sarbanes-Oxley. The authors examined all
other areas of the proxies where responsibilities of the
audit committee could potentially be reported, and included
these disclosures in their evidence.

Rules, regulations, and recommendations have been made to strengthen
audit committee composition and authority, to increase audit
committee responsibilities, and to improve the audit committee’s
monitoring role.

Exhibit 1 presents audit committee requirements specified by
Sarbanes-Oxley. Exhibit
2 presents disclosures required by the SEC in the audit
committee report filed in the annual proxy. Exhibit
3 presents preexisting and proposed NASDAQ rules beyond
those in Exhibits 1 and 2. Additional responsibilities not
required for NASDAQ companies are included as best practices
in Exhibit
4. These additional items cover recommendations by the
BRC and Treadway Commission, along with current or proposed
regulations of AMEX and the NYSE. Exhibit
5 presents the compilation of best practices, organized
into seven general categories, and a comparison of best
practices to disclosures of actual audit committee practices.

Analysis

Exhibit 5 presents the percentage of NASDAQ 100 companies asserting
responsibility for each item on the best practices list.
The results show that audit committees have to significantly
expand their responsibilities to just cover practices required
by Sarbanes-Oxley and NASDAQ. In addition, if audit committees
are to be proactive and effective, they should voluntarily
expand their responsibilities to include all best practices,
including those not required.

Oversee the financial reporting process. Annual and
quarterly financial statements are the primary means for
reporting the financial condition and operating performance
to stockholders. The BRC recommended that the audit committee
review these financial statements with management and the
external auditors. The NYSE proposal requires that the audit
committee review Management’s Discussion and Analysis
(MD&A), the company’s earnings press releases,
and earnings guidance provided to analysts.

All of the companies reported that their audit committees are
responsible for reviewing annual financial statements, and
95% reported that they discuss these statements with management
and auditors. Only 84% of the committees or committee chairs
reviewed quarterly statements, however, and only 68% discussed
these statements with management and external auditors.
The SEC requires that audit committees discuss annual reports
with management and disclose this discussion in the audit
committee report. Although neither current nor proposed
NASDAQ rules specifically address this issue, audit committees
not discussing quarterly statements with management and
auditors are clearly not being proactive.

As for the remaining items relating to the financial reporting
process, results show a need for major improvement. Only
8% of the audit committees reviewed the MD&A, and only
1% discussed it with management and auditors. Earnings press
releases were reviewed by only 14%, and none reviewed earnings
guidance provided to analysts and rating agencies.

Although review and discussion of the MD&A, earnings press releases,
and earnings guidance are not required of NASDAQ companies,
audit committees should monitor all financial information
communicated to the public to ensure that investors are
not receiving misleading information. The NYSE proposal
includes these reviews as audit committee requirements,
and it urges audit committees to pay particular attention
to earnings releases using “pro forma” or “adjusted
non-GAAP” information. The SEC has expressed concern
that pro forma disclosures do not necessarily “convey
a true and accurate picture of a company’s financial
well-being.” Under the direction of the Sarbanes-Oxley
Act, the SEC has approved rules requiring that pro forma
results be reconciled to GAAP numbers. Audit committees
should ensure that the earnings releases are not in violation
of SEC requirements. The fact that so few audit committees
reported reviewing earnings press releases suggests that
NASDAQ audit committees need to assume much broader responsibility.

Monitor choice of accounting policies and principles.
The choice of accounting principles significantly affects
the financial statements. The Sarbanes-Oxley Act requires
that the audit committee receive a report from the auditor
about the principles used and the effects of alternative
choices on the financial statements. The NYSE proposal requires
that the audit committee review with management and the
external auditor the effects of estimates or judgment on
financial reporting.

Only 63% of the audit committees in the sample disclosed that
they were responsible for monitoring the choice of accounting
policies and principles. Only 54% specifically indicated
that they review the quality of accounting principles with
their auditors. The number of audit committees that actually
review quality may be greater than this, because the discussion
of the quality of accounting principles is a current requirement
under GAAS. Discussion of principles will be expanded under
Sarbanes-Oxley to include alternative principles, the ramifications
of principles used, and the auditor’s preferred principle.

It is preferable that the charter explicitly state the responsibilities
required by GAAS. Audit committees that neither acknowledge responsibility
for discussing matters required by GAAS nor explicitly state
their responsibilities on critical duties such as the choice
of accounting principles may be too passive in their oversight.
They might leave it to the auditors to determine what the
committee should know, rather than taking an active role
by asking probing questions and ensuring that all items
of importance are discussed.

