Financial Literacy and Audit Committees: A Primer for Directors and Audit Committee Members

Jason Masters

Nonexecutive Director, Audit and Risk Committee, and Expert in IT and Corporate Governance and Probity

Editor's Note

Because financial literacy is often a required competency, I thought I would offer my perspective to introduce this particular chapter.

My experience in assessing and training both non-Audit Committee directors on the board and Audit Committee members is that there frequently can be (i) a lack of financial literacy on the board and Audit Committee; (ii) inadequate functioning of the Audit Committee in its oversight of the auditors (external and internal), financial reporting, risk management (including technology), conduct, and whistleblowing; and (iii) inadequate reporting from the Audit Committee to the board.

There is also a tendency even now for management to crowd out or unduly influence the Audit Committee—external auditor, internal audit, risk and compliance function relationships.

I want to make a few remarks and then introduce this chapter. In responding to the above and to reader requests since the first edition, I have asked an Audit Committee expert, Jason Masters, to write a chapter for new directors and Audit Committee members (and as a refresh for seasoned ones) in an inviting, best-practice, and easy-to-read format on Audit Committee and board oversight and relationships. Jason has exceeded my expectations.

A few remarks at the outset to frame and position the chapter that follows:

Each director serving on any board must be financially literate. With the development of competency-based recruitment (see my competency matrix in Chapter 8), there are, understandably, individuals coming onto boards who are not literate financially, although this has always been the case (the most famous being O. J. Simpson serving on an Audit Committee). One can acquire financial literacy and should make this investment (I estimate 100–200+ hours) to become financially literate if one is serving on any board.

If a director, and certainly an Audit Committee member, is not financially (and increasingly, technology) literate, they put their board colleagues and the entire organization at risk. I have had to recommend Audit Committee members either stand down or acquire financial literacy because they admit being fundamentally ignorant and not being able to read or interpret basic financial statements. This omission is prevalent across all sectors, but especially within association, sporting, not-for-profit, health-care, state-owned, and stakeholder-appointed boards. Financial and technology illiteracy on Audit Committees and boards has also occurred on financial services, large, and public company boards.

Many directors simply pretend or fake financial and technology literacy, for reasons of hubris. Management knows and can exploit this. Director financial (and, increasingly, technology) literacy development should be funded by the organization.

The entire board (i.e., each director) is responsible for approving financial statements, the risk appetite framework, the recommendation of external auditor to shareholders (or members), the approval of the internal auditor, the exceptions (if any) to the code of conduct, the conflict of interest policy and occurrences, related-party transactions, and the whistleblowing reporting and remedying.

Financial literacy is a precondition for all of the foregoing collective powers of the entire board, on recommendation of the Audit Committee.

At a minimum, financial literacy means an ability to read and interpret balance sheets, statements of cash flows, and income statements, and importantly apply this interpretation to the company, its performance, and the industry, including in ratio interpretation, peer and industry practices, and trends.

Each director should fully understand the business or revenue model of the organization—how the organization generates revenue, products, or services—and the accounting policies that are invoked by the business model and recommended by the Audit Committee.

If a director is a member of the Audit Committee, the director should further understand how the use of subjective assumptions, beliefs, estimates, and judgments employed by the CFO and other financial management may give rise to potential manipulation or fraud within financial statements and reporting.

The foregoing financial and Audit Committee literacy skills are all acquirable, but many committees and boards—and directors—simply lack this level of proficiency—by choice. See the chapters by Rosen and Hunter within this Handbook for the dire consequences of this financial and Audit Committee literacy gap.

I have therefore asked Jason Masters to provide an overview of some of the key elements of the work of an effective Audit Committee, including all of the following:

  • The need for all directors to have basic financial literacy.
  • The selection and appointment of the independent or external auditor.
  • The relationship with the external auditor.
  • The oversight of internal audit and the importance of the structure of the Audit Committee to assist with the independence of the internal audit function.
  • The interrelationship between external and internal audit.
  • The role of the Audit Committee in the oversight of the organization's enterprise risk management framework and the importance of the risk appetite statement.
  • As with the chief audit executive (head of internal audit), the importance of the right organizational structure for the chief risk officer.
  • Culture, one of the emerging issues cutting across all activities within an organization, and the Audit Committee's role in the areas of ethics, culture, and sustaining an effective whistleblower process.
  • Technology and cybersecurity, which are core to the operations of most organizations, and, in the absence of a specialist board committee, the role an Audit Committee may take around technology assurance.

We shall now begin with Jason's “Financial Literacy and Audit Committees: A Primer for Directors and Audit Committee Members.”

The Board and Audit Committee's Financial Literacy and Oversight of Financial Reporting and External Audit

It is important that each director has a basic level of financial literacy. At the end of the year, the board collectively authorizes a small number of its own members to sign the financial accounts, but each board member is equally responsible for the financial reports.

A board needs to carefully consider the structure and composition of its Audit Committee:

  • Whether the board chair will be a member of the Audit Committee (the board chair should not be the chair of the Audit Committee).
  • Usually a minimum of three directors, all of whom would be classified as independent nonexecutive directors.
  • There should be at least one director with strong financial literacy experience.
  • The Audit Committee should not be limited to those with strong financial literacy, and it is worthwhile considering having a member who has a strong understanding of the business. This member can then provide useful insight to the Audit Committee from a business perspective and on the implications for the financial transactions of the business.

