The Role of the CPA in Corporate Compliance Committees
By Sara R. Melendy and Ronald J. Huefner
FEBRUARY 2007 - All accountants are familiar with the importance of
compliance with laws and regulations surrounding financial
reporting, tax reporting, and the like. Failure to properly
comply may have adverse financial, legal, and professional
effects. Companies invest significantly in control systems
to ensure such compliance, and extensive internal and external
audit resources are devoted to monitoring that compliance.
Recently, increasing attention has been given to compliance with a
broader scope of laws and regulations. Most organizations
are impacted by a wide range of legal and regulatory issues,
in areas such as labor and employment, the environment,
trade, product liability, health and safety, and truth in
advertising. In addition, organizations are impacted by
laws applicable to their specific area of operations, such
as medicine, education, communications, defense industries,
or gambling. To deal with these broader needs, many organizations
are setting up compliance programs, and providing oversight
by establishing high-level compliance committees.
A compliance committee is a group of individuals, usually
composed primarily of members of the board of directors.
They are assigned the task of ensuring that the corporation
and its employees are acting in accordance with all applicable
laws, regulations, ordinances, and rules promulgated by
federal, state, and local governments and agencies. Where
relevant, oversight should extend to international laws
and regulations as well.
In some corporations, the audit committee serves in this role.
An audit committee already has significant responsibilities
in its normal role of dealing with financial matters; a
recent study found that audit committees meet more than twice
as frequently as they did prior to the Sarbanes-Oxley Act
(SOX). Adding the legal compliance responsibility may overload
what a board committee can reasonably handle. Or it may
lead an audit committee to relegate these other areas of
compliance to only cursory oversight. Thus, there has been
a growing use of compliance committees that are separate
and distinct from the corporation’s audit committee.
One special case should be mentioned. SOX allows for the creation
of a “qualified legal compliance committee”
(QLCC) to investigate issues of corporate misconduct. This
type of committee has special legal ramifications as it
shifts the burden of investigating complaints from corporate
counsel to itself. The legal factors leading to the decision
to create a QLCC are beyond the scope of this article. Some
companies have both a compliance committee and a QLCC. In
these companies, the duties of the QLCC are typically limited
to the investigation and resolution of complaints.
The role of CPAs. While the areas of concern of
a compliance committee typically fall outside the financial
arena, CPAs still have an important role to play in the
design and operation of compliance oversight. Expertise
in control systems and in audit methodology is needed for
compliance oversight. One may deem this process to be a
kind of “legal audit” of the company. While
the technical expertise of lawyers is needed to assess and
evaluate specific compliance, the legal profession generally
does not develop audit methodologies for this purpose. Thus,
CPAs are in a position to advise companies, boards of directors,
and compliance committees on establishing control systems
and developing audit methodologies to detect potential noncompliance.
The Mission of the Compliance Committee
As mentioned above, a compliance committee is typically assigned
the task of ensuring that a corporation and its employees
are acting in accordance with all applicable laws and regulations.
This goal is usually defined as a reactive one; that is,
the committee must ensure compliance with existing laws,
rules, and regulations. Some committees, however, have included
in their charter the proactive role of ensuring compliance
with expected future laws, rules, and regulations. This
task may seem impossible, given that future laws do not
yet exist; however, potential rules are often debated for
years before becoming effective, or are imposed on a certain
sector of companies before being imposed on all. For example,
the laws regarding minimum fuel efficiency were applied
to cars long before they were required of SUVs and light
trucks.
The compliance committee’s role is not limited to the
prevention of corporate misconduct or inadvertent noncompliance.
It also includes monitoring the company to detect noncompliance
that has already occurred or is currently occurring, and
enforcing the compliance program by employing corrective
action if noncompliance is detected, including, if necessary,
the discipline of any employees found engaging in misconduct.
This monitoring and detection function may entail overseeing
the implementation of sophisticated internal controls, training
programs, and internal compliance audits. It is imperative
that the controls and procedures put in place to monitor
and detect noncompliance are continually reviewed and updated
to keep up with the myriad of rules, laws, and regulations
with which companies must abide. Even accidental cases of
noncompliance can have expensive and embarrassing consequences.
Creating a compliance committee as part of a compliance program enhances
company oversight, which is an element of good corporate
governance as outlined by the National Association of Corporate
Directors, the Business Roundtable, and the U.S. Department
of Justice. Additionally, the initiation of a compliance
committee can help a company’s long-term performance
by ensuring that the corporation complies with laws and
regulations that, in the long run, are in the best interests
of its shareholders and other stakeholders.
