In recent years, audit committee members have seen the scope of their responsibilities expand in all directions—but none so much as in their oversight of ethics and compliance.

Considering that regulators “are on steroids in this new environment,” ethics and compliance issues are now critically important, says Timothy Lupfer, a director for Deloitte Consulting. “We’ve reached a point where things can be magnified very quickly, and a company’s brand can be impacted very significantly.”

To some extent, the information about compliance that audit committees received in past years was simply a reflection of the incomplete scope of their companies’ compliance functions, says Bobby Kipp, leader of the ethics and business conduct practice at PricewaterhouseCoopers. Prior to the 2000s, compliance programs were generally confined to a Code of Conduct, an ethics hotline, and maybe a few specific areas of corporate compliance for the highly regulated, Kipp says. Hardly any covered the “full universe of compliance risks” audit committees must monitor today.

There is no shortage of critics who say board directors still aren’t fulfilling their oversight role. Joseph Murphy, director of public policy for the Society of Corporate Compliance and Ethics, says directors aren’t making enough of an effort to discover what’s happening in their companies and aren’t asking the difficult questions. “They are simply not trying,” he says. “I’m sure there are exceptions, but exceptions are rare.”

Kipp is somewhat more forgiving. The U.S. Sentencing Guidelines explicitly state that boards need more training on ethics and compliance, but many companies confuse briefing the board on the ethics and compliance program with training the board on ethics and compliance, she says. “I’m still not convinced that most companies have taken that on in a truly meaningful and robust way,” Kipp says. “I think there’s some really interesting and unique ways where boards can be much better prepared and good board members,” she adds.

And who should lead that education effort? Enter the chief compliance officer, “who is the liaison between what’s happening with the company and the board,” Murphy says. The compliance officer should be reporting to the board personally about any criminal matters, and at least annually—but ideally, quarterly—on implementation and effectiveness of the compliance program, he says.

The audit committee should also ensure that the person discussing compliance matters with directors is the same person who runs the compliance program on a daily basis, Murphy says. “There’s something wrong if it’s the general counsel,” he says, since most can’t devote the time and attention needed to serve in the compliance officer role effectively.

Ethics Versus Compliance

Lupfer says audit committees also need to distinguish between ethics and compliance. He defines ethics as “the overall set of principles that should guide the behavior of everyone in the organization.” Compliance, he says, is the set of specific rules that are applied to specific actions. So while ethics and compliance are complementary, they are not identical—and audit committees should consider each in turn, Lupfer says.

Given that “regulators are on steroids in this new environment,” ethics and compliance issues are more important than ever. —Timothy Lupfer, Director, Deloitte Consulting

On ethics specifically, directors should be briefed on, say, the number of people reporting problems through the ethics hotline, and the sorts of issues those problems involve. When an ethics issue rises to the level of an investigation, committees must also know what steps the company is taking or what changes should be made as a result of the investigation’s findings, Lupfer says.

Kipp says audit committees should not focus so much on the numbers, but more on the key trends within the data, and how the company is responding to those trends. To oversee compliance functions, they should start with a risk assessment. In general, the audit committee “should get enough information—and the right information—to give them the confidence to know that the key risks are understood and managed properly in the company,” she says.

Audit committees should also deeply understand how the compliance function actually works, Lupfer says: what responsibilities business-unit leaders have, and what other responsibilities might be assigned to “process owners” further down the chain of command.

Audit committees in particular—and more generally, boards as a whole—should be trained to consider the ethics and compliance implications of all the company’s major business strategies and decisions, Kipp says. Occasional evaluations of the overall compliance program, either by internal audit or just by self-assessment of the compliance officer, are a good idea too.

“You can’t realistically expect board members to be experts on the detailed level of the company … but they should be getting the expertise to check on this stuff,” Murphy says.

Receiving accurate, useful information about the corporate culture is also critical. For example, does the audit committee hear what issues are raised in employee surveys? Another question that Lupfer likes: Are exit interviews collated and analyzed for any useful insights? “That’s an excellent source for understanding the impact of these types of programs,” he says.

BEST PRACTICES

The following are some best practices for audit committees provided by Timothy Lupfer, a director of Deloitte Consulting:

Audit committees should …

Clearly distinguish between ethics and compliance.

Focus not just on the numbers, but also on key trends.

Start by performing a compliance risk assessment.

Understand where the responsibilities are assigned within compliance, in terms of process owners and business unit leaders.

Perform periodic evaluations of the overall compliance program, either by an internal audit or a self-assessment by the compliance officer or a third party.

Take a look at compensation and rewards and goal-setting processes.

Get information about the corporate culture.

Recruit onto the audit committee a sitting compliance officer from another company.

Constructing a culture where workers believe their complaints are heard increases the chance that whistleblowers will step forward and alert management to problems, instead of first reporting them to regulators—which has been a growing fear among companies, given the proliferation of “bounty programs” that reward people for bringing their concerns to the government.

Murphy cites two sure ways to make employees go to a regulator. First, retaliate against the whistleblower who calls the company hotline. Second: “Ignore the call and don’t do anything.” Therefore, any time an employee raises a concern, let him or her know that the company has at least looked into the matter and taken appropriate action. It’s also wise to publicize disciplinary cases, especially where executives have been held accountable.

Murphy recommends one final best practice: Recruit a compliance officer from another company to serve on your audit committee. “They will know the questions to ask. They will know what a good program should include, and they can help inform the rest of the board,” he says. “There are plenty of well-qualified compliance officers out there, and just about none of them have been asked to do this.”