Most importantly, the Audit Committee members should have a quiet self-confidence to be the “naive enquirers” or, more directly, be willing to ask the simple or “dumb questions,” even if they consider that the other directors around the table would expect them to know the answer or that level of detail. One of the greatest assets of a director is to be willing to be the naive enquirer, willing to let go of their ego and acknowledge the limits of their understanding in a specific area. This is critical for the members of the Audit Committee.

Financial statements can have a considerable technical element: the accounting firms have a unit of specialist technical accountants advising the partners. Therefore, it is reasonable that no director will have a technical understanding of every accounting standard and its application to your organization.

When joining a board, all directors should spend some time identifying:

  • What are the key business processes of the organization?
  • What are the key risks associated with those business processes?
  • What are the associated internal controls, both financial and nonfinancial?
  • What are the likely financial transactions that are associated with those business processes?
  • How will the strategy of the business be visible through the financial accounts?

One of the recommended activities that all new directors should undertake (and one that should be revisited when joining an Audit Committee) is to spend time with the organization's chief financial officer (CFO) and have them walk through the accounts, asking them to pay particular attention to:

  • Key balance sheet items
  • Valuations of any intangible assets
  • Funding arrangements (loans, equity, and other instruments)
  • Areas of key judgment
  • Methodologies for any provisions
  • Application of depreciation by class of asset
  • The financial risk management tools that are in place (such as hedging, derivatives, insurances, etc.)

The Audit Committee has an important role to ensure that the board is receiving financial information in a way that helps the directors:

  • Have clear visibility of the organization's financial position.
  • Be able to provide regular reviews as to the solvency of the organization.
  • Be a conduit between the board and management to ensure that the regular management financial reports to the board are prepared in a way that assists the directors with their oversight of the business, presenting financial information in a variety of ways beyond raw data, such as graphs, traffic lights, and the like.
  • Test management's key assumptions and judgments.

As directors are aware, there is only one absolutely true statement within the financial accounts, and that is the Statement of Cash Flows, as it can be tied back to the transactions at the organization's financial institutions. The Statement of Comprehensive Income (Income Statement or Profit and Loss Statement) and the Statement of Financial Position (Balance Sheet) both have elements that are based on judgment and assumptions.

The appointment of the CFO, a tier-two executive, is one that the board should have some visibility on, and this is often through the Audit Committee. It is not unreasonable for the chair of the Audit Committee to be involved in the interviews of the short-listed candidates, and for the preferred candidate to meet with the members of the Audit Committee prior to their final offer. Apart from wanting to ensure that the CFO has the requisite technical accounting expertise, the Audit Committee will most likely consider other aspects:

  • Communication skills: the ability to tell the story of the financial accounts to the board members in a way that they understand (i.e., to demystify the accounting jargon), as well as to external parties to the organization, such as shareholders in the for-profit case, and members or grantors in the case of a not-for-profit.
  • Integrity, ethics, and the ability to drive ethical and strong cultural behavior through the organization.
  • A strong understanding of internal controls.
  • Leadership skills, not only of the finance function, but as the number-two executive within the entity, across the entire organization.
  • Strategic insights: being able to take the strategy and work with the board and management to develop the financial framework to deliver the strategy.
  • Confidence to work in a creative tension with the CEO to provide one of the checks and balances within the executive team.
  • The ability to work constructively with, and appropriately challenge, the external auditor when needed, and to provide the Audit Committee and directors with technical accounting advice when required.
  • A broad understanding of the wide range of advisors that the organization may require to support assumptions and judgments within the financial accounts, from property and brand valuers to actuaries and the like.

Usually the board recommends the appointment of the independent or external auditor to the shareholders or members. The external auditor will normally be invited to attend all Audit Committee meetings.

The appointment of the external auditor should be overseen by the Audit Committee on behalf of the board. It is also important that the Audit Committee oversees the request for proposal and evaluation documentation, and participates in at least the presentations from short-listed providers. Better practice would be for one or more Audit Committee members to sit on the evaluation panel. Of key interest to the Audit Committee would be:

  • Technical expertise for the industry
  • Balance of relationship between the executive, Audit Committee, and the board
  • Level of effort to the risk profile of the organization (i.e., boards should not simply accept the cheapest external audit with the lowest number of hours of effort)
  • Value added to the board

There is a cycle to the external audit process that the Audit Committee should take the board through:

  • Audit engagement process
    • Do the areas of focus of the external audit program fit with the Audit Committee's view of the organization's financial risks?
    • Is the timetable proposed by the external auditors for all schedules (which can be pages and pages) practical, and can management actually deliver to the timetable?
    • Does the broader timetable for the process meet the Audit Committee and board schedule? If not, can the external auditor fit into the existing meeting schedule or will additional meetings need to be arranged?
    • Is the materiality (the level of errors that do not need to be corrected) reasonable and based on appropriate income statement or balance sheet items?
    • Is the external auditor taking a reasonable approach to technology and the opportunity to place reliance on financial systems?
    • Are there issues from the previous external audit that should be revisited and tested?
  • Interim audits
    • Many organizations undertake the preparation of interim financial statements (often at the nine-month mark). These statements are used to reduce the amount of testing at year-end, when both the financial staff and the external auditor are at their busiest, but also to deal with complex issues of judgment, such as building and property revaluations, and the like.
  • Year-end audit—Client Management Letter
    • The external auditors will seek “management representation letters” from management to cover matters such as fraud, full disclosure, access, and the like. The external auditors will often provide management a draft for them to base their letter upon. The Audit Committee should review these letters to ensure they are reasonable, and to obtain assurance from management regarding the business process to provide such representation.
    • The client management letter will provide to the Audit Committee (and ultimately the board) a number of insights:
      • Whether the auditor will sign the accounts with or without qualifications.
      • What errors have been identified and whether they were material enough to be corrected or left uncorrected.
      • Statement on independence from other audit or consulting activities.
      • Recommendations for improvements on internal controls.
      • The better firms will provide a narrative of the accounts, the key reporting risks, and how the external auditors addressed those risks.

