Earlier this year, the SEC adopted rules mandated by the Sarbanes-Oxley Act of 2002 (“SOA” or “the Act”) that, among other things, expanded and formalized the responsibilities of audit committees. The major exchanges have also weighed in, defining expectations for audit committees. This issue of The Bulletin explores the new requirements of audit committees and their implications.
The audit committee is a priority for many companies
Protiviti conducted an independent survey of CFOs with 300 publicly held large, midsize and small firms across multiple industry sectors in the United States. In the survey, CFOs were asked to name the most significant challenge to their companies as they implement the requirements of SOA. The CFOs named three major areas of concern, two of which related to audit committees. Specifically, 27 percent believe aligning audit committee activities with SOA responsibilities will be the most difficult task, while 23 percent cited identifying and recruiting a “financial expert,” as defined by the SEC, to serve on the committee.
Sarbanes-Oxley expands audit committee authority
The new SEC rules, pursuant to Section 301 (“Public Company Audit Committees”) of Title III of SOA, prohibit national securities exchanges and national securities associations – the so-called self-regulatory organizations (SROs), of which the NYSE and Nasdaq are the most prominent – from listing any security of an issuer that is not in compliance with the following requirements:
- Each member of the audit committee of the issuer must be independent. Audit committee members are not allowed to accept any direct or indirect payments of consulting, advisory or other compensatory fees from the company or any subsidiary thereof, other than in the individual’s capacity as a member of the board of directors and any board committee. In addition, a member of the audit committee of any listed company that is not an investment company may not be an affiliated person of the company or any subsidiary of the company, apart from his or her capacity as a director. For most companies, the “audit committee” will be a separate committee established by the board of directors to oversee accounting and financial reporting processes and audits of the financial statements. If there is not a separate committee, the entire board of directors of the issuer shall be deemed “the audit committee,” which means each director is subject to the independence provisions.
- The audit committee must be directly responsible for the appointment, compensation, retention and oversight of the company’s independent accounting firm. With the authority to hire, fire and compensate the external auditor, the committee must work with the external auditors, internal auditors, and financial and executive management to make the independent audit process as effective as possible. How is that done? As a practical matter, audit committees continue to seek recommendations from management and act on those recommendations. Compensation is an area that audit committees are not equipped to address as they do not have access to comparable fees charged by other firms. So it is reasonable to expect them to seek input from management on such issues. Auditors continue to report to management with the understanding that they can go to the audit committee quickly if necessary. That all said, some committees have revised their charter to incorporate the language of the statute and specify the committee has “sole authority” (with a qualification in some cases that committee decisions are subject to shareholder approval). Further, committees are asking more questions about the competence of audit firms, including the lead partner and manager and their familiarity with the industry. Later, we comment on keys to an effective audit committee.
- The audit committee must establish procedures for the receipt, retention and treatment of complaints regarding accounting, internal accounting controls or auditing matters. This process includes procedures for the confidential, anonymous submission by employees or other “whistleblowers” of concerns regarding fraud or questionable financial matters. A future issue of The Bulletin will further discuss some of the considerations for audit committees and management in implementing this requirement.
- The audit committee must have the authority to engage independent counsel and other advisors as it determines necessary to carry out its duties. Our research indicates that 46 percent of audit committees have sought expertise, advice or training from outside advisors during the past six months.
An effective audit committee must have the necessary resources and authority to fulfill its function, including independent and objective advice on accounting, financial reporting, internal control or legal matters.
The company must provide appropriate funding for the independent accountant and for any advisors employed by the audit committee. The final ruling does not set limits on the level of compensation. In effect, the SEC made such funding, as ultimately determined by the audit committee, a cost of being public. Of course, audit committees must exercise their discretion responsibly and with care.
Based upon significant input from and dialogue with foreign regulators and foreign issuers and their advisers, several special provisions were included by the SEC in its rules. These provisions address certain circumstances and local laws of particular foreign jurisdictions, where applicable, such as allowing non-management employees to serve on audit committees (consistent with “co-determination” and similar requirements), and allowing shareholders to select or ratify the selection, termination and compensation of outside auditors. The SEC also allows alternative structures such as “boards of auditors” to perform auditor oversight functions as well as foreign-government shareholder representation on audit committees.
