Director Professionalism Course
National Association Of Corporate Directors
Philadelphia, PA
June 8-9, 2010

The Audit Committee And Risk Oversight: Effectiveness In The New Environment

Ken Daly, President and CEO, NACD

Ken was formerly head of the KPMG Audit Committee Institute and a passionate former auditor.

As someone who has spent a lot of time in standards-setting for SOX-404, I'm loving this talk. It brings back memories of the GAIT effort, where I worked with Bill Powers at the PCAOB, the Institute of Internal Auditors, and all the Big 4 national practice leaders.

Ken is hilarious.

• I've been on audit committees, as well as hired by and fired by audit committees." (haha)
• Collected desired outcomes and desired answers from audience (nice touch)
  • Protocol between directors and external audit firms, CEOs
  • For non-financial experts, what is minimum skills needed to serve on audit committee
  • What should non-audit-committee members be asking from the audit committee
  • Relationship between audit committee and disclosure committee
• Framing some problem statements
  • Audit committees deal with accountants, and we wonder why communications are so bad: accountants are terrible communicators  (haha)
  • "the price of poker is very high": no one is smiling when they deal with SEC enforcement. lots of trust required. use tension in good stead. lots of tension between external auditors, internal auditors, audit committee, and management. job of audit committee is to manage that tension
• Today's discussion
  • overview: the audit committee
  • overseeing financial reporting and controls
  • risk oversight
  • managing interactions
• Overview: period of change, 2002-Present (SOX)
  • impact of corporate accountability (SOX)
    • "audit committee used to be most unpopular. now, it's comp committee, which is helpful." (haha)
  • emphasis on risk
    • "focus on compliance is a fool's errand. you'll never have enough time, and you'll eyes will leave the ball."
    • "policy woks think independent directors are full time -- if that were true, then we wouldn't be independent, would we?"
    • "a new tsunami of rules is coming your way. you will be more challenged more than ever staying on top of things."
  • economic issues
  • confidence and trust being questioned
  • heightened role and greater time commitment
  • new legislation, rules, expectations
  • connectivity with other committees
  • IFR and XBRL
    • "Extensible Business Rule Language: COSO, SEC was there. you're tagging information in the reports. how could it help you get info that you don't regularly get."
    • "doubts that IFRS will be a big issue because SEC has so many other things on their plate"
    • "In one afternoon, GM wrote of $38B of deferred tax assets. What did market do? Nothing. It's non-cash, so it doesn't matter. My point? All the stuff you'll be spending time on is compliance. Go to accounting standards board and complain: footnotes are like Armegeddon documents. As you increase data, you pay less attention."
    • "Pay attention to tone-at-the-middle. Lots of restatements is not due to CEO fraud, but due to tone-at-the-middle problems."
      • Questions: "what processes are putting in place to set tone-at-the-middle?"
      • "Go to call centers: they know everything about the company, despite lower wages. They are the vanguard of the company. They'll know whether product is worth a darn, whether there's a receivable problem, etc.  Suggest directors should hang out at call centers."
• Significant audit committee responsibilities
  • direct responsibility for external audit
    • "fool's errand to manage this relationship"
    • "don't negotiate the fees. audit committees have strong opinion and no facts."
    • "have CFO community do the negotiation"
    • "saying 'we want job cheap as possible' is dumb. in this case, we're using shareholder money to protect shareholder money."
    • your worries
      • how does management feel about them?  like cop doing customer satisfaction survey after giving driver a speeding ticket
      • how is auditor supporting audit committee goals?
      • how does the audit firm support audit committee chair?
        • "I wanna have dinner 2-3 days before the audit committee meeting. they'd then ask me about things I was concerned about. this helps focus the conversations."
        • "often wisdom is, if it's complex, has tons of risk, give it to the audit committee. not terrible."
  • oversight of internal controls, disclosure controls, and internal audit
    • disclosure committee composed of line managers: can't be external auditors, because it breaks independence
    • disclosure committees don't have minutes: 4 questions he'd ask
      • what will you be discussing? (should we disclose right away?)
      • was there significant discussion?
      • what are the areas of disagreement? (why did they disagree? what door did we come out of?)
      • is there anyone vetoing? (huge red flag: big matter, can't come to conclusion. Likely there was a veto at Tyco, Enron, etc.)
      • Question: "best practice is to keep minutes?"