Before signing the financial statements, there are a number of questions that an Audit Committee (or board) may consider asking of management and the external auditor (adapted from various sources):

  • Is there a belief that the financial statements fairly present the organization's net assets and activities in accordance with generally accepted accounting standards and the legislation/regulations relevant to the organization?
  • Is anyone aware of any situations where management has overridden internal controls (as it relates to financial reporting) within the organization?
  • Have there been any activities that would be considered to be a significant breach of laws, regulations, contracts, grants, or a departure from the accounting standards?
  • Have there been any actions within the organization that cause discomfort or would be considered unusual that the Audit Committee/board should consider for further review?
  • For the independent/external auditor: has the audit testing identified any bias in the accounting estimates made by management that may have a material impact on the financial statements?
  • Last, a question for the independent/external auditor: Based on the work you have undertaken and your knowledge of the organization and the industry more broadly, are there any questions we should have asked that we have not addressed prior to finalizing our deliberations on the financial statements?

Before finalizing the signing of the financial statements, the Audit Committee and the board must actively consider the following:

  • What process are we using to ensure that:
    • The financial statements are true and fair?
    • The financial statements comply with the relevant accounting standards?
    • The organization has the ability to pay its debts when they fall due (usually a 12-month-forward window)?

After the signing of the financial statements, it is appropriate for the Audit Committee to undertake a performance review of the independent/external auditor, which may cover the following:

  • Executing the work to the timetable accepted
  • Continuity of team members
  • Timeliness of raising and addressing key issues
  • Working relationship with management, the Audit Committee, and board
  • Value-added information
  • Fees to budget

Finally, one of the emerging issues is the rotation of independent/external auditors. Countries such as the United States and Australia have been following the path of retaining the firm and rotating the lead partner at least every five years. In the UK and Europe, there is a move to rotating the firm after a set number of years. It is the author's experience (while not globally statistically valid) that when the external audit firm is changed, the prior-year accounts have had to be restated.

Audit Committee Oversight of Internal Audit

Next, internal audit is a function that can (if established and overseen correctly) add considerable value to the organization and also to the board through the Audit Committee.

The tone for internal audit is best set through the Audit Committee. This tone is set via a number of mechanisms:

  • Ensuring that the oversight of internal audit is clearly stated in the Audit Committee Charter approved by the board, which would include as a minimum that the Audit Committee:
    • Approves the appointment of the chief audit executive (CAE) or head of internal audit
    • Independently reviews the resignation and/or promotion of the CAE
    • Oversees any disciplinary review or dismissal of the CAE
    • Oversees the budget and structure of the internal audit function (such as in-house, co-sourced, or outsourced)
    • Approves the internal audit plan
    • Requires that all assurance reports (not just internal audit) are tabled at the Audit Committee
    • Oversees the recommendations and action plans of internal audit (and all assurance programs), with particular focus on the action timetable and requests for extension of recommendation implementation
    • Defines the reporting lines of the CAE, with direct functional accountability to the Audit Committee
    • Is involved in the performance review of the CAE and the internal audit function
    • Reviews and approves the Internal Audit Charter, paying particular attention to any attempts by management to limit the scope of the work of internal audit
    • Oversees professional standard reviews, such as the requirement by the Institute of Internal Auditors for an independent quality assurance review of the internal audit function at least every five years

Once these structures are in place, there is less emphasis on the internal administrative reporting arrangements within the organization, as the functional reporting and oversight processes are established and clear. What is critical is that the CAE is independent in mind, supported by appropriate reporting relationships.

Internal audit provides assurance to the board via the Audit Committee around the management and controls of the highest risks within the organization. This may mean that:

  • Internal audit may require different skills from those of the independent/external auditors, who are focused on the key risks around material misstatements of the financial accounts. These skills may include a strong focus on the operations of the business, technology, and the like.
  • Internal audit may not undertake any financial audits, as the major internal controls and risks may be unrelated to the financial statements.
  • It may be a false economy to divert the limited internal audit resources to assist the external audit process, which may be of a significantly lower risk.

An important matter for the Audit Committee to consider is the independence of the internal audit function from the organization's risk function. This is critical for the following reasons:

  • One of the internal audits that may be in the program from time to time is Enterprise Risk Management, and this cannot be undertaken independently if there is an organizational connection between internal audit and risk.
  • In certain jurisdictions and industries, such as the finance sector, there may be regulatory requirements for risk and internal audit to be separate.
  • Internal audit should be using the Enterprise Risk Management risks as input into its internal audit plan. If it is not, and instead develops its own view of risk for the internal audit plan, this can be an indicator that the risk schedule is not as effective as it should be, given that internal audit is not relying upon it.