Monitor internal control process. The audit committee’s
role is to ensure that management has developed and followed
an adequate system of internal control. The seven best practices
discussed below are important factors relating to internal
control. None of these functions are currently required
for NASDAQ companies, although the last two items are part
of NASDAQ’s proposed changes. All seven are recommended
or required as a best practice by at least one authoritative
source.

Almost all audit committees asserted responsibility for monitoring
the system of internal control. Oversight of the system
of internal control was an audit committee best practice
in the BRC report. The Sarbanes-Oxley Act elevated internal
control to such importance that it requires an annual internal
control report by management, including a statement about
the effectiveness of the internal controls over the company’s
financial reporting. In 2003, the SEC approved a rule to
implement this requirement.

Monitoring compliance with legal and regulatory requirements is part
of the NYSE proposal. Only 60% of the audit committees in
this study acknowledged responsibility for this area, a
surprisingly low figure.

Risk assessment and risk management have been of particular concern
since the Enron scandal. Corporate boards and their audit
committees must understand the business and financial risks
that may be threats to their company. An audit committee
of independent and knowledgeable directors is in a good
position to ask management the right questions to determine
whether the company is adequately managing risk. The BRC
identified risk assessment oversight and risk management
oversight as an audit committee best practice. The NYSE
proposal requires the audit committee to discuss with management
the company’s financial risk assessment and risk management
policies. It is imperative that audit committees determine
not just what management has done to identify the risks,
but also what they have done to monitor and control the
risks. Given the importance of this area, it is surprising
to find that only 39% of audit committees acknowledged responsibility
for this area.

The Sarbanes-Oxley Act proposed that companies adopt a code
of ethics for senior financial officers. The SEC has approved
regulations recommending that the code of ethics include
both senior financial officers and senior executive officers.
Companies would be required to disclose whether or not they
had adopted such a code, and if not, why not. All three
of the exchanges have proposed that companies adopt a code
of ethics. In addition, all three propose that the code
should apply to all employees.

A mechanism for compliance is required by the SEC and all three exchanges,
but none of them specifically indicate who should perform
compliance oversight. The Treadway Commission stressed that
an ethical code of conduct cannot succeed without a monitoring
and enforcement mechanism. It also stated that it is the
board of directors’ responsibility to ensure that
a mechanism exists and functions as intended. The Treadway
Commission recommended that this responsibility be delegated
to the audit committee, supporting it as a best practice.
Only 40% of the audit committees in this study assumed responsibility
for this area.

The BRC stressed the importance of the internal audit function
in the internal control process, along with its importance
in assisting the audit committee in monitoring the adequacy
of the internal control process and the extent to which
management follows the control procedures. The BRC stated
that it was essential for the internal auditor to be able
to approach the audit committee in private, confident of
receiving the necessary support and guidance. The Treadway
Commission recommended that the audit committee review the
internal audit’s scope of responsibilities, and the
NYSE proposal requires that all NYSE companies have an internal
audit function, with oversight responsibility from the audit
committee. Only 58% of the audit committees in this study
asserted responsibility over internal audit. Given the critical
importance of the internal audit function, audit committee
oversight should be required for all companies.

The Treadway Commission emphasized the necessity of a mechanism,
perhaps within the code of conduct, to receive complaints
from employees and protect employees from reprisals. The
Sarbanes-Oxley Act and NASDAQ’s proposal will require
that audit committees establish procedures to handle complaints
on “accounting, internal accounting controls, or auditing
matters” and to provide confidentiality to employees
that submit complaints. None of the audit committees in
this study acknowledged responsibility for such a function.

The Sarbanes-Oxley Act requires disclosure of related-party
transactions between management and principal stockholders,
but it does not specifically require audit committee oversight
of these transactions. Both the NASDAQ and AMEX proposals
require that the audit committee, or a comparable body,
review and approve related-party transactions, making it
a best practice. Only 4% of the audit committees in the
study asserted responsibility for this function.

Ensure open communication among management, internal auditors,
external auditors, and the audit committee.
The BRC recommended that the audit committee meet separately
with management, internal auditors, and external auditors.
The NYSE proposal requires that the audit committee meet
separately with all three groups. As stated by the BRC:
“Since the audit committee is largely dependent on
the information provided to it by management, the internal
auditor, and the outside auditors, it is imperative that
the committee cultivate frank dialogue with each.”
It is critical that the audit committee meet in private
with each group, both on a regular schedule and on an as-needed
basis.

Eighty-two percent of the audit committees in the study indicated that
they met in private with external auditors, 61% with management,
and only 46% with internal auditors. This last result may
be related to the low percentage of audit committees that
took responsibility for overseeing the internal audit function.
These findings lend support to the contention that audit
committees have underutilized the internal audit resource.