Most public companies must be in compliance with the new listing rules by the earlier of (1) the first annual shareholders meeting after January 15, 2004, or (2) October 31, 2004. Foreign private issuers and small-business issuers that are listed must be in compliance with the new listing rules by July 31, 2005.
With respect to independence, the SEC also allows for transition for new listing companies, as follows: one independent audit committee member at the time of initial listing, a majority of independent directors on the audit committee within 90 days of the initial listing, and a fully independent audit committee one year from initial listing.
The “audit committee financial expert” must be disclosed
The SEC has approved rules pursuant to SOA Section 407 requiring public companies to annually disclose whether they have at least one “financial expert” on their audit committees, and if so, the name of the expert and whether he or she is independent of management. The final rules define an "audit committee financial expert" to mean a person who understands GAAP and financial reporting, is able to assess the handling for accounting estimates and reserves, has experience with financial reporting and internal accounting controls, and understands audit committee functions. Directors who have experience in preparing or auditing public company financial statements – as well as those who were actively engaged in supervising these activities – qualify for this role.
A company that does not have an audit committee financial expert will be required to disclose this fact and explain why it does not have one (e.g., the board may opt to use an independent advisor). This new disclosure requirement creates a visible metric against which all public companies will be measured. It will influence corporate behavior to ensure top-flight financial talent sits on the board and serves on the audit committee, possibly as the chair. These disclosures apply to annual reports for fiscal years ending on or after July 15, 2003, with small-business issuers required to disclose for periods ended on or after December 15, 2003. Of the 300 companies in our survey, 65 percent reported that they have designated a “financial expert,” as defined by the SEC, for their audit committees, with another 23 percent planning to do so.
Audit committees must pre-approve audit and non-audit services
The SEC also requires audit committees to pre-approve audit and non-audit services provided by auditors. The SEC rule adopts the following list of prohibited non-audit services as set forth in Section 202 of SOA: (i) bookkeeping services, (ii) financial information systems design and implementation, (iii) appraisal services, (iv) actuarial services, (v) internal audit outsourcing, (vi) management functions, (vii) human resources services, (viii) broker-dealer services, (ix) legal services, and (x) expert opinion services provided as an advocate of management. The SEC rule is generally applicable to services performed on or after May 6, 2003. It does not apply to services provided on or before May 6, 2004, if (a) the services are pursuant to a contract in existence on May 6, 2003, and (b) the services are not otherwise prohibited by SEC rules or by some other authoritative or professional body. The requirements apply fully to foreign private issuers. If there is no audit committee or equivalent body, the full board must perform the pre-approval function.
With respect to the services noted in (ii), (iii), (iv) and (v), the SEC provided an exception for circumstances in which “it is reasonable to conclude” that the results of these services will not be subject to audit procedures during a financial statement audit. Because engaging accounting firms on the basis of these exceptions is not without risk, audit committees should insist that these determinations be conclusive and beyond question, and not based on a borderline assessment. The committee should formulate its own assessment and not rely solely on the judgment of management and the auditor. There is also accountability to investors if the audit committee pre-approves non-audit services. The nature and amount of such fees must be reported in the proxy disclosures in the annual proxy statement to investors for fiscal periods ending on or after December 15, 2003, with the SEC encouraging early compliance.
Because the ultimate objective is to preserve the external auditor's independence, some audit committees have chosen to avoid non-audit services altogether. Our survey notes that nearly 13 percent of audit committees for large companies prohibit all non-audit services. Nearly three out of four audit committees – 72 percent – have adopted formal procedures governing non-audit services rendered to their companies by external auditors.
The SEC staff is of the view that pre-approval policies and procedures must be specific enough that management is not in the position of making judgments about whether a given service meets the committee’s definition of pre-approved services. The use of monetary limits, schedules of services without detailed explanation, or "broad, categorical approvals" is inadequate.
Audit committees should evaluate their pre-approval policies and procedures accordingly so they understand precisely what they are approving.
