Golden Rules for Audit Committees

June 2003

Audit committees of public reporting companies subject to the Sarbanes-Oxley Act of 2002 (SOX) and audit committees of all other organizations can satisfy their duties of care by following these “golden rules:”

  • Meet separately with each of the three critical participants in the audit process: (1) the CEO, CFO, the chief legal officer and others of management; (2) the internal auditor; and (3) the external auditor; and

  • Ask the same questions of each participant and ask each participant about the reliability and competence of the other parties.

Each of these questions is designed to determine the extent to which the audit committee may satisfy its duties of care and loyalty in relying upon each of the key participants in the audit process. The first question goes to the reliability and competence of each participant, and the second question goes to the validation of that reliability and competence.

Duties of care and loyalty

Audit committee members, as with other directors of a board, have a duty of care to act as an ordinarily prudent person in a like position would under similar circumstances and have a duty of loyalty to act in a manner reasonably believed to be in, or not opposed to, the best interests of the organization. Under state law, boards and committees are to give “direction” to management through decision making and oversight. Audit committees are not charged by either state law or SOX with managing or participating in the audit. Under SOX and implied by state law, audit committees are responsible for making decisions regarding hiring, firing, compensating and determining the scope of work of the external auditor in the audit process. Their responsibility also includes providing “oversight” so they know what decisions need to be made.

The main participants in the process are described by the Blue Ribbon Committee on Improving Effectiveness of Corporate Audit Committees as a three-legged stool:

A proper and well-functioning system exists, therefore, when the three main groups responsible for financial reporting—the full board including the audit committee, financial management including the internal auditors, and the outside auditors—form a "three-legged stool" that supports responsible financial disclosure and active and participatory oversight.

Each leg of this three-legged stool is charged with conducting and managing the audit process.

Right of reliance on others

As with the board and other board committees, audit committees operate by delegating to others. Most states’ laws give audit committee members, and other directors of a board, a statutory right to rely upon:

  • Officers or employees as to matters for which the director reasonably believes they are reliable and competent;

  • Professionals such as lawyers or accountants as to matters that the director reasonably believes are within the person's professional competence; and

  • Duly established committees of the board as to matters within their designated authority that the director reasonably believes merits confidence.

Accordingly, a board is entitled to rely upon the audit committee as to matters within the audit committee’s designated authority, which is the purpose of the audit committee’s charter. In turn, the audit committee is entitled to rely upon the CFO and internal auditor on matters in which the committee believes the CFO and internal auditor to be reliable and competent and on the external auditor as to matters within the external auditor’s professional competence.

Determining reliability and competence

How can an audit committee have a reasonable belief that someone is reliable and competent? By asking questions.

Ask the same questions of all three legs of the audit-process stool: (1) the CFO and others in management; (2) the internal auditor; and (3) the external auditor. Then, compare the answers. The questions should be asked separately of each of the three legs. If the answers are consistent, a committee has strong evidence that it is entitled to rely upon the reliability and competence of each of the three legs. However, it is still advisable to validate reliability and competence by asking all three legs about their view of the reliability of each of the other legs.

If the answers are inconsistent, the audit committee likely has a duty to make further inquiries. First, the committee should review the inconsistent answer of one leg with the other two legs. For example, if an inconsistent answer was received from the CFO, ask the internal and external auditors something like, “Do you know what Mr. CFO may have had in mind when he told us . . . ?” Then, the committee should discuss the inconsistent answer with the CFO, by saying: “When we asked you about XYZ, you said 123, but when we asked the internal and external auditors, they said 789. Can you explain the difference between your answers and theirs?”

This will generally resolve the inconsistencies, especially if the committee validates the reliability and competence of all three legs. However, when in doubt, the committee would be well advised to consult with a lawyer or accountant experienced in audit matters.

