Committee Responsibilities Disclosed Since Sarbanes-Oxley
Annemarie K. Keinath and Judith C. Walo
JUNE 2008 - The
Sarbanes-Oxley Act of 2002 (SOX) significantly increased the authority
of audit committees in overseeing their companies’ financial
reporting processes. With audit committees assuming such a key
role, it is important to determine the extent to which audit committees
have complied by adopting these new requirements. In this climate
of increased oversight, it is equally important to determine if
audit committees have taken the initiative and adopted voluntary
best practices that go beyond those imposed by regulation or exchange
rules. Studies conducted before SOX suggest that audit committees
readily adopt required practices but are less inclined to voluntarily
adopt recommended, but not required, practices.
used an empirical approach to examine the audit committee practices
of the Nasdaq 100 companies as of August 2002. These are the 100
companies with the largest market capitalization listed on the
Nasdaq exchange. These are important companies that face significant
scrutiny from the investing community, and a high level of audit
committee oversight should be expected.
obtained proxy statements for each domestic Nasdaq 100 company,
both pre-SOX and post-SOX. (The authors
conducted a similar study after the passage of SOX; see “Audit
Committee Responsibilities” in the November 2004 CPA
Journal.) Two non-U.S. companies were exempt from filing
a proxy, three companies were bought out in the period, and two
companies merged (IDEC Pharmaceuticals bought Biogen, forming
Biogen Idec). This brought the final sample size, post-SOX, to
compiled a list of audit committee best practices, including required
and voluntary characteristics and responsibilities. Because the
sample was restricted to Nasdaq companies, only audit committee
practices required by the SEC or Nasdaq were considered “required.”
Other practices, including those required by the New York Stock
Exchange (NYSE) and the American Stock Exchange (AMEX), and recommendations
issued in 1999 by the Blue Ribbon Committee on Improving the Effectiveness
of Corporate Audit Committees (the BRC was formed in 1998 by NYSE
and the National Association of Securities Dealers), were considered
to be voluntary best practices and are labeled as such.
committee charters were obtained from proxies filed closest to,
but prior to, the enactment of SOX on July 30, 2002. For post-SOX
charters, audit committee charters found in proxies filed closest
to, but after July 30, 2002, were used. If a company did not file
its charters in its 2003 annual proxy statement, its website was
searched to obtain the charters. For pre-SOX data, the authors
used audit committee charters, as well as audit committee reports
and any other information reported in the company proxy. For post-SOX
data, only audit committee charters were used. The authors believe
that this is legitimate for this study, because audit committees
should have been aware of the importance placed on audit committee
oversight, and their post-SOX audit committee charters should
have fully reflected their assumed responsibilities.
Practices and Results
grouped audit committee best practices into six categories, then
further broke down each category into “required” and
“voluntary.” The results follow each category. Exhibit
1 shows the percentage of pre-SOX and post-SOX audit committees
in the sample that adopted “required” practices. Exhibit
2 shows the percentage of pre-SOX and post-SOX companies that
adopted “voluntary” audit committee practices in their
the Financial Reporting Process
Audit committees were required to review and discuss the annual
audited financial statements with management and the external
auditors pre-SOX. As would therefore be expected, the study showed
that almost all pre-SOX and post-SOX charters complied with these
It is surprising that the SEC does not require audit committees
to review or discuss financial reports beyond the annual financial
statements. NYSE requires audit committees to review annual and
quarterly statements, the Management Discussion and Analysis (MD&A),
the company’s earnings press releases, and the company’s
earnings guidance. SOX sections 302 and 906 require that both
the CEO and CFO certify that the financial statements are accurate
as part of a company’s annual and quarterly financial reporting.
Although there is no requirement that audit committees review
or discuss management’s certification, this is considered
“voluntary” because the certification is part of financial
more than 90% of audit committees review and discuss quarterly
statements with management and the auditors. This is an improvement
over pre-SOX practice, when 84% reviewed them and 68% discussed
them with management and the auditors. More than 50% of the post-SOX
audit committees review and discuss the MD&A—a big improvement
over pre-SOX practice, when only 8% reviewed them and only 1%
discussed them. Reviewing earnings press releases has increased
dramatically to 64% post-SOX. Other oversight of financial reporting
has improved, with some (less than a majority, however) post-SOX
audit committees now reviewing earnings guidance, pro forma financial
data, and the CEO/CFO certification letters.
