The days when the main function of Audit Committees was to put a “stamp of approval” on companies’ financials are long gone. Heightened risk awareness and increased regulation means that Audit Committees must now take on a much more proactive role in detecting, understanding and acting on risk – be it financial, macroeconomic, regulatory, legal or cybersecurity-related.
That will increase the pressure on them for years to come, even if data analytics offer new ways to help them master the growing complexity of their task. If Audit Committees are to succeed in this challenging environment, companies must focus on selecting top talent from both financial and operational backgrounds to serve on them – and nurture those members’ skills in leadership, people engagement, and data analysis.
Our insights come from an extensive global survey of Audit Committee Chairs undertaken by Egon Zehnder’s global Financial Officers Practice. We conducted personal interviews with approximately 50 heads of Audit Committees of leading companies, in 20 countries across all continents. (We highlight some of their key insights in quotes throughout this paper.) Our purpose was to identify the evolving challenges facing Audit Committees worldwide – and to share leadership approaches and innovative ways of working that can address those challenges.
A radical change in the Audit Committee’s role
The Chairs we interviewed agreed that Audit Committees’ roles had changed fundamentally in the past decade. One trigger for this change was the introduction of the International Financial Reporting Standards (IFRS) in 2006, which laid down a single set of accounting standards. The IFRS are now mandated for use in more than 100 countries. In the United States, the IFRS added to the oversight requirements already laid out in the Sarbanes–Oxley Act of 2002 (Exhibit).
“There will be more regulatory pressure. There will be greater accountability. There will be more vigilance in general and a great emphasis on judgment.”
The financial crisis of 2008-09 added further impetus to the change. In many regions, the crisis revealed companies’ risk preparedness as inadequate – and demonstrated that the business environment is much more volatile and uncertain than many had assumed. As a direct result, Audit Committees, along with Risk and Compliance functions, were given more clout in many companies.
In the last few years, several high-profile corporate crises have reinforced this trend – and provided a stark reminder that a single risk event can knock billions off a company’s share price, or even destroy it as an independent entity. Audit Committees must now oversee not just financial risk but also enterprise risk more broadly – including risk related to operations, technology, reputation, fraud, tax or litigation. In many cases, Audit Committees must also oversee financing and refinancing decisions.
Increasing regulatory pressure and oversight requirements have put greater demands on Audit Committees
We heard variations on this theme in our meetings across the globe.
- In United States, the shift to a focus on broader enterprise risk has considerably increased the volume of work for Audit Committees – but also created richer and more dynamic conversations round the committee table.
- In Canada, Audit Committees are increasingly having to involve themselves in operational and management issues.
- In Europe, Chairs reported that more stringent regulation – including an increase in directors’ liability – had been matched with greater demands from shareholders and other stakeholders, as well as greater nervousness on the part of external auditors to sign off on company accounts. All this put even greater pressure on Audit Committees.
- In Asia-Pacific, the scene of some recent major accounting scandals, both China and India have introduced stricter regulations which make committees’ jobs tougher.
“Asking yourself the question, ‘If the 1 percent probability occurs, are we still alive?’ is the right thing to do.”
We asked Chairs how they expected the Audit Committee’s role to evolve in the decade ahead. The widespread view was that, although many fundamental changes have already occurred, the trend to broader risk oversight would continue. In the words of one Chair, the Audit Committee is becoming “an extended arm of the regulator” – at a time when regulation is becoming more intrusive in many markets. Others warned that the ever-expanding role and responsibility of the committee is making it less attractive to join: with so many areas of oversight, a lapse in just one of them has the potential to destroy the career of the Chair and the members.
There is a glimmer of hope that digitization and data analytics might reduce pressure on Audit Committees and give them new tools to master the growing complexity of their task. Several Chairs we interviewed believed that technology-driven solutions can replace some of the work currently done manually by committees and Internal Audit and Risk functions – and that algorithms might help them sift through mountains of data to spot potential problems and prioritize issues. But the jury is still out on what the true impact of these technologies will be, and nobody expects them to deliver substantial change for Audit Committees in the short term.