The exchanges have also weighed in
The SEC rules both complement and are complemented by the SRO listing requirements. The SRO rules are broader in scope, covering the entire board of directors and other committees, and are more stringent with regard to standards of independence. After NYSE and Nasdaq published several revisions to their listing standards, the SEC approved them in November 2003. With certain exceptions, the timing of these final rules mirrors the new Section 301 rules. Both NYSE and Nasdaq companies will generally have until the earlier of (a) the company's first annual meeting occurring after January 15, 2004, or (b) October 31, 2004, to comply. Companies with staggered boards will have longer periods of time within which to comply.
The audit committee charter must cite the “rules of the road”
The audit committee charter, which must be posted on the company’s website, must address the committee’s purpose, which at a minimum must be to:
- Assist board oversight of (1) the integrity of financial reporting, (2) compliance with laws and regulations, (3) the external auditor’s qualifications, independence and performance, and (4) the performance of the internal audit function
- Prepare the report required by the SEC’s proxy rules for inclusion in the company’s annual proxy statement.
The charter must require an annual performance evaluation of the committee, meaning the committee should assess its performance and report the results to the full board. It must also address the committee’s duties and responsibilities which, under the NYSE’s approved listing requirements, include:
- Obtain and review, at least annually, a report from the independent accountant describing (a) the accounting firm’s quality control procedures, (b) any material issues arising from the most recent internal quality control review, peer review, or inquiry or investigation by governmental or regulatory authorities within the past five years, and (c) all relationships between the firm and the company
- Discuss the annual and quarterly public reports (including the MD&A) with management and the independent accountant
- Discuss, at least generally, with management the types of information disclosed and the types of presentations made in earnings press releases and with respect to earnings guidance provided to analysts and rating agencies
- Discuss policies with respect to risk assessment and risk management
- Meet separately with management, the internal auditors and the independent accountant
- Review with the independent accountant any disagreements with management and their resolution by management
- Set hiring policies with respect to employees and former employees of the independent auditors
- Report regularly to the board of directors
The NYSE standards state that the above functions cannot be allocated to another committee. With respect to duties and responsibilities, the Nasdaq standards are not as robust as the NYSE rules. However, the above summary provides guidance to audit committees of all listed companies.
Keys to an effectively functioning audit committee
Are there best practices that all audit committees should follow? Attorneys, consultants and special commissions alike compose lists of what audit committees should be doing. Combining sound practices with what is legally mandated can leave directors confused as to what they are required to do. “Best practice,” whatever that means, is not the standard of performance audit committees are required to follow. Directors should consult with counsel and advisors as to the standard of due care and business judgment expected of them. The quest for the illusory list of best practices can be distracting as there is no “one size fits all.” Each committee must understand the company’s unique facts and circumstances, e.g., its business, structure, size, industry, complexity and shareholder mix.
Everyone knows audit committees must meet frequently, establish focused agendas, record minutes and foster appropriate interaction between meetings. While not intended as yet another “best practice” list, we suggest the following keys to an effectively functioning audit committee:
- Understand and respond to the legal and regulatory requirements. Compliance with the exchange listing requirements and SEC rules provides the foundation on which everything else builds. These requirements affect the committee’s composition, responsibilities and charter. Understand them and align committee practices with them.
- Qualify directors on the committee and ascertain they are able to devote the necessary time. In today’s environment, audit committee members must understand financial and public reporting. With respect to time, the NYSE standards specify that if a member serves on the audit committee of more than three public companies, the board must make a determination whether such simultaneous service impairs the ability of the member to effectively serve on the committee. This determination must be disclosed in the company’s annual proxy statement.
- Insist on continuous improvement of disclosure controls and internal control over financial reporting. Audit committees should be aware of what the company is doing in meeting the quarterly and annual reporting requirements, including the Section 302 executive certification and Section 404 internal control reporting requirements of SOA. They should pay close attention to the evaluation of controls and procedures, and to reporting of gaps and deficiencies by management and auditors. Inefficient processes and overemphasis on manual “detect and correct” controls are symptoms of an environment in which financial reporting is often a monthly “fire drill.” Audit committees should insist on more repeatable and better defined and managed processes in high-risk areas. A good start is asking the company and its outside advisors to report not only on the adequacy of the control environment, but also on the quality and maturity of the underlying business processes and internal controls. This practice would serve as a basis for understanding the sustainability of financial processes and the control environment in meeting the certification standards. It would provide a benchmark against which future improvements can be measured.