Some of the key financial risks that an internal audit function may have on their program that would not appear on the external audit program may be:

  • Compliance with modern slavery and child labor requirements, particularly if your organization has significant supply chain operations
  • Fraud and corruption
  • Technology audits (while there may be a limited review by the independent/external auditor, it is focused solely on the purposes of the financial statements)
  • Cybersecurity audits
  • Compliance with climate change/CO2 emission reporting
  • Compliance with regulatory reporting
  • Assessment of culture, a significant control factor being increasingly relied upon by boards

There are differences in the public sector and not-for-profit sectors in relation to internal audit and the importance of Audit Committees:

  • For government agencies that often don't have independent boards, the use of Audit Committees with a majority of independent members helps provide the processes of independence for the internal audit function and independent feedback for the agency head (secretary/chief executive) on the effectiveness of the internal controls within the agency.
  • For not-for-profits with limited resources (i.e., all but the largest NfPs), there is often little, if any, internal audit. There can be considerable value in one annual internal audit, delivered through outsourced arrangements. These can be delivered relatively cost-effectively, and can have a significant cultural benefit by emphasizing the importance of internal controls within the organization.

Other key areas that the Audit Committee may consider in relation to internal audit include:

  • Professional development of the CAE (and broader internal audit staff).
  • Succession planning for the CAE.
  • Philosophy as to whether the CAE is a professional internal auditor, or whether the internal audit function is used as a broad-based development role for targeted future executives.
  • Who provides the secretariat function for the Audit Committee? The author's preference is that this is provided by the company secretariat function of the organization so that internal audit can be fully focused on the meeting rather than recording the meeting.
  • Does internal audit provide consulting services to the organization? This can be a very legitimate use of internal audit. What are the consequences to the internal audit program and their independence where there are significant internal audit consulting activities?
  • Who is accountable for reporting on the action items from internal audit, the CAE or the line manager? What resources are provided to internal audit to validate the effectiveness of the implementation of agreed internal audit recommendations?

The Audit Committee should have closed or in-camera sessions with the internal auditor (and separately the external auditor), and in this session, the following matters may be covered (but not limited to):

  • The independence of the role of internal audit and any attempts to limit the function's independence
  • Internal audit's views on the Enterprise Risk Management and associated governance systems
  • Their observations on the performance and effectiveness of the independent/external auditor
  • The culture of the organization and the tone set by management
  • The effectiveness of the “three lines of defense model”
  • Emerging issues that may be facing the organization

Internal audit can be one of the most important functions to provide assurance to the Audit Committee and the board on risk management and the associated internal controls.

Audit Committee Oversight of Risk Management

The board has ultimate responsibility for risk management, but just as with external audit, financial statements, and internal audit, risk management is an area where a board committee can provide significant value to the board through additional oversight of the risk management function.

There have been different approaches to board committees: some Audit Committees focus on finance and audit, leaving risk as a minor element; some jurisdictions have broader Audit and Risk Committees; and in some sectors, such as the financial sector in Australia, the regulator has mandated the separation of these committees into dedicated Audit Committees and Risk Committees. This latter direction came from a view that Audit Committees were not spending sufficient time overseeing the risk management functions.

As previously stated, Audit Committees should be made up of independent nonexecutive directors. If there is only an Audit Committee, then the skills of the members must also encompass risk management, broader than just financial and accounting skills.

Where an organization has a preference for a dedicated Risk Committee, the majority of the committee should be made up of independent nonexecutive directors; however, compared with an Audit Committee, there is room for executive directors to also be members.

Whichever committee is responsible for the oversight of risk, they need to have a charter in place that considers the following:

  • Makeup of the Committee, with a majority of independent, nonexecutive directors.
  • Decision on the chair with best practice indicating that the Committee chair should not be the board chair.
  • Ensuring that the oversight of the process of Enterprise Risk Management is clearly stated in the Committee Charter approved by the board, which would include as a minimum that the Committee:
    • Approves the appointment of the chief risk officer (CRO) or head of risk management
    • Independently reviews the resignation and/or promotion of the CRO
    • Oversees any disciplinary review or dismissal of the CRO
    • Oversees the budget and structure of the risk management function to ensure it is adequately funded for the risk complexities of the organization
    • Oversees the recommendations and action plans of the risk management function
    • Oversees the reporting lines of the CRO, with direct functional accountability to the Committee
    • Is involved in the performance review of the CRO and the risk management function
    • Oversees the establishment of an enterprise risk framework
    • Oversees the effectiveness of the enterprise risk framework by the senior executives, including but not limited to risk culture, risk identification, risk remediation, risk reporting, and the like
    • Constructively reviews and challenges management proposals and decisions in relation to risks arising from the organization's operations
    • Regularly scans the environment for new and emerging risks and changes to existing organizational risks
    • Regularly reviews the organization's current and emerging risks and the agreed mitigation actions and associated internal controls
    • Reviews specific industry-based risks
    • Engages management and other expert advisors on the development of the organization's risk appetite, and advises the board on it for its review and approval
    • Reviews the organization's insurance plans and policies and ensures that they are aligned to the organization's risks and risk appetite
    • Ensures that internal audit is using the Enterprise Risk Management framework and resulting risk profile and internal controls to develop their internal audit plan, and test the key internal controls over major risk areas
    • On a regular basis, meets “in camera” (i.e., without other management) with the chief risk officer
    • Where required, reports to regulators on risk management/events
    • Recommends relevant updates and education as part of the board's ongoing education and development program
    • Ensures appropriate and effective communication with other board committees, particularly the Audit Committee and Technology Committee (if one exists)
    • Oversees and reviews business continuity or business resilience planning
    • Has the power to engage its own advisers, independently of management, to assist in exercising its functions