Broader talents, deeper skills
The increasing complexity of the Audit Committee’s role has had a huge impact on talent requirements. Whereas committee members have traditionally been drawn from accounting backgrounds, companies must now look at a broader pool of talent including people with relevant experience in other areas, such as operations or sales and marketing. To be sure, mastery of the relevant accounting rules is still a core requirement for Audit Committees, perhaps even more so in companies where CFOs are drawn from non-accounting backgrounds. In addition, though, committee members must be able to dig deeper and pinpoint the economic realities and risks behind the numbers. They must also be ready to delve into uncommon patterns and exceptional results, which might be signs of incorrect sales practices or even fraud.
“The perfect person for an Audit Committee unfortunately does not exist in today’s complex world. Diversity is key.”
Just as important is the need for Audit Committee members to possess psychological insight. When problems arise, the instinct of most executives is to report that everything is under control. Committee members must be able to see beneath the reassurances, raise questions, engage with multiple stakeholders, and crystallize the true issues facing the company. One Chair told us: “You get a ton of paper, but not always a lot of interpretation. You need to ask the same question to many different people to find out what’s going on.” One way to cultivate greater engagement between the Audit Committee and company operations is through “Board Connect” events: several companies we interviewed have created in-depth sessions for board members to interact with a range of executives and managers across the company.
All in all, this broad range of requirements makes it increasingly difficult to find the right people to serve on the committee. Indeed, one Chair we interviewed argued that it is now impossible to capture all the necessary roles in a traditional Audit Committee. He said it may now be necessary to include ad hoc or “ambulant” members of the committee so that all the necessary specialist skills – such as cybersecurity – can be represented. Moreover, as companies draw on a broader pool of candidates, they can bring greater diversity of experience to the Audit Committee. Some deliberately recruit “wild card” members who can bring fresh perspectives. As another Chair noted: “Our role is to ask questions – and sometimes a person from a non-traditional background will ask the best questions.” For example, the Audit Committee of a mainline bank would benefit from appointing an executive from a technology firm.
“Audit Committees must remain humble, they must never stop learning, and they must share their knowledge.”
The increasingly complex demands on Audit Committee members also make it essential that companies effectively induct new members into their roles and provide ongoing training once they have been appointed. However, most of the Audit Committee Chairs we spoke to conceded that their companies’ induction and training programs were still rudimentary. Although new members are typically provided with documentation about the company and the committee, in most cases it is left up to those members themselves to reach out to executives and other stakeholders. Several Chairs said there were opportunities to make induction more systematic and comprehensive. For example, a newly appointed Audit Committee Chair could be asked to shadow the outgoing Chair for a period. Committees could also include educational topics on the agendas of some of their meetings – both updates on latest accounting practices and issues and on broader risk topics.
Balancing prudence and entrepreneurship
The Audit Committee’s role is unlikely to become easier anytime soon. How, then, can committees be effective? Among the Chairs we spoke to, there was widespread agreement that Audit Committees must avoid getting caught in the quicksand of ever-increasing risk oversight. It is critical that the committee strikes the right balance between scrutiny of risk and support for entrepreneurship.
“Boards should acknowledge that they cannot build perfect defenses but are expected to implement the right response mechanisms.”
As several Chairs pointed out, the danger is that Audit Committees, in response to increasing regulation, become too prudent and too careful – and thus inhibit entrepreneurship in the business. This is a recipe for overload for the committee, and for growing mistrust and frustration between it and executives. As one Chair emphasized: “If openness and trust are lacking between the Audit Committee and the executive, the committee will become very prudent – and that won’t help the business.”
Building the right level of trust and understanding is not easy, but it helps if the Chair has operational business experience, so they can balance practical business insights with regulatory requirements. To gain the necessary breadth of experiences and skills, several companies are positioning the Audit Committee as a training ground for new directors, as well as for executives aspiring to future non-executive director roles. People from diverse operational and functional backgrounds are invited to join the committee for a yearlong assignment before moving on to other roles. In some companies, every new Board member is required to serve on the Audit Committee for a time. Some ask members of other Board committees, such as the Strategy Committee, to join meetings of the Audit Committee.
