Every Thursday, Compliance Week invites readers, pundits, academics, advertisers, governance gurus, and other GRC players into our office in Boston.
The conversations are informal, one-hour sessions from 9 a.m. to noon, which typically yield back-to-back-to-back sessions, separated only by coffee refills and bio breaks.
(You should schedule a briefing and come in, if you haven’t already. Just contact me at editor@complianceweek.com and I’ll send you our guidelines.)
Anyway, I learn a ton from those sessions.
Sometimes the meetings are purely promotional—an advertiser, for example, will come in to discuss a new product, or an industry association will present some survey results. And that’s fine, but I prefer the honest conversations that get us out of the “ivory tower” and into the trenches and the boardroom. The best sessions, of course, are the conversations we have with chief governance, risk, and compliance officers. Only then do we really hear the fun stuff, like how ineffective a certain board has been at addressing oversight of enterprise risk or how obstreperous an outside auditor has been at accepting what are clearly mitigating controls to perceived deficiencies. Unfortunately, most of those executives insist we keep the conversation off-the-record, but they are a great source of editorial ideas to pursue on any given week.
The Big-4 and Second-6 tier of accounting firms also visit us on a pretty regular basis, and our conversations with them are typically illuminating, as well. A few months ago, for example, we were joined by Kenneth Daly, a 30-year audit veteran who now runs KPMG’s Audit Committee Institute. The ACI, as it’s known by the boardroom cognescenti, gathers audit committee members and corporate directors in various forums to advance effective audit committee processes. Thousands of corporate directors—most of them at companies audited by one of the other Big 3—have attended these KPMG roundtables to discuss oversight of risk management, creation of sustainable compliance programs, audit committee fundamentals, and more.
During our conversation with Daly, he provided a wealth of information gathered from surveys that had quietly been conducted by the ACI. Among his findings: Audit committees are not satisfied with what they’re getting from management (uh, that’s you).
According to Daly, the thousands of audit committee members whom he’s met over the past few years have consistently complained about a few key annoyances. One of them is management’s propensity to FedEx an 800-page board book to the directors’ homes three days before an audit committee meeting. Another: Management’s failure to accurately communicate—or, in some cases, even identify—major risks to the enterprise. To wit: According to ACI survey data communicated to Compliance Week during their visit, about 20 percent of audit committee members were “not fully confident that the company’s chief audit executive (internal audit) would report controversial issues directly to the audit committee.”
About the same percentage of audit committee members were only “somewhat satisfied” or “not satisfied” with the interaction and support received from the company’s chief audit executive. In-house counsel, the corporate governance officer, and the corporate secretary didn’t fare much better: About 30 percent of audit committee members were not entirely satisfied with the interaction and support received from those positions.
The upshot is clear: There’s a lot that management can do to increase communication with the audit committee.
But a few weeks after our conversation with KPMG’s Ken Daly, we were visited by Anthony Zecca, the partner-in-charge of Cohn Consulting Group, a division of J.H. Cohn, the well-respected and rapidly expanding regional accounting and consulting firm based in Roseland, N.J. Tom Marino, the firm’s CEO, joined us by phone. According to Zecca, management isn’t the only cause of the communication breakdown—audit committees could do a better job, as well. Specifically, Zecca notes that many audit committee members don’t take the initiative in talking with management; in some cases, they don’t even know what questions to ask. In addition, they do not typically seek out data to help them stay informed about key business risks in real-time.
For example, says Zecca, an audit committee whose company’s gross margins waiver minimally from month to month should be getting real-time updates from the company’s financial systems, so that, for example, should margins jump four percent at an Italian subsidiary one month, the committee can know to ask why.
The same goes for regulatory risks, not just financial risks. For example, an audit committee could track the financial statement close process of business unit CFOs, so that if the CFO at our hypothetical Italian unit falls two weeks behind, the audit committee could be informed and react accordingly. After all, the accelerated filing deadlines for 10-Ks and 10-Qs are relatively unforgiving; most auditors consider inability to close the books on time a material weakness.
So, yes, management needs to do a better job communicating with audit committees about significant risks. But committee members also need to be more vigilant about requesting (and getting) key real-time metrics that will enable them to both oversee the financial reporting process and monitor key accounting and internal control policies.
Ironically, that actually points back to management: Executives need to identify the most useful metrics for the board, explain in plain English why they are crucial, and deploy the necessary “business intelligence tools” (God, I hate that phrase) to give audit committees a real-time snapshot of some of the company’s current risks.
It’s all about communication, and most agree that management can do better.
No comments yet