In pre-Enron days, the role of the audit committee was less defined; typically, committees focused on approving year-end financial statements with the oversight of a certified auditor to make sure things balanced. In general, there was little emphasis on the supporting internal controls that ensured duties were segregated and opportunities to perpetrate fraud were mitigated.
The roles and responsibilities of audit committees have changed dramatically since 2001 when the U.S. energy and commodities company imploded on inflated financial statements. Back then, the head of Enron’s audit committee famously passed the buck, telling a U.S. House subcommittee “We do not work full time in this job. None of the members of the Audit Committee is an employee of Enron. We do not manage the company. We do not do the auditing. We are not detectives.”
WELCOME BACK, SHERLOCK HOLMES
The launch of the U.S. Sarbanes-Oxley Act in 2002 on the back of the Enron scandal changed how companies in North America report their financial standings. Canada followed suit in April 2003 when the Canadian government passed similar legislation, Bill 198, in 2003, now known as Canadian SOX or C-SOX. Today, audit committees are held more accountable and financial reporting touches all parts of an enterprise, from operations to governance.
However, the composition of audit committees often has not kept pace with an environment of increased demands for transparency and regulatory scrutiny. To ensure your organization’s audit committee is truly effective, consider the following:
A Broad Range of Skills: An effective committee must be able to assess and respond to risk at all levels, including regulatory. Accountants are key, but you also need committee members with a solid knowledge of your organization’s business and strategy, the company’s operating model
and organizational structure, who are financially literate, familiar with regulatory requirements and are tech-savvy. About 35 percent of internal audit plans currently focus on IT and operations, so it is critical to have someone who understands the risks associated with IT.
A Fearless Leader: Committees need people who aren’t afraid to ask tough questions and hold executives and management accountable. They have a strong understanding of business operations and strategy and can ask the right questions to management if they stray away from strategy or take on projects outside of the organization’s risk appetite.
Streamline the Process: Be more efficient and effective: develop an annual audit committee work plan, have an agenda with clearly defined objectives to meet each quarter, as well as recurring items such as financial results and training around emerging risks.
Dashboard Reporting: Avoid information overload with a high-level view of what has happened within the organization during the quarter under review. To get there, determine what information you need to meet your governance responsibilities and strategic goals for the fiscal year and to track performance against those goals. Include a list of Top 10 enterprise risks and track how they are trending, (i.e. if they are stable, rising or decreasing). Need more information? Call in management to get an answer.
Communication with Stakeholders: Quarterly reports from management teams are key to accurate risk assessment, as is keeping open communication with the chief audit executive or director of internal audit. They are embedded in the organization and can provide quarterly assurance on top risks and the controls in place to mitigate them. They can also give feedback on internal matters such as management changes and how company morale is.
Onboarding: A robust onboarding program will ensure new directors are fully informed about their role and help them clearly understand the financial risks and operations of the board they sit on, as set out by regulators and the executive. Provide the company’s strategic plan and copies of previous types of reporting the audit committee has received. Assist new members in understanding what are the organisation’s existing challenges and opportunities for improvement and make time for them to sit with the chief audit executive.
Cyber Savvy: Data privacy, financial impacts of cyber breaches, director and officer liability are increasingly important areas stakeholders and regulators demand transparency on. Your audit committee should be up to date on when breaches have occurred, what’s trending, how they are being addressed and what management are doing about ineffective controls.
Self Assessment: More and more, audit committees are undergoing annual self assessments, delivering a 360-degree view of the chair and the committee’s performance. Conduct an annual survey to see if the company’s internal audit team has been supported sufficiently by the committee to fulfil its obligation to remain independent and find out if they are confident the committee will take action if they raise concerns.
TAKE AWAYS
In the post-Enron world, audit committees are held more accountable for their actions, giving stakeholders confidence the executive suite has oversight of the organization and the committee is actively involved in ensuring internal controls are in place and are operating effectively.
An effective audit committee has members with a broad range of experience pertinent to your organization, who understand the business and aren’t afraid to hold executives, management – and each other accountable.
For more information on how MNP can help your organization, contact:
Alan Cosgrave, CPA, FCPA (IRL), CFSA, CRICP, CPSCP
Partner, Enterprise Risk Services
T: 604.685.8408