Out-Law Guide | 05 Jul 2007 | 11:18 am | 8 min. read
This article is based on UK law as at 1st February 2010, unless otherwise stated.
The role of the audit committee is so important to good governance that it was subject to a separate review in 2003 (See: The development of the UK Corporate Governance Code, an OUT-LAW guide). The Smith Guidance on Audit Committees, produced by Sir Robert Smith, is annexed to the UK Corporate Governance Code. Many of the provisions described below overlap with similar requirements in the FSA’s Disclosure and Transparency Rules, which makes them mandatory, rather than just subject to the Code’s more liberal comply or explain regime.
(Note: the Code does not apply to all companies. See: The reach of the UK Corporate Governance Code, an OUT-LAW guide)
The Code provides that the audit committee should consist of at least three independent non-executive directors, or two for companies outside the FTSE 350. The chairman of a smaller company may be an additional member of the committee provided he was regarded as independent when he was appointed chairman, but he should not chair the committee.
The Code also says that the board should ‘satisfy itself’ that at least one member of the committee has recent and relevant financial experience.The Code is not specific about what constitutes ‘relevant experience’, but Smith says it means a professional qualification from one of the accountancy bodies. Failure to satisfy this requirement is one of the more common disclosures in company reports when detailing their compliance with the Code.
Often, the ‘expert’ will be a retired finance director from another company or a former partner of an accountancy firm. To comply with the Code’s recommendations for independence, the board should, of course, exclude its own former finance directors and auditors. In any event, it must justify its choice in the annual report.
Given the complexity of the issues usually faced by an audit committee, it’s essential that its members receive proper induction and training.
Main principle C.3 says:
"The board should establish formal and transparent arrangements for considering how they should apply the corporate reporting and risk management and internal control principles and for maintaining an appropriate relationship with the company’s auditors."
The audit committee’s main roles are elaborated in the Code principles, which can be summarised as:
They are discussed further below.
The audit committee is guardian of the integrity of a company’s financial statements and performance. It must, in short, be satisfied that all figures presented to shareholders and the outside world will stand up to scrutiny and can be relied upon. This requires committee members not only to understand the financial statements and how they are made up (no mean feat as accounting standards get ever more complicated), but also to quiz the finance director and the external auditors as draft accounts are produced. Like all good non-executives, they must ask the right questions and be persistent if a satisfactory and intelligible answer is not forthcoming.
This general oversight of the company’s accounts means that the audit committee also has a role in checking the company’s internal financial controls, reviewing them and their operation and ensuring that necessary risk management systems are in place. Where a company has an internal audit function, the audit committee will need to extend its monitoring role to the internal auditors. Some of these roles may be performed by a risk committee, particularly following the recommendations in the Walker Report – the two committees will need to work closely together.
At least once a year, the committee should meet the internal and external auditors on its own (ie without management) so that any issues arising from their work can be freely raised. Between meetings, good communication must be maintained – particularly by the committee chairman. If there are no internal auditors, the committee should review each year whether there is a need for such a service; if it concludes there is not, it should explain why in the annual report.
The committee has some specific duties in relation to external auditors. It recommends the appointment of auditors to the board and approves their fees and the other terms on which they are retained. If there is dissatisfaction with their performance, it may recommend their replacement. In the very unlikely event that the board disagrees with the committee, the arguments on both sides need to be put forward to shareholders in the annual report and AGM papers. Smith also says that the committee should approve the appointment and removal of the head of internal audit.
The committee must keep a close check on the external auditors’ independence and objectivity. Is it time for a change, if only to get fresh thinking and a new perspective on some old issues? Are the auditors getting too close to management?
Closely related to the second question is the issue of non-audit services. The independence of the auditors may reasonably be expected to be compromised if they also act as the company’s consultants and advisers. Under the US Sarbanes–Oxley legislation (see the case study on the Sarbanes-Oxley Act below), non-audit services such as consultancy and advisory work are severely limited. In the United Kingdom, it is left to the audit committee to decide what other services the auditors can provide. The committee needs to develop a specific policy on the matter – it may, for example, rule against some services as raising too many potential conflicts (for example, advice on remuneration policy), permit others (such as tax advice) and require a case-by-case decision on everything else. It may also require non-audit work above a certain financial limit to be approved by the committee.
