Board audit committees are the pillar of successful corporate governance in public-listed companies (PLCs), as boards are dependent on their audit committees to provide effective oversight of the annual audit process. Audit committee members do their best quality work when members are independent and objective. Almost all audit committees, irrespective of their expertise, have room to improve especially in emerging areas of regulation, sustainability and climate change, and digital literacy and leadership.
Based on the recent experiences of many public-listed companies, the following are several recommendations for improving the structure and performance of board audit committees within corporate entities to improve audit and financial reporting assurance, and forthwith to achieve heightened governance and public trust:
Restrict tenure of audit committee members
It is prudent to restrict the tenure of the audit committee boards in a corporate organisation to avoid complacency and situations that may endow more control, ownership, and entitlement to long-serving members. For instance, currently in Malaysia, there is no stipulation of audit committee tenure by the authorities. Companies will follow the terms of reference in the audit committee charter or tenure of independent directors as prescribed in the Malaysian Code of Corporate Governance (MCCG) 2017 (Practice 4.3). However in the United Kingdom (UK) for example, appointment of audit committee is restricted to a period of not more than three years, which is extendable for another period of three years (Para 2.5, Guidance on Audit Committees of the Financial Reporting Council, UK).
Develop the audit committee’s competencies
Audit Committee members should be independent of mind and have the necessary skills, experience, personal characteristics and diversity of thought for the position. They should have the experience, expertise and intuition to pick up on attempts to manipulate the financial reports. Members of the audit committee must be able to communicate with management and auditors and be willing to challenge and ask questions about the risk management and control systems, accounting and financial reporting of the organisation.
Conduct Formal Induction Services/Onboarding
Formal induction services for new audit committee and board members familiarises them with their duties as well as the current issues and specific circumstances of the organisation. The onboarding requirements for new members can vary, however, depending on a number of factors, including the background and experience of the committee members and the position that they are expected to play on the board and audit committee. All new members of the audit committee should be prepared to take responsibility for their own induction programmes and work with management and others to determine how best to accelerate and build a strong foundation for informed oversight.
Applying the concept of “Fraud Triangle Theory” in identifying the possibilities of fraud or financial distress
The audit committee can easily dissect the accounting fraud that may occur using the theory of fraud triangles (encompassing pressure/motivation, opportunity and rationalisation), which is commonly used to describe criminal behaviour in auditing and forensic accounting. A clear understanding of the fraud triangle allows a company to formulate tactics to battle actions and minimise fraud effectively.
Ensure that the independence of the audit committee is both real and perceived
It is critical that members of the audit committee not only have formal independence in compliance with defined requirements, but also independence of thinking, judgement and practice, so that independence is not only interpreted or seen, but is actual and implemented. Representatives of the audit committee should express their own views and not allow their trust in or relationships with management to undermine their continuing show of impartiality and objectivity.
The audit committee’s function is to evaluate, report and recommend, and in some cases authorise, review and duly approve the position of a board. However once the chair or member of an audit committee is interested in the “doing” part of the decision, by offering advice, there is an inherent conflict when one checks one’s own job, or a decision in which the chair or other member has engaged, even in a subtle manner.
In this regard, audit committees need to exercise great care, especially at a psychological level, in offering concrete advice to management, even the top management.
Describe the role and evaluate the performance of the chairs of the audit committees
It is unlikely that an audit committee will be effective without an effective chair. A detailed job description (or the equivalent) should be available for the chair of the audit committee, adapted to individual circumstances if necessary and used as a basis for recruitment, succession planning, assessment and remuneration. Many regulators in big countries have been advised to recommend job details for the president of the board and all members of the central committee. The audit committee chair’s position description should include best practices and regulatory requirements.
Subsequently, perform a thorough evaluation of the chair’s effectiveness, such as taking into account the job requirements and the skills and competences that the chair is expected to bring, providing feedback and reporting, taking prompt, corrective action as required, and reporting on the complexity of the review process in appropriate method.
Equip audit committee members with understanding of the reasoning behind the choices made by management and the consequences for financial abuse
At a minimum, the business model and how the business makes money must be understood by all directors. But audit committee members need to understand how these transactions require management to make judgements and choices, including the selection and application by management of critical accounting policies, judgements and estimates, and the potential for manipulating financial statements. Critical accounting policies require complex, subjective judgement and critical accounting estimates that require uncertainty assumptions where different assumptions can have a material impact.
