Training the audit committee
The article below was first published in the Internal Auditor magazine in 2003, winning the Thurston Award for the best feature of the year.
I believe it is just as meaningful today and am interested in your views.
TRAINING THE AUDIT COMMITTEE
Because internal auditors must stay current on trends, legislation, regulations, and risk management, they are the ideal organizational resource to develop and manage an education program for directors.
By NORMAN MARKS
“WHERE WAS THE AUDIT COMMITTEE?” has been a question asked by many over the past few years. With their next breath, those same people should be asking why gilt-edged audit committees, whose members were acknowledged as having financial accounting and reporting expertise and were often directors, chief executive officers (CEOs), or chief financial officers (CFOs), allowed management to take aggressive accounting positions or, even worse, falsify financial statements.
Some point to the limited time that directors are able to spend attending to their duties, and to their reliance on management and the external and internal auditors to provide the information they need to do their jobs. Others say that directors will always be at risk of unethical practices by management. Yet, investors and regulators look to the directors — and especially those on the audit committee — to be the watchdog for shareholders.
Clearly, more is expected from today’s audit committees. The U.S. Securities and Exchange Commission (SEC) may say that the new rules and business climate do not impose any additional legal liability on the committees, but directors cannot assume that to actually be the case and continue with business as usual.
Audit committees — with management’s assistance — need to examine not only their practices as a committee but also as individuals. Each director needs to assess whether he or she has the knowledge, experience, dedication, and time to perform the job effectively. Looking at some of the recent accounting scandals, one must ask whether audit committee members, individually or collectively:
• Had a sufficient understanding of their responsibilities? For example, why were some officers allowed a waiver from the ethics policy?
• Had a sufficient understanding of the key accounting and financial rules affecting their company’s financial statements?
• Understood the company’s business, including not only how it made money but also how it monitored and measured success?
• Had discussed and understood the more significant risks to the company’s financial statements, its business, and its reputation?
• Had sufficient knowledge and understanding to ask the right questions and to assess the adequacy of the answers they obtained?
Every corporate board should examine the need for training its members. New listing standards from the New York Stock Exchange (NYSE) and NASDAQ require continuing board member training. Additionally, there is public pressure for boards to keep up with their training. For example, Institutional Shareholder Services (ISS), a provider of proxy voting and corporate governance services, has developed a well-publicized measure for “evaluating the quality of corporate boards and the impact their governance practices may have on performance.” ISS’ Corporate Governance Quotient, announced in June 2002, bases its calculations — for the top 3,000 U.S. companies — on seven core categories, one of which is “director education.”
Although every director needs to understand the changing nature of corporate governance, the needs of audit committee members are broad and therefore more difficult to meet. According to KPMG’s Audit Committee Quarterly Fall 2003 issue, “while audit committee members value the depth and breadth of myriad external programs and seminars available, an increasing number of audit committees are also asking for tailored in-house programs.”
Because internal auditors must stay current on trends, legislation, regulations, and the risk management process to effectively perform their duties, they are the ideal organizational resource to develop and manage such an in-house program. Solectron Corp., a $12 billion global provider of electronic manufacturing services, used its internal audit department to develop a program to meet the specific needs of the company’s audit committee. Although internal auditors may need to tailor the specifics of the program depending on how their audit committee is organized, the basics can be used for any committee, regardless of its composition.
At Solectron, the audit committee recognized early the need for tailored training for its four members in addition to the training program already in progress for the full board. However, especially after the U.S. Sarbanes-Oxley Act of 2002 was passed, the committee already had a very full agenda and little time to dedicate to training sessions. The committee chairman asked me, the vice president of internal audit, for assistance.
Initially, we thought each audit committee member should have training focused on understanding the accounting standards and how they apply to the company. However, as we delved deeper, we realized committee members needed to understand not only accounting, but also risk management, the work of the external and internal auditors, and more.
The audit committee charged me with developing a training needs assessment program and meeting with each member. As a result, I compiled a list of topics, broken down according to areas of concern, to review with each member of the committee. The topics were driven by the committee’s charter and what I, with over a dozen years’ experience working with audit committees, believed each director required to be effective.
