on Oversight, Open Communication, and Best Practices
Annemarie K. Keinath and Judith C. Walo
first recommended that publicly held companies establish audit
committees in 1972. The stock exchanges quickly followed by
either requiring or recommending that companies establish
audit committees. Over the years, various initiatives to strengthen
and increase the responsibilities of audit committees have
1987, the National Commission on Fraudulent Financial Reporting
(the Treadway Commission) investigated ways to detect and
prevent fraudulent financial reporting. The Treadway Commission
made six specific audit committee recommendations aimed
at deterring fraudulent financial reporting.
1999, the Blue Ribbon Committee on Improving the Effectiveness
of Corporate Audit Committees (BRC) made 10 recommendations
for improving audit committees’ effectiveness. BRC
also provided five broad guiding principles for audit committees
to follow in devising company-specific policies. The BRC
recommendations resulted in changes by NASDAQ, the NYSE,
AMEX, and the SEC.
2002, the Sarbanes-Oxley Act increased audit committees’
responsibilities and authority, and raised membership requirements
and committee composition to include more independent directors.
In response, the SEC and the stock exchanges proposed new
regulations and rules to strengthen audit committees.
Committee Best Practices
authors obtained proxies for the 98 domestic companies in
the NASDAQ 100 as of August 2002, most of which are in the
technology, pharmaceutical, and communications industries.
The audit committee charters in the sample were filed before
the passage of Sarbanes-Oxley. The authors examined all
other areas of the proxies where responsibilities of the
audit committee could potentially be reported, and included
these disclosures in our evidence.
regulations, and recommendations have been made to strengthen
audit committee composition and authority, to increase audit
committee responsibilities, and to improve the audit committee’s
1 presents audit committee requirements specified by
2 presents disclosures required by the SEC in the audit
committee report filed in the annual proxy. Exhibit
3 presents preexisting and proposed NASDAQ rules beyond
those in Exhibits 1 and 2. Additional responsibilities not
required for NASDAQ companies are included as best practices
4. These additional items cover recommendations by the
BRC and Treadway Commission, along with current or proposed
regulations of AMEX and the NYSE. Exhibit
5 presents the compilation of best practices, organized
into seven general categories, and a comparison of best
practices to disclosures of actual audit committee practices.
5 presents the percentage of NASDAQ 100 companies asserting
responsibility for each item on the best practices list.
The results show that audit committees have to significantly
expand their responsibilities to just cover practices required
by Sarbanes-Oxley and NASDAQ. In addition, if audit committees
are to be proactive and effective, they should voluntarily
expand their responsibilities to include all best practices,
including those not required.
the financial reporting process. Annual and
quarterly financial statements are the primary means for
reporting the financial condition and operating performance
to stockholders. The BRC recommended that the audit committee
review these financial statements with management and the
external auditors. The NYSE proposal requires that the audit
committee review Management’s Discussion and Analysis
(MD&A), the company’s earnings press releases,
and earnings guidance provided to analysts.
of the companies reported that their audit committees are
responsible for reviewing annual financial statements, and
95% reported that they discuss these statements with management
and auditors. Only 84% of the committees or committee chairs
reviewed quarterly statements, however, and only 68% discussed
these statements with management and external auditors.
The SEC requires that audit committees discuss annual reports
with management and disclose this discussion in the audit
committee report. Although neither current nor proposed
NASDAQ rules specifically address this issue, audit committees
not discussing quarterly statements with management and
auditors are clearly not being proactive.
for the remaining items relating to the financial reporting
process, results show a need for major improvement. Only
8% of the audit committees reviewed the MD&A, and only
1% discussed it with management and auditors. Earnings press
releases were reviewed by only 14%, and none reviewed earnings
guidance provided to analysts and rating agencies.
