I want to refer you to two pieces. The first is a set of 10 questions for audit committees from PwC. It’s the 2012 version of their annual publication. The second is a challenging interview on BBC with governance and board thought leader Lucy Marcus.
PwC has a fairly vanilla, traditional set of questions, and I have no problem with any audit committee and their advisors making sure these are addressed.
But, is this enough?
Lucy and the BBC interviewer, rightly, address the question of whether boards (and audit committees) are doing enough to represent stakeholders and their interests. I suggest that is a question every board and committee should be asking.
In other words, go beyond the tactical questions such as in the PwC piece, and take on the strategic issue of audit committee performance.
I suggest audit committees consider these questions:
- Do the members and the committee as a whole have sufficient expertise and understanding of the issues facing the company and the committee to provide effective oversight? Is everybody an active or former CEO, except for a single retired CFO who fills the ‘financial expert’ requirement? Does that really meet the needs for a diverse committee with an understanding of the business environment (including regulatory matters); risk management; how to ensure quality external audit (more below) and internal audit performance; ethics; information technology; and compliance?
- Does the committee have sufficient, timely, reliable, and current information? As Lucy and the interviewer ask, are you reliant solely on the information provided by top management? Is that sufficient? How will you know if it is incomplete? Are you getting the information you need when you need it to meet your governance responsibilities?
- Is the committee sufficiently active, asking appropriate penetrating questions of management – and following-up to ensure actions are taken? Referring back to the BBC interview, are members of the committee willing to challenge the CEO, CFO, and general counsel?
- Does management have effective risk management programs in place that provide reasonable assurance that risks (including opportunities) will be identified, assessed and evaluated, and then treated promptly to ensure they remain within acceptable limits? Ask clarifying questions about whether (a) the company is sufficiently nimble and agile so that it can respond when conditions in the market change, and (b) risk is an integral part of how decisions are made – including how strategy is set by executives and approved by the board. Unfortunately, the PwC commentary on risk management focuses on disasters and preparedness rather than the management of risks across the organization.
- How can the committee ensure that the external audit team is (a) objective, (b) comprised of quality individuals in every geography, (c) basing their work on a solid understanding of the company’s financial reporting risks, and (d) working effectively with management and leveraging the insights of the internal audit team? Rather than wait for and rely on SEC actions, the committee should consider whether it has the means to evaluate the above and how the external audit firm measures up. There have been too many ‘audit failures’ over the last year or two for this not to be on the audit committee agenda.
- Are the organization’s external reports driven solely by the need to comply? Do they meet the needs of the stakeholders for clear information? How far should the organization go to improve transparency and the use of plain English? Will the company disclose social responsibility and other information that is not yet required by regulation, but is increasingly sought by investors, the community, and other stakeholders?
- Is the committee getting the most from internal audit? Does internal audit understand and provide assurance on the more significant risks? Do you get an annual opinion? Is internal audit helping you understand and address the maturity and effectiveness of governance and risk management processes?
- With so many changes in economic conditions, indicators of a risk in fraud, and a continuing emphasis by so many on short-term results, how does management – with your oversight – monitor the culture of the organization? Consider not only the risk of fraud (in all forms), but the risk-taking culture of managers. Are they rewarded (at all levels, not just at the top) for success without being penalized for failure? Are they always penalized for failure and barely rewarded for success?
- Are the systems and processes used to run the business, monitor and optimize its performance, and report its results ready for the future? Does management rely on old information to make decisions, or does it have real-time information (including risk information) so it can make quality decisions?
- How are you measuring the performance and effectiveness of the finance function?
What do you think of these 10 questions? What would you change or add?