Reasonable rationales for implementing a compliance oversight committee
as part of an overall corporate compliance program include:
1) promoting good corporate governance; 2) avoiding prosecution
or court-imposed compliance programs; 3) facilitating intracompany
communication; 4) avoiding the costs of bad publicity; 5)
signaling the market; 6) avoiding overburdening the audit
committee; and 7) entering new markets. The Sidebar
analyzes an actual company to provide anecdotal support
for several of these rationales.
Promoting Good Corporate Governance
Although for most industries a corporate compliance program is not
legally required under federal or state law or under SEC
or exchange regulations (an SEC mandate for mutual funds
is a notable exception), the implementation of a compliance
program, including effective oversight, is considered to
be good corporate governance by many bodies, including the
Business Roundtable, the Department of Justice, and the
National Center for Preventative Law. The Business Roundtable
guidelines for boards of directors include monitoring management’s
actions, asking incisive, probing questions, and exercising
vigorous and diligent oversight over a corporation’s
affairs. Implementing a compliance committee fulfills all
of these recommendations. The Department of Justice’s
U.S. Federal Sentencing Guidelines encourage self-policing
by corporations and include involvement of high-level personnel
as its second element of effective compliance programs (see
the Exhibit).
The National Center for Preventative Law also includes,
in its elements of corporate compliance, involvement of
high-level personnel and endorsement by the corporation’s
highest governing authority. A board-level compliance committee
would effectively meet these requirements.
Limiting Liability
Limiting legal exposure reduces the risk that a company will have
to pay substantial fines or incur costs of court-imposed
probation or compliance programs. In addition, there can
be indirect financial consequences associated with the negative
publicity of a criminal conviction. Although sometimes difficult
to quantify, these would include lowered employee morale,
reduced customer loyalty, and reduced ability to obtain
financing from creditors or credit from vendors. Corporations
may also risk the possible loss of revenue due to debarment
from (e.g., prohibition from bidding for or participating
in) government contracts or other types of business transactions
(e.g., buying and selling stock). A compliance committee
would monitor a corporation and institute preventive controls
to reduce a corporation’s likelihood of participating,
accidentally or deliberately, in corporate misconduct.
According to the revised U.S. Federal Sentencing Guidelines, the existence
of an effective compliance program (including oversight
by top-level personnel such as a compliance committee) provides
a means of avoiding or at least mitigating criminal prosecution
in the event corporate misconduct is uncovered. The 2004
Amendments to the U.S. Federal Sentencing Guidelines raised
the responsibility of compliance to the highest level of
an organization, the board of directors. Although the second
factor for prosecutors to consider (the involvement of high-level
personnel) had been a general requirement in the original
guidelines, the amendments replaced the wording with more-specific
requirements with respect to compliance and ethics program
personnel. Previously, to meet the standard of due diligence,
the guidelines only required that “specific individual(s)
within high-level personnel of the organization must have
been assigned overall responsibility to oversee compliance
of the program.” “High-level personnel”
was defined as “individuals who have substantial control
over the organization” and further clarified as “a
director, executive officer, an individual in charge of
a major business or functional unit of the organization,
such as sales, administration or finance; [or] an individual
with a substantial ownership interest.” The new amendment
expands the oversight requirement by adding that an organization’s
“governing authority” (defined as the board
of directors, or if the organization does not have one,
the highest-level governing body of the organization) must
be knowledgeable about the content and operation of the
compliance and ethics program and that the governing authority
must exercise reasonable oversight with respect to the implementation
and effectiveness of the program.
Concurrent with the legislative system enacting laws shifting the responsibility
for oversight of corporate compliance from upper-level management
to the board of directors, the judicial system has also
been active in specifically promoting compliance committees
as part of corporate compliance programs. In a landmark
case [In re Caremark International Inc. Derivative Litigation,
No. 13679 (Del. Ch. Sept. 25, 1996)], shareholders
sued the board of directors to recover fines paid by the
company for employee violations of health provider laws.
Chancellor William T. Allen, of the Delaware Court of Chancery,
considered the issue of corporate board responsibility with
regard to monitoring a corporation to ensure that it operates
legally. The court held that, at a minimum, the board is
responsible for actively ensuring that management institutes
appropriate information and reporting systems that are reasonably
capable of preventing violations of the law. A director
may be held responsible for losses caused by noncompliance
if the corporation does not have any control mechanisms
in place to prevent such losses.
Chancellor Allen very specifically suggested that the board of directors
should be assisted by a compliance and ethics committee.