We immediately recognized that the directors do not need to be experts in every area. Instead, they need sufficient knowledge to be able to access pertinent information, ask the right questions, and assess the answers they receive. Rather than requiring detailed explanations and analyses for every new Statement of Accounting Standards (SAS), members need only understand the broad sense of the SAS and its implications, so they can ask management and the auditors the right questions about its adoption. [Note: SAS have now been replaced by PCAOB Standards.]
I sent the list to each member and met with them one-on-one to either complete or discuss their responses. Their responses helped us decide what type of training the audit committee members needed and in what areas they felt they had a sufficient level of knowledge and understanding.
Area of Concern 1: Roles, Responsibilities, and Relationships
- The audit committee’s charter, the committee’s responsibilities, the expectations of investors and regulators — including related laws and regulations — the role the committee plays in corporate governance, and the relative responsibilities of the board as a whole and company management. This first topic provided an opportunity to discuss and confirm that each member had a good understanding of his or her job, especially in light of recent changes in expectations. One issue for directors to consider is how much detail they are expected to dive into and what decisions require their oversight and approval. Where does governance end and management begin?
- The responsibilities of the external auditors to the company, the board, and the committee, including the type and scope of work they do, the extent of assurance they provide to the company and the committee, and the limitations to that assurance. The investing public has great expectations of public accountants, but are they justified? The external auditor’s opinion in the annual financial statements is limited, because its work is risk based and only provides assurance that the likelihood of material error is low. Directors need to understand how much work the external auditor does and, especially, the limitations of the assurance the auditor provides.
- How the external auditors do their work, and how they reach their conclusions on the company’s financial statements and related disclosures and internal controls. How many directors understand how much — or little — testing of internal controls is done by the external auditors? How many transactions do they review to confirm the controls are in place and effective? How do they decide which locations’ inventory to audit? What is the level of experience of the staff performing the work in the field, and is it sufficient? How does the partner decide, at the end of the day, that he or she can sign off on the accounts?
- The responsibilities and obligations of management to the audit committee. Is there a clear understanding of when management has to bring issues to the board and how much information will be provided? Is there too much reliance on management’s integrity?
- The role and responsibilities of internal auditing, including the scope of its charter, how it performs its work and reaches conclusions on internal controls (and the limitations thereto), how it works with the external auditor, and its reporting relationships to management and the audit committee. Today, directors, especially those on audit committees, should be placing more and more reliance on the company’s internal auditors. They should know whether or not the internal auditors have an open, unimpeded line of communication to them. Is internal auditing sufficiently independent? For example, can the auditors audit the CFO and CEO and report their conclusions to the audit committee without personal risk? Does internal auditing provide a report on the overall system of internal control? If so, how do the auditors make their assessment? Does internal auditing use a generally accepted internal controls model or framework?
Do the internal auditors work effectively with the external auditor, so that total quality is enhanced without unnecessary duplication of effort? If used correctly, the internal auditor provides directors with an independent set of experienced and knowledgeable eyes into the company’s operations.
Area of Concern 2: Risk Management and Internal Controls
- The principles of enterprise risk management (ERM). Few U.S. companies — except in financial services — have embraced ERM as a way to manage the business. However, ERM provides an excellent framework for audit committees, management, and external and internal auditors to assess the adequacy of internal controls. It is impossible to evaluate and test every control, but ERM helps directors determine whether the controls most likely to prevent or detect a major problem have been assessed. The American Institute of Certified Public Accountants (AICPA) requires external auditors to base their audit on a risk assessment, and The Institute of Internal Auditors (IIA) mandates the same for internal auditors.
- The principles of internal controls and the internal controls model used by the company, including controls that provide reasonable assurance of the efficiency and effectiveness of operations, the integrity of financial reporting and disclosures, and compliance with applicable laws and regulations; whether the committee is responsible for all internal controls; whether the external and internal auditors review them all; and what constitutes a “major” internal controls weakness or deficiency. The principles of internal controls extend beyond simply accounting or financial reporting — the audit committee’s primary responsibility at most organizations. Audit committees need to decide whether they have oversight responsibility for all controls or just financial reporting and ethics. At Solectron, we have chosen The Committee of Sponsoring Organizations of The Treadway Commission’s (COSO) model as a company standard, not only for financial reporting and Sarbanes-Oxley Section 404, but also for all controls assessment. Only through an understanding of internal controls can directors understand and evaluate the comments by management and the two sets of auditors on internal controls. The COSO model provides a common language among management, directors, and auditors in assessing controls and managing risk.
