Making audit make sense

The past few years of upheaval have underscored a fact that anyone serving on an audit committee well knows—the array of potential risks facing each and every company today is simply too vast and varied for any board to cover in full. How, then, to get enough of a handle on the full spectrum of concerns to ensure that the company is as prepared as it possibly can be—at least for those deemed most crucial?

It’s a question audit committees have been wrestling with for some time, agreed directors participating in a recent roundtable co-sponsored by Corporate Board Member and RSM, several of whom remarked on the boundless nature of the role. “Over the years, we’ve spent more and more time on cyber security, because the threats change, and the amount of industrial equipment that could be attacked goes up every day,” said Neil Novich, a director at W.W. Grainger. “We’re looking at ESG metrics, not just collecting them, but what will it mean if we have to report on them? We spend time on the world—what if the war in Ukraine escalates?—on inflation, on talent. It’s a little bit of everything. Basically, if no one knows where to put it, it ends up in the audit committee.”

By their very nature, risks continually evolve, unfolding in new ways and reordering themselves in importance, added Allison Egbert, partner, audit services, and SEC practice leader, Boston and Northeast region at RSM. “One of the things audit committees struggle with is marrying the reporting risks and the enterprise-level risks,” she noted. “Then at the board level, how much information do you need? Which risks are most important this quarter? How are they evolving year over year?”

Cybersecurity and IT are perennially top-of-mind. However, companies’ ability to attract and retain talent, comply with new reporting requirements, and adapt to operate in inflationary times are now also primary areas of concern, agreed participants, several of whom ex-pressed frustration about the ever-growing list of priorities.

“Board members need to start to be concerned about information overload,” said John Baily, lead director at RLI. “I just read the first draft of one of my companies’ ESG disclosure documents guessing where the SEC will end up in terms of mandatory disclosure, which is a project all by itself. Meanwhile, all boards are focused on IT and how to get and stay informed. I don’t think you can add enough board seats to cover all the topics on which we need expertise."

Ensuring expertise

Concern over the widening array of risks is shining a spotlight on board composition. However, some directors view CEO experience rather than expertise with a specific risk as what truly best equips boards to navigate emerging risks. “It’s a given that we keep up with things impacting our companies, but there’s a skill to being a board member that doesn’t have to do with being a subject matter expert,” said Greg Serio, a director at Radian Group. “That’s as a skilled scrutinizer for the purpose of promoting and developing shareholder value. This is why companies like C-Suite people on boards because they’ve done that with all the people underneath them. You don’t have to be an expert in a subject if you’ve got the skill of inquiring.”

Boards can, and should, question management closely, agreed Hussain Hasan, principal and national leader of technology risk consulting at RSM, who notes that audit committees must ensure that management is tech savvy enough to see and dissect the value of emerging technologies. “With AI, I would ask. how do you know the AI engine is working and was designed properly? How do you tell your regulators that it’s doing the right thing—because knowing is one thing. and convincing the regulator is another.”

Still, many boards continue to explore building expertise into the current board or finding ways to bring it in from outside. At Radian, for example, the board called on a director from each committee to adopt and watch over a functional area. “It allows each person to take a deeper dive in an individual area and really know what’s going on,” Serio explained. “We also don’t hesitate to hire external experts. We spend time with cyber auditors and have experts in compliance come in every two to three years. So there are ways to get it done.”

Some audit committees chose to adjust their meeting practices to cope with the workload. “We broke our audit committee meetings into two separate one-day sessions in order to cover everything,” noted Kathleen Camilli, a director at Unifirst. “We have very deep dives where management comes in and very deep dives with internal and external experts. Meetings also go on longer and longer.”

Board members also need to walk in prepared, noted Samantha Holroyd, lead director and an audit committee member at Chord Energy. “I’ve been challenging my board members to educate themselves outside of our boardroom,” she said.

“The culture has to be perpetual learning,” agreed Jeff Geygan, a director at Wayside Technology and Rocky Mountain Chocolate and CEO of Global Value Investment. “I tell people when they join the board, ‘This is a roll-up-your-sleeves kind of assignment. You’ll get paid pretty well, but you’ll do some homework at night, for sure. And if you don’t want to take that on, this is probably not the right place for you to sit."

Shifting to subcommittees

In some cases, recognition of the significance of a particular risk has led audit committees to hive off subcommittees devoted to a single area of concern. For example, healthcare company Ensign’s audit committee formed a separate entity focused on cybersecurity. “A healthcare data leak impacts every single aspect of the business, regulatory, financial, compliance—the criticality was so big that to have it buried by other matters would not be right,” explained Swati Abbott, a director at the company. “So we spun out a committee where we have internal audits for regulatory and compliance, for how we bill patents, how we protect privacy, and then that committee reports up to the board and the audit committee.”

The shift enabled more effective oversight of the broad spectrum of cyber risk. For example, Ensign’s board was able to look more closely at billing risk, at the regulatory environment, and at the role technology and data analytics can play in privacy. “We can have those interactive discussions, and then the audit committee gets the shout-out reporting,” explained Abbott.

For other boards, the solution entailed taking a hard look at scope creep for the audit committee. “As chair, I try to keep our focus on reporting risk,” explained Ellen Masterson, director, and audit committee chair at both Insperity and Westwood Holdings. “What are the systems and processes that build the information, and are they auditable? Are we using internal audit now to build the platform so that when these things do require an auditor’s report, we’ll be there? So when someone says, ‘Oh, the audit committee is responsible for ESG,’ I say, ‘Wait a minute, we’re responsible for the reporting and auditability, but not for the performance.”

While audit committees have historically taken a triage approach to prioritizing competing risks, assessing and agreeing on the levels of various risks has become more complex. “We use dashboards to identify the top 10 financial risk items each year and then set our agenda to make sure we get through them all during the year,” said John Kurtzweil, director and chair of the audit committee at both Axcelis Technologies and SkyWater Technology Foundry, whose audit committee regularly brings in outside expertise both with management present and for private sessions. “Management always gets concerned, but I’ve told my CFOs, ‘Just get over it.’ Because we’re the audit committee; we’re not management. So we’re going to do independent research, and we’re going to ask independent questions.”

Ultimately, it’s that challenge today’s audit committees must navigate: having the willingness to continually dig in, learn and evolve along with the company and its industry enough to be able to ask the right questions about the right risks. “We’re all brought onto boards to scrutinize, ask probing questions, take in the information we are provided—or not provided, as the case may be—and challenge management,” said Serio. “We don’t need to be, and we never will be, the subject matter experts. We’re never going to be able to afford all the subject matter experts we want.

“So we have to focus on: Is management handling this information well? Are they responding to things in the marketplace? Despite everything that’s emerged the past few years and that will emerge as time goes on, the job is still the same job. At the end of the day, the question that will come from a shareholder, from a regulator, from a lawyer, will be: Was the board asking the right questions?”

This article appeared in the Q1 2023 issue of Corporate Board Member. Reprinted with permission.