4 keys to a strong and effective audit committee
By Cody Bess, Functional Consultant, Arbela Technologies
A company's SOX committee, or audit committee as the SEC and the Sarbanes-Oxley Act call it, starts as a sound idea but can easily grow into a sprawling mess and an expensive corporate burden. Four practices keep it effective.
Define each role and establish ownership.
When the audit committee is established, the company needs to define the roles required to accomplish the objectives set out in SOX. These should be detailed in the audit committee charter, which defines each role from the audit committee chairman down to alternates/deputies and the extended, non-committee roles.
A good rule of thumb is to include only roles for which you can make a strong case; otherwise you invite scope creep and unnecessary layers of approval. Each member's final responsibility should be spelled out in the charter (that is, the compliance areas for which that member is the final authority). The charter should also name the external audit firm, an alternate to it, and the internal audit firm.
Tap a financial expert.
In practice, most of the people on the committee will be board members or board appointees. Under Section 301 of the Sarbanes-Oxley Act of 2002, every audit committee member must be an independent member of the board, and the NYSE and Nasdaq listing standards additionally require at least three members. They may be appointed for different reasons, but the group must be advised by a "true" financial expert; Section 407 of the Act requires the company to disclose whether at least one member qualifies as an audit committee financial expert and, if not, why not. Whether this person (or group) holds a CPA, a CFA, or neither, a solid track record in forensic accounting, securities analysis and securities law, ledger design and bookkeeping, or audit must be evident for the expert to succeed on the committee. The financial expert should work to keep the committee as financially literate as possible, pushing for the appointment of financially minded board members and informing the board of new regulation that affects the committee's objective. The board members on the committee should already bring enough operations and management experience to provide a practical counterweight to the financial expert.
Keep the group small.
Beyond the required membership of the audit committee, many stakeholders may be involved in compliance and risk management, and not all of them need to be "in the weeds" of day-to-day activities. If they do not need to be involved, do not involve them. Everyone who works with the audit committee needs to understand that it is a position of trust: the company's profit-making enterprise is entrusted to the committee and its extended team.
Do not be afraid to rotate out extended members of the audit team, such as accountants, risk managers, and IT administrators, and to revoke their authorities in the internal audit group when you do. This keeps the group small, controlled, flexible, and streamlined. Otherwise, internal controls can be rendered useless because too many people hold the "keys to the castle." This applies especially to contractors, who may retain IT permissions well after their work is complete; removing their access should be part of closing out their engagement, not an afterthought.
Establish codified controls that are easy to follow.
Once these basics are in place, it is up to the audit committee to issue guidance to the extended team for creating business controls and IT controls, which, incidentally, need not be kept separate. The extended team can develop these internal controls, and they should be reasonable to enforce. If they are not reasonable and written in plain language, most of the company will not follow them; it is as simple as that. It can be useful to draw on control lists from "Big Four" templates or from other companies, but the control list your firm adopts must fit your company's own process flows. Extra or outdated controls should be removed from the active list and marked inactive, or retained only as a deprecated version, so they do not cause confusion.