Monitoring internal controls directly affecting
the reliability of financial statements is generally understood
to be a function of audit committees. Nasdaq and AMEX require
audit committees to review and approve related-party transactions.
SOX section 301 directed the SEC to require audit committees to
“establish procedures” to handle complaints on “accounting,
internal accounting controls, or auditing matters” and to
provide confidentiality to employees who submit complaints.
audit committees surveyed consider these important areas of their
oversight. The greatest change in responsibilities post-SOX was
the 96% compliance with the whistleblower requirement. In addition,
77% of post-SOX companies acknowledged responsibility for reviewing
and approving related-party transactions. Neither of these had
been required before SOX.
Only NYSE requires audit committees to monitor compliance with
legal and regulatory requirements and to discuss with management
the company’s financial risk assessment and financial risk
management policies. A proactive audit committee should ensure
that the company’s risk is properly assessed and managed.
NYSE requires an internal audit function and mandates that audit
committees oversee that function. The BRC stressed the importance
of the internal audit function in the internal control process,
as well as its importance in assisting audit committees in monitoring
the adequacy of the internal control process.
and AMEX require a code of ethics for all employees, although
they do not specify who should oversee compliance. The audit committee
would seem to be the logical choice to provide the oversight,
given that the code of ethics is part of a company’s system
of internal controls. SOX section 401 requires that annual and
quarterly reports disclose all material off–balance sheet
financing. Although audit committee oversight of off–balance
sheet financing is not required, audit committees should assume
this responsibility as part of their oversight of the financial
reporting process. SOX sections 302 and 906 require that the CEO
and CFO certify that disclosure controls are in place to ensure
information filed with the SEC is timely and properly reported.
Because this is also a part of the financial reporting process,
audit committees should monitor compliance. Finally, SOX section
404 requires that management annually submit a report on its assessment
of the effectiveness of the internal controls. The authors believe
that audit committees should ensure that the reports are consistent
with SEC requirements.
these items are not required for audit committees in the sample,
the study shows that 70% or more of post-SOX audit committees
have taken responsibility to monitor risk management, ensure compliance
with legal/regulatory requirements, oversee compliance with ethical
codes, and oversee the internal audit function. Among the companies
surveyed, 40% or less review off–balance sheet financing,
monitor disclosure controls, and review management’s certification
Hiring and Performance of Independent Auditors
To improve auditor independence, SOX section 301 includes a requirement
that audit committees be solely responsible for all the aspects
relating to selecting, hiring, and replacing external auditors.
It also requires that external auditors report directly to the
audit committee. Prior to SOX, auditors were accountable to both
the board of directors and the audit committee. SOX section 202
requires audit committees to preapprove both audit and nonaudit
fees and services. SOX section 301 requires that compensation
to external auditors be approved by the audit committee. SOX section
203 requires that the audit lead partner (and concurring partner)
be rotated at least every five years; according to SEC regulations,
failure to do so results in the auditor not being independent.
SOX section 206 requires a one-year cooling-off period, in which
a former member of the audit team is prohibited from working for
the company as CEO, controller, CFO, or chief accounting officer.
In implementing this section, the SEC’s final rule went
beyond that required by SOX and included anyone with a financial
reporting oversight role; again, failure to do so results in the
auditor not being independent. Finally, the auditors must provide
a written statement on the auditors’ relationships with
the company to the audit committee. This is required by Nasdaq,
NYSE, and AMEX to assist audit committees in determining auditor
301 requires that audit committees discuss and resolve disagreements
between management and external auditors. SOX section 204 requires
audit committees to receive a report from the auditors on critical
accounting policies, alternative principles, and written communications
between the auditors and management. This study shows that significant
changes have occurred post-SOX in the area of oversight of the
external auditors and the audit. These changes should have enhanced
auditor independence. Nevertheless, only 63% of the charters post-SOX
reflect that the auditor is accountable solely to the audit committee—a
significant change from pre-SOX practice that should be reflected
in all charters.
A great change
occurred in who hires the external auditor. Post-SOX, 91% of charters
report that the audit committee alone selects and replaces the
external auditors. Pre-SOX, 87% of the charters reported joint
responsibility between the audit committee and board. These findings
show a dramatic effect on audit committee responsibilities and
authority after SOX.
has occurred in preapproval of audit and nonaudit fees and services.