Oversee hiring and performance of the external auditors.
The passage of the Sarbanes-Oxley Act has greatly expanded
the duties of the audit committee in monitoring the external
audit. The audit committee will be responsible for selecting
and replacing auditors and preapproving audit and nonaudit
fees and services, as well as overseeing the external auditor’s
performance. Under Sarbanes-Oxley, the audit committee is
solely responsible for hiring and firing the auditor. Only
10% of the audit committees in this study assumed this responsibility,
while 87% of the committees shared the responsibility with
the full board. Only 9% preapproved audit or nonaudit fees.

With respect to monitoring performance, 90% of the audit committees
surveyed oversee the external auditor’s performance
by reviewing the audit scope or audit plan along with the
audit results. Although NASDAQ has not specified this requirement,
it is a best practice that all audit committees should follow.
With the passage of SAS 99, Consideration of Fraud in
a Financial Statement Audit, external auditors will
be asking audit committees to discuss the company’s
risk of fraud. Assessing the risk of fraud will be included
in the audit scope, and the audit committee should satisfy
itself that the external auditor is doing this.

In addition to the above responsibilities, there are five audit
committee responsibilities related to oversight of the external
audit process itself:

- The BRC recommended that the external auditor be accountable
to both the audit committee and the board. This is consistent
with the markets’ listing rules. Eighty percent
of the audit committees surveyed acknowledge this accountability.
The Sarbanes-Oxley Act requires the external auditor to
report directly to the audit committee, which may potentially
change future accountability.
- Ensure auditor independence. The three exchanges and the
SEC require that audit committees get a written statement
from the external auditors on their relationships with
the company, consistent with ISB 1. There is no requirement
that the audit committee make a statement about the committee’s
conclusions concerning the external auditors’ independence;
however, they are required to have a discussion with the
auditors regarding their independence. As required by
the SEC, all audit committees in this study reported that
they had received ISB 1 from their auditors, and nearly
all of the audit committees indicated responsibility for
oversight of the auditor’s independence in their
charter.
- Ensure auditor qualifications. The NYSE proposal requires
that the audit committee receive a report from the external
auditor describing the auditor’s quality-control
procedures, any material issues raised by the auditor’s
most recent internal quality-control review or peer review,
and any investigation by governmental or professional
authorities within the preceding five years. Although
only the NYSE has proposed this requirement, it is included
in audit committee best practices. Only 2% of the audit
committees in our sample asserted responsibility for this
function, a disappointing result.
- The Sarbanes-Oxley Act requires that the audit committee
not only discuss disagreements between management and
the external auditors, but also resolve those disagreements.
Only 1% of audit committees indicated that they both discuss
and resolve disagreements. Thirty-five percent indicated
that they discuss the disagreements, but took no responsibility
for resolving them. Because discussing the disagreements
is required by GAAS, 35% may be an understatement. Many
audit committees included a disclaimer that they were
not responsible for resolving disagreements.
- Audit committees and external auditors are required to
discuss various matters required by GAAS. All of the audit
committees reported discussing GAAS with the external
auditors in the audit committee report, as is required
by the SEC. Nonetheless, many did not explicitly list
this as a responsibility in their audit committee charter,
leaving open the possibility that this is the external
auditor’s responsibility only. A proactive audit
committee should explicitly state its responsibility
for this function in its charter.

Composition. The Sarbanes-Oxley Act requires that all audit
committee members be independent and that one member have
accounting or financial management expertise. NASDAQ, the
NYSE, and AMEX all proposed independence criteria similar
to the SEC rule changes. The NYSE added a waiting period
before a former officer or employee may be a director. In
addition to the expertise requirement, the three stock markets
require that the committee consist of at least three members
and that all members be financially literate.

Nearly all of the audit committees surveyed required all audit
committee members to be independent, although a few indicated
that one nonindependent member would be allowed under exceptional
circumstances. Over 90% indicated that the committee would
include at least three members. Almost 90% stated that one
member must have accounting or financial management expertise
and that all members must be financially literate or become
financially literate within a reasonable time after appointment.
Some companies were explicit regarding independence and
financial knowledge, while many companies merely stated
that committee members were required to meet the qualifications
required by NASDAQ.

The fact that all requirements were acknowledged by the vast
majority of the companies is reassuring. Sarbanes-Oxley
has tightened the criteria for independence. Therefore,
NASDAQ companies must review the criteria they are currently
using. In addition, the NASDAQ proposal requires that audit
committee members must be financially literate at their
time of appointment, with no opportunity to become financially
literate on the job.