review and discussion of the MD&A, earnings press releases,
and earnings guidance is not required of NASDAQ companies,
audit committees should monitor all financial information
communicated to the public to ensure that investors are
not receiving misleading information. The NYSE proposal
includes these reviews as audit committee requirements,
and it urges audit committees to pay particular attention
to earnings releases using “pro forma” or “adjusted
non-GAAP” information. The SEC has expressed concern
that pro forma disclosures do not necessarily “convey
a true and accurate picture of a company’s financial
well-being.” Under the direction of the Sarbanes-Oxley
Act, the SEC has approved rules requiring that pro forma
results be reconciled to GAAP numbers. Audit committees
should ensure that the earnings releases are not in violation
of SEC requirements. The fact that so few audit committees
reported reviewing earnings press releases suggests that
NASDAQ audit committees need to assume much broader responsibility.
choice of accounting policies and principles.
The choice of accounting principles significantly affects
the financial statements. The Sarbanes-Oxley Act requires
that the audit committee receive a report from the auditor
about the principles used and the effects of alternative
choices on the financial statements. The NYSE proposal requires
that the audit committee review with management and the
external auditor the effects of estimates or judgment on
63% of the audit committees in the sample disclosed that
they were responsible for monitoring the choice of accounting
policies and principles. Only 54% specifically indicated
that they review the quality of accounting principles with
their auditors. The number of audit committees that actually
review quality may be greater than this, because the discussion
of the quality of accounting principles is a current requirement
under GAAS. Discussion of principles will be expanded under
Sarbanes-Oxley to include alternative principles, the ramifications
of principles used, and the auditor’s preferred principle.
is preferable that the charter explicitly state the responsibilities
required by GAAS. Audit committees not acknowledging responsibility
for discussing matters required by GAAS nor explicitly stating
their responsibilities on critical duties such as the choice
of accounting principles may be too passive in their oversight.
They might leave it to the auditors to determine what the
committee should know, rather than taking an active role
by asking probing questions and ensuring that all items
of importance are discussed.
internal control process. The audit committee’s
role is to ensure that management has developed and followed
an adequate system of internal control. The seven best practices
discussed below are important factors relating to internal
control. None of these functions are currently required
for NASDAQ companies, although the last two items are part
of NASDAQ’s proposed changes. All seven are recommended
or required as a best practice by at least one authoritative
all audit committees asserted responsibility for monitoring
the system of internal control. Oversight of the system
of internal control was an audit committee best practice
in the BRC report. The Sarbanes-Oxley Act elevated internal
control to such importance that it requires an annual internal
control report by management, including a statement about
the effectiveness of the internal controls over the company’s
financial reporting. In 2003, the SEC approved a rule to
implement this requirement.
compliance with legal and regulatory requirements is part
of the NYSE proposal. Only 60% of the audit committees in
this study acknowledged responsibility for this area, a
surprisingly low figure.
assessment and risk management have been of particular concern
since the Enron scandal. Corporate boards and their audit
committees must understand the business and financial risks
that may be threats to their company. An audit committee
of independent and knowledgeable directors is in a good
position to ask management the right questions to determine
whether the company is adequately managing risk. The BRC
identified risk assessment oversight and risk management
oversight as an audit committee best practice. The NYSE
proposal requires the audit committee to discuss with management
the company’s financial risk assessment and risk management
policies. It is imperative that audit committees determine
not just what management has done to identify the risks,
but also what they have done to monitor and control the
risks. Given the importance of this area, it is surprising
to find that only 39% of audit committees acknowledged responsibility
for this area.
Sarbanes-Oxley Act proposed that companies adopt a code
of ethics for senior financial officers. The SEC has approved
regulations recommending that the code of ethics include
both senior financial officers and senior executive officers.