Post-SOX, 88% reported preapproving audit fees and services, with
93% preapproving nonaudit fees and services. Post-SOX, 94% of
the charters reported approving auditor compensation, a dramatic
increase from only 38% of audit committees that reported having
that responsibility pre-SOX.
of audit committees have assumed responsibility for ensuring that
the partner-rotation rule has been met, only 2% monitored the
one-year cooling-off period for hiring previous auditors, and
only 67% reported discussing and resolving disagreements between
management and auditors. All public companies are required to
comply with these provisions.
greatest concern is the apparent inadequate communication with
auditors on accounting principles. Only 60% of the post-SOX charters
reported adopting responsibilities required under SOX section
204 to review auditors’ reports on accounting principles.
One should expect to see this responsibility on all the charters,
because this is required by SOX.
Generally Accepted Auditing Standards (GAAS) require various communications
between the auditors and the audit committee. Although these are
requirements that must be met by the external auditors, the audit
committee should be proactive in its relationship with the auditors.
Auditors are required to communicate issues related to the audit
scope and plan to the audit committee, and 81% of the charters
report this as an audit committee requirement. A failure to communicate
on accounting principles (discussed above) is repeated in Exhibit
2, which shows that only 48% of charters require audit committees
to review quality and appropriateness of the accounting principles
with the auditors. SEC regulations section 10A(b) and GAAS require
that auditors inform the audit committee of any illegal acts they
found during the audit. Only 24% of the charters mention a requirement
to determine if the auditors found any illegal acts.
making the most effective external auditor hiring choice, an audit
committee should evaluate the auditor’s qualifications,
not just its independence. NYSE requires audit committees to review
reports on the external auditor’s quality controls in order
to determine if the auditor is qualified, and the authors advocate
such a policy as a voluntary best practice for Nasdaq-listed companies.
The study found that 62% of charters require audit committees
to check the auditing firm’s qualifications (i.e., quality-control
report), compared to only 2% pre-SOX.
57% of audit committees review rules for hiring former members
of the audit firm and 16% consider rotating the audit firm performing
the audit. Both of these tasks could improve auditor independence,
and an audit committee should consider adding these to its responsibilities.
Open Communication Between Management, Internal Auditors, and
NYSE requires audit committees to meet separately
with management, internal auditors, and independent auditors.
Separate meetings provide an opportunity for vital information
to be conveyed privately to the audit committee.
50% of the audit committee charters surveyed require the committee
to meet separately with internal auditors, external auditors,
and management at least periodically, or as needed. Most of the
remaining charters show that audit committees meet separately
with management, internal auditors, or external auditors. Post-SOX,
76% of the audit committees in the study meet separately with
management, 62% meet separately with internal auditors, and 89%
meet separately with external auditors. Audit committees are more
likely to receive candid information in separate meetings, and
audit committees should do more to encourage separate meetings.
SOX section 301 requires that all audit committee
members be independent and that one member have accounting or
financial management expertise, with sections 406 and 407 requiring
that the name of the financial expert be disclosed. Nasdaq, NYSE,
and AMEX require that the committee have at least three members
and that all members be financially literate. The survey results
in this category indicate high compliance.
With its changing responsibilities and new requirements
for financial statements, a proactive audit committee should make
educational opportunities available to members and encourage them
to participate. Audit committee members cannot effectively perform
their duties without the requisite knowledge in accounting and
auditing (i.e., either financial expert or financially literate).
only 6% of the charters in the survey indicated that educational
opportunities would be made available to audit committee members
to obtain and maintain their qualifications.
Nasdaq, NYSE, and AMEX require audit committees to review their
charters annually and to consider any proposed changes at that
time. SOX section 301 requires that audit committees possess the
authority and funding to use outside experts in their investigations.
Finally, the SEC requires audit committees to prepare the report
filed in the company’s annual proxy.
high compliance in meeting these requirements. The largest change
between pre-SOX and post-SOX is in the ability to use outside
experts, with post-SOX compliance being 97%, compared to pre-SOX
compliance of only 66%. Only 54% of pre-SOX charters reported
their requirement to prepare the audit committee report for the
annual proxy, with 90% reporting it post-SOX. The authors believe
this is an example of audit committees increasing their documentation
in the charter, rather than increasing their actual responsibilities.
All (100%) of the pre-SOX proxies in the sample contained an audit
committee report. Therefore, 46% of the audit committees had a
report in the proxy but did not list the function in their charter.
NYSE requires that audit committees perform an annual self-examination.