Of course, the Audit Committee cannot achieve the right balance between prudence and entrepreneurship unless this balance is also reflected in the outlook of the executive and the rest of the organization. The relationship between the CEO and the CFO is critical here. The CFO, who must exercise fiduciary responsibility for the business, must provide a counterbalance to the CEO’s strategic and entrepreneurial role. Yet the CFO must also be strategically aligned with the CEO. Finding the right balance can be difficult, and Audit Committee Chairs can often play a valuable counselling role to the CFO in this regard.
What makes an Audit Committee effective? Some practical pointers
We also asked Chairs to share their approaches to operational questions such as committee size, frequency of meetings, and modes of interaction.
Committee size and composition
Broadly, there was agreement that that Audit Committees should ideally consist of between three and five members (subject to local regulations), with larger committees of up to seven members being found only in more complex sectors such as financial services. Typically, at least three of the members should be independent.
Frequency of meetings
Depending on the country, the Chairs we spoke to said that Audit Committees typically meet in person between four and eight times a year – and that the meetings tend to be adjacent to the company’s main board meetings. There were a few countries where the reported frequency of meetings was quite different: in Brazil, the Chairs interviewed said their committees met monthly, whereas in China some committees meet only twice a year. In all countries, though, Chairs
“It is very important that there are informal interactions and a strong personal relationship between the Audit Committee Chair and the CFO, and hence frequent contact, on a more informal or quick call basis.”
emphasized that frequent informal discussions between committee members were essential; these feed into formal meetings. Several Chairs stressed that it is essential for Audit Committees to have an annual working plan or calendar.
Interacting with executives
Much discussion focused on how the Audit Committee can interact most effectively with the CFO and other executives. Chairs agreed that having the CFO present in committee meetings is essential. Other key executives, including the heads of Internal Audit and Risk, and even the head of IT, should also be present, at least at the Audit Committee’s main quarterly meetings. It is also advisable to have the Company Secretary or equivalent administrative head present in the meetings. Beyond these formal meetings, strong informal relationships and frequent contact are needed between the Chair of Audit Committee and the CFO – as well as with the head of Internal Audit and other executives.
That points to the need for a high degree of trust, openness, and collegiality between the Chair and the CFO. But as several Chairs emphasized, that engagement must be “friendly but not chummy”: the Audit Committee must still be ready to question and challenge the CFO when required. Likewise, committee members must be comfortable with fielding criticism from the executive.
Level of disclosure
We asked Chairs what level of disclosure they expected from the Executive Committee (ExCo) to the Audit Committee. Although everyone agreed that full transparency to the Audit Committee was required, we discovered two schools of thought on how much information should be shared. One view was that the CFO should be trusted to filter the most important information for the Audit Committee, thus avoiding information overload. In this school of thought, Chairs believe the onus is on ExCo to share the right information; for example, the practice in one professional services firm we interviewed is for the CFO to share executive summaries from ExCo, along with all unsatisfactory internal audit reports. In such cases, however, there is also an onus on the Audit Committee to ask the right questions and seek out the most relevant data.
The role of Internal Audit
Many of the Chairs we interviewed emphasized the need for the Internal Audit function to work closely with the Audit Committee. But there were competing viewpoints on the reporting structure. Some said it was important that Internal Audit have a very clearly delineated reporting relationship, with the head of the function reporting directly to the CEO or CFO. Another view was that the head of Internal Audit should report directly to the Chair of the Audit Committee, and so have complete independence from the executive. Whatever their reporting line, there was agreement that the head of Internal Audit should have access to the Chair of the Audit Committee at all times, and should meet with the Chair ahead of meetings of the committee.
We also heard strong views on the competencies required in Internal Audit, which should combine the best finance talent and operational business experience. As one Chair noted, Internal Audit should be an aspirational role: every senior executive should work in this function at some stage in their career. Although many companies are placing greater importance on Internal Audit, in others the role remains underappreciated and underpaid. In some companies the function is even being outsourced, but most of the Chairs we spoke to said Internal Audit should really be a strong internal capability. The Chair of the Audit Committee, together with the CEO, should help ensure that Internal Audit is given the appropriate budget and attention.
