Who should be on the Audit Committee?

Recently, Deloitte worked with the Center for Audit Quality (which is affiliated with the AICPA, although they say they are autonomous and non-partisan) on a survey of 164 large public companies focusing on the audit committee. Their report was discussed in separate pieces by Deloitte on their web site and in the Wall Street Journal.

They tell us:

The scope of audit committee oversight continues to creep. Given the rapid rate at which risks are emerging and evolving, many boards are taking a fresh look at committee structures and practices to determine whether they are keeping pace with shifting responsibilities and priorities. For audit committees, this can mean expanded responsibilities that go beyond overseeing financial reporting and internal controls, ethics and compliance programs, and external and internal audit. Today, many audit committees are charged with overseeing additional areas of emerging and intensifying risk, such as cybersecurity; enterprise risk management (ERM); and environmental, social, and governance (ESG) reporting.

The expansion of the audit committee’s role has in turn raised questions about audit committee composition, prompting us to examine it more closely in this year’s survey. Audit committees may need more expertise in certain areas, but they are simultaneously wary of bringing on narrowly-focused subject matter specialists. Despite having more topics on their agendas, audit committees still must perform their core oversight duties as well as understand the interrelationships among the various areas of risk. For these reasons, boards often prefer to compose their committees with strategic thinkers, who may or may not have deep expertise in a particular area.

They continue with:

An overwhelming 92% of respondents deem their audit committees to have the appropriate collective experience needed. Despite having confidence in their skill sets, many audit committees are still planning to expand and/or change their committee composition. In the next 12 months, one-quarter of respondents anticipate making changes to the composition of the audit committee, including increasing its size.

When respondents were asked how they plan to change their audit committee composition, 28% anticipate replacing the current audit committee chair in the next 12 months. Furthermore, a portion of those expecting to change the chair (19%) plan to do so with a current audit committee member and 3% with a current director who is not an audit committee member.

The WSJ version reports:

Seventy-four percent of respondents do not have a policy, either formal or informal, to rotate the chair and/or members off their audit committees. Furthermore, only 4% require new directors to serve on audit committees and just 17% recommend it. Considering these statistics, much of the anticipated composition change appears to be driven by necessity. It may stem from the need to keep pace with expanding responsibilities and to combat fatigue and attrition, in addition to filling specific experience and knowledge gaps, according to the survey report.

The respondents who believe they may not have the appropriate blend of experience and skills on the audit committee emphasize two areas of additional knowledge that could be helpful. That group pointed to cybersecurity and technology as additional areas of expertise that could enhance their committees’ effectiveness.

That is followed later by:

Amid a rapidly changing risk landscape, it is important to assess the necessary skillsets of the audit committee against expanding areas of oversight on a regular basis. This includes staying abreast of new risks and understanding how financial reporting and other areas of committee responsibility are evolving to determine if changes in composition are warranted.

While audit committees may need more expertise in certain areas, they should be wary of bringing on too many narrowly focused subject matter specialists.

Despite having more topics on their agendas, audit committees still must perform their core oversight duties as well as understand the interrelationships among the various areas of risk. For these reasons, boards often prefer to compose their committees with strategic thinkers, who may or may not have deep expertise in a particular area. To help identify future candidates, audit committees may consider giving new board members an opportunity to observe a cycle of audit committee meetings to become better informed about the committee’s role, processes, and topics at hand. The audit committee can also afford new directors an opportunity to learn the business.

Overall, the survey findings suggest that audit committees should be deliberate about their succession plans and intentional in evaluating candidates’ experience, which should be done in alignment with overall board refreshment strategies. While the nominating and governance committee may have formal responsibility for succession practices, the audit committee chair should have a voice in the needs of the audit committee, suggests the survey report.

I find this to be somewhat reassuring.

I have heard a lot of talk about the need for the board to add people with technical knowledge and experience in areas like cyber and risk management. Earlier in my career, the call was to add directors with experience in China and derivative trading.

I focused on this portion of the WSJ article, with my emphasis added:

Despite having more topics on their agendas, audit committees still must perform their core oversight duties as well as understand the interrelationships among the various areas of risk. For these reasons, boards often prefer to compose their committees with strategic thinkers, who may or may not have deep expertise in a particular area.