Validating reliability and competence

Ask each leg their views on the reliability and competence of the other legs of the stool. Ask the internal auditor, “Based upon your experience, what is your view of the reliability and competence of management in complying with internal controls and preparing financial statements?” Also ask, “Is there anything you think we should know about management or how it is complying with internal controls and preparing financial statements?” Ask the same questions of the external auditor regarding management.

Similarly, ask the external auditor and management about the reliability and competence of the internal auditor. Ask them, "What is your view of the reliability and competence of the internal auditor in carrying out the internal audit function, and is there anything you think we should know about the internal auditor or how it is carrying out the internal audit function?”

Finally, ask management and the internal auditor about the reliability and competence of the external auditor. Ask, “What is your view of the reliability and competence of the external auditor in carrying out the audit function, and is there anything you think we should know about the external auditor or how it is carrying out the audit function?”

Sample agenda for year-end meeting of the audit committee

Review Prior to the Meeting:

  • Statement of the independent auditor’s independence pursuant to Independence Standard No. 1 Independent Discussions with Audit Committees. Note all reported services other than audit services for and relationships other than as independent auditor with the Company.

  • Financial statements. Note critical accounting policies applied.

  • Audit report on the financial statements. Note the form of the report. Note any variances from an unqualified report, including reliance upon other auditors; changes in accounting principles; qualifications regarding a going concern; and other conditions.

  • Independent auditor’s report attesting to management’s evaluation of internal controls. Note any deficiencies reported and recommendations made and management’s follow-up on those deficiencies and recommendations.

  • Independent auditor’s management or internal control letter.

  • Management’s Discussion and Analysis (MD&A) of financial condition and results of operations. Note whether the MD&A is consistent with directors’ understanding of the business.

  • CEO’s and CFO’s certifications on the accuracy of financial reports and the fair presentation of financial statements.

  • CEO’s and CFO’s evaluation of internal controls and any report of deficiencies. Note any reported deficiencies and actions taken to correct those deficiencies.

Meet with Management to:

  • Review with the CEO and CFO their certifications on the accuracy of financial reports and the fair presentation of financial statements. Ask about actions taken by management to assure accuracy. Also ask about management’s definition of materiality for testing purposes.

  • Review with the CEO and CFO their evaluation of internal controls and any report of deficiencies. Ask about any deficiencies and actions taken to correct those deficiencies. Ask about the nature, timing and extent of the procedures undertaken by management to support its evaluation regarding the effectiveness of internal controls.

  • Have management review key performance measures from each of the financial statements, comparing results to budget, prior year results, analysis expectations and measures used for incentive compensation. Ask about the effect of nonrecurring transactions or events. Ask about adjustments made as a result of the audit and the reasons for such adjustments.

    • With respect to the balance sheet, have management review policies for such items as deferred costs, inventory, receivable reserves, investments, derivatives, acquisitions, fixed asset capitalization and depreciation, intangible assets and goodwill. Have management describe the results of any impairment testing. Have management explain any significant accruals and reserves, and note any changes over time. Ask about any financings, both on and off the balance sheet, and about compliance with any debt covenants.

    • With respect to the income statement, have management describe any significant judgments and estimates that might impact reported results. Have management explain revenue recognition policies. Ask about the effect of any nonrecurring transactions, related party transactions and non-cash transactions.

    • With respect to the cash flow statement, have management analyze the company’s liquidity position and projected cash flow relative to cash requirements. Have management review the company’s current and historic ratio of net income to cash flow from operations.

    • With respect to the statement of changes in shareholders’ equity, have management review any significant changes, especially with respect to issuance of securities, including derivatives and stock options.

    • With respect to the footnotes, have management review significant accounting policies and any changes therein. Have management explain alternative policies, especially policies used by peers, and the impact those policies would have on the company’s results. Have management review material commitments and contingencies and explain factors that could result in such contingencies being reflected as an adjustment to earnings. Have management review related party transactions; disclosures regarding acquisitions and investments; federal income taxes, especially variations from statutory rates and the impact of any tax contingencies; assumptions in accounting for pension and post-retirement benefits; litigation; guarantees and indirect obligations; purchase and sale commitments; options and warrants; and derivatives.

