RSM Resources

In recent years, few business leaders would deny there’s a strong link between the Sarbanes-Oxley Act of 2002 (SOX) and increased workloads for public-company audit committees.

However, after challenging management and outside auditors on key accounting, internal control and compliance issues, some company boards do not have a review process to assess the effectiveness of their audit. Experts say that can be a costly oversight.

"In the litigious world we live in,it’s important for an audit committee to go through a formal review process to protect itself," says Jack Henry, president of the Arizona chapter of the National Association of Corporate Directors (NACD) and chair of the audit committee for two midsized companies. "But having said that, the most important reason is not SOX or litigation. It’s to ensure that the committee is doing the best job possible."

A post-audit review usually occurs in two stages. In the first segment,audit committees should follow up with company management and outside auditors on key findings, including:

• Audit adjustments that could have a significant effect on the entity’s financial reporting process.
• Any significant variances that appeared in financial statements from one fiscal year to the next.
• Changes in accounting standards or policies that had an effect on the company’s financial statements.
• The process management used in formulating particularly sensitive accounting accruals or estimates.
• Any income tax issues that have been or might be disputed by the Internal Revenue Service.
• Any substantial financial reporting issues, and how those problems were resolved.

In addition to observing those general guidelines, audit committees also should schedule a private session with the outside auditor to review:

• The quality of the company’s internal financial and accounting staff.
• Any legal issues raised by internal or external counsel that may have an adverse effect on financial statements.
• The level of cooperation given by the chief executive officer and chief financial officer.
• The outside auditor’s greatest concerns and how to address those concerns.

Asa final step in this segment, a savvy audit committee will then meet with the company’s leadership team to discuss the management discussion and analysis (MD&A) portion of the annual report, with particular attention to how the information squares with the company’s overall financial statements and disclosures. Audit committee members also should ask management if the outside auditor read the MD&A before publication.

"In smaller to midsized companies, these kinds of reviews can be harder to conduct, because you don’t have the same level of resources available in large firms," Henry says. "On the other hand,midsized companies tend to be less complex, so it’s easier for an audit committee to get its arms around the key issues."

Once an audit committee has completed its due diligence with management and the outside auditor, it can move on to assess its own performance.Templates for audit committee self-assessments are available from NACD and the American Institute of Certified Public Accountants (AICPA).

In a reversal from the first segment, where the audit committee asks the questions, the self-assessment is more introspective. For his committees, Henry says he schedules meetings with the company’s chief executive and financial officers, as well as the lead partner from the outside auditor and any other outside resources that worked on the company’s SOX Section 404 compliance. The goal: to get an inside-out view of how the audit committee did its job.

Following those meetings, Henry suggests that the full audit committee use its chosen self-assessment tool to pinpoint the team’s strengths and weaknesses. This step could include leadership and peer reviews of all audit committee members, a team discussion on the effectiveness of the audit committee chair, and a meeting with the chair of the full board to discuss the audit committee’s performance. Those steps, he says,provide crucial direction to help the committee pinpoint where it can add the most value.

For example, Henry says, most modern-day audit committees spend a disproportionate amount of time seeking to ensure their companies comply with SOX regulations. That intense focus,while necessary, can deter the committee from making more-strategic contributions.

"With SOX, an audit committee can spend a lot of time checking off required boxes and not enough time on questions like,"Is the company headed in the right direction? Does it have the right strategy? Does it have the right bench strength?" he says. "What an effective self-assessment does is help the committee figure out if it’s spending enough time tending to the guts of the business."