One of the most critical decisions a board makes is the risk appetite of the organization, which sets the bar regarding how much risk the organization is willing to take in pursuit of its strategy. The interaction of strategy and risk is a critical lens that the board needs to continually review, particularly as external factors such as economic, competitive, and regulatory conditions impact the organization.

For organizations that don't have a risk appetite statement, developing one is considered to be one of the most important activities for a board to undertake, and it is important to appreciate that it can take several years and iterations of a risk appetite statement for it to be fully effective in guiding the board on decisions and the interaction with strategy.

There are a number of challenges in developing an effective risk appetite statement:

  • Would the organization respond more effectively with a quantitative statement (most commonly seen in the finance sector) or a qualitative statement (often seen in the health and public sector)? Given that effective communication of the organization's risk appetite statement is a cornerstone to effective risk management, developing a statement in a language style that is appropriate for the organization and more likely to be accepted and understood is fundamental.
  • A risk appetite statement is not just about avoiding risk; it will also clearly enunciate the level of risk that an organization is willing to accept in achieving the organization's objectives.
    • In quantitative language, an element might sound like: “The company communicates its risk appetite for loan impairment losses by stating that such losses should not exceed 0.25 percent of the loan portfolio.”
    • In qualitative language, an element might sound like: “The organization's lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite toward its strategic, reporting, and operations objectives.”
    • In some cases, organizations can present their risk appetite statement diagrammatically.

The Committee should have clear visibility of the model that is being used. For most of the world the ISO31000 standard is the framework that is best to work from, while in the United States (and subsidiaries of U.S. entities) the COSO risk framework is more commonly used.

There are a number of risk mitigation techniques available to an organization. At the highest level these can be summarized as:

  • Accepting the risk and taking no further action (a conscious decision).
  • Reducing the risk by reducing the likelihood of the risk occurring. There will generally be a cost involved in reducing the likelihood.
  • Reducing the risk by reducing the consequence of the risk when it occurs. There will generally be a cost involved in reducing the consequence.
  • Avoiding the risk—that is, discontinuing the activities that generate the risk. This may have an impact on the organization's strategy, and such a decision must be made in concert with the organization's strategy and risk appetite. It is important to note that in the public sector there are risks outside the organization's risk appetite that it cannot avoid and for which there may be no options for an effective risk treatment.
  • Sharing the risk—this could be through insurance or through outsourcing business activities to organizations that have superior capabilities to manage the risk. There will generally be a cost involved in transferring risks.

It is important to understand that in reducing risks, there comes a point where the cost of reducing the risk outweighs the benefits of the risk reduction. When an organization treats a risk, there are very few cases in which it is not expending funds.

From a risk perspective, there are a number of critical mindsets with which the Committee can assist the board in its decision making: primarily, the concept that risks are more than what can go wrong; often more importantly, how our organization can embrace a risk, manage it, and so achieve its strategic objectives.

No discussion on organization risk for directors would be complete without a brief discussion on personal risk for the director. Personal risks that directors should consider may include:

  • Lack of skills/ability to contribute to the board and committees
  • Ability to understand key issues in the organization/sector
  • Time impact—sufficient availability to adequately prepare to contribute at meetings
  • Reputation:
    • An individual's reputation by joining or not joining a particular board
    • Inability of the board to function effectively
  • Lack of information to make informed decisions and management's unwillingness or incapability to provide timely and reliable information
  • Insolvency:
    • Personal liability
  • Jail:
    • Ineffective processes to manage legislative obligations
  • Inability to manage conflicts of interest
  • Ineffective directors' and officers' insurance coverage

Audit Committee Oversight of Business Conduct, Ethics, and Whistleblowing

The area of ethics and whistleblowing appears to be one of the areas of greatest dilemma facing the modern Audit Committee.

  • How do directors set the ethical perspective for the organization effectively?
  • How do they monitor the ethical values throughout the organization?
  • When things go wrong, as they inevitably will from time to time, are there robust mechanisms to bring these matters to the attention of the right people in an appropriate time frame?
  • What is the response in the boardroom when ethical and cultural issues come to the board's attention and does that response set and reinforce the tone from the top that the board is responsible for setting?

Ethics is a hard area in which to provide a concrete to-do list; however, regular conversations on ethics are important in the boardroom and should be encouraged and more deeply explored in the Audit Committee. Some of the questions for consideration include:

  • Whose ethics are we applying?
  • What model are we considering? (Google “ethical model” and see the wide range of ethical models).
  • Is our ethical model valid in every jurisdiction in which we operate?

As directors, we employ the CEO and have visibility (or a role) with the employment of the senior executive ranks (the C-suite), and it is critical that the ethics we state in the boardroom are visible to the C-suite, reinforced, and that we have a process in place to receive feedback on the ethics and culture of the organization.

