How do public company audit committees cope? Their to-do list keeps getting longer and more complicated. Yet somehow, most audit committees still complete their tasks (which, by the way, include FCPA compliance oversight). Let’s peek inside.
This standing committee of the board of directors typically consists of five members, who each spend between two and five hours a week on audit committee work. NYSE and Nasdaq rules require each member to be “independent” and meet certain financial literacy requirements.
At least one member should be an “audit committee financial expert,” as defined by the SEC. That’s usually a CPA with industry knowledge and an understanding of internal controls, financial reporting, and accounting policies and practices.
And yes, corporations pay audit committee members to be there — usually between $200,000 and $300,000 a year at big public companies.
EY’s guide for audit committees is 80 pages, Deloitte’s is 65, and KPMG’s is 61. The guides collate rules from the SEC, NYSE and other exchanges, and the American Institute of Certified Public Accountants. Sarbanes-Oxley adds oversight of whistleblower programs and financial expert disclosure requirements.
More audit committee rules (formal and informal) come from the PCAOB, the 2013 COSO Internal Control — Integrated Framework, and the U.S. Federal Sentencing Guidelines. There’s also Dodd-Frank (mainly for audit committees from financial institutions) and court cases that impose fiduciary responsibilities on directors.
KPMG’s guide lists 106 audit committee agenda items (done annually, periodically, or quarterly). There’s no room for me to cover all 106 agenda items, so I’ll start with every fifth item from KPMG’s list. That’s enough to give a flavor of what oversight is required.
1. Meet with management and the independent auditor to review and discuss Annual Report on Form 10-K and proxy statement, including MD&A [management discussion and analysis]. Review how reported results compared to budget and forecasts.
5. Review and discuss with management any non-GAAP measures used in SEC filings or earnings press releases.
10. Recommend to the Board whether the annual financial statements should be included in the Company’s Annual Report on Form 10-K.
15. Discuss all significant accounting estimates and judgments, and management’s rationale for those judgments.
20. Review the Company’s antifraud, anti-bribery, and anti-corruption programs and controls.
25. Hold executive session with management and evaluate management’s overall effectiveness.
30. Meet with other management below the executive level to obtain their perspectives on the business.
35. Review the Company’s compliance with legal and regulatory requirements.
40. Discuss business and industry risk considerations.
45. Review and evaluate lead audit partner of independent auditor.
50. Confirm with the independent auditor that the audit was conducted in a manner consistent with Section 10A of the Securities Exchange Act of 1934.
55. Review other material written communications that the independent auditor discussed with management and any responses to the same by management.
There are 51 more agenda items on KPMG’s list (under three headings: Internal audit department, Whistleblower procedures, and Other audit committee matters and governance). But I have limited space here, and I want to respect KPMG’s content; they generously provide public access to their audit committee guide, as do EY and Deloitte. (EY also supports Tapestry Networks, an independent firm that creates audit committee resources.)
What isn’t apparent from these sample agenda items is the rapid increase over the past few years of complex areas shoehorned into the audit committee’s purview – topics that require specialized knowledge, such as ESG and cybersecurity.
For example, the SEC has relatively new rules for public companies on cyber-related matters. Audit committees (and often risk committees) now need to review management’s plan to deal with cyber threats, response readiness, and disclosure requirements. Ransomware is a subtopic of cyber as well.
How can audit committees handle their growing workload?
We’ll assume KPMG’s list of 106 agenda items is complete, and each agenda item takes on average an hour of audit committee time. We’ll also assume about a third of the items need to be done once a year (annually), a third twice a year (periodically), and a third four times a year (quarterly). (For a third of 106, we’ll round down to 35.)
That means the audit committee has 245 agenda items a year (35 X 1 + 35 X 2 + 35 X 4), each needing one hour.
To deal with those 245 action items, audit committee members must spend just over 4.7 hours per week during all 52 weeks of the year. That’s possible, just barely; as mentioned, the average time spent by audit committee members is between two and five hours a week, so 4.7 hours per week works, with a bit of time to spare. (I’m not considering how audit committee members might divvy up work among themselves, thereby saving time.)
Can audit committee members understand each of their tasks? Many are experts in some or all relevant topics — accounting policy, the auditors’ work, disclosure rules, compliance, etc. So most issues are familiar. But as mentioned, there are new challenges with ESG and cybersecurity.
(When audit committees need help, they can hire their own outside counsel and other advisors and pay them from company funds. However, professional advice memos aren’t always easy to digest and may add to the work, not reduce it.)
There’s also some latitude for assistance from other standing committees of the board, such as executive, finance, governance, and nominating committees. Increasingly at bigger companies, risk committees summarize topics and issues for the audit committee (and vice versa). But most audit committee work is non-delegable. So even if other committees pitch in, a compliant audit committee will repeat the work.
Let’s conclude with this: No doubt most audit committees consistently function at a high enough level to perform all their required oversight. But with such a complex and expanding workload, some audit committees struggle, and others may fall short.
Incidentally, NYSE rules require audit committees of listed companies to perform annual self-assessments. That way, underperformers can make needed improvements. That’s good advice for all audit committees, not just those operating under NYSE rules.
Full Disclosure and Disclaimer: When I started typing this post, I expected it to show how today’s audit committees are hopelessly overburdened. Instead, it showed that our compliance overlords could still do the job. That surprised me.
Because I was on unfamiliar ground and making assumptions, I called in the cavalry — a friend who regularly works with boards and audit committees.
My friend offered valuable suggestions and advice and made some necessary corrections. I’m grateful for the help. But if any mistakes remain, they’re all mine.