What Really Matters For Audit Committee Member Actions – Considering Updating & Publishing My Audit Committee Guide

I have been considering updating and publishing again my audit committee guide. The most recent publication was as a new chapter to the 2007 California Continuing Education of the Bar publication Advising and Defending Corporate Directors and Officers, which was an excellent publication with 17 chapters on the various topics. Unfortunately for whatever reason the sales were not sufficient and CEB later discontinued the publication. I have attached a copy of my initial 2007 chapter HERE.

A lot has changed from 2007 to now. And the materials that I cover in my blog have also changed considerably. But as I have been considering a possible update and the table of contents it strikes me how much of the material consists of lists of qualifications, issues and topic areas that an audit committee and its member are required to consider. And the list is growing as we speak. Considerable detail is being added as to how an audit committee member should evaluate the sufficiency of the external auditor – in other words, a deliberate evaluation where perhaps before in many cases there might not have been any significant evaluation. This will also change how the external auditor goes about performing the audit, the value that the external auditor might provide to helping the audit committee member perform his or her oversight duties, and somewhat the relationship between the audit committee members and the external auditor. On the whole I believe the change is good. But I have also written for some time that I have concern about the long list of issues and topic areas that an audit committee member is required to consider, and that all audit committee members really do need to understand what their duties are, including what is in the audit committee charter (e.g., if the charter says “risk management” that description is simply too broad – risk management of what?).

It strikes me, however, that at the end of the day, the performance of an audit committee member’s oversight responsibilities requires:

Audit committee member understanding and competency;

Agenda;

Timely and active diligence;

Putting in the time;

Reasonable reliance on competent other people (the CEO, the CFO, internal audit if there is one, the external auditor, culture, reputation and tone at the top, the accounting and financial reporting functions and professionals, legal counsel and others);

Sufficiency of information;

Deliberative decision making; and

Anticipation and thinking ahead.

In other words, we are primarily talking about the business judgment rule.

I’m not sure that I will put in the time to update the audit committee guide. If I had a crystal ball that decision would be easy – if the guide will be read and used by enough people, or if I could find a law firm that is interested in these topics, then it is worthwhile. If I do the update, most likely I will post the updated materials in blog posts and then add to the materials as they progress. That will get the materials out considerably earlier. I doubt that I will use a publisher – in addition to many published articles I have previously formally published two audit committee related materials. The process takes longer than I prefer. And, on my blog the materials also will be free and available to everyone.

Those are my thoughts this July 3, 2015, morning. More to follow on this.

Dave Tate, Esq. (San Francisco / California)


New Audit Committee Standard of Care – External Auditor Assessment Tool From NACD, NYSE Governance Services, Center for Audit Quality, and Others

Several influential organizations have issued the External Auditor Assessment Tool, A Reference for Audit Committees Worldwide. Here is a link to a PDF of the Tool: auditor_assessment_tool_worldwide.

The tool is presented by the NACD, NYSE Governance Services, the Center for Audit Quality, the Independent Directors Council, the Association of Audit Committee Members, and Tapestry Networks. And that is why, i.e., because of the stature of the presenting organizations, this document presents, or will come to present, a standard of care, i.e., a standard in the relevant community, for audit committees on the topics that the tool covers.

Every audit committee member of a public company needs to read, digest and understand this document (it’s not very long – basically 10 pages in length and large type font). On its face the document provides sample questions and issues for audit committees to discuss and consider when assessing their organization’s external auditor. But the document provides more – as you analyze the questions and issues, they present sample questions and issues that the external auditor needs to have satisfied and that the audit committee needs to oversee.

Consider for example the following sample questions:

1. Did the lead audit partner discuss the audit plan and how it addressed company/sector-specific areas of accounting and audit risk (including fraud risk) with the audit committee?  Well . . . did this occur and in what detail?