In the Australian Stock Exchange (ASX) Corporate Governance Council's document, “Corporate Governance Principles and Recommendations, 4th Edition,” Principle 3 is about acting lawfully, ethically, and responsibly. The commentary on this principle states:

The board should approve an entity's statement of values and charge the senior executive team with the responsibility of inculcating those values across the organization. This includes ensuring that all employees receive appropriate training on the values and senior executives continually referencing and reinforcing those values in their interactions with staff (i.e., setting the “tone at the top”).

Ethics and compliance become intertwined activities: If we set a low bar in relation to ethics, it is possible that the organization will have a poor compliance culture for policies and procedures and regulatory obligations. In a paper by Athol Yates of the Institute of Engineers Australia at an Australian Institute of Criminology symposium:

  • While it was considered that Turkey had a sound and appropriate building code, around 12,000 people died in the 1999 earthquake as buildings collapsed; had the buildings been built in accordance with the building standards, such deaths would not have been likely.
  • In India, an appropriate code for earthquakes and the design and construction of buildings existed, yet in the 2001 earthquake, some 20,000 people died, 183,000 houses were completely flattened and around 420,000 were severely damaged.

In subsequent investigations of these two events, experts posited that there had been lax enforcement of codes by government authorities and significant noncompliance by the private sector, something recently repeated in building regulatory code breakdowns in NSW Australia.

How might we as an Audit Committee proceed in the area of compliance for our organizations? The following are some suggestions, but by no means a full list.

  • Ensure that the Audit Committee (and board) reinforce the importance of compliance. Tokenism in the Audit Committee will lead to tokenism (or worse) in the workplace, exposing the organization generally and potentially the directors personally.
  • Ensure the Audit Committee actively links compliance with the ethical values of the organization.
  • Ensure the board education program includes updates on legislative compliance issues and compliance management within the organization.
  • Create and ensure a culture exists where employees and contractors are encouraged to report breaches of compliance or ethics, either through their chain of command or to an internal group that can receive information on breaches or to an external hotline service, and that these matters are promptly and actively independently investigated.
  • Invest in a process to identify and document all legislation and regulations applicable to your organization. Your legal or accounting firm will no doubt be happy to assist, and there are other organizations that provide services and data feeds in this domain.
  • Recognize the breadth of potential compliance areas: not only the company's code and work health and safety, but also emerging areas such as privacy, data access, and anti-bribery and corruption.
  • Having identified all the areas of compliance, develop a strategy to have compliance managed. There are a number of ways this can be achieved, but one method the author prefers is to have a central record of all compliance requirements, allocate these to accountable persons, link them to policies and procedures (remembering that some pieces of legislation may require multiple accountable persons depending on the section and numerous policies and procedures), and have a reporting mechanism that is appropriate for the type of compliance activity. Some reporting can be achieved by building compliance into automated systems; others require thorough regular review and signoffs.
  • Invest in a process to ensure that the compliance register is maintained up to date with changes to, deletion of, or additional legislation.
  • Invest in training (initial and ongoing) for all persons who have obligations under the compliance program.
  • Ensure that policies and procedures are formally reviewed on an appropriate cycle for the nature of the policy/procedure, and have the review cycle formally tabled at each Audit Committee meeting for those policies and procedures that do not require board review and approval.
  • Ensure that compliance obligations are met even when activities are contracted or outsourced to third parties. When outsourcing, you cannot outsource your obligations.
  • Consider a multi-strand internal audit program, so that as a key internal control is being tested, matters of compliance, ethics, and culture are also being tested and reported upon.

One of the techniques that organizations can use to assist in identifying ethical or compliance breaches is the use of a hotline and having a whistleblowing policy. In various jurisdictions, there is legislation to protect people who make legitimate whistleblowing complaints, which may or may not be effective in supporting whistleblowers.

Even having established the ethical values for the organization and put compliance frameworks in place, when activities go wrong and a whistleblower feels they need to take action, unfortunately it is usually the whistleblower who is treated poorly and comes off worse from the process. Patricia Patrick, PhD and Certified Fraud Examiner, undertook a review of the outcomes for whistleblowers and published some of the outcomes in the Association of Certified Fraud Examiners' Fraud magazine in 2010.1 The findings challenge us as directors in how our organizations respond to whistleblowers. Some key findings from the study included:

  • 74 percent of whistleblowers in her review were terminated. A further 6 percent were suspended and another 5 percent were transferred against their wishes. Some 85 percent of the whistleblowers in this study therefore suffered a significant negative impact on their employment. The remaining 15 percent were subsequently given poor evaluations, demoted, or harassed. Ultimately, 100 percent of whistleblowers in this study suffered significantly in some way.
  • There can be financial consequences for an organization that terminates a whistleblower. Patrick refers to an example of a public housing authority employee who reported cases of leaking of confidential tendering information. The whistleblower was terminated, but was awarded USD1.3 million in damages. In a private sector case, a scientist was terminated after providing information that his employer, a large U.S. oil refinery company, was supplying petrol containing high levels of benzene. He raised his concerns with his Japanese managers, as their state laws and international treaties prohibited the marketing of petrol with unsafe levels of benzene. Upon his return from Japan, his duties were restricted and two weeks later he was terminated. He took action under the U.S. Conscientious Employee Protection Act and was awarded USD2.5 million in compensatory damages, USD0.875 million for emotional distress, and USD3.5 million in punitive damages.