This committee should consist of four directors, two of
whom should be outside directors. They should meet at least
four times a year to initiate and monitor the compliance
program and related policies. The committee should report
to the full board semiannually, and the corporate officer
responsible for each business segment should serve as a
compliance officer for that segment.
On June 7, 2000, in United States of America v. Microsoft
Corporation [Civil Action 98-1232 (TPJ), Final Judgment,
June 7, 2000], the Honorable Thomas Penfield Jackson, U.S.
District Judge for the District of Columbia, ordered that
Microsoft establish a compliance committee of its corporate
board of directors. The order was part of a structured remedy
for violations of the Sherman Act and various state laws.
It seems that the courts are imposing the use of compliance
committees as part of mandatory corporate compliance programs
to ensure that “higher-level personnel” are
knowledgeable about, and ultimately responsible for, the
oversight of corporate compliance programs, as described
in the U.S. Federal Sentencing Guidelines. In addition,
any corporation that wants to reduce the likelihood of prosecution,
or mitigate the fines if prosecuted, must show that an effective
compliance program was in place prior to the discovery of
any misconduct. To be effective, a compliance program must
have the support of the highest-level personnel in the organization.
Facilitating Intracompany Communication
In addition to the monitoring function, another reason a company
may implement a compliance committee at the highest level
is to facilitate communication of corporate governance practices
among its subsidiaries. When companies have many divisions
or subsidiaries, corporate governance practices can sometimes
develop in one subsidiary without being implemented in others.
Having a compliance committee oversee corporate governance
ensures that weaknesses found in one subsidiary are corrected
across the organization.
One recent example of the danger of failing to implement compliance
improvements across an entire company is U-Haul International,
Inc. The September 17, 2004, Buffalo News reported
that the Occupational Safety and Health Administration (OSHA)
fined U-Haul of Western New York $73,200 for chemical hazard
violations. According to OSHA, the citation was being treated
as a repeat violation because of a similar citation in April
2004 at a U-Haul site in Littleton, Colorado.
Avoiding Bad Publicity
Although the incentives for creating a compliance committee examined
so far (improved firm performance, communication across
subsidiaries) are constructive in nature, there are also
defensive reasons to create one, such as fear of punishment
by the government or shareholders. One major defensive reason
is avoidance of the financial consequences of negative publicity
associated with poor corporate governance. The financial
costs of negative publicity can take many forms, and they
are often difficult to quantify. For example, current and
future customers may choose not to patronize a company that
is subject to an investigation, even if it is not convicted.
During September 2003, investors removed $8 billion from
Bank of America Corp., Bank One Corp., Strong Capital Management
Inc., and Janus Capital Group after they were named in the
mutual fund trading scandal (The Wall Street Journal,
November 4, 2003).
The bad publicity of an investigation can also lower employee
morale. Discouraged employees may exert less effort on production
quality and customer service, which may cause irreparable
damage to the company’s reputation. In addition to
lower sales, companies may incur higher costs as a result
of creditors and vendors who cancel credit approval or insist
on less-favorable trade terms. Advertising costs may increase
as a company tries to regain customers and re-establish
its reputation. A company may need to offer more-generous
sales terms and better warranties to win back customers.
Investigations of misconduct are not the only source of negative publicity.
Lately, the media has been using governance metrics such
as the Corporate Governance Quotient (CGQ) to chastise firms
with poor governance policies. The August 24, 2004, Wall
Street Journal noted that the Institute for Shareholder
Services reported in the Financial Times that Google
Inc. had the worst CGQ of all the firms in the S&P 500,
giving it a 0.2 out of a possible 100 and leading to criticism
of its corporate governance practices. In another, more
indirect, example, the Council of Institutional Investors
publishes a “Focus List” of companies that lag
their industry in terms of stock returns. The 10 S&P
500 firms with the worst performance are publicly identified
in a press release each September and are also published
on the Council’s web site. The CEO of each firm on
the list is contacted and invited to respond. Qwest Communications
International Inc. (Qwest) was included on the Council’s
September 2004 list. The CEO of Qwest responded immediately
by writing a letter to the Council (posted on its website)
noting various financial, customer satisfaction, and corporate
governance improvements that had been made. One of the highlighted
improvements was the formation of a compliance committee
staffed by senior-level executives, along with enhancement
of their code of conduct and compliance policies and establishment
of mandatory training programs. The negative publicity of
appearing on the Focus List seems to be a strong motivating
factor for companies to improve their corporate governance
by implementing a compliance committee and upgrading existing
compliance programs.