Companies would be required to disclose whether or not they
had adopted such a code, and if not, why not. All three
of the exchanges have proposed that companies adopt a code
of ethics. In addition, all three propose that the code
should apply to all employees.
for compliance is required by the SEC and all three exchanges,
but none of them specifically indicate who should perform
compliance oversight. The Treadway Commission stressed that
an ethical code of conduct cannot succeed without a monitoring
and enforcement mechanism. It also stated that it is the
board of directors’ responsibility to ensure that
a mechanism exists and functions as intended. The Treadway
Commission recommended that this responsibility be delegated
to the audit committee, supporting it as a best practice.
Only 40% of the audit committees in this study assumed responsibility
for this area.
BRC stressed the importance of the internal audit function
in the internal control process, along with its importance
in assisting the audit committee in monitoring the adequacy
of the internal control process and the extent to which
management follows the control procedures. The BRC stated
that it was essential for the internal auditor to be able
to approach the audit committee in private, confident of
receiving the necessary support and guidance. The Treadway
Commission recommended that the audit committee review the
internal audit’s scope of responsibilities, and the
NYSE proposal requires that all NYSE companies have an internal
audit function, with oversight responsibility from the audit
committee. Only 58% of the audit committees in this study
asserted responsibility over internal audit. Given the critical
importance of the internal audit function, audit committee
oversight should be required for all companies.
Treadway Commission emphasized the necessity of a mechanism,
perhaps within the code of conduct, to receive complaints
from employees and protect employees from reprisals. The
Sarbanes-Oxley Act and NASDAQ’s proposal will require
that audit committees establish procedures to handle complaints
on “accounting, internal accounting controls, or auditing
matters” and to provide confidentiality to employees
that submit complaints. None of the audit committees in
this study acknowledged responsibility for such a function.
Sarbanes-Oxley Act requires disclosure of related-party
transactions between management and principal stockholders,
but it does not specifically require audit committee oversight
of these transactions. Both the NASDAQ and AMEX proposals
require that the audit committee, or a comparable body,
review and approve related-party transactions, making it
a best practice. Only 4% of the audit committees in the
study asserted responsibility for this function.
open communication among management, internal auditors,
external auditors, and the audit committee.
The BRC recommended that the audit committee meet separately
with management, internal auditors, and external auditors.
The NYSE proposal requires that the audit committee meet
separately with all three groups. As stated by the BRC:
“Since the audit committee is largely dependent on
the information provided to it by management, the internal
auditor, and the outside auditors, it is imperative that
the committee cultivate frank dialogue with each.”
It is critical that the audit committee meet in private
with each group, both on a regular schedule and on an as-needed
percent of the audit committees in the study indicated that
they met in private with external auditors, 61% with management,
and only 46% with internal auditors. This last result may
be related to the low percentage of audit committees that
took responsibility for overseeing the internal audit function.
These findings lend support to the contention that audit
committees have underutilized the internal audit resource.
hiring and performance of the external auditors.
The passage of the Sarbanes-Oxley Act has greatly expanded
the duties of the audit committee in monitoring the external
audit. The audit committee will be responsible for selecting
and replacing auditors and preapproving audit and nonaudit
fees and services, as well as overseeing the external auditor’s
performance. Under Sarbanes-Oxley, the audit committee is
solely responsible for hiring and firing the auditor. Only
10% of the audit committees in this study assumed this responsibility,
while 87% of the committees shared the responsibility with
the full board. Only 9% preapproved audit or nonaudit fees.
respect to monitoring performance, 90% of the audit committees
surveyed oversee the external auditor’s performance
by reviewing the audit scope or audit plan along with the
audit results. Although NASDAQ has not specified this requirement,
it is a best practice that all audit committees should follow.
With the passage of SAS 99, Consideration of Fraud in
a Financial Statement Audit, external auditors will
be asking audit committees to discuss the company’s
risk of fraud. Assessing the risk of fraud will be included
in the audit scope, and the audit committee should satisfy
themselves that the external auditor is doing this.
addition to the above responsibilities, there are five audit
committee responsibilities related to oversight of the external
audit process itself:
The BRC recommended that the external auditor be accountable
to both the audit committee and the board. This is consistent
with the markets’ listing rules. Eighty percent
of the audit committees surveyed acknowledge this accountability.