As directors, we need to decide what our personal and organizational ethics are and how we support or destroy whistleblowers. At the end of the day, however, each director needs to consider their own position based on these facts.

What we do know is that there is unethical behavior at the executive level, in types of activity2 such as:

  • Breaches of anti-bribery laws
  • Aggressive accounting treatment
  • Conflicts of interest, and the like

A significant number of these are identified through whistleblowers, whom we subsequently treat badly. Is this because

  • We have a vested interest in the senior executive?
  • We have become so blinded by a sense of trust or duty that we have failed to see some of the signals in advance?
  • We have been supportive of a lack of transparency in decision making, of unwillingness or avoidance in answering questions, or of an attitude that ethics and rules don't apply to those at the top?
  • Profit delivery overrides the ethical and cultural values of the organization?

Whistleblowing processes are a very important mechanism to identify fraud and corruption in the higher parts of the organization, but they are not the only process directors should ensure is in place. The Audit Committee should ensure that programs are in place such as:

  • Developing effective managers
  • Ethics and compliance program training for all layers of the organization, including the board
  • Incorporating ethical and compliance questions in annual staff surveys
  • Whistleblowing hotlines or web services with external professional investigating support services
  • Regular reporting to the Audit Committee (in camera, if necessary)
  • Policies in relation to disciplinary and police actions in the event of fraud, corruption, and the like, being identified

In the past, reputation was considered a primary reason to keep fraud and corruption “under wraps.” Now, in many jurisdictions, an organization's reputation can be considerably damaged if it does not act appropriately on reports of fraud and corruption and does not take action to protect the whistleblowers.

Audit Committee Oversight of Technology and Cybersecurity

To conclude this chapter on Audit Committees, for some organizations, the issues of technology and cybersecurity are of such critical importance to the organization that from a strategic and risk perspective the board may establish a specialist board Technology Committee.

In the absence of such a committee (and perhaps even of a separate Risk Committee), the Audit Committee has a significant role in the oversight of technology and cybersecurity.

Where an organization has a significant exposure to technology or cybersecurity risks, the board's Nomination Committee should ensure that technology and cybersecurity skills are included in the board's skill matrix and persons with the relevant skills are members of the board. Some of the skills that may be considered are:

  • Experience in governing technology to deliver business performance and competitive edge
  • Expertise on the process for technology-related judgements and quality decision making
  • Overseeing technology selection and implementation to achieve and demonstrate the returns on investment

The makeup of the Audit (and Risk) Committee in an organization that has these technology exposures is likely to require having those skilled board members on the Audit Committee.

The issue of cybersecurity is not new. In the research I co-authored and published in 1986,3 we commented that only two of the 392 survey respondents4 met what was determined to be the minimum acceptable level of security. It is interesting looking back at the results in the light of our 2015 perspectives, as the major risks identified in 1986 were:

  • Inadequate fire protection
  • Threat of terrorism
  • Absence of effective contingency plans
  • Inadequate program and data security
  • Poor identification control procedures
  • Ineffective EDP audit.5

Some key recommendations from the research were:

  • Computer security standards should be developed and their usage enforced. This may require government legislation.
  • Upgrade the technical expertise and effectiveness of the EDP audit function.
  • Disclose information relating to computer fraud [which may encompass data breaches as a current example].
  • Organizations should either commission an independent security review or provide a forum whereby DP managers can convey their concerns on computer security to senior management.
  • Secondary sites are considered an essential part of an effective contingency plan…. This may be cost prohibitive; hence consideration should be given to sharing secondary sites with other organizations [enter the cloud!].6

The Audit Committee should ensure that its Charter (assuming there are no specialist technology or risk committees) includes:

  • Review of major business investments [this is very broad and not limited to technology]
  • Review of major technology selection processes
  • Review of major technology implementations
  • Review of the IT Audit Capability of Internal Audit
  • Review of cybersecurity threats and treatments
  • Review of technology business continuity

Common problems and risks associated with information technology projects can be summarized as:

  • Reduction in scope to meet financial or time limitations.
  • Scope creep (scope not fully understood at commencement, leading to extra cost; noting also that repair costs are proportionally more expensive than original development costs, and that some of the scope may have been hidden to achieve board approval).
  • Project does not meet stakeholders' needs.
  • Business is not ready to utilize new systems and processes (lack of change management investment).
  • Project is not forward thinking enough and other market participants leapfrog technology, gaining a significant competitive advantage.