I look at this issue from the perspective of somebody who has worked with boards and their members, most of whom were pretty effective, for a great many years. In my view:

  • The primary job of the board is to make sure they have the right management team, one they and other stakeholders can rely on to serve the interests of the owners and (to an increasing but still lesser extent) the public interest.
  • They cannot be experts in every facet of the organization and its current and future operations.
  • They need to ask the right questions rather than know the right answers.
  • They need to be able to discern when management doesn’t have the right answers.
  • The board needs to be sufficiently active to replace members of the management team who are not effective.
  • The board supports the management team with advice and constructive challenges.
  • The board should not think their job is to run the organization; that is achieved through the management team that they oversee. “Noses in, fingers out”.

A partner at the Australian law firm of Mellor Olssen said this a few years ago (with my highlights):

The key to a successful organisation is a respectful and productive working relationship between the board and its CEO. One factor that will always upset the apple cart in this relationship and inevitably lead to a dysfunctional and overall poor performing board and business is a board that concerns itself with operational issues.

The phrase “noses in and fingers out” is one of the most commonly repeated in Corporate Governance. It is simply just that.

A board’s role is to govern the affairs of the company or association, not to meddle or involve itself in the operations of the business. But what exactly is the difference between governing and operating?

A board focussed on governing always has the strategy of the company at the forefront of its mind. It sets a clear direction. It has a clear understanding of the framework which underpins the environment that the company operates within. It manages the strategy of the business, not the business itself. Management is allowed to flourish under the direction and guidance of the board.

On the flip side, operational boards often find themselves running projects, being hands on with the banking and finances and its reporting (as opposed to serving the Financial and Risk Management committee), handling key relationships with stakeholders and funders and getting involved in the day to day running of the business.

The board is there to coach or support management, to set the strategic direction, provide management with the resources to achieve this, monitor the performance of the company and ensure compliance.

Let’s take the issue of cybersecurity expertise.

  1. No director, even one who used to be a CISO or CIO, will have a perfect understanding of the organization’s current and future cyber risk or the effectiveness of its cybersecurity. Threats and vulnerabilities, as well as the hackers’ tools and methods, are constantly changing. I have spoken to several board members who style themselves as cyber experts; perhaps they were at some point, but they quickly lost touch when they were no longer involved in leading the practice.
  2. However, any CEO or CIO (current or former) should have the ability to ask the right questions and gauge the competence in this area of the management team (which includes the CEO, COO, CIO, CISO, CRO, and CAE).
  3. The board should be able to rely on the internal audit team to a great, if not total, extent.

Another issue that keeps popping up is the need for diversity on the board.

Sorry, but while there are advantages in having diverse experiences, expertise, and so on (and in avoiding a “boys’ club that protects their own”), this is a political point for me.

I prefer that the board be composed of the best people for the job, regardless of their color, race, ethnicity, gender, or religion. I’ll leave it at that.

But there is another point I would like to make.

In order to ask the right questions and make sure the board has individuals able to respectfully challenge management, as well as advise and support it, boards should consider these pools of experts (in addition to retired CEOs and CFOs):

  • Retired CROs who have a broad perspective on the business
  • Retired CAEs, whom I far prefer to retired audit firm partners because of their business, risk, governance, compliance, and operational insights. They are experts in asking the right questions! The audit firm partners are not, in my opinion, experts beyond financial reporting
  • Retired CIOs, especially those who consider technology and its potential, as well as cyber and other technology-related risks, as part of their broader view of the business.

If technical experts are required on specific topics to advise on related strategies, etc., boards should work with management to hire them for consulting engagements. They don’t have to be on the board.

I welcome your thoughts.

#risk #boards #governance #technology #cyber #audit

  2. Joseph Kassapis
    March 13, 2023 at 10:10 AM

    Once again, at the end of a post of yours, which I took a few more minutes to read with a ‘heavy heart’ after 9 hours of more or less non-stop work, I feel as if it was time very well spent, learning really useful things from somebody who knows what he is talking about and can tell it so that others get to know too. I compare the Deloitte stuff and yours and, as we say in Greek, from earth to heaven (or in a sense the opposite: theirs so abstract and generically and diffusedly atmospheric, yours so solidly down to earth); a preference of mine analogous to yours for Internal Audit CAEs over External Audit Partners.

    Simply one more excellent article.

    • Norman Marks
      March 13, 2023 at 10:41 AM

      Thank you so much!

  3. William
    March 14, 2023 at 8:38 PM

    Excellent post as always. Agree with everything. Your new book is supposed to arrive tomorrow. I look forward to reading it.
