Most public company CFOs would want audit committee members to be available, aware, and undistracted. Unfortunately, audit committees, in general, are drowning in information and data, having been handed an almost endless list of oversight responsibilities. That trend may endanger the quality and oversight of financial reporting and external audits.
In a comprehensive framework that the National Association of Corporate Directors (NACD) and KPMG published on May 2, an independent director described the audit committee he sat on meeting 12 times a year, at a minimum, to get its work done. The standard advice for a board of directors is to meet six or seven times a year.
Groups like the NACD are not trying to circumscribe audit committees’ duties. The NACD/KPMG framework, unironically, describes 10 “critical” areas for an audit committee’s focus going forward.
Along with an audit committee’s core responsibilities, the framework included ESG risk and disclosures, finance organization talent, climate, cybersecurity, and human capital management.
“Audit committees need to understand and assess the soundness of the methodologies and policies that management is using to develop its metrics and disclosures” in those areas, according to NACD and KPMG. “In a world that seems less governable, the quality of board governance will be increasingly vital to the sustainability of enterprises and trust in [the] market economy.”
Taking on all the responsibilities in the framework would put a lot of pressure on the three- to five-person groups of directors responsible for overseeing external audits. Audits and auditors have drawn a lot of attention in the past few years with the sudden collapse of large companies from causes that some insist the external auditors should have spotted much earlier.
At the Baruch College Financial Reporting Conference on May 4, Paul Munter, the chief accountant of the Securities and Exchange Commission, warned that enterprises were expecting too much from audit committees.
Audit committees have to make sure they are not delegating their responsibilities to management. — Paul Munter, SEC
“More demands are being put on audit committees, sometimes on topics outside their core responsibility,” Munter said. “Audit committees need to be continually vigilant that they have enough time to focus on their core mission — protecting investors — and don’t let other topics cloud that out.”
The primary responsibility of the audit committee is oversight of the financial reporting process and the independent audit and its processes. For example, said Munter, the audit committee is supposed to closely examine the performance and compensation of the external auditor — it alone should choose the external auditor and decide whether the lead audit partner is qualified.
Audit committees, no matter how overworked, also have to deal with items such as auditor changes in the audit plan, the audit budget, staff turnover, the engagement team’s workload (including any overtime), and audit fee negotiations.
“Audit committees have to make sure they are not delegating their responsibilities to management,” said Munter. This may be tempting, given all the other tasks added to a committee’s oversight obligations.
When audit committees don’t do their jobs, fraud can occur — like an auditor relying on management representations when checking items like a goodwill impairment or an auditor letting the issuer do its own testing or sizing of the audit sample. (Those infractions are drawn from the SEC’s roster of enforcement cases in 2022.)
The essential duties of the audit committee align directly with some of the weaknesses in external audit relationships found by the SEC and the Public Company Accounting Oversight Board (PCAOB) over the last few years. For example, the responsibility to actively engage with the external auditor to understand the team’s qualifications is essential. In the case of a global company, the auditor may be using the work of component teams worldwide, and the quality of audit work may be below U.S. standards in other geographies, Munter said.
“That puts a lot of responsibility on the lead auditor to check the auditing is high quality,” Munter said, and for the audit committee to ensure the lead auditor is transparent on these issues.
Auditor independence is also part of the audit committee’s concerns. The PCAOB added a new section on auditor independence in inspection reports released last month.
On a different Baruch panel, Jonathan Wiggins, senior associate chief accountant under Munter in the SEC’s Office of the Chief Accountant, called auditor independence a “shared responsibility.” Wiggins said that issuers contemplating a transaction must check to see if the transaction would impact auditor independence “so that they don’t close a transaction and then find out there is a conflict.”
For audit committees that are too busy to spot problems like independence, the NACD/KPMG framework listed several ways they may be able to handle their burgeoning workloads more efficiently.
Among the recommendations: “Streamlining committee meetings by insisting on quality pre-meeting materials (and expecting pre-read materials to have been read) and making use of consent agendas,” and “spending time with management and the auditors outside of the boardroom to get a fuller picture of the issues and develop strong relationships.”