As part of their oversight of technology, directors should enquire as to the tools and methodologies that the organization has employed to manage risks within the information domain. While not going into detail on them here, the following are some key methodologies and standards that boards and Audit Committees may use as reference points and include in the board education program:

  • ISO38500—IT Governance Standard: At the outset it is important to state that this standard is not a standard for certification. There are six principles within this standard, and they form the basis of useful discussions among directors and between the board and management:
    • Responsibility
    • Strategy
    • Acquisition
    • Performance
    • Conformance
    • Human behavior
  • The Information Systems Audit and Control Association (ISACA) and its related IT Governance Institute have developed a number of useful governance and control models. The key model, CobIT7 (Control Objectives for IT), is internationally recognized. CobIT provides support in relation to audit and assurance, risk management, information security, regulatory and compliance concerns, and the overarching governance of the organization's enterprise IT.
  • Project management should be an enterprise approach, where technology projects are just one of the delivery vehicles for a particular investment. Even predominately IT-related projects are in reality business projects, and the investment in understanding needs, business process reengineering, and change management can often dwarf the direct IT investment. Prince28 and PMBOK9 are two internationally recognized project management methodologies. To support these methodologies, organizations should consider implementing a version of the Gateway Review process, which is a formal process to review projects at key “gates” in the project's lifecycle. The longer a project has been underway, the harder it is to “kill it off.” This is often due to a misbelief that the “project will turn around very soon,” the sunk costs being so large that “it can't cost much more to finish,” and the personal aspect of having supported the decision to approve a project that has now been found wanting, which reflects badly on our own judgment.
  • ITIL (Information Technology Infrastructure Library)10 is an internationally recognized method to assist in the management of the technology infrastructure. This level of detail should not be in the domain of the board; however, it is important that the board ensure that methodologies such as ITIL or the international standard equivalent (ISO 20000)11 are in use. ITIL covers areas such as:
    • Service Strategy
    • Service Design
    • Service Transition
    • Service Operations
    • Continual Service Improvement
  • Information Security Standards: The most common reference for information security standards is ISO2700112 and its related documents. This is a standard against which an organization can be certified. However, at a practical level, directors need to be careful with the scope and use of this standard. The positive in relation to this standard is that it focuses on information security, not merely technology security, and so also covers paper-based information and other recorded information (such as voice and video). On the downside, what is in scope is always the question. When your executives come to the board with a proposal around an IT partner and announce that the partner is ISO27001 certified, directors need to ask, “What are they certified for—what is the scope of their ISO27001 certification, and does it cover the services being provided to our organization?”
  • Service Organization Reports: Under international accounting principles, organizations can provide or receive Service Organization Control (SOC) reports under the U.S./Canadian Statement of Standards for Attestation Engagements (SSAE) No. 16 or the international or jurisdictional equivalent. It is important that directors critically understand the differences between the types of SOC report, and, as with the ISO27001 security standard, it is important not only to ensure that the right type of SOC report is being considered, but also to understand the scope of the SOC report if you are relying upon one from a technology provider partner.

Conclusion

It is hoped that this chapter on Audit Committees will be of use to all directors, not just Audit Committee members. The chapter has covered financial literacy; oversight of the external auditor; oversight of financial reporting; oversight of the internal audit function; oversight of risk management; oversight of business conduct, ethics, and whistleblowing; and oversight of technology and cybersecurity.

About the Author


Jason Masters is a chair and nonexecutive director with over 10 years of nonexecutive experience gained through serving on the boards of approximately 20 private, public, and not-for-profit organizations. His primary NED experience is in Governance, Audit, Risk, Technology, and Finance. He chairs audit or audit and risk committees in the financial services sector and government sector and is a member of audit and risk committees in the health sector and local government.

Jason is a fellow (and graduate) of the Australian Institute of Company Directors (where he also facilitates many courses in finance, strategy, and risk), a Professional Fellow of the Institute of Internal Auditors Australia, Certified in Risk Management Assurance from the Institute of Internal Auditors, Certified in the Governance of Enterprise IT from ISACA, and a Certified Fraud Examiner. He has a Bachelor of Economics with a sub-major in Computer Science. He co-authored the landmark study “Computer Security in Australia” through RMIT University. He is formerly the chief audit executive for two major corporations in Australia.

Jason has held roles in numerous sectors: Utilities and Infrastructure; Transport and Logistics; Technology; Manufacturing and Maintenance; Financial Services; Public Sector; Health; and Start-up. He is a frequent domestic and international speaker on director development, technology, audit, risk, finance, and procurement.

Notes

  1. Patrick, Patricia, “Be Prepared Before You Blow the Whistle: Protection Under State Whistle-Blowing Laws,” Fraud magazine, ACFE, September/October 2010, http://www.fraud-magazine.com/article.aspx?id=4294968656, sourced December 31, 2014.
  2. https://iaonline.theiia.org/fraud-at-the-top, sourced January 1, 2015.
  3. Benbow, G., J. Masters, and B. Cooper, “Computer Security in Australia,” Royal Melbourne Institute of Technology Limited, 1986.
  4. The response rate to this survey was 48%, which is exceptionally high for this type of study. Responses came from across most sectors: 22.7% from the public sector and the remainder from across the private sector. The sector not represented was the not-for-profit sector, as the survey was designed to consider the largest organizations in Australia; 23.7% of those in the survey were subsidiaries of overseas entities.
  5. Ibid., p. 1.
  6. Ibid., p. 1.
  7. http://www.isaca.org/COBIT/Pages/default.aspx, sourced December 30, 2014.
  8. https://www.axelos.com/what-is-prince2. The UK Government entered into a joint venture with outsourcer Capita and transferred the use of their IP to Axelos Limited from January 1, 2014. Sourced December 30, 2014.
  9. http://www.pmi.org/PMBOK-Guide-and-Standards.aspx, sourced December 30, 2014.
  10. https://www.axelos.com/what-is-itil, sourced December 30, 2014.
  11. http://www.iso.org/iso/catalogue_detail?csnumber=51986, sourced December 30, 2014.
  12. Ibid.