Other requirements. The following are additional
best practices of audit committees:

- Sarbanes-Oxley requires that the audit committee have
the authority and funding to use outside experts in their
investigations. The NASDAQ, NYSE, and AMEX proposals all
include this requirement. The study results indicate that
63% of audit committees already have this authority. It
is essential that companies not currently granting this
authority to their audit committees do so as soon as possible
in order to be in compliance with both the Sarbanes-Oxley
and the NASDAQ listing requirements.
- The audit committee charter should disclose the scope,
structure, and audit committee process. This is required
by all three stock exchanges. All of the audit committee
charters surveyed met this requirement and are in compliance
with NASDAQ requirements.
- As specified in Exhibit 2, the SEC requires an audit committee
report to be included in the company’s annual proxy.
All of the companies provided this report, and all included
the required disclosures. Only 49% of the audit committees
acknowledged responsibility for this item in their charter.
- The charter should be reviewed annually; the SEC requires
that it be provided to stockholders at least every three
years. NASDAQ, the NYSE, and AMEX all require an annual
review of the charter.

Seventy-eight percent of the audit committees indicated that they were
responsible for reviewing their charter annually.

The remaining items are neither required nor proposed by any
regulator, but are considered to be best practices:

- The BRC recommended that the audit committee have the
authority to investigate any matter considered necessary.
Just 69% of audit committees surveyed had the authority
to investigate any matter within the scope of their responsibilities.
In order for them to be effective monitors of the financial
reporting process, this authority should be granted to
all audit committees.
- The NYSE proposal requires an annual performance evaluation
of audit committees. Only 2% of audit committees asserted
responsibility for performing an annual evaluation of
their performance.
- The BRC recommended that the audit committee report annually
about whether it has fulfilled its responsibilities as
listed in its charter. None of the committees studied
said they were responsible for reporting annually as to
whether or not they had fulfilled the responsibilities
assumed in their charter.

Implications and Recommendations

Audit committees are not assuming all of the responsibilities
that would lead to effective, proactive oversight. Very
few of the best practices surveyed were assumed by all of
the audit committees, and the practices with the highest
reported percentages were those that were required. With
the passage of the Sarbanes-Oxley Act and the proposed NASDAQ
listing requirements, audit committees will be required
to provide even greater oversight.

The study’s results indicated that audit committees currently
are not fulfilling oversight responsibilities for which
they will soon be responsible. Audit committees reported
little or no authority for providing a mechanism to report
whistle-blower complaints, approving related-party transactions,
and preapproving audit and nonaudit fees. Audit
committees should be proactive in complying with the new
requirements, and should seek any necessary advice and training
in order to fulfill these new responsibilities.

Individual audit committees should consider adopting all of the audit
committee best practices that apply to their situations,
even those that are not required, such as oversight of internal
audit, oversight of company compliance with the code of
ethics, and increased monitoring over financial reporting.
The results imply that audit committees are very good at
taking on responsibilities when required. On the other hand,
their record for assuming nonrequired best practices is
mixed, at best. If audit committees do not voluntarily assume
best practices, regulators may find it necessary to intervene.
The effectiveness of the audit committee should be evaluated
at least annually in order to ensure continued compliance
with best practices requirements and recommendations.

Second, the audit committee is accountable to the shareholders it
represents, and must make significant improvements in their
communication and disclosure to shareholders. They must
disclose responsibilities that they have assumed, and they
also must disclose the extent to which they have fulfilled
these responsibilities. In order to ensure that shareholders
can easily determine audit committee responsibilities, all
audit committee responsibilities should be disclosed in
a single place in the proxy, preferably in the audit committee
charter. The findings suggest that the audit committee charters
do not always include all of the assumed audit committee
responsibilities, which are sometimes listed in the audit
committee report, sometimes in the description of the board
committees, and sometimes with the information on the audit
fees. The audit committee should disclose all of its duties
in its charter. Boilerplate charters should not be used;
charters should be written to address the individual needs
of the specific company.

Finally, to improve accountability to the shareholders, as recommended
by the BRC, the audit committee should report whether the
responsibilities assumed in the charter have actually been
carried out. The current audit committee report required
by the SEC mandates only minimal disclosure and does not
provide complete and adequate disclosure of audit committee
responsibilities actually performed. In order to provide
complete disclosure, audit committees should follow the
BRC’s advice and communicate to shareholders both
their assumed responsibilities and the extent to which these
responsibilities have been carried out.

Annemarie K. Keinath, PhD, is an associate professor of accounting
at Indiana University Northwest, and
Judith C. Walo, PhD, CPA, is a professor of accounting
at Central Connecticut State University.