- Expect reliable financial reporting and quality earnings. Recent financial restatements have often resulted from revenue recognition, expense capitalization, asset impairment, off-balance-sheet reporting and other common issues. Audit committees should ask management, the independent auditor and other independent advisors to periodically identify key accounting and auditing issues in the industry, and discuss differences between the company’s accounting policies and industry practice. The committee should expect management to take a conservative approach to accounting and reporting matters, and ask CFOs about earnings quality and whether certain issues encountered within the industry or at other entities apply to the company. They should understand the impact of significant judgments inherent in the financial-reporting process, the extent and resolution of disagreements between the auditor and management, and the rationale for the auditor’s passed adjustments, if any. They should ask management for more details on how they made significant accounting estimates, and ask the auditors to explain how they evaluated those estimates. They should review non-GAAP metrics that are disclosed by the company to ensure they are fairly presented and are appropriately reconciled to the comparable GAAP measures. In addition, the committee should ensure management establishes and enforces a code of conduct that emphasizes fair financial reporting.
- Encourage the auditors to increase the effectiveness of the audit process. In the past, audit firms often used a similar audit plan where management generally knew what to expect. Audit firms may have also allowed management to provide substantial input on audit scopes. Audit committees should encourage variations in plans each year, with less input from management. They should encourage auditors to be more skeptical when corroborating management representations. They should expect to receive more information from the external auditors, such as an analysis of reserve levels, judgmental issues, passed adjustments, changes in accounting principles and areas of disagreement with management. They also should set the ground rules with auditors for defining and reporting a “disagreement.” For example, some auditors are interpreting “disagreements” narrowly to include only those matters requiring an exception in the audit report. Many directors want to know about any disagreements, whether resolved favorably or not.
- Establish and increase the focus on an internal audit function. Public companies without an internal audit function are destined to become outliers and possibly even targets of criticism. The approved NYSE listing standards state that “each listed company must have an internal audit function.” In its commentary to that requirement, the NYSE notes that the function must provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control. Audit committees should encourage management to establish a function if there isn’t one and understand why if management doesn’t take action. If there is a function, the committee should evaluate whether the internal audit budget is aligned with the company’s risk profile, and inquire as to whether the department’s internal staffing and cosourcing of specialized skills from outside providers are adequate to execute the audit plan.
In closing, we expect that during the next 12 months, protocols and procedures will be more clearly developed and defined. At this time, it may make sense for audit committees to evaluate where their compliance activities stand relative to the timetable of legal and regulatory requirements they must address. Based on the completed evaluation, audit committees should act upon the results. We hope that the points covered in this issue of The Bulletin, including the following key questions, provide a useful starting point.
Key Questions to Ask
- Is the audit committee compliant with the independence guidelines set forth by the SEC and the applicable listing requirements? Is the committee’s charter compliant with its expanded mandate? If not, is there a plan to align the committee composition and charter with the applicable requirements?
- Has the audit committee taken concrete steps to exercise its mandated responsibility to oversee the independent auditor? Have the committee and management worked out how they will operate in a positive, constructive manner?
- Has the audit committee worked out the policies and procedures for approving non-audit services with sufficient clarity that management is able to proceed without having to exercise judgment as to whether a given non-audit service is “approved” or not?
- Where does the audit committee stand with respect to compliance with the various legal and regulatory requirements? Is the committee satisfied with company support and funding of the outside advisors it chooses to employ in meeting these requirements?
- Does management involve the audit committee in a timely manner with respect to significant issues impacting the quality of earnings and reliability of financial reporting?
- Are there procedures in place for reporting to the audit committee significant deficiencies and material weaknesses in a timely manner?
- Are disagreements between management and outside auditors reported timely to the audit committee?
- Is the CFO allocating sufficient time to traditional accounting and reporting duties? Is there at least one technician on the CFO’s staff who is an expert in generally accepted accounting principles and SEC reporting, and who is highly familiar with the company’s operations?
- Has the company formed an internal audit function that is adequately resourced, sufficiently competent and objective, and properly focused on assisting with risk management and internal control evaluations?
The Bulletin (Volume 1, Issue 9)