By George Williams, Director of Risk Advisory Services at BDO
Audit committees are an organisation’s primary resource for oversight of the financial reporting process, the audit process, the company’s system of internal controls and compliance with laws and regulations.
However, recent corporate failures, and some of the revelations emerging from the Zondo Commission of Inquiry, indicate a disconnect between audit committees and boards.
My field of specialty is the audit committee space, and it has been my privilege to sit in hundreds of audit committee meetings. While corporate risk is seldom as flagrant as the Zondo allegations, one can identify certain systemic flaws in the audit committee practice, which hamper these committees’ ability to perform their function.
COMPLEXITY AND VOLUME OF INFORMATION
One reason is the complexity of modern businesses. The volume of information that needs to be communicated to boards by the audit committees can be so great, that it becomes impractical. At times, board members can even battle to get their minds around the summaries.
The ideal process is for the chair of the audit committee to compile a synopsis of the information, highlighting significant risks and then send it through to the board for feedback. However, situations are increasingly occurring where significant risks raised at an audit committee aren’t elevated to the board.
One wonders if this may have happened at VBS Bank, at Steinhoff, and at other large organisations that have failed.
The question is how to strengthen the communication between audit committees and boards, so that risks identified by the committee can be effectively communicated to the board and timeously addressed.
A core issue lies in communicating with non-executive board members. Executives who sit on the audit committee will probably have a good idea of the goings-on within the company. However, non-executive directors are only there once a quarter – although they have the same fiduciary responsibilities as an executive director.
Some of the challenges in communicating risk between audit committee and board lie in the ability of non-executive directors to process and take on board the data they are presented with. Factors that prevent this are often relatively prosaic, though no less dangerous.
Directors may come to meetings ill prepared. They may lose concentration. Some may not have engaged with their board packs in advance of the meeting…
The reasons for this, in turn, may be systematic. If one hopes to have directors engage with the board pack, these should at least be sent out on time – a week or two ahead of the meeting at least.
Another systematic challenge is the sheer number of boards that certain directors serve on. It’s not unheard of for people to serve on more than ten boards, and I have met gentlemen who served 30.
This is pushing the boundaries of what an individual can realistically be able to apply their mind to.
Another issue is that non-executive board members tend to be chosen from the accounting profession. Typically, they are former partners from audit firms. This background equips them to engage brilliantly with the financials of a business, but they may have less understanding of the operational issues of a particular company – be it an insurance company, a bank, an engineering firm or a retailer.
RISKS NOT BEING MANAGED ADEQUATELY
However, the risks a company can face are just as likely to be operational as financial. The fact that non-executive board members are generally former auditors may make them less able, or less inclined to evaluate operational risks.
Today, many operational risks emerge from the information technology and digital realm. Again, auditor non-executives may not be ideally equipped to evaluate such risks, be they hacking, data-leakage or other cyber-security concerns.
It is recommended that boards find an optimal blend of skills that suits the operations of their company. An engineer non-executive for a construction firm. An actuary at an insurer.
During a board meeting, committee chairpersons are expected to present their report thoroughly. In practice, this doesn’t always happen, or because of time constraints, the report is presented verbally, which risks information being presented in incomplete form.
The sheer technical complexity of the information reported can be intimidating for auditors at the best of times. It can be even more so for board members. The upshot is that directors may simply not engage with the data, or fail to ask questions for fear of appearing to be out of their depth.
Tragically, it’s the non-executives for whom something doesn’t quite make sense, who are most likely to spot fraud or malpractice. They are meant to act as a counterweight to executive overreach. But by failing to challenge or interrogate, they are abrogating this responsibility.
Another practical issue is that typically the discussion of risk management comes at the end of a board meeting. Unfortunately, by then, meeting attendees are exhausted, and they spend a mere five minutes on risk. And risk should be the most crucial topic discussed.
The solution to these systemic challenges lies in organisations hiring competent and varied non-executive directors. Proper references should be solicited from other committees, as one would do with any senior hiring.
These days, bodies such as the Institute of Directors offer chartered-director and governance professional qualifications that provide the skills expected of the director and committee member. As uptake of these broadens, companies should consider making these qualifications a requirement for their directors.
A second tactic is that we should also look at how information is reported to these committees and in what format. Succinct, but accurate, summaries of information will ensure that material risks don’t slip though amidst a deluge of information.
A third, non-negotiable point is that there must be adequate preparation for these meetings. If directors are not prepared, they can’t ask the right questions. This may seem obvious, but there is certainly room for improvement in governance at committee and board level.
Upskilling and training of aspiring directors is a potential growth area for governance specialists, and an area that companies should look to address, in their own best interests.
Finally, directors should be held accountable for failures at the companies they govern. When we start to see prosecutions of directors following a corporate failure, perhaps we will also see directors begin to approach their responsibility with the seriousness it requires.