There should be clear agreement that when an accounting procedure is open to interpretation or needs a decision or has a significant impact on the company’s finances, there should be sufficient documentation of the essence of this calculation, such as its reliability or fragility, based on the management’s current assessment of future events being wrong, in previous experience, or its equivalent.
Recruit, direct, inform and educate members of the audit committee
For all members of the audit committee, thorough succession planning should be in progress to ensure their continuing relevance and effectiveness. This includes:
- providing a systematic and transparent process with due consideration by the selection committee;
- identifying differences in existing member competencies or abilities and committee requirements; and
- ensuring a pool of managers with suitable credentials to serve on and chair the committee and, where necessary, retaining a recruitment firm to select these managers.
Additionally, the audit committee’s financial experience should be current, applicable, meet regulatory requirements and suit the company’s future needs for financial oversight, such as capital and balance sheet management, accounting, financial control and insurance, financial markets, treasury, fund management, investment banking, taxation, risk management, and the like as and when needed.
A detailed, structured and personalised induction should be given to all incoming audit committee members, including: committee charter, past agendas, documents, minutes and reports, key accounting standards and treatments, administrative, risk and control structure, auditor and other insurance provider work plans, and in-depth sessions with reporting management and auditors.
To maximise their contribution to the audit committee, all members of the audit committee should obtain and show commitment to continuous education on leading practices. Members should refresh or improve their knowledge of applicable accounting, auditing, business and other regulatory requirements through management briefings, auditors and subject experts, sponsored external opportunities and member preferential site visits. This last item, site visits, is particularly important because audit committees will regularly visit the company’s operations and obtain first-hand information, such as seeing the results, talking to people, and hearing business unit managers’ complaints about the control climate. Successful companies always consider site visits particularly useful as part of their broader management education system.
Have a “mapping” agenda and effective committee documentation and reporting from the audit committee to the board
There should be sufficient time between the meeting of the audit committee and the meeting of the board to enable any work that occurs before reporting to the board, such as reviewing minutes, follow-up activities and creating material, recommendation or policy matters, within the timeframes for financial reporting, other committee meetings and members’ schedules.
The audit committee chair should also report to the board in a timely, thorough, substantive and focused manner. Meeting minutes provided / available should be clear, accurate, consistent, complete, timely and include the appropriate details, including supporting materials and due diligence on the basis of the recommendation to the board by the audit committee.
Ensure clear communication channels between the management and the audit committee
The audit committee should have good working relationships, interactions, monitoring and confronting with senior management staff, in such a manner that these managers are truthful, open, clear, attentive, proactive and accountable to the audit committee. If not, this issue must be addressed. The level of honesty in management of financial reporting, for example, should be high for the CFO and reporting team. They should maintain confidentiality, recognise, disclose and handle conflicts of interest; act in a manner that would withstand scrutiny; promote responsible, ethical decision-making, led by example; and instil a culture of accountability, transparency, and consistent financial reporting across the business.
Bad news should be recognised and reported promptly to the audit committee. These usually contain warning signs or red flags, such as contradictory industry practices, analysts and institutional investors’ concerns, inappropriate identification of profits or capitalisation of assets, management constraints or fraud opportunities, material lawsuits or non-compliance issues.
The audit committee should also have similar positive working relationships with all assurance providers as needed, such as the lead external audit partner, the head of internal audit, appointed actuaries, regulatory auditors, compliance, IT, quality and other specialist auditors, so that these assurance providers are equally open, transparent, sensitive, proactive and directly responsible.
Effective monitoring of risk management by the audit committee
The board audit committee and management should have a mutual commitment to an efficient risk management programme, which ensures that it is wide-ranging, comprehensive, incorporated into activities, real-time, continuous and culturally ingrained, reacting to, detecting, assessing, tracking, managing and minimising the company’s material business risks. The risk management framework will improve the audit committee’s review process to demonstrate and should guide the internal audit programme, external audit process, insurance agreements, and other business processes, such as recognising key risks and enforcement requirements where independent monitoring is needed.