2. During the audit, did the auditor meet the agreed-upon performance criteria as reflected in the engagement letter and audit plan?  So . . . did the audit satisfy, for example, the applicable Statements on Auditing Standards?

3. In private sessions, did the auditor discuss sensitive issues candidly and professionally?

4. Did the auditor adequately discuss the quality of the company’s financial reporting, including the reasonableness of accounting estimates and judgments?

5. Were there any significant differences in views between management and the auditor?

6. Is the external auditor responsive and communicative (e.g., by soliciting input relative to business risks or issues that might impact the audit plan, identifying and resolving issues in a timely fashion, and adapting to changing risks quickly)?

7. Does the external auditor proactively identify opportunities and risks (e.g., by anticipating and providing insights and approaches for potential business issues, bringing appropriate expertise to bear, and by identifying meaningful alternatives and discussing their impacts)?

And the suggested questions and issues continue.

Although many of these suggested questions and issues already are covered in various Statements on Auditing Standards, how often do you hear Statements on Auditing Standards discussed in the context of audit committee responsibilities? They have been in my published materials for years (including for example, many audit committee guideline and evaluation discussion papers; Audit Committee Functions and Responsibilities, Chapter 5A for the California Continuing Education of the Bar publication, Advising and Defending Corporate Directors and Officers (October 2007); and Accounting and Its Legal Implications, A Guide for Managers, Business Owners, and Entrepreneurs (Irwin Professional Publishing, Business One 1994).

This audit committee assessment tool, presented by high-stature organizations, puts the spotlight on the topics that the document discusses.  Some people will think this is good, and some will think it is bad. Some people will believe that the document goes too far, and other people will identify the many questions and issues that it does not cover. Nevertheless, most of these questions and issues have already existed for years.

Dave Tate, Esq. (San Francisco/California), http://directorofficernews.com

California Nonprofit Board and Director Standards of Care

This blog post includes a video about California nonprofit board and director standards of care including discussions about the business judgment rule, the Nonprofit Integrity Act, risk management, audit committees, and board and committee self-evaluation. Below the video you will also find a link to my paper discussing those topics in detail. Please pass this blog post to everyone who would be interested in these materials. Thank you. Dave Tate, Esq. (San Francisco and California).

Click on the following link for the paper discussing California nonprofit board and director standards of care, Nonprofit Board and Director Standard of Care David Tate Esq 05252015

Social Security Risk Management – Congress and President Get a “D” and a NIST Tier 1 or 2 Rating

I’m going to rant a little in this “fun” post. Another week, another article about social security going broke, about tweaks to “fix” it by payroll tax increases, cutting benefits, taxing benefits, and/or raising the age to receive benefits. The following is another disheartening article about the doom of social security, about beginning in 2017 and thereafter new increases in the age to receive benefits, that even those reductions in benefits won’t “fix” social security, and that those increases originated way back in 1983.  For the article Click Here.  The point is, 1983 was over 30 years ago, and even before that it was known that social security was failing. The options are not good for anyone who has paid for social security for all of their working life, or even just for a significant number of years, for younger people (in their 20’s and 30’s) who are new or relatively new to the mandatory social security payment program, or for people who are somewhere in the middle (in their 40’s). I suspect that few people would voluntarily pay into such a system if they were allowed to vote on it today.

I don’t fault elected representatives who speak up and propose new fixes, because social security has to be fixed. It’s just that none of the options are good. I have already lost when you consider the amounts that my employers and I have paid into social security over my working life. And that was money year after year that could have been better used for many other things.

The President is the CEO of social security. Congress, the Senate and the House, are the Board of Directors. That means whomever is in office at the time, and in the case of the social security system, that means year after year, decade after decade. Let me just say that if social security were a company the CEO and the Board would all be fired, or the program would have been terminated or really fixed or altered decades ago.