Where non-audit services are performed, disclosures are required in the annual report, and the committee must explain how auditor objectivity and independence are to be preserved. The need to maintain independence and objectivity also means that the audit committee should develop a policy regulating the employment of former employees of the auditors.
The audit or risk committee also has a role in fraud prevention. It needs to be confident that there are opportunities throughout the company for employees to act as ‘whistleblowers’ and report improprieties and abuses. This may mean giving employees contact details for committee members for use if other avenues fail. Many companies have introduced confidential fraud hotlines for employees; others use an outside agency that can take calls and forward the information to the right person. A fraud response plan will be needed to guide investigations into any allegations of wrongdoing.
The Companies Act allows accountancy firms to limit their liability on company audits, but, as we have seen in the opening chapter, the limitation must first be agreed with the company and subsequently by the company’s shareholders. Such agreements continue to be rare, but if they gain in popularity, negotiation of the limitation, and presentation of that agreement to shareholders for approval, is likely to be a new task for the audit committee.
A detailed examination of the US Sarbanes–Oxley Act of 2002 (SOX), passed in the aftermath of the Enron and Tyco affairs and other corporate scandals, is outside the scope of this book. But no examination of corporate governance would be complete without reference to SOX and an acknowledgement that there are a few circumstances where it may affect UK companies and their directors.
SOX applies to all companies, whether incorporated in the United States or elsewhere, that publicly issue securities in the United States and file reports with the US Securities and Exchange Commission (SEC). That will include many large UK corporates with securities traded on the New York Stock Exchange. The Act has no direct application to other companies. However, US and non-US subsidiaries that fall outside its terms may be indirectly affected if their parents have to comply.
Among other things, the Act requires the chief executive officer and chief financial officer of a company to certify the annual and quarterly reports under separate civil and criminal provisions. Both must confirm that they have reviewed the reports and that there are no material mis-statements. Individuals who knowingly sign false certificates can face fines and severe criminal penalties. They can also end up forfeiting cash bonuses and share awards.
In addition, SEC rules require management to include a report on their internal controls and procedures for financial reporting in their annual reports filed with the SEC. Management must evaluate the effectiveness of those controls and procedures, and the company’s auditors must issue a report on the assessment.
These requirements are likely to have a knock-on effect on directors and managers in UK subsidiary companies, who may be asked to provide similar certificates and confirmations in respect of their own financial reporting and internal controls. Such reports will give reassurance and perhaps some legal protection to US officers and management; at the very least, they will demonstrate that the US officers have asked the right questions and received replies that it is reasonable for them to rely on.
Because directors and managers of a UK subsidiary are not directly subject to the SOX provisions nothing they do or fail to do should constitute a breach of the Act or the SEC rules. Even if it did, the US authorities would have no jurisdiction to bring a prosecution in the United Kingdom (although the threat of extradition cannot be ignored).
Of course, giving a negligent, reckless or fraudulent certificate or report to the parent company may be regarded as an internal disciplinary offence and, in the worst cases, mean summary dismissal. A claim against the mis-reporting UK employee for any loss suffered in the United States cannot be discounted; reports and certificates requested from the United States should be prepared and verified with the highest standards of care.
The risks can be minimised if internal controls and procedures in a UK subsidiary mirror those in the US parent. Budgets and resources should be made available for such controls and procedures and, where necessary, for external advice and reports.
The audit committee needs to be adequately resourced. It should have access to outside advice when necessary. And the Smith guidance accepts that committee members should be paid further remuneration in addition to other fees to reflect the onerous nature of their duties and responsibilities. The chairman should command a higher level of remuneration than his colleagues.
The effectiveness of the committee is obviously closely linked to the effectiveness of senior managers. Management should not wait for the audit committee to ask for information. It needs to ensure that the audit committee is kept informed at all times and to take the initiative in supplying information to it.