        • "most disclosure not keeping minutes, because of litigation risk. proof is in the disclosure document. if there's a discovery action, you've just handed over roadmap."
  • oversight of financial reporting
  • oversight of risk management
  • oversight of legal and regulatory compliance
• Keys to audit committee effectiveness (most important slide)
  • setting agendas and priorities; making the most of the meetings
    • "I don't believe we can sustain the level of effort required around compliance. Current legislation being considered will hold directors will be held personally liable. Not worth any fees collected as director."
    • "only 1 Powerpoint presentation. 1 slide. You can educate, persuade, or call to action. No longer time to be educated -- that has to happen beforehand. Spend all your time on the call to action. Send me the PPT (all 500 pages), but in meeting, 1 slide about what decisions we need to make. If we don't discuss, then things will start going bump in the night."
    • "You need information architecture."
    • "The key risk: management risk that they cannot/will not supervise the activities of the corporation. They won't bother with it, or they are clueless. Treasury went into small unit of AIG, and found that they had no idea what was going on, not even the nature of the transactions. Spend 50-60% of time in dialogue."
  • setting clear expectations for each participant in the financial reporting process
  • supporting the CFO and other financial reporting participants
  • coordinating and communicating with the full board and other committees
  • ensure continuous improvement (education and self-evaluation)
  • Dialogue -- not presentations
    • "use consent agenda: review a doc and pass it on. no dialogue."
• Top concerns in 2010
  • Regulatory/legislative matters
  • key financial risks: liquidity, access to capital, cash flow
  • exposure to third parties: customers, vendors, lenders
  • tone at the top and tone at the middle
  • fraud
  • SEC proxy disclosure enhancements: compensation
    • how does compensation create incentives that affect company risk
    • situations that could trigger discussion/analysis
      • a business unit that carries a significant portion of company risk profile
      • a biz unit with significantly different compensation structure
      • a biz unit with significantly more profitable
      • a biz unit with compensation expense is higher
      • a biz unit where risk/reward balance is significantly different
    • "BRAC controls: you can speed up and slow down so quickly, your competitors will slam into the wall." (tweet)
  • FASB 166 & 167
  • pensions (huge problem: we're not doing a good job on this: "raise hand if you think your pension fund will have 8.5% return. where did you get these numbers? these pensions are going to blow up in our faces."
    • "if it moves, tax it. if it keeps moving, regulate it. if it stops, bail it out." (tweet)
• environmental issues challenging effectiveness
  • complex biz environment and part-time directors
  • inadequate support resources
    • Your assets as an audit committee
      • good agenda setting: enough time for dialogue
  • • • CFO
      • CIO: totally underutilized: tell me about information architecture and how you can make my job better: most CIOs have never been in audit committee room. huge mistake
      • internal audit
      • want "advice and consent"
      • disclosure committees
      • tone at top/middle
      • emerging problems: 
  • assymmetrical info
  • looking at all the "right stuff"
  • compliance-oriented agendas
  • insufficient discussion time
  • inadequate time/support
  • information architecture
  • external audit
• Financial restatement trends
  • "this is insanity: 1800 restatements in 2006. 675 in 2009. Now smaller companies. Number of double-dippers dropping."
  • Source were not fraud, instead wrong accounting principle
• Critical accounting policies, judgements, estimates
  • Potential questions to ask
    • how do you feel about the accounting process?
    • skip a level
    • what stupid mistakes were made in the past?
    • what is absolutely required to get this right?
    • go to CFO, do you have enough time to check the numbers before we send them out. If answer is "we barely have enough time to complete", then a huge risk (tweet)
  • people are cutting expenses to restore profitability: but cutting finance staff increases probability of error
  • "asymmetrical information risk: the risk you have when bulk of info is coming from one source." (tweet)
    • "what are other companies doing?" "hell if I know. I have enough trouble getting my stuff done"
• Evolving role of CFO
  • CFO turnover is unprecedented: higher than ever. (turnover)
    • why? 
      • they don't understand expectation of audit committee
      • role has changed significantly
      • they don't trust you (fed up with the audit committee) (stunning: tweet)
  • increased pressures
    • volatile capital markets
    • increased regulatory/stakeholder demands
    • business complexity
  • expanding responsibilities
    • enforcing compliance
