Audit Committee Responsibilities Disclosed Since Sarbanes-Oxley
By Annemarie K. Keinath and Judith C. Walo
JUNE 2008 - The
Sarbanes-Oxley Act of 2002 (SOX) significantly increased the authority
of audit committees in overseeing their companies’ financial
reporting processes. With audit committees assuming such a key
role, it is important to determine the extent to which audit committees
have complied by adopting these new requirements. In this climate
of increased oversight, it is equally important to determine if
audit committees have taken the initiative and adopted voluntary
best practices that go beyond those imposed by regulation or exchange
rules. Studies conducted before SOX suggest that audit committees
readily adopt required practices but are less inclined to voluntarily
adopt recommended, but not required, practices.
The Study
The authors
used an empirical approach to examine the audit committee practices
of the Nasdaq 100 companies as of August 2002. These are the 100
companies with the largest market capitalization listed on the
Nasdaq exchange. These are important companies that face significant
scrutiny from the investing community, and a high level of audit
committee oversight should be expected.
The authors
obtained proxy statements for each domestic Nasdaq 100 company,
both pre-SOX and post-SOX. (The authors
conducted a similar study after the passage of SOX; see “Audit
Committee Responsibilities” in the November 2004 CPA
Journal.) Two non-U.S. companies were exempt from filing
a proxy, three companies were bought out in the period, and two
companies merged (IDEC Pharmaceuticals bought Biogen, forming
Biogen Idec). This brought the final sample size, post-SOX, to
94 companies.
The authors
compiled a list of audit committee best practices, including required
and voluntary characteristics and responsibilities. Because the
sample was restricted to Nasdaq companies, only audit committee
practices required by the SEC or Nasdaq were considered “required.”
Other practices, including those required by the New York Stock
Exchange (NYSE) and the American Stock Exchange (AMEX), and recommendations
issued in 1999 by the Blue Ribbon Committee on Improving the Effectiveness
of Corporate Audit Committees (the BRC was formed in 1998 by NYSE
and the National Association of Securities Dealers), were considered
to be voluntary best practices and are labeled as such.
Pre-SOX audit
committee charters were obtained from proxies filed closest to,
but prior to, the enactment of SOX on July 30, 2002. For post-SOX
charters, audit committee charters found in proxies filed closest
to, but after July 30, 2002, were used. If a company did not file
its charters in its 2003 annual proxy statement, its website was
searched to obtain the charters. For pre-SOX data, the authors
used audit committee charters, as well as audit committee reports
and any other information reported in the company proxy. For post-SOX
data, only audit committee charters were used. The authors believe
that this is legitimate for this study, because audit committees
should have been aware of the importance placed on audit committee
oversight, and their post-SOX audit committee charters should
have fully reflected their assumed responsibilities.
Best Practices and Results
The authors
grouped audit committee best practices into six categories, then
further broke down each category into “required” and
“voluntary.” The results follow each category. Exhibit
1 shows the percentage of pre-SOX and post-SOX audit committees
in the sample that adopted “required” practices. Exhibit
2 shows the percentage of pre-SOX and post-SOX companies that
adopted “voluntary” audit committee practices in their
charters.
Oversee the Financial Reporting Process
Required.
Audit committees were required to review and discuss the annual
audited financial statements with management and the external
auditors pre-SOX. As would therefore be expected, the study showed
that almost all pre-SOX and post-SOX charters complied with these
requirements.
Voluntary.
It is surprising that the SEC does not require audit committees
to review or discuss financial reports beyond the annual financial
statements. NYSE requires audit committees to review annual and
quarterly statements, the Management Discussion and Analysis (MD&A),
the company’s earnings press releases, and the company’s
earnings guidance. SOX sections 302 and 906 require that both
the CEO and CFO certify that the financial statements are accurate
as part of a company’s annual and quarterly financial reporting.
Although there is no requirement that audit committees review
or discuss management’s certification, this is considered
“voluntary” because the certification is part of financial
reporting.
Post-SOX,
more than 90% of audit committees review and discuss quarterly
statements with management and the auditors. This is an improvement
over pre-SOX practice, when 84% reviewed them and 68% discussed
them with management and the auditors. More than 50% of the post-SOX
audit committees review and discuss the MD&A—a big improvement
over pre-SOX practice, when only 8% reviewed them and only 1%
discussed them. Reviewing earnings press releases has increased
dramatically to 64% post-SOX. Other oversight of financial reporting
has improved, with some (less than a majority, however) post-SOX
audit committees now reviewing earnings guidance, pro forma financial
data, and the CEO/CFO certification letters.
Monitor Control Processes
Required.