Another important point is what constitutes a “significant” or “material” weakness or deficiency. Both the external and internal auditors are required to report to the audit committee all weaknesses in the systems of internal control that they consider to be significant. But, what does that mean? Do the directors want to be informed of weaknesses that do not meet that threshold? Frequently, the internal and external auditors have different interpretations of what should be reported, and that may be of concern to audit committees.
- Accounting basics, including the principles of accruals, reserves versus write-offs, etc. Because audit committee members are required to be financially literate, with the ability to read and understand financial statements, some will need at least a refresher in these subjects. Certainly, many reported cases of earnings management involved companies’ use of reserves and accruals to smooth earnings from period to period. For example, the company might inflate reserves — whether for inventory, receivables, or goods received not invoiced — when times are good, and draw the reserves down when operating results are not as positive.
- In broad terms, the more significant laws, regulations, and accounting rules that have to be observed in preparing and filing the company’s financial statements and disclosures. Generally, the external auditors will provide the audit committee with a summary of new accounting rules as they arise, and the general counsel or external auditor will discuss new laws and regulations of significance. However, committee members need a broad understanding of the more significant rules applicable to their business to enable a quality review of the financial statements and questioning of management and auditors before the quarterly and annual reports are filed with the SEC.
Area of Concern 3: Consolidating, Clarifying, and Reporting Financial Results
- The organization’s processes for consolidating financial results — starting from the site, through region and business unit, to corporate level — and the nature and extent of any adjustments that may be made at each stage. This background information will help the audit committee understand the process and therefore the risks associated with financial and SEC reporting. It will enable the directors to ask penetrating questions not only of management but also of the auditors.
- Each topic and line item in the financial statements and other SEC filings, including the Notes, MD&A, etc. There are several sources of training, particularly from colleges and business schools, that will enable directors without any financial background to acquire the necessary knowledge. A review of the 10-K and explanation by an expert can be very useful. The National Association of Corporate Directors — an association for boards, directors, director-candidates and board advisors — is one organization that offers, through a consultant, on-site training for audit committees on this topic. An experienced director who is also an ex-CFO talks the members through a review of the financial statements.
- What is “material” to the financial statements. The external auditors provide an opinion as to whether the financial statements are free of material error, but what is material? There cannot be assurance that the financial statements are 100 percent correct, but the audit committee needs to understand the level of tolerance. The committee needs to question both groups to ensure they are comfortable with the judgments on whether that tolerance level has been exceeded.
Area of Concern 4: Recognizing Risks
- The major risks to the accuracy of the financial statements. This topic flows from the others: understanding the business, the process of developing the financial statements, and the legal and accounting requirements. The directors’ review and questions should focus on the areas where there is more risk to the integrity of the financial statements. In addition, the directors should ensure that both the external and internal auditors are devoting sufficient resources to the major risk areas. These will include areas where there is a greater degree of judgment (e.g., reserves), complexity (e.g., derivative transactions), or less-than-robust systems.
- The major risks to the success of the company’s business. Directors need to be concerned with the possibility that management is tempted to cover up problems in the business. Understanding where a company is most at risk allows the audit committee to be alert and ask for detailed analysis and additional information in areas that matter. Committee members can also provide better oversight of the auditors, verifying that their planned scope will address these critical areas.
- The “red flags” that may indicate a problem with the financial statements. Research has shown that most financial statement frauds could have been detected if attention had been paid to certain changes in trends — red flags. The audit committee should receive a list of these red flags and may require a focused discussion on which are most significant to the company. The directors may require the financial statements to include additional information, such as trend and fluctuation analyses.
- The legal risks presented by the company’s business operations, including risks pertaining to compliance with international tax, trade, human resources, and business practices laws and regulations. In some industries — such as chemical and banking — this is a significant issue. The committee should ensure not only that these risks are addressed, but also that the departments responsible for auditing those areas provide reports to the committee. For example, in many companies, groups other than internal auditing perform audits of environmental, health, and safety compliance.
