Sarah Johnson, CFO Magazine
September 1, 2010
Audit committees have expanded their scope, and new rules may force them to broaden it even further.
Audit committees used to press veteran CFO Christine Russell on why her cash investments weren't earning higher yields. Now, after witnessing liquidity freezes in once-safe havens like auction-rate securities, they are less concerned with making money than with hanging on to it.
Scrutinizing a routine cash-management issue is just one of the new items on top of audit committees' agendas these days. As companies across all industries reassess their risk appetites, their audit committees are conducting similar self-evaluations — and often reordering the priorities they deem worthy of their worry.
That has resulted in broader mandates, more discretion in agenda-setting, and many more questions for company executives, particularly CFOs. Certainly audit committees still have to pay attention to compliance and other tasks related to Sarbanes-Oxley, but "the emphasis has changed to strategy, operations, and managing financial risk," says Ed Thompson, former CFO of Amdahl who chairs four audit committees, including those at ShoreTel and InnoPath Software.
Finance executives should expect to hear from audit-committee members more frequently and answer more-probing questions. Many already do. "There's been a shift, and audit committees have had to become more proactive," says Ed Terino, a former finance chief who heads three audit committees, including that of Phoenix Technologies. He says he often speaks weekly with the CFOs of those companies.
Somewhat surprisingly, what's not high on the new list is heightened concern about financial-statement fraud, which was the big hot-button issue following the last crisis. For the most part, in fact, "the number of financial-reporting failures has been relatively small given the magnitude of the latest downturn," says Joseph Carcello, an accounting professor at the University of Tennessee.
What has risen to the top of the priority list for many audit-committee members is monitoring the safety of cash investments, thanks to lessons learned from such events as Lehman Brothers's rapid demise, the freeze-up in the commercial-paper market, and lack of confidence in credit ratings. "Audit committees are taking more seriously the types of investments their companies are allowed to make with their cash," says Russell, who is CFO of Evans Analytical Group, which runs a
network of laboratories, and chairs the audit committee for semiconductor company QuickLogic.
Likewise, the financial crisis and its accompanying controversy surrounding banks' "fair-value" valuations of assets such as mortgage-backed securities, plus accounting-standard-setters' attention to the matter, have forced audit committees to ask more questions surrounding nonfinancial companies' valuations of their securities. These estimates "involve tremendous judgment, and they're hard to do well," Carcello says.
Audit committees have also become a prime source of risk-management oversight, in ways that go far beyond the direct risk to financial statements. Nearly two-thirds of audit committees are now responsible for some type of risk oversight; of those, 36% now track strategic and emerging risks, double last year's number, according to a recent survey of executives by the American Institute of Certified Public Accountants and North Carolina State University.
Piling It On
While it is still rare to see companies give audit committees primary responsibility for overseeing their enterprise's overall risks, a new Securities and Exchange Commission rule requiring companies to explain their board's role in overseeing risk has prompted some companies "to delegate this role to the audit committee in order to avoid embarrassing disclosure that they didn't have a risk oversight role in place," says Frederick Lipman, a partner at Blank Rome and president of the
Association of Audit Committee Members.
This change doesn't sit well with more–traditionally minded audit-committee members, who believe oversight of enterprise risk management should rest with the full board. J. Michael Cook, former CEO of Deloitte & Touche who chairs Comcast's audit committee, believes audit committees' oversight of risk should stay focused on the possible issuance of inaccurate or misleading financial statements, rather than general operational risks. "There's been some confusion about the role of audit
committees that is still being sorted out," he says.
That task will not be simple, given that it's getting harder to draw distinctions between general business risks and those that may hit the financial statement, particularly as the SEC asks for more disclosures about previously private corporate decisions. Some audit committees, for example, have been asked to weigh in on corporate pay practices, following new SEC rules asking for explicit discussion about the risks that compensation structures might incentivize.
Audit committees may, in fact, see their mandates increase even further, thanks to a proposed rule from the Public Company Accounting Oversight Board (PCAOB).
In practice, corporate finance executives play a significant role in communications with the audit firm — a habit the new rule would curb. To emphasize independence and encourage a culture in which auditors answer to audit committees rather than management, the proposal would have auditors indicate whether two-way communication is occurring between them and the audit-committee members, and assess how well management communicates accounting issues to auditcommittee
members. "Too often, it's [just] the auditors sharing information they feel compelled to share, either by a standard or by their own internal policies, to an audit committee that passively receives it," says Professor Carcello.
If passed, the new rule will no doubt be received unenthusiastically. Just as they did with the "to-do" lists that were part and parcel of Sarbanes-Oxley, board members and corporate executives alike fear the changes will create more work for them, possibly raise audit fees, and blur the lines between management, auditors, and audit committees. The PCAOB is now reviewing nearly three dozen comment letters on the matter. In one, Arnold Hanish, Eli Lilly's chief accounting
officer, stated that some of the new requirements "are overly prescriptive and could result in increased audit costs with little or no benefit."
Whether you are a CFO who sits on an audit committee or simply deals with one, the workload seems certain to increase. Ironically, CFOs interested in landing board spots may find that the changing landscape actually works against them. "Boards need financial experts," says William Hernandez, retired CFO of PPG
Industries who now sits on the audit committees of USG and Black Box, "but some of the best questions come from people [with general management experience] who never worked a day in finance."

Sarah Johnson is senior editor for regulation at CFO.
By the Numbers: Audit Committees
86% of companies require their audit-committee members to demonstrate financial literacy
3/4 of audit committees view risk management as a top concern
26% of audit committees receive reports on the company's liquidity position every month
20% of audit-committee chairs hold a financial-management position, such as CFO or treasurer (up from 3% in 2002)
8% of the top 500 companies' CFOs moonlight as audit-committee chairs