Monitoring internal controls directly affecting
the reliability of financial statements is generally understood
to be a function of audit committees. Nasdaq and AMEX require
audit committees to review and approve related-party transactions.
SOX section 301 directed the SEC to require audit committees to
“establish procedures” to handle complaints on “accounting,
internal accounting controls, or auditing matters” and to
provide confidentiality to employees who submit complaints.
Almost all
audit committees surveyed consider these important areas of their
oversight. The greatest change in responsibilities post-SOX was
the 96% compliance with the whistleblower requirement. In addition,
77% of post-SOX companies acknowledged responsibility for reviewing
and approving related-party transactions. Neither of these had
been required before SOX.
Voluntary.
Only NYSE requires audit committees to monitor compliance with
legal and regulatory requirements and to discuss with management
the company’s financial risk assessment and financial risk
management policies. A proactive audit committee should ensure
that the company’s risk is properly assessed and managed.
NYSE requires an internal audit function and mandates that audit
committees oversee that function. The BRC stressed the importance
of the internal audit function in the internal control process,
as well as its importance in assisting audit committees in monitoring
the adequacy of the internal control process.
NYSE, Nasdaq,
and AMEX require a code of ethics for all employees, although
they do not specify who should oversee compliance. The audit committee
would seem to be the logical choice to provide the oversight,
given that the code of ethics is part of a company’s system
of internal controls. SOX section 401 requires that annual and
quarterly reports disclose all material off–balance sheet
financing. Although audit committee oversight of off–balance
sheet financing is not required, audit committees should assume
this responsibility as part of their oversight of the financial
reporting process. SOX sections 302 and 906 require that the CEO
and CFO certify that disclosure controls are in place to ensure
information filed with the SEC is timely and properly reported.
Because this is also a part of the financial reporting process,
audit committees should monitor compliance. Finally, SOX section
404 requires that management annually submit a report on its assessment
of the effectiveness of the internal controls. The authors believe
that audit committees should ensure that the reports are consistent
with SEC requirements.
Although
these items are not required for audit committees in the sample,
the study shows that 70% or more of post-SOX audit committees
have taken responsibility to monitor risk management, ensure compliance
with legal/regulatory requirements, oversee compliance with ethical
codes, and oversee the internal audit function. Among the companies
surveyed, 40% or less review off–balance sheet financing,
monitor disclosure controls, and review management’s certification
letter.
Oversee Hiring and Performance of Independent Auditors
Required.
To improve auditor independence, SOX section 301 includes a requirement
that audit committees be solely responsible for all the aspects
relating to selecting, hiring, and replacing external auditors.
It also requires that external auditors report directly to the
audit committee. Prior to SOX, auditors were accountable to both
the board of directors and the audit committee. SOX section 202
requires audit committees to preapprove both audit and nonaudit
fees and services. SOX section 301 requires that compensation
to external auditors be approved by the audit committee. SOX section
203 requires that the audit lead partner (and concurring partner)
be rotated at least every five years; according to SEC regulations,
failure to do so results in the auditor not being independent.
SOX section 206 requires a one-year cooling-off period, in which
a former member of the audit team is prohibited from working for
the company as CEO, controller, CFO, or chief accounting officer.
In implementing this section, the SEC’s final rule went
beyond that required by SOX and included anyone with a financial
reporting oversight role; again, failure to do so results in the
auditor not being independent. Finally, the auditors must provide
a written statement on the auditors’ relationships with
the company to the audit committee. This is required by Nasdaq,
NYSE, and AMEX to assist audit committees in determining auditor
independence.
SOX section
301 requires that audit committees discuss and resolve disagreements
between management and external auditors. SOX section 204 requires
audit committees to receive a report from the auditors on critical
accounting policies, alternative principles, and written communications
between the auditors and management. This study shows that significant
changes have occurred post-SOX in the area of oversight of the
external auditors and the audit. These changes should have enhanced
auditor independence. Nevertheless, only 63% of the charters post-SOX
reflect that the auditor is accountable solely to the audit committee—a
significant change from pre-SOX practice that should be reflected
in all charters.
A great change
occurred in who hires the external auditor. Post-SOX, 91% of charters
report that the audit committee alone selects and replaces the
external auditors. Pre-SOX, 87% of the charters reported joint
responsibility between the audit committee and board. These findings
show a dramatic effect on audit committee responsibilities and
authority after SOX.
Great improvement
has occurred in preapproval of audit and nonaudit fees and services.
Post-SOX, 88% reported preapproving audit fees and services, with
93% preapproving nonaudit fees and services. Post-SOX, 94% of
the charters reported approving auditor compensation, a dramatic
increase from only 38% of audit committees that reported having
that responsibility pre-SOX.