The BRC recommended that audit committees report annually on whether
the audit committee has fulfilled its responsibilities as listed
in the charter. This practice would serve to close any gap between
what the audit committee discloses as its assumed responsibilities
in its charter and the responsibilities it actually carried out.
Less than half of post-SOX audit committees report that they are
required to perform an annual self-evaluation, and only a small
minority said they must evaluate and report on an annual basis
whether they have fulfilled their charter requirements.
The BRC recommended
that audit committees be authorized to investigate any matter
related to their oversight of the financial reporting process.
Audit committees have increased authority post-SOX, such that
76% have the authority to investigate any matter (compared to
in corporate governance have been mandated by SOX and the stock
exchanges. Audit committees have been the beneficiary of increased
authority and responsibilities that should make corporate governance
stronger. A close examination of audit committee charters indicates
significantly greater oversight over the financial reporting process
since the enactment of SOX.
of this study are consistent with previous studies, in that audit
committees are more likely to adopt required rather than voluntary
best practices. NYSE audit committees are required to do considerably
more in their oversight since SOX, as shown in Exhibit 2. Audit
committees could improve their oversight by adopting at least
the responsibilities required for NYSE audit committees. Because
the tendency has been to do only what is required, perhaps Nasdaq
should consider instituting the NYSE requirements for Nasdaq-listed
companies’ audit committees.
committees need to acknowledge their responsibility for performing
required best practices. For example, reviewing and approving
related-party transactions was reported in less than 80% of the
charters. Given that this is a Nasdaq requirement, one should
expect to see all audit committees noting it as a responsibility.
This should be the case, too, for all of the required best practices.
results were mixed on external auditor oversight. The audit committees
in the sample achieved high marks in adopting sole responsibility
in hiring and replacing the auditors, preapproval of fees, and
approval of compensation. They are highly compliant with assuring
auditor independence. However, audit committees apparently do
not recognize the possibility that auditor independence will be
compromised if partners are not rotated every five years or if
auditors are hired without a cooling-off period. A further threat
to auditor independence is unresolved disagreements between management
and auditor. Although it is a SOX requirement, one-third of the
audit committees do not discuss and resolve auditor disagreements.
Without the audit committee willing to address disagreements,
undue pressure on the auditors might be applied.
suggest that audit committees communicate with their auditors
less than what may be necessary for effective oversight. Only
60% of the charters indicated that audit committees review the
auditors’ disclosures on accounting principles used (SOX
section 204), and only 48% reported discussing the quality and
appropriateness of accounting principles with the auditors. SOX
section 204 requires auditors to provide the audit committee with
alternate choices of principles and their own preference. Less
than one-quarter of the charters surveyed require the audit committee
to proactively ask the auditor if there had been any illegal acts
discovered. Not committing to these best practices is clearly
a deficiency in effective oversight.
indicate that some audit committees are being proactive. For example,
audit committees have voluntarily adopted reviewing and discussing
quarterly statements, and they meet separately with the auditors.
Nonetheless, audit committees can and should be doing more. For
example, the MD&A provides important information that an audit
committee can use in evaluating the financial statements, and
reviewing and discussing the MD&A with management and the
auditors (a NYSE requirement) should be a requirement for all
audit committees. This can easily be done when the annual and
quarterly statements are reviewed and discussed.
concern is that more than one-quarter of the charters failed to
mention internal audit. Only 74% of the charters reported that
the audit committee oversees the internal audit, and only 62%
reported having separate meetings with internal auditors. The
authors would support audit committees adopting new policies to
require internal auditors and to require audit committee oversight
of the internal auditors. The BRC recognized the importance of
internal audits to prevent fraud and to improve the quality of
financial reporting. Audit committees may want to take precautions
with internal auditors similar to those for external auditors
(e.g., check for independence, discuss and resolve disagreements
with management, and require a cooling-off period for staff).
believe that it is important for audit committees to evaluate
their own performance and report on whether they carried out the
charter requirements. This could be done annually when the charter
is reviewed. Audit committees could use this opportunity to consider
ways to improve their oversight.
audit committees should make sure they document all of their responsibilities
in the charters. Charters can serve as a reminder of what they
are expected to do and can serve as an important disclosure to
investors on the oversight the audit committee is committed to
K. Keinath, PhD, is an associate professor of accounting
in the school of business and economics of Indiana University Northwest,
Judith C. Walo, PhD, CPA, is a professor of accounting
in the school of business of Central Connecticut State University,
New Britain, Conn.