Second, the audit committee should have a clear understanding of the nature of risk supervision. The risk profile developed by the board should take into account the material business risks, financial reporting and otherwise as defined by the company’s risk management programme, and the board should exhaustively and holistically delegate oversight of such risks to itself and the board committees; it should be properly recorded, including monitoring and transparency within management and subordinates.
The risk appetite set by the board, such as reasonable amount and type of risk, should be clearly articulated for each material business risk, subject to review by the audit committee. Risks should be graded, for example, and consistent tolerance thresholds or boundary limit metrics should be set in strategic management criteria and direct risk mitigation action. These should be notified in the meetings of the audit committee, as well as private sessions.
In addition, frequent, accurate, informative, and objective information on risk effects should be highlighted to the audit committee, such as reports on existing, ongoing, mitigated and tracked risk scores, such as extreme, moderate, medium or low categories. In addition, include “ownership” risk and control, allowing the audit committee to evaluate, informatively, the consistency between the current performance of risk management and the management’s established risk appetite.
Have a strong internal audit feature reporting to the audit committee directly
The audit committee will seek to ensure that the internal audit director is independent from management and external audit and is impartial when reporting accurate results to the committee. The internal audit director (including senior staff) should not participate in organisational or non-internal audit or oversight activities and should have direct access to the chair of the audit committee.
In response to an internal audit report, the audit committee should also ensure that management follows up on corrective actions. Major findings for each report should be documented, including exceptions, differences, disputes and risk profile implications; a register of recommended changes should be maintained for each report received; resources and accountability should be allocated; and issues raised should be tracked, resolved promptly and reported to the audit committee.
Make effective use of “in camera” or executive sessions with the audit committee
Particularly important are private sessions with the internal audit director and the external auditor. Major issues to be addressed extensively with the internal auditor include: internal audit views on areas of high risk, judgement and responsiveness, potentially aggressive accounting practices, IT manipulations, control check automation, enforcement deficiencies, alleged fraud or irregularity, and any questions regarding independence, budget, resource or personnel.
Private sessions with the external auditor should also take place to discuss all major issues in a comprehensive way, including any disputes with management. There should be an open, transparent, honest dialog as a ‘safety valve’ on all substantive and material issues of concern, such as the external auditor’s views on the application of accounting principles to specific transactions or events, the basis for judgements on estimates, audit scope, disclosure in financial statements or footnotes, etc.
Regularly assess the effectiveness and contribution of the audit committee
A thorough evaluation of the efficacy and involvement of the audit committee should be carried out, taking into account the structure of the audit committee and the roles that it is required to perform and, with regard to best practices, providing feedback and reporting to the committee and its members, taking prompt and corrective action if appropriate. This self-examination may be carried out internally or with the help of a third-party specialist, depending on the preferences of the audit committees.
- Malaysian Code of Corporate Governance 2000
- Malaysian Code of Corporate Governance 2012
- Malaysian Code of Corporate Governance 2017
- The Star. (24 April 2012). Heated Silver Bird AGM.
- Financetwitter. (27 September 2007). Silver Bird might be yelling Give-Me-5, High-5
- Canadian National Policy. (30 June 2005). Corporate Governance Guidelines. National Policy. Section 3.5, pp 58-201.
- AICD, AUASB, IIA. (2012). Audit Committees: A Guide to Practice, 2nd Edition. Australian Institute Company Directors.
- Dan A. Bavly. (1999). Corporate Governance and Accountability: What Role for the Regulator, Director and Auditor. Quorum Books, Chapter 11-13
- Briotta Jr. Louis, R. Trent Gazzaway & Robert Colson (2010). The Audit Committee Handbook, 5th Edition. Wiley.
- Anupam Mehta. (2016). Toshiba: Accounting Fraud. Richard Ivey School of Business Foundation, Version 2016-06-27.
- Annual Report (2013). High-5 Conglomerate Berhad, Bursa Malaysia.
The above article is condensed from a doctoral case study on board audit committees and their impact on corporate governance by Rima Melini Md Tamin C.A(M) 15459, and Prof. Dr. Wan Nordin Wan Hussin, Universiti Utara Malaysia