How Audit Committees Can Help with Third-Party Risks

The role of audit committees continues to expand to keep pace with the modern business operating environment. In addition to responsibility for a company's financial reporting and management, audit committees increasingly take an active role in an organization's risk management strategy.

Audit committees can be instrumental in helping their organizations implement procedures to address the challenges they face. They can also assist with addressing internal and external audit findings or with exploring best practices for addressing areas of operations that may be vulnerable to disruption or extraordinary risks.

One key area that audit committees should be examining is risks and threats from third parties. From activist investors to cybersecurity, outside threats and interests can present significant obstacles to an organization's day-to-day functioning if the right safeguards are not in place. Additionally, shifts in the regulatory environment may also bring renewed scrutiny on risk management, and organizations should be prepared to address these challenges. By considering the hot topics in third-party risks, audit committees can improve their oversight of the company's governance and risk management.

Activist Investors

Shareholders with a significant stake in an organization who try to influence company policy are frequently called activist investors. Shareholders who gain decision-making control or influence may try to use their influence for a range of functions, from altering the company's strategic mission to attempting to oust a member of the board of directors. Activist investors may try to influence a company to take actions that will most benefit their investor group, and sometimes, these actions may not result in improvements or be in the best interests of all shareholders.

Activist investors became more common during the economic recession. As companies struggled in the difficult operating environment, investors searched for opportunities to insert themselves on the board of directors of various companies to make changes. Though the economy is recovering, activist investors remain part of the operating environment. Activist hedge funds controlled roughly $122 billion in assets at the end of 2015, according to an analysis by Hedge Fund Research, and that only accounts for a portion of the activist investor activity.

Audit committees can help their organizations take steps early to reduce their risk of becoming subject to activist investors. They should encourage their organizations to reexamine their policies. One of the first steps an organization could take would be to evaluate the kinds of controls and procedures that surround the shareholders' rights and responsibilities in the organization's corporate governance. Voting rights could be examined to determine if there are powers or requirements that would make a company more vulnerable to an activist investor disrupting its operations. For example, the company's governance documents might be amended to redefine the percentage of votes required to remove a board member or to limit the types of decisions that require shareholder approval.

The audit committee can also influence the tone at the top to ensure a company considers transparency in its disclosures to shareholders. An organization that has a robust set of disclosure procedures in place regarding shareholder communication may be able to help its shareholders understand its strategy, why management is electing to make certain decisions and why those decisions are in the best interests of all shareholders. Such procedures may also provide stakeholders with an avenue to communicate their concerns to leadership. A robust and transparent communication strategy may significantly reduce the risk that an activist shareholder would be successful in rallying support for actions that contradict or conflict with management and the board of directors' plans.

Assessing Audit Quality

One of the most important tasks audit committees undertake involves selecting and monitoring their organization's audit firm. Finding a quality auditor can be complicated because each audit poses unique risks and considerations, so a one-size-fits-all set of audit quality criteria cannot be applied.

Nevertheless, the global regulatory environment has shown that audit quality is a concern that organizations are focused on. Recent studies by almost all of the global regulators, including, in the U.S., the Department of Labor (DOL) and the Public Company Accounting Oversight Board (PCAOB), found high rates of deficiencies among audits they reviewed. These findings have led regulators to take a closer look at whether a comprehensive set of audit quality indicators could, or should, be developed.

Audit committees should be driving the conversation around audit quality indicators. Today, there are very few published sources of information or statistics available that an audit committee can look to in order to assist in making determinations about the relative quality of one audit versus another or one audit firm versus another. The regulators and professional service groups are leading the charge in an effort to develop this type of information and to make it available to audit committee members. Indeed, how to define audit quality and what specific metrics are indicative of quality are very subjective. As a result, audit quality has been judged by the audit committees using company-specific criteria to determine whether the audit committee has made a good choice in auditor selection and received a high-quality audit.

The AICPA's Center for Audit Quality and the PCAOB have both proposed certain audit quality indicators to help audit committees with their selection process. Audit committees should familiarize themselves with these resources and other recommendations on how to evaluate audit quality while keeping in mind that these are meant to be guides to consider in auditor selection rather than rules.

In order to appropriately evaluate audit quality indicators, it is important to have context. Otherwise, blanket comparisons between audit firms of any particular statistic may not yield a fair result when applied to a company's specific environment or operation. Audit committees should be engaged in a meaningful conversation with their audit firm representatives to understand how various metrics of audit quality impact the audit firm as well as their own organization and the risk that circumstances could potentially reduce quality if not appropriately managed.

Cybersecurity

Cybersecurity presents one of the largest threats in the modern business environment. Audit committees should be assisting their organizations in evaluating their level of cybersecurity risk. A breach of a company's systems can be very costly to remediate and result in significant reputational damage, and to avoid this, organizations need to be sure their information technology systems and data are adequately protected.

Audit committees should be knowledgeable about the internal controls management has put in place related to network access, server access and vendor management and how effective those controls are expected to be. Stronger environments generally have multiple levels of protection around each entry point, so that if a breach occurs at one level, the outside user does not have unfettered access to all of an organization's sensitive information.

Another reason audit committees should be up to date on cybersecurity principles is that cyber controls are increasingly becoming focal points for auditors as well, particularly controls around protecting financial data and information subject to the various privacy laws. External auditors may raise questions about how financial statement data are protected in the current environment, and audit committees may be able to help ensure these risks are addressed.

Ethical Compliance

Fraud is another common risk in the modern business environment, and regulators have continued to focus on punishing those who participate in such activities. One example is the recent activities and enforcement actions that have involved violations of the Foreign Corrupt Practices Act (FCPA). The FCPA contains a number of provisions, one of which is designed to prevent U.S. companies from engaging in actions that would constitute bribes of foreign officials. A number of recent SEC enforcement actions and settlements demonstrate that this area cannot be left to chance. As can be seen in these recent settlements, companies can be subjected to, among other things, censure, large fines, and the requirement to return any profits that arose from engaging in the illegal activities. In these actions, the SEC has focused on the lack of internal controls to prevent the actions from occurring or to identify and correct them in a timely manner when they did occur. Some allegations have also involved the failure to respond to information that would suggest that problems exist (e.g., tips from a whistleblower hotline or claims by employees). Audit committees need to understand how their organizations are equipped to deal with these risks, what controls are in place to monitor compliance and to address issues as they arise, and whether those controls are effective.

Risky Business

There is no shortage of risks facing the modern company, and as such, audit committees have their work cut out for them. Being proactive in addressing emerging risks, particularly those that involve third parties, is essential to mitigating or even preventing larger consequences.

For more information about how your audit committee can help the organization better face its key challenges, please contact your local MHM professional.

Published on May 03, 2016