Added value or just box-ticking?

Undoubtedly, some companies will opt for form over substance and just tick the appropriate boxes.

However, audit committees at companies looking to implement sound governance strategies will have to take a hard look at how to respond to the new challenges.

In July, the Financial Reporting Council approved the new UK combined code on corporate governance, which will apply to all UK-listed companies in respect of financial years beginning on or after 1 November 2003.

For many UK companies, this means that they will need to comply with the code as from 1 January 2004. Together with the US Sarbanes-Oxley Act – which applies to about half the companies in the FTSE100 – it transforms the corporate governance regime for listed companies.

While the public debate has centred on the particular recommendations made by Derek Higgs, much less attention has been given to the impact of Sir Robert Smith’s report on audit committees.

Published at the same time as the Higgs review, it has been incorporated relatively unchanged into the new combined code.

In the introduction to his review, Smith stated that the new requirements would put the spotlight on audit committees and give them the authority they might otherwise lack.

He has also predicted that it will lead to a real upgrading in authority and transparency and will change the way boards work. In turn, this will lead to audit committees becoming a source of strength for the company.

Perhaps not surprisingly, the Smith requirements for audit committees are similar to those imposed by Sarbanes-Oxley. In some cases, the Smith requirements are more extensive.

In other cases, Sarbanes-Oxley imposes additional obligations. This is particularly true in relation to so-called section 404 reports and to a lesser extent in relation to ‘whistleblowing’ where audit committees have very specific responsibilities to establish procedures. Section 404 reports require management to evaluate and report on internal controls – innocuous-sounding perhaps, but with huge implications for the way in which controls are implemented and monitored and reported information is reviewed.

Sarbanes-Oxley is also prescriptive in specifically prohibiting external auditors from providing certain services, whereas in the UK the combined code simply requires audit committees to develop and implement a policy on such services, ‘taking into account relevant ethical guidance’. The relevant ethical guidelines allow scope for judgement in these areas.

The combined code specifically requires audit committees to monitor the integrity of financial statements, review internal financial controls and monitor and review the effectiveness of internal audit. Although less onerous than full compliance with Sarbanes-Oxley, this requires audit committees to take substantive steps.

Companies face a strategic choice similar to that faced by companies subject to Sarbanes-Oxley. Some companies are opting for implementation through a compliance-centred approach, leading to a ‘paper chase’ of forms, process-mapping, box-ticking and upward certifications.

Others are trying to reduce the cost of compliance by using it as an opportunity to improve the control environment through reinforcing a culture of communication and continuous improvement, establishing consistency of controls and enabling earlier resolution of problems. This usually involves regular discussions and upward reporting through minuted meetings, rather than through certification alone.

So what are the implications for audit committees? And how can they be used as a source of strength for the company? The best audit committees will be very close to meeting all the requirements of the combined code and Sarbanes-Oxley. However, for many it will require a steep change.

Public expectations have changed and audit committees need to ensure they have the time and resources to fulfil their new responsibilities properly. There can be few audit committees left like the one identified by a former SEC chairman, which convened only twice a year before a regular board meeting for 15 minutes and whose duties were limited to a perfunctory presentation.

In fact, it is becoming apparent that the minimum recommended in the combined code of three times per year is unlikely to be sufficient to enable full debate on the breadth of issues with the committee’s remit.

A more realistic minimum is four times per year, two of which are away from the pressures of reporting deadlines. Companies reporting quarterly will probably need six meetings.

It is perhaps worth drawing attention to two substantive changes arising from the combined code.

First, external auditors now formally report to the audit committee.

The audit committee is therefore responsible for oversight of both the external audit process and the preparation of the financial statements and related disclosures. This means they are both dependent on and responsible for the oversight of management reporting and the external auditors, creating a potential point of tension.

To manage this, an open and constructive dialogue between all parties both at and between audit committee meetings is essential. The audit committee also has an explicit obligation to evaluate annually the effectiveness of the external audit process.

As the SEC observes, an audit committee is not likely to be ‘equipped to self-advise on all accounting, financial reporting or legal matters’.

The combined code guidance also recommends that audit committees should be prepared to engage outside advisers where necessary.

Audit committees are understandably concerned about how to manage their new responsibilities. At the same time, as the chairman of one FTSE100 audit committee recently put it, ‘we need to get value for money from governance’.

Although some companies do have the resources to support audit committees in these new responsibilities, many will have to take additional steps, including following the code’s recommendation to take training and other external advice to ensure that they become and remain effective.

Those that do will be better placed to add value by engaging in substantive debate on major accounting issues, reviewing ways to strengthen internal audit and identifying ways in which to improve risk management.

John Morgan is a partner at Independent Audit Limited SMITH REPORT Sir Robert Smith’s report on the role of the audit committee entered into the code almost unchanged, but is no less significant for that. Its recommendations included: – An audit committee should contain no less than three non-execs with at least one of them possessing ‘recent and relevant financial experience’ – Committee should act independently from the executive board, its main duty being towards the shareholder – Responsibility goes to audit committees for recommending external auditors for appointment – Development and recommendation of policy relating to provision of non-audit services by the auditor should be handled by the committee – Role and actions of audit committee should be described in annual reports.

Related reading