Strained audit committee agendas are a growing concern of the corporate governance community. In addition to the already weighty oversight responsibilities over financial reporting, internal controls, and the qualification and independence of a company's independent auditor, audit committees are increasingly tasked with taking a larger role in corporate risk management. Nasdaq asked Angela Brock-Kyle, an experienced risk and governance consultant and audit committee veteran, to share her insights on this topic. She described the warning signs of potential audit committee overload and outlined strategies to mitigate it.
Q: Are audit committees overloaded and if so, what is causing this trend?
A: Yes, some audit committees are overloaded and overwhelmed, but the causes depend on the particular situation.
One factor causing this trend is that audit committees are often viewed as the natural place for boards to move items that are new or of concern, whether from a risk perspective or understanding a new regulation. That practice may be driven by the fact that boards often rely on the audit committee to be a "committee of experts" that can quickly slice and dice to get to the core of new issues and come back with either a plan of attack or some reassurance that things are well in hand.
Another factor is that business changes seem to, immediately or long term, drive new issues toward the audit committee. As companies grow and evolve, they offer new products or new services, enter new geographic regions, or they begin dealing with new suppliers. In addition, the paradigm shifts that all companies are dealing with, for example in the technology space, means boards must examine cyber risk, understand big data, and become familiar with any number of other technology-related issues.
Like many organizations, audit committees in and of themselves are subject to inertia. If you compare what was on their docket five years ago to their agenda today, they may not have made necessary changes to the pace of meetings or the intervals between meetings, or taken a "white board" approach to thinking about how to do things differently or what other resources might be brought to bear on the situation.
Q: What are some red flags that an audit committee may be overtaxed?
A: A number of signs may indicate that an audit committee is struggling to address the scope of its assigned workload in the proper level of detail:
- Meetings that are consistently rushed, because a committee is still allocating the same hour or 90 minutes to cover double the number of topics that were covered before.
- Board books that are edited right up to the start of the meeting or sometimes during the meeting. Although that can happen from time to time, it shouldn't happen at all. If there isn't predictability, deadlines and order to the process of updating board books in advance of meetings, that is one indication of being overwhelmed.
- Too many one-off or sidebar conversations, where some audit committee members are muttering amongst themselves or reaching out to the audit chair to express concerns that issues aren't being handled properly because there isn't enough time during the meeting.
- A board assessment result that indicates board members aren't confident the audit committee is doing its job properly.
- Lack of a structured board refreshment process to identify who should be on the audit committee and what skills and knowledge they bring to the table.
- No time or effort to access expertise outside of the company, either for director education or industry education.
Q: What strategies can the board implement to effectively manage a robust audit committee agenda?
A: Start with a clean perspective. Don't rely on the way the committee has done things in the past: focus instead on what needs to be done, what issues the audit committee should be handling and how they should handle them. Look across that broad landscape to develop strategies to ensure the audit committee is effective.
In my experience, there are several strategies that work well:
Delegate work to other board committees or audit subcommittees.
A good first step is to examine the audit committee "kitchen sink" and talk through whether all agenda items properly belong there. Some items may belong under the purview of another committee, or a subcommittee should be convened to better handle certain topics. Subcommittees are an effective way to compartmentalize issues and have a subset of the audit committee work on problem A, and a different subset of the committee work on issue B.
"Right size" the audit committee meeting schedule.
It's critical to look at the calendar to ensure there are enough official audit committee meetings scheduled to support the audit agenda and any special situations that arise. The committee can also consider scheduling more meetings between the official board meetings, with relevant experts. For example, if there's a technology issue that's arisen and you don't have that expertise on your audit committee—which is a regular occurrence these days—there should be room in the meeting schedule to tap outside resources that can help the committee understand those issues or bring things back online without over-burdening the agenda.
Tap outside expertise to fill in knowledge gaps and triage agenda items.
Many corporate boards view themselves as being time constrained and don't reach out to a wider than normal array of resources (both inside and outside the company) to get a holistic perspective of how the company is doing. Taking the time to gain additional insights helps the audit committee to focus meeting time on the right topics for the right amount of time.
Although there may be ten different issues on the agenda, they should not all receive the same weight or attention. And some of them can drop off for a while, and then come back. For example, there are often issues a board may think are critically important, but once they get outside information on those topics, they realize they have it better covered than they thought. Or, they become aware of other simmering issues. I've had more of the latter experiences, where with the help of outside resources we identified issues that had not fully developed and nipped them in the bud.
Building time into the calendar for regular engagements with experts inside the company, like the CFO, internal audit, the CRO, the CISO, and other folks who have important perspectives frequently proves as helpful as meetings with outside experts like external auditors.
Be flexible on the spot to fully accommodate agenda items.
I once participated in an audit committee meeting that had a crowded agenda and a new audit committee member. That meeting absorbed not just the time that was allocated to the audit committee, but also the time that was allocated to the board meeting immediately following. While it took much more time than expected, after the meeting a few committee members expressed that it was one of the best audit committee meetings that they had participated in. When it's possible, an on-the-spot extension of a meeting time to sufficiently cover a crowded agenda helps ensure committee members are satisfied that critical issues are well in hand.
Q: Is the audit committee the right place for risk management?
A: No, I don't believe that the audit committee is the right place for risk concerns to land, unless they are related to the audit process. While the audit committee can handle certain risk issues, enterprise risk is a subject that everyone on the board needs to engage in and share their perspectives. There are three topics that the entire board owns: dealing with the CEO and compensation issues, strategy, and risk management.
A collective effort should be made by the board to gather information from many resources (inside and outside the company), to engage with accounting firms and law firms, to read about all sorts of governance issues and current events. They should position themselves to understand, at a minimum, as much about the company as the CEO understands. Then board members can lift their heads above the treetops and survey the landscape from that perspective to get a sense of the range of risks, and put their heads together as an entire group (not a subset!) to strategize how to address and mitigate those risks.
Angela Brock-Kyle is founder and CEO of B.O.A.R.D.S., a privately held governance, strategy and risk advisory firm. In addition, Angela sits on public and non-profit boards. She serves as audit chair and member of the nominating and governance committees of Infinity Property and Casualty Corporation (NASDAQ: IPCC); a trustee of Guggenheim's Rydex Funds on the audit, governance and risk and compliance committees; a trustee of the YMCA Retirement Fund on the investment and compensation committees; and formerly served on the audit committee of the United Way. Angela enjoyed a 25-year career with TIAA, where she served as a senior leader in the asset management and risk management organizations.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.