    • playing a leadership role
  • Commentary
    • "complaining about inadequacy of IT systems to support reporting. Staff being cut. CIO reporting to CFO. CFO problems dripping down onto the CIO." (whoa: tweet)
• Risk oversight framework
  • clarify risk oversight objectives
  • understand strategy/risk link
  • align risk oversight responsibilities
  • consider BRC's 10 guiding principles of effective
  • reassess and adjust
• Five areas of risk
  • capital
  • do you have right systems in place
  • expectations of investors
  • regulatory matters
  • risk tolerance
• Primary responsibility: financial reporting risk vs every other risk
  • you can't handle all other risks if you're firefighting financial reporting risks
  • what % of directors understanding strategy: 11% (from McKinsey)
• Quiz: pursuant to NYSE regs, is the audit committee solely responsible for the oversight of risk?
  • Of course not.
  • But, Conference Board said that 66% of Fortune 500 thought it was.
• Red flags
  • "too good to be true": 
    • "AAA paper in 5% interest env making 17%"
    • "MCI is only company making money. Just capitalizing expenses. Works for us"
    • "Imperial defense. Defrauded by agriculture note operation. Always heard, 'you can't bug them. they're making so much money. can't be bothered."
    • "unusual behaviors" "kozlowski having toga parties" "chief lending officer was supposed to be picked up, but drunk from party on lawn"
    • "whitewashed" "use all time presenting, 3 minutes for questions"
    • "close calls"
• Elements of a proper audit committee risk oversight process
  • right environment: the right people with appropriate leader
  • structure and responsibility: who is authorized to make calls?
  • information and communication: identify risk categories
  • control system: are boundaries set?
  • incentives: where is the balance of risk and reward?
  • monitoring: monitoring process, not monitoring done by the process (tweet)
• What does the risk conversation sound like?
  • the objective of the conversation:
    • satisfy the board that management can --and does-- identify, assess and manage risk
  • test stuff: talk about how you test it?
  • conversation
    • what to ask
    • what to listen for
    • what to test (<------ excellent)
    • the need for third-party input and validation
  • "don't be so arrogant to say "you don't know"
    • doing exercise around loss reserves? CFO says, "we're using forward loss triangulation." had no idea what that was. Mathematician came in and presented to the whole board. Not even listening to him anymore.
    • everyone praising doctor.
    • Code name for project was "argot", but no one knew that it was actually "secret language used by thieves to hide the truth."
• As part of your risk conversation
  • have the person in the right room at the right room: example: tax risks: CFO will never know, likely, might as well ask about nuclear reactors.
  • insist that management
• Improving communications about risks
  • map risks to managers
  • map committee oversight responsibilities
  • identify significant non-financial risks
  • educate directors about financially sensitive risks
  • consider overlapping committee memberships/attendance
  • ensure committee reporting (including minutes) to full board
    • lessons from Disney: record time, data available to you, what you actually looked at, participants, demonstration of independence (to imaginary hostile meeting minute reader) ("have you thought about bringing in experts"), consideration of other input and source data
  • encourage informal discussion among directors
• Issue: information quality
  • "there is desire to talk to CIO or IT guy."
    • accurate
    • complete
    • relevant
    • transparent
    • fresh/current
    • available
    • secure
    • satisfied legal/regulatory requirement
    • cost effective
  • there's no one guy who will know
  • "why are corporations relying so much on manual controls?"
    • "because we never had time to turn on automated controls?"
    • "go back to CIO and turn on automated controls" (tweet)
• top red flags/indicators that IT is starved
  • 60% of installations bring no value: no one sure where value: IT people love gadgets,
  • ask CIO, "are we starving?"
  • Question: "what is audit committee responsibility to IT projects?"
    • "definitely on the whole board. things are late. big conversions like Hershey and Halloween. responsibility depends on systems, and financial reporting cares about audit committee"
    • "purpose of computing is insight numbers. Purpose of computers is not in sight."
• Poll: are you satisfied that board can conclude that management can identify/assess/mange meaningful risk?
  • 67% yes
• Question: "what is protocol with external audit?"
  • "are our application processes commensurate with the industry?"
• Question: "what is protocol with CEO?"
  • "I want CEO there, and hear him/her say that they've heard issue before and that they agree."
• Question: "what should other committee members ask?"
  • "what did you spend your time on and what do you see as next big thing?"