Have you seen the NIST – National Institute of Standards and Technology – Framework for Improving Critical Infrastructure Cybersecurity? The Framework originated in 2014, as a U.S. Government recognized outline for risk management steps in cybersecurity. The following is an August 31, 2014, blog post discussing the Framework, Click Here. You will note that the Framework includes a Tier rating system for how developed an entity’s risk management system is, Tier 1 being the worst and Tier 4 being the best. Below I have copied and pasted the four Tiers. Based on the NIST Tier descriptions, I rate social security system design and risk management at Tier 1, or perhaps a Tier 2 rating. You give it your rating. Social security is not even close to the Tier 4 rating that it should have given that payments into social security are forced on people, the astronomical amount of money that is withheld and paid into the system each pay period, and how people really are entirely dependent on the honesty and integrity of the system’s operation, management and risk management, including the honesty and integrity of the President as CEO and Congress as the Board. Below are the NIST Tiers. Enjoy.

Dave Tate, Esq. (San Francisco/California).

NIST Tiers:

Tier 1: Partial (first and lowest level of risk management practices) – Risk management practices are not formalized. Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level. An organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed (second level of risk management practices) – Risk management practices are approved by management but may not be established as organization-wide policy. The organization knows its role in the larger ecosystem but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable (third level of risk management practices) – The organization’s risk management practices are formally approved and expressed as policy. There is an organization-wide approach to manage cybersecurity risk. The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.

Tier 4: Adaptive (fourth and highest level of risk management practices) – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks. The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

* * * * *

Audit Committee Self-Evaluation Form For Your Use

Audit committee self-evaluation form for your use, click on the following: Audit Committee Self-Evaluation Form David Tate Esq 10302014

Dave Tate, Esq. (San Francisco/California)

Lessons Learned from the Transition to COSO 2013

Protiviti has shared with us a useful Top 10 Lessons Learned from Implementing COSO 2013. I especially like this section: It is presumed that everyone understands that a top-down, risk-based approa…

Click on the following for the discussion: normanmarks.wordpress.com

A good COSO 2013 discussion from Norman and Protiviti.

Dave Tate, Esq. (San Francisco/California)

My other blog: trust, estate, conservatorship and elder abuse litigation, http://californiaestatetrust.com

Addressing Cybersecurity Oversight in Audit Committee Charters | JD Supra

Cybersecurity continues to emerge as a key risk that is attracting the attention of regulators and boards of directors. Companies take different approaches regarding how the board…

Click on the following link for the discussion: www.jdsupra.com

Click on the link, which contains a short JD Supra update from Wilmer Hale discussing KPMG’s 2015 Global Audit Committee Survey. The survey is long and contains useful information (over 80 pages). I am making this post because of the discussion about audit committees being given responsibility for cybersecurity oversight. That’s fine, but I suggest that the overall board still must be actively involved in this oversight, you need to be sure that the audit committee members are qualified and have the time to take on this area of oversight, and the audit committee members and other stakeholders should have a good understanding about just what the oversight involves and how the committee should go about that oversight.

As we all know, cybersecurity is an important area of oversight that can significantly affect all businesses. Enjoy.

Dave Tate, Esq. (San Francisco/California)

My other blog: trust, estate, conservatorship and elder abuse litigation, http://californiaestatetrust.com

SSARSs Clarity Project

The standard eliminates the need for the accountant to determine whether they’ve prepared financial statements by drawing a clear line between preparation and compilation.

Click on the following for the article: www.cpa2biz.com

Why is this important? Well . . . if you are an accountant who performs review and compilation services, it should be important to you. And if you are someone who depends on information and representations provided in reviews or compilations, it should be important to you, if you care to know whether a compilation or review provides you with any useful information. Speaking of the subject, I never hear anyone discussing whether a quarterly review for a public company provides any useful information. I believe that at least in theory they do, but, if not, then why continue with the expense? Dave Tate, Esq. (San Francisco)

My other blog: trust, estate, conservatorship and elder abuse litigation and administrations, http://californiaestatetrust.com