Sunday March 21, 2010
Home > Articles & Research > Accounting & Audit > Gumshoes in the Boardroom

Gumshoes in the Boardroom

Audit committees aren’t just about auditing
anymore. Today, they have responsibilities
that go far beyond review and acceptance of
the company’s financial disclosures. Audit
committees play an increasingly important
role during crisis situations—particularly
those that involve allegations of fraud.

October 1, 2008 by Richard H. Girgenti
Share ...
  • email
  • Google Bookmarks
  • Facebook
  • Twitter
  • Digg
  • LinkedIn
  • RSS
Print Print

Audit committees aren’t just about auditing anymore. Today, they have responsibilities that go far beyond review and acceptance of the company’s financial disclosures. Audit committees play an increasingly important role during crisis situations—particularly those that involve allegations of fraud. Having the responsibility for dealing with allegations of misconduct or other illegal acts is one matter; understanding what must be done when a crisis arises is another.

Among a committee’s most important responsibilities in the post-Sarbanes-Oxley era is handling allegations regarding improprieties or irregularities with accounting, internal accounting controls over financial reporting, or auditing matters. The audit committee’s additional responsibility is to establish a process to accept confidential submission of employee concerns about questionable accounting or auditing matters —the so-called whistleblower hotline. These areas can be particularly tricky for directors. While every allegation should be taken seriously, numerous unsubstantiated claims are par for the course, making the job even more difficult.

  • Audit committees will face numerous questions related to improper corporate behavior, including but not limited to:
  • Allegations of illegal acts, such as cooking the books through improper accounting or misappropriation of assets.
  • Allegations raising concerns about the integrity of members of senior management.
  • Events or circumstances, if publicly known, that could potentially cause damage to the organization’s or brand’s reputation.
  • Questions regarding the organization’s solvency or liquidity, and whether it can continue to function as a going concern.

Among the most challenging circumstances an audit committee may face are an allegation of an illegal act brought against the company as an entity itself, or individually against members of senior management.

Examples of illegal acts include fraudulent financial reporting through improper accounting, improper or intentionally inadequate disclosures, and violations of corruption and bribery laws—including the U.S. Foreign Corrupt Practices Act (FCPA). In a down economy, concerns over fraudulent reporting generally increase. FCPA cases have been on the rise for the last few years.

An Ounce of Prevention

An audit committee can play a key role in mitigating potential crises due to allegations of illegal acts by requiring the appropriate “tone at the top” from senior management. It can also act as an overseer of management’s efforts to design, implement, and evaluate a system of internal controls over financial reporting, as well as an integrated anti-fraud program to prevent, detect, and respond to allegations or instances of fraud or misconduct. Such an integrated anti-fraud program may include a code of conduct, a fraud risk assessment, training for employees, and process-specific preventative controls. In addition to the preventative elements, an effective antifraud program usually has complementary detective elements designed to uncover fraud and misconduct when they occur. Examples of these detective elements include:

  • Channels that accept anonymous complaints or allegations of fraud, misconduct, or illegal acts. These are referred to as “whistleblower hotlines,” but the reporting mechanisms are not necessarily limited to call-in telephone numbers.
  • Auditing activities (an evaluation of past events) and monitoring activities (an evaluation conducted in real time) tailored to the nature and degree of risk involved, with higher-risk issues receiving priority scrutiny.
  • Proactive data analysis that uses sophisticated analytical tests, computer-based cross-matching, and non-obvious relationship identification to highlight potential wrongdoing.

Practically speaking, no audit committee maintains day-to-day oversight of the operations of its company. That job belongs to management. There are means, however, by which audit committees can enhance the effectiveness of existing detective controls by being actively engaged in their oversight responsibilities.

A well-prepared audit committee could have a pre-approved response plan or protocol for addressing allegations of fraud and could obtain and review periodic activity reports of anonymous reporting channels for misconduct. In addition, by maintaining direct lines of communication with multiple members of senior management, the audit committee ensures that it will not rely on any one source for information about important management issues.

Other recommendations include conducting executive sessions with external and internal auditors or general counsel to seek advice and guidance or to solicit candid feedback on management’s actions, and obtaining and reviewing the results of detective programs, such as continuous auditing or other procedures that may identify management override of controls.

