ABA Section of Business Law

Building a better audit committee

What they need, what they must do

Kessel is a partner at Shearman & Sterling in New York City.

The board of directors of the company you're advising has adopted golden parachutes and has taken other unpopular actions. In an attempt to deal with shareholder criticism, the company decides that enhancing the stature of its audit committee will send the right signal and seeks your advice in tapping someone to become a new director as well as chair its audit committee.

The new member must become fully conversant with the committee's duties and make certain that he or she and fellow directors know how to discharge them. But there is a tangled web of laws and regulations touching on the workings of this committee in particular.

To begin with the more obvious, there are securities laws, environmental laws, labor laws, antitrust laws, the Foreign Corrupt Practices Act and the Internal Revenue Code. Further complicating the oversight function of the audit committee, today's large, geographically dispersed business organizations are dependent on electronic information systems that have created enormous complexities and unprecedented challenges when it comes to monitoring corporate behavior.

Add to that the fact that the business environment is under increased scrutiny and business practices are more likely to be exposed to examination by outsiders, with prosecutors looking for headlines, whistleblowers looking for vengeance or bounty, journalists looking for corporate scalps en route to their Pulitzers, and shareholders and the ever-present plaintiff's counsel looking to recoup lost value.

Lately, heightened public scrutiny and the emphasis on the rights of shareholders have shed light on several lapses in oversight that have resulted in poor financial performance for several corporations. Take the troubled Sunbeam Corp., whose method of booking sales has been the focus of several shareholder suits. Sunbeam is primarily accused of failing to adequately disclose to its shareholders that it had engaged in "early buy" and "bill and hold" sales promotions with retailers in 1997. The promotions enabled Sunbeam to sell $50 million worth of seasonal items, namely barbecue grills, to retailers at bargain prices with the understanding that the merchandise would be delivered later. The shareholders contend that these promotions artificially boosted Sunbeam's sales in 1997. The SEC is also investigating various accounting irregularities, some of which may be attributable to the sales promotions. Sunbeam, in the meantime, is conducting its own investigation of its accounting practices.

Shareholders are becoming increasingly intolerant of questionable accounting practices and restated earnings and are beginning to hold audit committees responsible. Waste Management Inc. (before its acquisition by USA Waste Services Inc.), in an effort to retain its status as a Wall Street favorite, developed increasingly aggressive accounting methods to conceal its declining earnings. After an investigation of its accounting practices, Waste Management wrote off $3.5 billion. Shareholders have blamed the managers, auditors and the audit committee for failing to monitor the accounting practices.

Livent Inc., a theater production company, is also the subject of numerous shareholder class-action suits because of accounting problems that will likely result in millions of dollars in reported losses and the restatement of earnings for 1996, 1997 and the first quarter of 1998. The accounting irregularities alleged in the suits include inflating revenues, shifting expenses between reporting periods and productions, and keeping two sets of books. Both the Ontario Securities Commission and the SEC have launched investigations into the allegations.

The consequences of the failure of oversight can be disastrous, both for individual directors and the companies they serve. Even the most wary and well-intentioned director can lose his or her way in this maze of pitfalls and tiger traps. The actions of a single rogue executive or a small group of errant employees can severely cripple or even bring down a company. Is it any wonder, then, that a growing number of companies and directors have placed a renewed emphasis on oversight and compliance?

Directors who fail in their oversight duties are also being held personally accountable, and are incurring inestimable damage to their reputations. For example, the audit committee of Cendant Corp. released a report in August 1998 that found that its subsidiary, CUC International, improperly used funds allocated to cover the cost of the merger last December of CUC and HFS Inc. to form Cendant.

The committee report also cited the failure of the former chairman of CUC to set the proper "tone at the top" — by creating a corporate culture that was intolerant of inaccurate financial reporting, by establishing controls and procedures to catch such problems, and by keeping himself adequately abreast about the sources of the company's profits. Further, the report cited deceptive accounting methods that created approximately $500 million in fictional revenue over a three-year period by primarily inflating operating income, decreasing expenses and adjusting the balance sheet to show a greater cash balance than the company actually had.

These disclosures resulted in a steep drop in Cendant's share price and sparked a number of shareholder suits, which criticize the audit committee and corporate officers for not vigilantly following the corporation's practices and performance. Cendant is also the target of investigations by the U.S. attorney's office in New Jersey and the SEC. To ensure that these accounting improprieties would not occur in the future, Cendant's new chairman implemented an improved system of financial controls and the Cendant board selected a new audit committee.

It is well known that a properly functioning audit committee serves shareholder interests and that, acting as corporate watchdog, it can help companies avoid a host of problems. What is less well known is that the law places the committee in a front-line defensive position when it comes to protecting companies and boards against damaging lawsuits.

