I am tired of seeing nonsense written about the responsibilities of the audit committee when it comes to their oversight of risk, especially cyber risk. The latest (members-only, which may be a relief) is from Compliance Week; it says the audit committee must have an in-depth understanding of cyber risk – and pays no attention to whether a breach might affect either the integrity of the financial statements or the achievement of enterprise objectives. It also confuses the roles of management and the board.
McKinsey has a far better article, but still misses the mark.
It’s time to go back to basics!
What are the responsibilities of the audit committee of the board?
In 2018, Deloitte published a sample audit committee charter designed for US public companies. It said that:
The audit committee is established by and among the board of directors for the primary purpose of assisting the board in:
- Overseeing the integrity of the company’s financial statements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)] and the company’s accounting and financial reporting processes and financial statement audits [NASDAQ Corporate Governance Rule 5605(c)(1)(C)]
- Overseeing the company’s compliance with legal and regulatory requirements [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
- Overseeing the registered public accounting firm’s (independent auditor’s) qualifications and independence [NYSE Corporate Governance Rule 303A.07(b)(i)(A) and NASDAQ Corporate Governance Rule 5605(c)(1)(B)]
- Overseeing the performance of the company’s independent auditor and internal audit function [NYSE Corporate Governance Rule 303A.07(b)(i)(A)]
- Overseeing the company’s systems of disclosure controls and procedures
- Overseeing the company’s internal controls over financial reporting
- Overseeing the company’s compliance with ethical standards adopted by the company
Note that there is no legal requirement (yet) in the US for the audit committee to oversee the management of risk, but we can certainly add that to the list above.
Let’s add to the above with the important section from COSO’s Internal Control Framework (2013) on effective internal control:
An effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives.
I will return to that definition at a later date.
Let me keep my advice for audit committee members and their advisors simple.
I will start with what we all know:
- The role of the board is not to run the organization. The role is to ensure it has the right management team and they are running the organization effectively. They have a governance and not a management role.
- The board and its committee should be focused on obtaining assurance that management prepares accurate financial statements and makes other required disclosures not only to the regulators (SEC, etc.) but also to other stakeholders (banks, etc.).
- In addition, it needs assurance that management has an effective system of internal control in place, not only for financial reporting and other disclosures, but also for the achievement of the objectives approved by the board for the organization.
- It also needs assurance that management is properly addressing the risks and opportunities (as called out in the King IV and other corporate governance codes) that might affect the achievement of enterprise objectives.
- Finally, the board needs assurance of the effectiveness of both the internal and external auditors.
Now here are my specific recommendations. They recognize the true role of the board as a governance body and not a management body, and the specific duties of the audit committee as described above.
When it comes to specific sources of risk, of whatever color, ask:
1. Will this significantly affect the reliability and integrity of the financial statements?
2. Will this significantly affect our compliance with required disclosures, including the effectiveness of disclosure controls?
3. Will it significantly affect the effectiveness of internal control over financial reporting?
4. Will it significantly affect the effectiveness of the system of internal control for other enterprise objectives?
5. Will it significantly affect the likelihood of achieving our objectives?
6. Is there a significant problem with relying on our systems and processes for managing risk to objectives?
7. Will this have a significant adverse effect on our reputation?
8. If this source of risk is not significant, given the answers to questions 1-7, why is it being brought to us for discussion? Why can we not rely on management to handle it?
I welcome your thoughts.
Apparently, there are legal minds who disagree with my statement that “The role of the board is not to run the organization.” They point to the obligation of the board under Delaware law: “The business and affairs of every corporation organized … shall be managed by or under the direction of a board of directors.”
There is a difference, as every lawyer would tell you, between the words “run” and “manage”.
Clearly, members of the board can be held liable (although I am not an attorney, so this is not a legal opinion) if the organization fails in some way.
But I am not talking about that. I am talking about running the company, and that is something the management team does with oversight by the board.
The board only has periodic involvement (at least the independent members) and it is totally unreasonable (in my lay experience and opinion) to expect them to run the company.
Instead, they appoint a management team and are entitled (given reasonable processes for hiring, reviewing, and terminating them) to rely on them to run the organization. However, they need (not a legal requirement in the US but a practical one everywhere) to have assurance on things like internal control and risk management.