Mapping a Response

Just like a highway map may not provide turn-by-turn driving directions that a detailed street map would, a response plan may not give the audit committee complete guidance on how to address every type of allegation. A good response plan will, however, keep the audit committee focused toward the general direction of resolution and will highlight key decision points along the way. Audit committees should consider having a well-thought-out plan in advance so they don’t need to scramble the first time a serious allegation surfaces. Examples of the key decision points to be addressed when handling such allegations include:

  • Who is responsible for assessing if the allegation is credible? n Who is responsible for deciding whether an investigation is warranted? What criteria does this party use when making this decision?
  • Who will investigate the allegation? What are the roles of various departments, such as internal audit, human resources, general counsel, finance and accounting, and operations? Do these roles vary depending on the nature of the allegation or the parties potentially implicated?
  • If no investigation is warranted, what documentation and support will be prepared to support this conclusion? n Under what circumstances is the audit committee notified immediately?
  • What degree of oversight should the audit committee exert over the investigation? Are there situations where the audit committee should directly supervise an investigation instead of management?
  • What powers does the audit committee have to engage external advisors or additional legal counsel?

Depending on the nature of the allegation and the results of the investigation, what notifications or disclosures need to be made to auditors, analysts, media, regulatory bodies, stock exchanges, law enforcement, shareholders, or the general public?

Overseeing/Monitoring Investigations

Whether the audit committee takes direct responsibility for overseeing an investigation or actively monitors the investigation of allegations of fraud, misconduct, or other illegal acts, there are some basic steps to consider.

  • Time is of the essence. External parties such as auditors or regulators can be extremely critical if an allegation is not dealt with in what they consider to be a timely manner.
  • Select an appropriate law firm and partner. The audit committee may feel more comfortable hiring an external party, generally an independent law firm, to conduct the investigation, instead of having it conducted internally or by regular corporate counsel. In this situation, the audit committee usually selects and retains the law firm. When making this selection, audit committees generally consider such factors as the amount of prior work the candidate firm has done for the company and the prospective work that will be done in the future. Large amounts of prior or future work may create an appearance of a lack of independence, even though there may be no conflict of interest. Audit committees should realize that their selection of a law firm will be scrutinized by interested parties such as external auditors, regulators, or the state or federal law enforcement.
  • Consider the use of forensic accountants. For particular types of allegations that are related to the areas of fraudulent financial reporting, misappropriation of assets, corruption and bribery, or money laundering, the audit committee, in consultation with its counsel, will usually consider augmenting the legal team with forensic accountants who have specialized skills in financial analysis, account or transaction reconstruction, asset tracing, or electronic data mining.
  • Ensure the cooperation of management and employees. Since the investigative team, whether it is internal or external, is operating without subpoena power, its success in uncovering facts is dependent on the cooperation of management and employees in providing information and data. The audit committee should realize that some individuals in the company may be reluctant to cooperate with the investigative team because they may fear retaliation. As a result, the audit committee needs to be sure that management communicates to all employees that their full cooperation with the investigative team is expected and that instances of non-cooperation will be reported by the investigative team to senior management as well as to the audit committee.
  • Limit information flow to those who need to know. The audit committee should inform management that the investigative team will exercise prudence and discretion about the amount of information it releases until such time as all investigative procedures have been concluded and all facts have been carefully considered.
  • Keep the lines of communication open with external auditors. There is a saying that bad news doesn’t get better with age. Your external auditors would probably agree. Auditors have specific professional responsibilities they must adhere to when they become aware of allegations of illegal acts. Even though you may be tempted to hold off communicating or involving your auditors until you feel you fully understand the situation, it is advisable to let your auditors know if an allegation has been made.
  • Be sure you understand the issues of attorney/client privilege. Documentation and communication to and from the investigative team may be covered by attorneyclient privilege. However, there may be questions or requests by parties in the investigation such as external auditors, regulators, or law enforcement to waive such privilege.
  • Decide whether to request an oral or written report. If the audit committee is the recipient of the investigative report, it should consider if it would like to receive a written report or an oral report. The benefits of a written report are that the findings are memorialized in writing. An oral report is sometimes requested over a written report for cost or discovery concerns. The drawback to an oral report is that the content of the report is limited to people in the room and subsequent recall by attendees may not mirror content and findings of the original report.
  • Discuss remediation options. When considering the outcome or facts uncovered in an investigation, an audit committee should also consider remediation steps that have been proposed. Are the proposed steps adequate to prevent something like it from happening again? Have the implicated parties been appropriately disciplined?
  • Determine disclosure details. The last consideration the audit committee usually addresses is what to disclose to regulators, company personnel, investors, the media, or other interested stakeholders. Often, audit committees consult with their external disclosure counsel and auditors to evaluate what disclosures are appropriate.

Leave a Reply