A Delaware Chancery Court decision recently drove home the point of the importance of high-level oversight. In a case involving Caremark International, shareholders sought recovery from directors for the $250 million paid by the company after pleading guilty to making illegal payments to doctors. The court concluded that directors could be shielded from liability if the board had taken active steps to ensure compliance with the legal requirements governing its operations. This included setting up an internal audit plan monitored by the audit committee, naming a senior executive as compliance officer and adopting a code of ethics. The Delaware decision stated that even though that mechanism ultimately failed to detect and prevent the wrongdoing, the directors were not liable, because they had made a good-faith effort to ensure the adequacy of their corporate reporting, control and information systems.

The U.S. Sentencing Guidelines likewise emphasize the importance of a preemptive, good-faith strategy for corporate oversight and compliance. The guidelines include provisions for organizations subject to federal criminal prosecution and cover penalties that are assessed against businesses if they are convicted of felonies and misdemeanors. These provisions make it extremely beneficial for a corporation to exercise due diligence in seeking to detect and prevent criminal activity within the corporation.

According to the guidelines, two factors influence the fines: the seriousness of the crime and the culpability of the company. On the other hand, two factors can mitigate a company's culpability: First, the company detects the offense and reports it to the authorities; and second, the company put an effective compliance program into place before the crime was committed. In fact, a proactive approach when dealing with the issue of adequate oversight by boards of directors, including the establishment of an effective audit committee, can be important in demonstrating the high-level oversight recommended by the guidelines.

How to ensure that an audit committee is functioning effectively and how best to direct its efforts are complicated tasks. The following procedures may prove helpful to companies seeking to improve their oversight and control functions.

The audit committee chairman should start by enlisting the assistance of the corporation's chief financial officer and general counsel. Outside consultants may be beneficial to survey the legal landscape, to add objectivity and to help identify benchmarks against which the audit committee can evaluate its performance. Inquiries at this stage should be designed around a series of basic questions:

• Does the board have the right people on the committee?

• What are their responsibilities?

• How do they fulfill those responsibilities?

• Do they have the resources to do the job?

• How is the committee performing?

The above issues should be examined in light of current law, standards and "best practices" of other companies similar in size and scope to your own. What should evolve from the team's effort is a comprehensive "Practice Guide," detailing what actions the audit committee should take to fulfill its responsibilities. The guide should not be a theoretical overview of responsibilities and actions, but a practical document, tailored to the company's specific needs.

When the guide is complete, the team should meet with the entire audit committee to review what the committee does in each practice area, and how it measures up to the standards. The chairman can then report on the process to the board of directors. As a practical matter, the end product of this process should be a detailed description of each action with which the audit committee is charged, an evaluation of the committee's performance and, most important, a list of follow-up steps to be taken by the committee to improve its effectiveness.

With a process like this in place, the audit committee, the CEO and other board members will have a much clearer idea of how — and where — best to employ the committee, how to improve its effectiveness, and how to address recent developments that have the potential to dramatically change the landscape for directors and audit committee members in particular.

The audit committee is first and foremost charged with the oversight of the company's financial reporting process and internal controls. It also serves as the primary communications link between the board, the company's independent auditors and the director of internal auditing. The audit committee should be composed solely of independent directors, with the size of the committee reflecting the complexity of the company and the responsibilities that are delegated to it. Typically, the committee has from three to five members.

It is highly recommended that at least some members have both experience and training in accounting practices and concepts. Other important qualifications include familiarity with the company's industry, as well as knowledge of the company's history, organization and operational policies.

Traditionally, the audit committee has been responsible for recommending which firm serves as the company's independent auditor and when to terminate that relationship. The committee's work with the independent auditors should encompass joint planning of the scope of the audit and joint review of the audit report and the accompanying management letter if one is determined necessary. In addition, the outside auditors should be able to help the audit committee evaluate the adequacy of internal accounting controls and personnel, and pinpoint areas of improvement in the corporation's accounting practices and internal controls.

In addition to working with the outside auditors, the committee must keep abreast of any important new pronouncements from the accounting profession and other regulatory bodies that may have an impact on the company's accounting policies. In proposed material acquisitions, it is the committee's job to determine whether any accounting or financial issues are raised. And it falls to the committee to consider whether special analytical work needs to be undertaken with respect to reserves to cover contingent obligations such as taxes, environmental liabilities, etc.

But all of the foregoing are not enough to ensure effectiveness if an audit committee's knowledge and training are out of date. Far too many compliance plans have been on "cruise control" for decades, even as the hazards companies face have increased exponentially. Today's committee must be thoroughly conversant with increasingly complex and constantly changing financial, tax, audit and accounting issues. The SEC recently advised that asking tough questions and conducting detailed discussions with management on a frequent basis are critical to improving the performance of audit committees. This may seem obvious enough, but when officers of a company throw up their hands in dismay and blame the company's derivatives fiasco on their bankers — then it's time for some serious self-examination in the board and committee rooms.

In the late 20th century, moreover, compliance and control have taken on meanings that extend far beyond the traditional "financial" preserve. As that territory grows, so too might the mandate of the audit committee. In compliance, for example, the audit committee (unless another committee is charged with the responsibility) should review the company's operations and determine whether management has established and maintains effective programs pertaining, to the extent relevant, to the following:

• antitrust laws and policies
• conflicts of interest
• sensitive payments and political contributions
• insider trading
• the use or misuse of corporate funds and confidential information
• environmental practices
• employment practices, including discrimination and sexual harassment.