  • Have management review the independent auditor’s management letter and management’s response. Ask about management’s action in response to deficiencies noted or recommendations made by the independent auditor.

  • Have management review Management’s Discussion and Analysis. Ask about any statements or omissions in the MD&A that are inconsistent with the directors’ understanding of the business. Ask whether the independent auditor reviewed the MD&A and whether that review raises any concerns that should be brought to the attention of the audit committee.

  • Review with the Company’s in-house and, if appropriate, outside legal counsel the Company’s compliance with applicable laws, including securities laws, and ethical standards. Ask about any legal matter that could have a significant impact on the Company’s financial statements.

  • Review with appropriate members of management their assessments of the performance by the Internal Auditor and the Independent Auditor.

Meet with the Independent Auditor to:

  • Review with the independent auditor its statement of independence pursuant to Independence Standard No. 1 Independent Discussions with Audit Committees. Ask about any services other than audit services provided to the Company and relationships other than as independent auditor with the Company.

  • Have the independent auditor review its engagement. This review would include the scope and timing of its work; its objectives for the engagement and the extent those objectives were achieved; its responsibilities and those of the internal auditor and management in the process, including the management representations discussed with management and the representations actually made by management; and any limitations on the scope of its engagement. Ask the independent auditor whether it has issued or is contemplating issuing any statement pursuant to:

    • Statement of Auditing Standards, as amended by SAS 90, relating to the conduct of the audit; or

    • SAS 61, as amended by SAS 90, concerning the independent auditor’s judgment about the quality of the Company’s accounting principles.

  • Review with the independent auditor its report attesting to management’s evaluation of internal controls. Ask about the nature, timing and extent of testing performed and the results of such testing. Review with the independent auditor any recommendations made and management’s follow-up on those recommendations. Ask whether any deficiencies are of such significance to constitute a condition required to be reported by the independent auditor to the audit committee.

  • Have the independent auditor review its audit report. This would include a review of the measures used to determine materiality and the considerations for using that measure; the risks that it assessed and the result of those assessments; the audit's areas of emphasis, such as which accounts or transactions it found subject to material judgments or estimates by management; the types of testing performed, both as to transactions and account balances as well as to internal controls; and the adjustments proposed, those actually made as a result of the audit, and those passed; whether such adjustments were for reason of errors, or variance in judgments or estimates or other reasons, and why any proposed adjustments were passed. Ask the independent auditor whether it encountered any unexpected difficulties during the course of the audit. Ask about the independent auditor's judgment as to the quality, and not just the acceptability, of the accounting principles being used.

  • Have the independent auditor review its management letter and management’s response. Ask about deficiencies noted or recommendations made by the independent auditor to management and management’s action in response to such deficiencies and recommendations.

  • Review with the independent auditor its assessments of the performance by the internal auditor.

Meet with the Internal Auditor to:

  • Review with the internal auditor any deficiencies found in the internal audit process and the actions of management necessary to correct any internal audit findings.

  • Review with the internal auditor its assessment of the performance by the independent auditor.

Conclusion

Although audit committees are not charged by either state law or SOX with managing or participating in the audit, the audit committee is responsible for giving “direction” to management, the internal auditor and the external auditor through decision making and oversight. The audit committee is expected to delegate to officers, employees and professionals. However, in order to be entitled to rely upon these others, the audit committee must reasonably believe that these officers, employees or professionals are reliable and competent.

The best way to determine reliability and competence is to repeatedly ask questions of all the audit participants and compare answers. The best way to validate the committee’s assessment of reliability and competence is to ask each of the audit participants about the reliability and competence of the others and, again, compare answers.

The committee may not be able to prevent fraud, but asking these questions may allow the committee to detect fraud early enough to prevent harm to shareholders.
