The Combined Code on Corporate Governance: The audit committee
This article is based on UK law.
The role of the audit committee is so important to good
governance that it was subject to a separate review in 2003. The
Smith Guidance on Audit Committees, produced by Sir Robert Smith,
is annexed to the Code.
Composition of the committee
The Code provides that the audit committee should consist of at
least three independent non-executive directors, or two if the
company is outside the FTSE 350. And the board should “satisfy
itself” that at least one of those independent non-executives has
recent and relevant financial experience. The Code
is not specific about what constitutes “relevant experience”, but
Smith says it means a professional qualification from one of the
accountancy bodies. Note that Morrisons’ new audit committee
admitted to lacking the “recent and relevant financial experience”
required by the Code and had to recruit an independent firm of
accountants to advise it as a result.
Commonly, the “expert” may be a retired finance director from
another company or perhaps a former partner of an accountancy firm.
To comply with the Code’s recommendations for independence the
board should, of course, exclude its own former finance directors
and auditors. In any event, it must justify its choice in the
annual report.
Given the complexity of the issues usually faced by an audit
committee, it is essential that its members are given proper
induction and training.
Roles of the committee
The Code gives the audit committee four main roles.
- It is the guardian of the integrity of a company’s
financial statements and performance. It must, in short,
be satisfied that all figures presented to shareholders and the
outside world will stand up to scrutiny and can be relied upon.
This requires committee members not only to understand the
financial statements and how they are made up (no mean feat as
accounting standards get ever more complicated), but also to quiz
the finance director and the external auditors as draft accounts
are produced. Like all good non-executives, they must ask the right
questions and be persistent if a satisfactory and intelligible
answer is not forthcoming.
- This general oversight of the company’s accounts means that the
audit committee also has a role in checking the company’s
internal financial controls, reviewing them and their
operation and ensuring that necessary risk management
systems are in place. Where a company has an internal
audit function, the audit committee will need to extend its
monitoring role to the internal auditors. At least once a year, the
committee should meet the internal and external auditors on its own
(i.e. without management) so that any issues arising from their
work can be freely raised. Between meetings, the committee chairman
in particular needs to maintain communication on audit matters both
internally and with the external auditors. If there are no internal
auditors, the committee should review each year whether there is a
need for such a service; if it concludes there is not, it should
explain why in the annual report.
- The committee has some specific duties as regards the
external auditors. It recommends the appointment of
auditors to the board and approves their fees and the other terms
on which they are retained. If there is dissatisfaction with their
performance, it may recommend their replacement. In the very
unlikely event that the board disagrees with the committee, the
arguments on both sides need to be put forward to shareholders in
the annual report and AGM papers. Smith also says that the
committee should approve the appointment and removal of the head of
internal audit.
The committee must keep a close check on the external auditors’
independence and objectivity. Is it time for a change, if only to
get fresh thinking and a new perspective on some old issues? Are
the auditors getting too close to management?
Closely related to the second question is the issue of non-audit
services. The independence of the auditors may reasonably be
expected to be compromised if they also act as the company’s
consultants and advisers. Under the US Sarbanes-Oxley legislation
(see box below), non-audit services such as consultancy and
advisory work are severely limited. In the UK, it is left to the
audit committee to decide what other services the auditors can
provide. The committee needs to develop a specific policy on the
matter – it may, for example, rule against some services as raising
too many potential conflicts (e.g. advice on remuneration policy),
permit others (such as tax advice) and require a case by case
decision on everything else. It may also require non-audit work
above a certain financial limit to be approved by the
committee.
Where non-audit services are performed, disclosures are required in
the annual report, and the committee must explain how auditor
objectivity and independence are to be preserved. The need to
maintain independence and objectivity also means that the audit
committee should develop a policy regulating the employment of
former employees of the auditors.
- The audit committee has a role in fraud
prevention. It needs to be confident that there are
opportunities throughout the company for employees to act as
“whistleblowers” and report improprieties and abuses. This may mean
giving employees contact details for committee members for use if
other avenues fail. Many companies have introduced confidential
fraud hotlines for employees; others use an outside agency that can
take calls and forward the information given to the right person. A
fraud response plan will be needed to guide investigations into any
allegations of wrongdoing.
The Companies Act 2006 has for the first time allowed
accountancy firms to limit their liability on company audits but
the limitation must first be agreed with the company and
subsequently by the company’s shareholders. No doubt negotiation of
the limitation, and presentation of that agreement to shareholders
for approval, will be a new task for the audit committee.
Case study: The Sarbanes-Oxley Act
No examination of corporate
governance would be complete without reference to the
Sarbanes-Oxley Act (SOX), passed in the aftermath of the Enron,
Tyco and other corporate scandals, and an acknowledgment that there
are a few circumstances where it may affect UK companies and their
directors.
SOX applies to all companies,
whether incorporated in the US or elsewhere, that publicly issue
securities in the US and file reports with the US Securities and
Exchange Commission (SEC). It has no direct application to other
companies. US and non-US subsidiaries outside the terms of the Act
may, however, be indirectly affected if their parents have to
comply.
Examples of UK companies that
are directly affected include Cadbury Schweppes and British
Airways, which have securities traded on the New York Stock
Exchange.
SOX has a broad application,
and much of the detail has been left to the SEC to work through.
Among other things, the Act requires the chief executive officer
and chief financial officer of a company to certify the annual and
quarterly reports under separate civil and criminal provisions.
Both must confirm that they have reviewed the reports and that
there are no material mis-statements. Individuals who knowingly
sign false certificates can face fines and severe criminal
penalties. They can also end up forfeiting cash bonuses and share
awards.
In addition, SEC rules
require management to include a report on their internal controls
and procedures for financial reporting in their annual reports
filed with the SEC. Management must evaluate the effectiveness of
those controls and procedures, and the company’s auditors must
issue a report on the assessment.
These requirements are likely
to have a knock-on effect on directors and managers in UK
subsidiary companies, who may be asked to provide similar
certificates and confirmations in respect of their own financial
reporting and internal controls. Such reports will give reassurance
and perhaps some legal protection to US officers and management; at
the very least, they will demonstrate that the US officers have
asked the right questions and received replies that it is
reasonable for them to rely on.
Because directors and
managers of a UK subsidiary are not directly subject to the SOX
provisions, nothing they do or fail to do should constitute a breach
of the Act or the SEC rules. Even if it did, the US authorities
would have no jurisdiction to bring a prosecution in the UK
(although the threat of extradition cannot be ignored).
Of course, giving a
negligent, reckless or fraudulent certificate or report to the
parent company may be regarded as a disciplinary offence and, in
the worst cases, mean summary dismissal. It is also conceivable
that the parent company and/or a US director or manager who relied
on a certificate or report from a UK director or manager may
attempt to claim against them if some liability in the US had
resulted. The threat of such a claim cannot be discounted; any
reports and certificates requested from the US should be prepared
and verified with the highest standards of care.
The risks can be minimised if
internal controls and procedures in a UK subsidiary mirror those in
the US parent. Budgets and resources should be made available for
such controls and procedures and, where necessary, for external
advice and reports.
Resources and rewards for committee members
The audit committee needs to be adequately resourced. It should
have access to outside advice when necessary. And the Smith
guidance accepts that committee members should be paid further
remuneration in addition to other fees to reflect the onerous
nature of their duties and responsibilities. The chairman should
command a higher level of remuneration than his colleagues.
Relations between the committee and management
The effectiveness of the committee is obviously closely linked
to the effectiveness of senior managers. Management should not wait
for the audit committee to ask for information. It needs to ensure
that the audit committee is kept informed at all times and to take
the initiative in supplying information to it.