Only 35%
of audit committees have assumed responsibility for ensuring that
the partner-rotation rule has been met, only 2% monitored the
one-year cooling-off period for hiring previous auditors, and
only 67% reported discussing and resolving disagreements between
management and auditors. All public companies are required to
comply with these provisions.
Perhaps the
greatest concern is the apparent inadequate communication with
auditors on accounting principles. Only 60% of the post-SOX charters
reported adopting responsibilities required under SOX section
204 to review auditors’ reports on accounting principles.
One should expect to see this responsibility on all the charters,
because this is required by SOX.
Voluntary.
Generally Accepted Auditing Standards (GAAS) require various communications
between the auditors and the audit committee. Although these are
requirements that must be met by the external auditors, the audit
committee should be proactive in its relationship with the auditors.
Auditors are required to communicate issues related to the audit
scope and plan to the audit committee, and 81% of the charters
report this as an audit committee requirement. A failure to communicate
on accounting principles (discussed above) is repeated in Exhibit
2, which shows that only 48% of charters require audit committees
to review quality and appropriateness of the accounting principles
with the auditors. SEC regulations section 10A(b) and GAAS require
that auditors inform the audit committee of any illegal acts they
found during the audit. Only 24% of the charters mention a requirement
to determine if the auditors found any illegal acts.
To facilitate
making the most effective external auditor hiring choice, an audit
committee should evaluate the auditor’s qualifications,
not just its independence. NYSE requires audit committees to review
reports on the external auditor’s quality controls in order
to determine if the auditor is qualified, and the authors advocate
such a policy as a voluntary best practice for Nasdaq-listed companies.
The study found that 62% of charters require audit committees
to check the auditing firm’s qualifications (i.e., quality-control
report), compared to only 2% pre-SOX.
Post-SOX,
57% of audit committees review rules for hiring former members
of the audit firm and 16% consider rotating the audit firm performing
the audit. Both of these tasks could improve auditor independence,
and an audit committee should consider adding these to its responsibilities.
Ensure Open Communication Between Management, Internal Auditors, and External Auditors
Voluntary.
NYSE requires audit committees to meet separately
with management, internal auditors, and independent auditors.
Separate meetings provide an opportunity for vital information
to be conveyed privately to the audit committee.
More than
50% of the audit committee charters surveyed require the committee
to meet separately with internal auditors, external auditors,
and management at least periodically, or as needed. Most of the
remaining charters show that audit committees meet separately
with management, internal auditors, or external auditors. Post-SOX,
76% of the audit committees in the study meet separately with
management, 62% meet separately with internal auditors, and 89%
meet separately with external auditors. Audit committees are more
likely to receive candid information in separate meetings, and
audit committees should do more to encourage separate meetings.
Composition
Required.
SOX section 301 requires that all audit committee
members be independent and that one member have accounting or
financial management expertise, with sections 406 and 407 requiring
that the name of the financial expert be disclosed. Nasdaq, NYSE,
and AMEX require that the committee have at least three members
and that all members be financially literate. The survey results
in this category indicate high compliance.
Voluntary.
With its changing responsibilities and new requirements
for financial statements, a proactive audit committee should make
educational opportunities available to members and encourage them
to participate. Audit committee members cannot effectively perform
their duties without the requisite knowledge in accounting and
auditing (i.e., either financial expert or financially literate).
Disappointingly,
only 6% of the charters in the survey indicated that educational
opportunities would be made available to audit committee members
to obtain and maintain their qualifications.
Other Responsibilities
Required.
Nasdaq, NYSE, and AMEX require audit committees to review their
charters annually and to consider any proposed changes at that
time. SOX section 301 requires that audit committees possess the
authority and funding to use outside experts in their investigations.
Finally, the SEC requires audit committees to prepare the report
filed in the company’s annual proxy.
Results show
high compliance in meeting these requirements. The largest change
between pre-SOX and post-SOX is in the ability to use outside
experts, with post-SOX compliance being 97%, compared to pre-SOX
compliance of only 66%. Only 54% of pre-SOX charters reported
their requirement to prepare the audit committee report for the
annual proxy, with 90% reporting it post-SOX. The authors believe
this is an example of audit committees increasing their documentation
in the charter, rather than increasing their actual responsibilities.
All (100%) of the pre-SOX proxies in the sample contained an audit
committee report. Therefore, 46% of the audit committees had a
report in the proxy but did not list the function in their charter.
Voluntary.
NYSE requires that audit committees perform an annual self-examination.