The Sarbanes-Oxley Act requires the external auditor to
report directly to the audit committee, which may potentially
change future accountability.
Ensure auditor independence. The three exchanges and the
SEC require that audit committees get a written statement
from the external auditors on their relationships with
the company, consistent with ISB 1. There is no requirement
that the audit committee make a statement about the committee’s
conclusions concerning the external auditors’ independence;
however, they are required to have a discussion with the
auditors regarding their independence. As required by
the SEC, all audit committees in this study reported that
they had received ISB 1 from their auditors, and nearly
all of the audit committees indicated responsibility for
oversight of the auditor’s independence in their
Ensure auditor qualifications. The NYSE proposal requires
that the audit committee receive a report from the external
auditor describing the auditor’s quality-control
procedures, any material issues raised by the auditor’s
most recent internal quality-control review or peer review,
and any investigation by governmental or professional
authorities within the preceding five years. Although
only the NYSE has proposed this requirement, it is included
in audit committee best practices. Only 2% of the audit
committees in our sample asserted responsibility for this
function, a disappointing result.
The Sarbanes-Oxley Act requires that the audit committee
not only discuss disagreements between management and
the external auditors, but also resolve those disagreements.
Only 1% of audit committees indicated that they both discuss
and resolve disagreements. Thirty-five percent indicated
that they discuss the disagreements, but took no responsibility
for resolving them. Because discussing the disagreements
is required by GAAS, 35% may be an understatement. Many
audit committees included a disclaimer that they were
not responsible for resolving disagreements.
Audit committees and external auditors are required to
discuss various matters required by GAAS. All of the audit
committees reported discussing GAAS with the external
auditors in the audit committee report, as is required
by the SEC. Nonetheless, many did not explicitly list
this as a responsibility in their audit committee charter,
leaving open the possibility that this is the external
auditor’s responsibility only. A proactive audit
committee should explicitly state their responsibility
for this function in their charter.
The Sarbanes-Oxley Act requires that all audit
committee members be independent and that one member have
accounting or financial management expertise. NASDAQ, the
NYSE, and AMEX all proposed independence criteria similar
to the SEC rule changes. The NYSE added a waiting period
before a former officer or employee may be a director. In
addition to the expertise requirement, the three stock markets
require that the committee consist of at least three members
and that all members be financially literate.
all of the audit committees surveyed required all audit
committee members to be independent, although a few indicated
that one nonindependent member would be allowed under exceptional
circumstances. Over 90% indicated that the committee would
include at least three members. Almost 90% stated that one
member must have accounting or financial management expertise
and that all members must be financially literate or become
financially literate within a reasonable time after appointment.
Some companies were explicit regarding independence and
financial knowledge, while many companies merely stated
that committee members were required to meet the qualifications
required by NASDAQ.
fact that all requirements were acknowledged by the vast
majority of the companies is reassuring. Sarbanes-Oxley
has tightened the criteria for independence. Therefore,
NASDAQ companies must review the criteria they are currently
using. In addition, the NASDAQ proposal requires that audit
committee members must be financially literate at their
time of appointment, with no opportunity to become financially
literate on the job.
requirements. The following are additional
best practices of audit committees:
Sarbanes-Oxley requires that the audit committee have
the authority and funding to use outside experts in their
investigations. The NASDAQ, NYSE, and AMEX proposals all
include this requirement. The study results indicate that
63% of audit committees already have this authority. It
is essential that companies not currently granting this
authority to their audit committees do so as soon as possible
in order to be in compliance with both the Sarbanes-Oxley
and the NASDAQ listing requirements.
The audit committee charter should disclose the scope,
structure, and audit committee process. This is required
by all three stock exchanges. All of the audit committee
charters surveyed met this requirement and are in compliance
with NASDAQ requirements.