Other areas where the audit committee is called on to stand in judgment include the review of management remuneration, especially perquisites, and the review of settlements, claims, litigation and lawsuits as they affect financial statements.

If entire new areas of oversight have opened up for the committee in the compliance arena, so too have they multiplied with respect to the control function, especially with regard to technology issues. The committee should carefully consider special investigations or regular reviews of the controls surrounding electronic data processing and computer security. As the importance of the information in computers grows, so do the unauthorized ways of getting at it. And so do the nasty consequences of not properly protecting it.

Another area in the computer realm that is demanding increased committee attention is disaster recovery. With the very real threats of both international and domestic terrorism, floods in the Midwest, ice storms in the North, earthquakes in California, and so on, it is entirely possible that a manager might suddenly have to announce that the company has lost its ability to do business for a couple of months or has missed out on a multi-billion dollar order because of a shutdown at some critical facility or juncture. The audit committee should satisfy itself that adequate disaster-recovery programs are in place with regard to the storage and retrieval of electronic information critical to the company's operations. The committee should also review the company's insurance programs to determine whether enough protection is in place for the business and its assets.

As if these duties weren't enough, the coming years promise to further complicate matters for the already burdened audit committee. In the years ahead, new issues and unprecedented challenges will conspire to keep the committee busy. In particular:

• The Year 2000: One of the most important and potentially damaging issues on the horizon as we approach the new millennium, is, quite literally, the 2000 problem. It is now widely known that for many corporations, the upcoming millennium change will pose important information-processing challenges. Recently, the SEC stated that the anticipated costs, problems and uncertainties linked to the millennium bug require appropriate disclosure in the relevant SEC filings. The accounting profession also considered the issue, and determined that these costs must be charged as expenses as they are incurred. Many auditors offer a variety of services to help their clients face the Y2K challenge. The SEC warned that in some cases, auditors' independence may be threatened as a result of the provision of such nonaudit services. In these cases, watchdog duty falls to the audit committee.

• Independence: With the creation of the Independence Standards Board, the SEC made clear its concerns about the increasing diversification in the accounting industry. Even if ultimately auditors bear most of the consequences, audit committees should be careful to determine whether, in light of the most recent developments in accounting standards, the amount of nonaudit services the company's auditors provide impairs their independence. With the growth of the multi-disciplinary professional services firms, in particular, there is a danger that the auditors, if they provide consulting or legal services in addition to auditing, may come to see themselves as business partners to the company and compromise their independence.

• Increased focus on derivatives: The SEC recently adopted new rules that clarify and expand existing disclosure requirements for derivative financial instruments. The amendments require enhanced disclosure of accounting policies for derivatives in the footnotes to financial statements. In addition, qualitative and quantitative information about market risk inherent in market risk-sensitive instruments must now be disclosed.

• Increased focus on aggressive accounting: The chairman of the SEC in September 1998 said that the agency will scrutinize aggressive accounting practices used by companies to enhance earnings. Among the more controversial accounting discussions he highlighted were the so-called "bag bath" restructuring charge; creative acquisition accounting related to writeoffs of research and development; "cookie jar" reserves that squirrel away accruals to be used in future periods; premature revenue recognition; and abuse of the "materiality" accounting standard to record errors under a defined-percentage ceiling.

These are but a few of today's pressing issues, and new issues will always spring up. Another complication is that since board duties have become so onerous, there is a shortage of good directors to choose from, with many qualified candidates simply refusing to serve. Further contributing to that reluctance is a concomitant increase in director liability. However, conscientious directors, if they do their jobs well, should have little to fear on the liability front. Given the pace of change, the audit committee should complete a rigorous self-assessment periodically to assist in this endeavor. This review should be discussed privately in committee and then reported to the full board of directors. A well-tailored self-assessment guide is an excellent tool for conducting the review, and will yield consistent and comparable data on a continuing basis.

Reactions to the Delaware decision in Caremark have ranged from jubilation in the boardroom to skepticism in shareholder circles that the court may be setting a low standard for directors and encouraging the creation of hollow and toothless compliance systems. Both are missing the larger point that the case is bringing a renewed spotlight to bear on compliance issues and standards.

Has the time come for a renewed emphasis on compliance and control? Just ask the former shareholders of Barings about how a firm with a net worth of approximately $500 million at the end of 1994 became insolvent by the end of February 1995 — before its 1994 annual financial statements were completed. The collapse resulted from the activities of one rogue derivatives trader in Singapore whose investments ultimately lost about $1.4 billion, which decimated Barings' capital and forced the firm to declare bankruptcy. This is a clear example that inadequate internal controls coupled with reliance on annual audits and reporting alone is a recipe for disaster.

Companies now have a weapon in their arsenal if they elect to use it. They can buy an extra degree of protection for board members and for the company through a judicious use of the audit committee. It will come as welcome news to all stakeholders in the corporation that a court has given companies a compelling reason to strengthen their compliance systems.