Finally, there are political costs of negative publicity. Companies
that are the targets of investigations are likely to face
greater public and government scrutiny, possibly leading
to tighter industry regulation. In addition, they may be
subject to outside monitoring or more-frequent audits by
regulators. For example, the recent settlement in the KPMG
tax shelter case included the appointment of an outside
monitor. There may also be higher costs of information production
and disclosure.
Signaling the Market
To reduce the likelihood of incurring such political costs,
companies have an incentive to signal the strength and reliability
of their monitoring systems. One way they can signal their
monitoring efforts is by establishing a compliance committee.
This demonstrates to investors and regulators that the company
takes compliance seriously and is investing time and resources
to ensure compliance throughout the company.
Another way that establishing a compliance committee may signal
the market is by raising the company’s corporate governance
score on various governance metrics. Although the existence
of a compliance committee is not factored into the corporate
governance score for all governance metrics, as more companies
establish these committees it is likely that relevant metrics
will eventually include them. Furthermore, several studies
have shown a link between governance metrics and business
performance. If having a compliance committee raises a company’s
corporate governance score, it may signal an increased likelihood
of enhanced performance.
Avoiding Overburdening the Audit Committee
A common response to a perceived need for compliance oversight
is to assign the task to the audit committee, perhaps seeing
general legal compliance as merely an extension of the audit
committee’s role in financial compliance. Before proceeding
down this path, however, a company should answer two questions:
Is this truly a compatible role? Does the audit committee
have the capacity to take on this additional role?
Most literature on audit committees limits their role to financial
functions. The American Bar Association, in its 1978 Corporate
Director’s Guidebook, set forth four functions
of an audit committee: recommending the auditor; overseeing
the audit plan; reviewing the auditor’s report and
management letter; and consulting with external and internal
auditors regarding the adequacy of internal controls. This
fourth function might be interpreted as encompassing the
legal compliance area. However, in its 1994 Corporate
Director’s Guidebook, the ABA expanded the list
of functions to 10—all of them involving auditing
or financial reporting—but narrowed the internal control
function to “the adequacy of the corporation’s
internal financial controls” (emphasis added).
While many companies have assigned the task of legal compliance
oversight to the audit committee, there are several reasons
for an organization to create a separate committee:
- The audit committee is already responsible for financial statement
accuracy and compliance with financial laws and regulations.
Because many directors serve part-time and have other
outside responsibilities, the additional burden of ensuring
legal compliance may prove to be too time-consuming.
- While the audit committee is focused on complying with financial
regulation, the main focus of a compliance committee is
to prevent the corporation from violating a broad range
of laws, rules, and regulations. The large majority of
these laws, rules, and regulations are unrelated to the
financial statements. The key task of a compliance committee
should be to implement controls and procedures designed
to prevent, detect, and punish corporate misconduct and
to ensure that companies do not inadvertently overlook
any of the many rules and regulations of overlapping jurisdictions.
- While an audit committee generally needs members who possess
financial expertise, such as financial analysts, CPAs,
auditors, CFOs, controllers, and other financial experts,
compliance committees require members with legal and other
nonfinancial expertise, such as government regulation
experts, human resource specialists, and safety engineers.
Combining the roles of the two committees could potentially
diminish effectiveness in these two distinct areas of
expertise.
In the authors’ view, the role of an audit committee
is sufficiently distinct from the role of a compliance committee,
and legal compliance is a sufficiently major task in itself
to warrant a separate committee.
Entering New Markets
Entering an industry brings new risks to companies that are unfamiliar
with existing regulations. Some markets with heavy government
regulation require those companies to meet more-stringent
regulatory requirements. A company that is heavily dependent
on the government for revenues, such as in the defense industry,
may benefit from having a compliance committee to help protect
it from being debarred from government contracts. A compliance
committee with experts in the industry can help to ensure
compliance with regulations by developing and implementing
proactive policies and procedures designed to prevent and
detect violations.
A CPA’s Role
There are many reasons that may motivate a company to implement
a compliance committee. The Sidebar
discusses the specific steps taken by one company in overhauling
its compliance program. The process involves many different
people with different backgrounds, but there is a definite
role for CPAs to play. A CPA’s expertise in control
systems and audit methodologies is essential in developing
a compliance system and monitoring its operations and effectiveness.
Even though the content of compliance is in the legal environment,
accounting skills are necessary to design the day-to-day
operation of the system.
Sara R. Melendy, PhD, is an assistant professor
at Gonzaga University, Spokane, Wash. Ronald J. Huefner,
PhD, CPA, is a Distinguished Teaching Professor at
the State University of New York at Buffalo and a member of
The CPA Journal Editorial Board.