As specified in Exhibit 2, the SEC requires an audit committee
report to be included in the company’s annual proxy.
All of the companies provided this report, and all included
the required disclosures. Only 49% of the audit committees
acknowledged responsibility for this item in their charter.
The charter should be reviewed annually; the SEC requires
that it be provided to stockholders at least every three
years. NASDAQ, the NYSE, and AMEX all require an annual
review of the charter.
percent of the audit committees indicated that they were
responsible for reviewing their charter annually.
remaining items are neither required nor proposed by any
regulator, but are considered to be best practices:
The BRC recommended that the audit committee have the
authority to investigate any matter considered necessary.
Just 69% of audit committees surveyed had the authority
to investigate any matter within the scope of their responsibilities.
In order for them to be effective monitors of the financial
reporting process, this authority should be granted to
all audit committees.
The NYSE proposal requires an annual performance evaluation
of audit committees. Only 2% of audit committees asserted
responsibility for performing an annual evaluation of
BRC recommended that the audit committee report annually
about whether it has fulfilled its responsibilities as
listed in its charter. None of the committees studied
said they were responsible for reporting annually as to
whether or not they had fulfilled the responsibilities
assumed in their charter.
committees are not assuming all of the responsibilities
that would lead to effective, proactive oversight. Very
few of the best practices surveyed were assumed by all of
the audit committees, and the practices with the highest
reported percentages were those that were required. With
the passage of the Sarbanes-Oxley Act and the proposed NASDAQ
listing requirements, audit committees will be required
to provide even greater oversight.
study’s results indicated that audit committees currently
are not fulfilling oversight responsibilities for which
they will soon be responsible. Audit committees reported
little or no authority for providing a mechanism to report
whistle-blower complaints, approving related-party transactions,
and preapproving audit and nonaudit fees. Audit
committees should be proactive in complying with the new
requirements, and should seek any necessary advice and training
in order to fulfill these new responsibilities.
audit committees should consider adopting all of the audit
committee best practices that apply to their situations,
even those that are not required, such as oversight of internal
audit, oversight of company compliance with the code of
ethics, and increased monitoring over financial reporting.
The results imply that audit committees are very good at
taking on responsibilities when required. On the other hand,
their record for assuming nonrequired best practices is
mixed, at best. If audit committees do not voluntarily assume
best practices, regulators may find it necessary to intervene.
The effectiveness of the audit committee should be evaluated
at least annually in order to ensure continued compliance
with best practices requirements and recommendations.
the audit committee is accountable to the shareholders it
represents, and must make significant improvements in their
communication and disclosure to shareholders. They must
disclose responsibilities that they have assumed, and they
also must disclose the extent to which they have fulfilled
these responsibilities. In order to ensure that shareholders
can easily determine audit committee responsibilities, all
audit committee responsibilities should be disclosed in
a single place in the proxy, preferably in the audit committee
charter. The findings suggest that the audit committee charters
do not always include all of the assumed audit committee
responsibilities, which are sometimes listed in the audit
committee report, sometimes in the description of the board
committees, and sometimes with the information on the audit
fees. The audit committee should disclose all of its duties
in its charter. Boilerplate charters should be not be used;
charters should be written to address the individual needs
of the specific company.
to improve accountability to the shareholders, as recommended
by the BRC, the audit committee should report whether the
responsibilities assumed in the charter have actually been
carried out. The current audit committee report required
by the SEC mandates only minimal disclosure and does not
provide complete and adequate disclosure of audit committee
responsibilities actually performed. In order to provide
complete disclosure, audit committees should follow the
BRC’s advice and communicate to shareholders both
their assumed responsibilities and the extent to which these
responsibilities have been carried out.
K. Keinath, PhD, is an associate professor of accounting
at Indiana University Northwest, and
Judith C. Walo, PhD, CPA, is a professor of accounting
at Central Connecticut State University.