How much to share with the full Board?
Typically, the Audit Committees we surveyed share information with the full Board only on salient topics that have financial or governance implications, and where resolution is not straightforward or differs from the recommendation of the internal or external auditors. In addition, issues on which the Audit Committee has failed to achieve full alignment are also typically escalated to the full Board. This information sharing must be underpinned by a strong relationship between the Chair of the Board and the Chair of Audit Committee.
Evaluating the effectiveness of the Audit Committee
We asked Chairs to share how they evaluate the Audit Committee’s effectiveness. Typically, they conducted an annual internal review, often as part of the overall Board of Directors review. Some companies also ask external organizations such as ours to review the composition of the Audit Committee, either annually or more infrequently. Generally these external evaluations are driven by statutory compliance, however – they are more “tick box” exercises than truly meaningful assessments of the committee’s impact. There are opportunities to make the evaluation of the Audit Committee both more regular and more meaningful.
How next-generation Audit Committee members can prepare
We asked Chairs to share their advice to CFOs, heads of Internal Audit, and other senior executives who aspire to future roles on the committee. Several Chairs emphasized that being appointed to a Board is very difficult, so aspiring future members should think carefully about what experience or special skills they can cultivate. For example, they might play up their international experience or their expertise in digital or cybersecurity. They can also look for opportunities to serve on internal committees – and so build their skills in preparation for an Audit Committee role.
“Boards want to help you. If you find a way for them to help they will. If you don’t they will find their own way, whether helpful or not.”
Chairs also advised aspiring Audit Committee members to be selective about which board role to accept. As a rule of thumb, an active executive should serve on only one external board. As one Chair said: “If you’re a full-time executive and you have too many mandates on top of your executive role, you have a problem.” The time pressure on Audit Committees has increased exponentially, and members can be called to ten more meetings a year, formal and informal. A lot of hard work is required to prepare for each of those meetings.
For CFOs, several of the Chairs we spoke to had some specific advice. They observed that successful CFOs can sometimes disappoint in a Board role, as they are overly detail-oriented. “It’s not in their DNA to step back,” in the words of one Chair. To succeed on the Audit Committee, many CFOs must also strengthen their relationship and engagement skills alongside their existing technical strengths. Learning these new skills and mindsets is worth the effort: the current or former CFOs we spoke to all said that serving on the Audit Committee made them a much better CFO.
Audit Committees have a vital role in protecting their companies from both financial and broader enterprise risk, in supporting the executive to strike the right balance between prudence and entrepreneurship, and in mentoring CFO and Internal Audit functions to succeed in a more complex operating environment. But the committee’s own role has become increasingly complex as well. It’s time for Audit Committees and the companies they serve to systematically invest in finding and nurturing the diverse talent needed to master risk in an uncertain world.
Checklist for building an effective Audit Committee
Ten questions that Chairs and members can ask themselves:
- Do you have the right balance between process focus and really understanding the drivers of the economics and risks of the business? Has business judgment become a slave to process and regulatory requirements?
- Does the CFO act sufficiently independently of the CEO?
- Does the Audit Committee gather information from informal channels and engagement with the business – and not just from formal management channels?
- Do the skill sets on the Audit Committee match the nature and challenges of the business?
- Is the composition of your Audit Committee sufficiently diverse?
- Does the Audit Committee regularly discuss non-financial risks such as reputational risk, cyber security risk, and macro-economic risk?
- Is your CEO fully embracing the added value of the Internal Audit function by assigning high potentials to it, properly rewarding Internal Audit staff, and giving them real access to the top management?
- Do you evaluate the effectiveness of your Audit Committee on a regular basis?
- Have you installed a specific on-boarding and ongoing educational training program for Audit Committee members?
- Are you thinking about CFO succession planning in a robust way – and do you have a good sense of the talent level below the CFO in the finance organization?