The heat stays on.

Author: McCarthy, Mary Pat
Position: Corporate Governance - Sarbanes-Oxley Act of 2002 - Cover Story

As the rollout of The Sarbanes-Oxley Act continues, the pressure on corporate governance has been unrelenting. The following articles look at different aspects of that phenomenon: advice to audit committees on how to deal with risk; an interview with a leading institutional investor activist to assess the impact of reform efforts; and a discussion by the top governance executive at the "new" Tyco International about how the company has changed its policies and procedures--and how he thinks the seeds of scandal in corporate America were sown.

Audit Committees Confront Risk

In the new environment, a four-part oversight framework offers a valuable methodology for understanding and monitoring key processes, and for protecting the audit committee and the company from undue risk exposure.

It's a new world out there for audit committees. New regulations--including The Sarbanes-Oxley Act of 2002--have formalized the responsibilities of these panels, laying down specific duties for their members. This change is in sharp contrast to the way audit committees have historically been organized, evolving in response to developments in the business environment of the day.

Audit committees remain the guardian of investor and corporate accountability. But their new responsibilities place an added emphasis on risk concern, not only in the financial-reporting process but also throughout the company's operations.

The rapidity with which these new regulations have been imposed may have audit committee members' heads reeling, as they need to keep up with an ever-changing rulebook. At the same time, the complexities of these new regulations raise the potential for audit committees to become unduly focused on compliance, at the expense of ensuring that adequate risk-management procedures are being followed.

Audit committees can provide effective risk oversight by using a four-part framework, which addresses: 1) organization and operation; 2) financial reporting and risk assessment; 3) internal control; and 4) oversight authority. This framework can help committee members better visualize the primary considerations that lie before them.

Organization and Operation

The organization and operation of the audit committee is the first part of the oversight framework. First and foremost, the board will necessarily want to ensure that the audit committee is composed of the right individuals and be satisfied that they are experienced, ethical, inquisitive and independent.

New regulations have raised the bar when it comes to independence. For example, Sarbanes-Oxley states that an audit committee member may not accept, directly or indirectly, any "consulting, advisory, or other compensatory fee" from either the company or any of its subsidiaries beyond the fee he or she receives for serving on the board, the committee itself or any other board committee. And each of the three major U.S. stock exchanges--the New York Stock Exchange, Nasdaq and the American Stock Exchange--has proposed independence rules applicable to its listed companies.

However, these new independence requirements are not without a number of gray areas, and questions need to be addressed with the assistance of skilled and experienced advisors. It is imperative that audit committee members seek counsel when such questions arise, as they invariably will.

In addition to independence considerations, Sarbanes-Oxley and the Securities and Exchange Commission's rules also require disclosure that at least one committee member is an "audit-committee financial expert." Besides consulting Section 407 of the act, which prescribes the criteria for "financial expert" qualifications, audit committee members should also seek additional outside help and advice.

Most audit committee charters provide for an annual evaluation, which allows committees to review the membership and the committee's relationship with management and with the internal and external auditors. These formal assessments should include an audit committee self-assessment, as well as assessments by the board, the CFO, the chief executive and both internal and external auditors.

Within an organization, an audit committee's key priority is to create what some have called "a culture of dissent." In many well-meaning companies, there is often no definable risk structure, but rather a pattern of tacit communication between the audit committee and management, and between the audit committee and the internal and external auditors. The audit committee must set a tone that establishes its objectivity and independence, its expectations of the parties it oversees and those that support it, and its objectives.

Cultivating a culture of dissent can be the hardest task, because it can get in the way of otherwise collegial relations. Committee members might feel awkward questioning management on topics they hadn't questioned in the past. This is yet another reason why an established and clearly documented framework can be invaluable.

Financial Reporting Risk Assessment

The second part of the oversight framework for audit committees addresses the risks associated with external financial reporting and potential management misconduct.

As part of the financial reporting risk-assessment process, audit committees should cast a wide net. In particular, committees need to reflect on some of the more commonly documented areas, including: trading of company securities (insider trading, fraud); conflicts of interest; travel and entertainment; related-party transactions; and personal use of company assets.

Committee members can build a formal process around the financial reporting risk-assessment tasks that classify the nature, significance (from insignificant to catastrophic) and likelihood (remote to almost certain) of risks. They can then rank the risks based on their immediacy and impact, and focus on what response (avoidance, acceptance, transference, mitigation) and internal controls or processes have been put in place or need to be put in place to remediate the risks.

Committee members should also factor the cost benefit of action over inaction into the equation, as well as the impact of residual, untreated risk--that is, the risk that remains after management's actions, processes and controls have been taken into account.

Some suggestions include:

* Determine the company's tolerance for financial reporting risks. Communicate that tolerance to operating and financial management and the internal and external auditors. Ensure that everyone understands and agrees and that management's attitude is consistent with the company's risk tolerance.

* Create a company culture that encourages open and candid discussion of financial reporting risk and processes, including expression of concerns by individuals at all levels in the organization.

* Consider the incentive/pressures and opportunities for fraud...