The BRC recommended that audit committees report annually on whether
the audit committee has fulfilled its responsibilities as listed
in the charter. This practice would serve to close any gap between
what the audit committee discloses as its assumed responsibilities
in its charter and the responsibilities it actually carried out.
Less than half of post-SOX audit committees report that they are
required to perform an annual self-evaluation, and only a small
minority said they must evaluate and report on an annual basis
whether they have fulfilled their charter requirements.
The BRC recommended
that audit committees be authorized to investigate any matter
related to their oversight of the financial reporting process.
Audit committees have increased authority post-SOX, such that
76% have the authority to investigate any matter (compared to
69% pre-SOX).
Implications and Recommendations
Improvements
in corporate governance have been mandated by SOX and the stock
exchanges. Audit committees have been the beneficiary of increased
authority and responsibilities that should make corporate governance
stronger. A close examination of audit committee charters indicates
significantly greater oversight over the financial reporting process
since the enactment of SOX.
The results
of this study are consistent with previous studies, in that audit
committees are more likely to adopt required rather than voluntary
best practices. NYSE audit committees are required to do considerably
more in their oversight since SOX, as shown in Exhibit 2. Audit
committees could improve their oversight by adopting at least
the responsibilities required for NYSE audit committees. Because
the tendency has been to do only what is required, perhaps Nasdaq
should consider instituting the NYSE requirements for Nasdaq-listed
companies’ audit committees.
More audit
committees need to acknowledge their responsibility for performing
required best practices. For example, reviewing and approving
related-party transactions was reported in less than 80% of the
charters. Given that this is a Nasdaq requirement, one should
expect to see all audit committees noting it as a responsibility.
This should be the case, too, for all of the required best practices.
The study
results were mixed on external auditor oversight. The audit committees
in the sample achieved high marks in adopting sole responsibility
in hiring and replacing the auditors, preapproval of fees, and
approval of compensation. They are highly compliant with assuring
auditor independence. However, audit committees apparently do
not recognize the possibility that auditor independence will be
compromised if partners are not rotated every five years or if
auditors are hired without a cooling-off period. A further threat
to auditor independence is unresolved disagreements between management
and auditor. Although it is a SOX requirement, one-third of the
audit committees do not discuss and resolve auditor disagreements.
Without the audit committee willing to address disagreements,
undue pressure on the auditors might be applied.
The results
suggest that audit committees communicate with their auditors
less than what may be necessary for effective oversight. Only
60% of the charters indicated that audit committees review the
auditors’ disclosures on accounting principles used (SOX
section 204), and only 48% reported discussing the quality and
appropriateness of accounting principles with the auditors. SOX
section 204 requires auditors to provide the audit committee with
alternate choices of principles and their own preference. Less
than one-quarter of the charters surveyed require the audit committee
to proactively ask the auditor if there had been any illegal acts
discovered. Not committing to these best practices is clearly
a deficiency in effective oversight.
The results
indicate that some audit committees are being proactive. For example,
audit committees have voluntarily adopted reviewing and discussing
quarterly statements, and they meet separately with the auditors.
Nonetheless, audit committees can and should be doing more. For
example, the MD&A provides important information that an audit
committee can use in evaluating the financial statements, and
reviewing and discussing the MD&A with management and the
auditors (a NYSE requirement) should be a requirement for all
audit committees. This can easily be done when the annual and
quarterly statements are reviewed and discussed.
Of particular
concern is that more than one-quarter of the charters failed to
mention internal audit. Only 74% of the charters reported that
the audit committee oversees the internal audit, and only 62%
reported having separate meetings with internal auditors. The
authors would support audit committees adopting new policies to
require internal auditors and to require audit committee oversight
of the internal auditors. The BRC recognized the importance of
internal audits to prevent fraud and to improve the quality of
financial reporting. Audit committees may want to take precautions
with internal auditors similar to those for external auditors
(e.g., check for independence, discuss and resolve disagreements
with management, and require a cooling-off period for staff).
The authors
believe that it is important for audit committees to evaluate
their own performance and report on whether they carried out the
charter requirements. This could be done annually when the charter
is reviewed. Audit committees could use this opportunity to consider
ways to improve their oversight.
Finally,
audit committees should make sure they document all of their responsibilities
in the charters. Charters can serve as a reminder of what they
are expected to do and can serve as an important disclosure to
investors on the oversight the audit committee is committed to
perform.
Annemarie
K. Keinath, PhD, is an associate professor of accounting
in the school of business and economics of Indiana University Northwest,
Gary, Ind.
Judith C. Walo, PhD, CPA, is a professor of accounting
in the school of business of Central Connecticut State University,
New Britain, Conn.