Area of Concern 5: Understanding and Assessing the Business
- The principal businesses the company is engaged in, and how the company achieves and then measures success in each. Although directors will probably have a broad understanding of the business, their knowledge may not be sufficient for them to understand all the risks and opportunities and ask the right questions of management and auditors. Directors should visit and be familiar with the company’s principal business locations. Without that personal, firsthand knowledge, it is questionable whether they can fully understand and evaluate the financial statements, ensure the disclosure of key nonfinancial information, or assess the auditors’ performance.
- The nature — in broad terms — of the more significant information technology (IT) systems and infrastructure, with particular reference to how they impact the financial statements. Companies are dependent on their financial IT systems. Not only do these systems accumulate the transactions and perform many calculations, but they also provide most of the analytical information — reports — needed to review the financials. The directors should know whether any of the IT systems are fragile and question the auditors on the level and quality of their IT audit work. A study by the Public Company Accounting Oversight Board’s Panel on Audit Effectiveness of the quality of external audits highlighted as areas of concern a lack of adequate IT understanding of many accounting-firm partners, a failure to adequately consider IT risks in audit planning, and insufficient attention to IT systems during the audits.
- The company’s philosophy and approach to ensuring ethical business practices and compliance with all applicable laws and regulations, and the significance of the tone at the top. One of the issues at Enron was the audit committee’s waiver of a conflict of interest under the company’s code of ethics. The audit committee should understand not only what the company’s ethics policy says, but how the company “walks the talk.” The way top management conducts its business and demonstrates day-to-day ethics — the tone at the top — has great influence on the way other management operates. The directors should understand the importance of tone at the top and have a sufficient knowledge of the subject to ask the appropriate questions of both management and auditors.
- How to assess the competence of financial management, the external auditor, the internal auditor, the corporate ethics officer (or equivalent), and others, as necessary. Audit committee members have to rely on what they are told by those they see at meetings: management and the two sets of auditors. However, the committee is also expected to be the watchdog and guardian for the shareholders against inappropriate acts and incompetence by the auditors. Thus, it needs to exercise professional skepticism at all times, ask the right questions, and assess the adequacy of the answers it receives. Assessing the competence of these key individuals is not easy, but the committee should seek help from those who are experts in each field. This may require external reviews, for example, of the internal auditor’s work. The external auditor should report on its own quality assurance practices and on quality assurance reviews by its peers. A process should be developed, typically led by the internal auditor, to help the committee assess the external auditor’s work.
Delivering the Training
I compiled the results of the interviews and the responses to the survey into a summary training needs analysis. It included recommended delivery methods for each subject where a need was identified — such as presentations during meetings, additional reading materials, books or studies, and off-site training. I then reviewed the analysis with the chairman and later discussed it with the full committee. We reached an agreement on the priorities and developed a schedule for the next three meetings.
The needs analysis confirmed that the members of the Solectron Audit Committee already had most of the knowledge required to be effective. That finding was of value by itself, and it contributed to the self-assessment the members performed later. At the same time, opportunities were identified for improvement.
Much of the additional training was delivered by expanding on presentations already scheduled by auditors and management. For example, the external auditors were asked to review their risk assessment, general audit methodology, and staffing profile when they reviewed their annual audit plan with the committee. I included a discussion of internal controls and the COSO framework as part of my annual report and plan. Emphasis was placed on efficient delivery, because the number and length of meetings had increased significantly.
Each board of directors is different, with varying needs for training. The “areas of concern” list was effective in both identifying where Solectron Audit Committee members would benefit and in serving as a basis for the plan to deliver the required information and training. The list confirmed that a tailored program would be much more effective than sending committee members to generalized seminars.
Audit committee training is a continuous process. Solectron has now completed the first year of its training program and delivered in the areas identified through its needs analysis. Attention is now focused on maintenance, including discussions of new laws and regulations such as Sarbanes-Oxley and accounting rules.
The needs analysis will be repeated at some point to identify any specific area where the members believe a refresher would be useful. The analysis has enabled the training to be delivered, in areas where it was needed, without taking too much of the committee’s valuable and limited time.