What Insight Do Audit Committees Receive From Internal Audit – Not Enough Or Much – KPMG Survey

What insight do audit committees receive from IA

The above chart is from a new KPMG survey of audit committee chairs and CFOs. You can find the survey at GM-OTS-1653_SeekingValueThrough_IAB_V1.pdf.

The survey and the above chart identify ongoing challenges for internal audit to provide and prove enough value to audit committee members and CFOs. It is well-documented that these challenges have existed for years – basically forever. But let’s not overgeneralize – one size doesn’t fit all, and certainly there are internal audit functions that are up-to-speed and that are providing good value.

If there is a problem in this area, you must also ask the audit committee members, not just the audit committee chair but also the individual members who aren’t the chair, why they aren’t getting the information that they need from internal audit? There’s either a lack of common understanding, and that lack of understanding might also be the fault of the audit committee members if they are not expressing themselves sufficiently, or there is a problem with the internal audit function, or its funding, or the qualifications of its members. In theory, it also is possible that the audit committee or the CFO simply are asking internal audit to perform a task or to provide information that is unreasonable; however, that is like saying “I can’t do that for you,” which of course is a very bad approach.

You can also see Tate’s Excellent Audit Committee Guide (updated January 3, 2016), at http://wp.me/p75iWX-q

Dave Tate, Esq., San Francisco and California, http://auditcommitteeupdate.com

Audit Committee 5 Lines of Defense 02132016 David W. Tate, Esq.


Internal Auditors Not Giving Enough Risk Insights

CFOs and audit committee chairs are not getting enough insights into corporate risk management from their companies’ internal audit function, according to a new survey.

Click on the following link for the article: www.accountingtoday.com

Dave Tate, Esq. comment. The results of this survey really shouldn’t be surprising. There isn’t even agreement on what risk management is or a recommended process.

Risk management is a collaborative effort. If I’m on a board risk committee or on an audit committee that has been delegated initial risk management oversight, yes, I’m going to request and expect executive management and internal audit to provide comments and evaluations not only about risk management, but also about the processes that are being used, and that should be updated and used.

However, as a risk or audit committee member, I’m also going to provide my comments about what I need to see and receive in that regard so that I am comfortable that what I am receiving allows me to perform my oversight responsibilities. Okay, so if internal audit isn’t giving enough risk insight as the article indicates, why is that, and what must be done to correct that dynamic? Those are questions that the risk or audit committee members must ask and act upon to satisfy their responsibilities as required by the business judgment rule, statutes, regulations, rules and the committee charter.

How Can Internal Audit Support the Growing Responsibilities of the Audit Committee?

Recent 2015 audit surveys report some interesting findings about the current role of audit committees. They highlight not only how complex the world of risk management and oversight has become in the corporate world, but also the enormous breadth of responsibilities that the audit committee is expected to bear.

Click on the following link for the article: corporatecomplianceinsights.com

Dave Tate, Esq. comments: Although this is a very brief article, the topics and issues listed are large and complex. The article also offers no help at resolution. But these issues are here to stay for boards and audit committees. Every internal audit function is different – some are qualified or partially qualified to help with these issues, whereas some are not. For some additional information, see Tate’s Excellent Audit Committee Guide (January 3, 2016, version, 183 pages) at http://wp.me/p75iWX-q.

Best. Dave Tate, Esq. (San Francisco and California). See also my other blog re trust, estate, conservatorship, power of attorney and elder abuse litigation and contentious administrations at http://californiaestatetrust.com, and my website at http://tateattorney.com.

Do You Have a Contrarian on Your Team?

A divergent opinion can lead to more creative and better decisions.

Click on the following for the article: www.gsb.stanford.edu

Dave Tate, Esq. comments – food for thought – every board and management situation is different anyway – but also, did anyone say that there shouldn’t be or can’t be contrarian views on a board or committee? Look at the business judgment rule – there’s nothing there about all having to agree. One vote per person. My website: http://tateattorney.com.

Audit Committee 5 Lines of Defense

Audit Committee 5 Lines of Defense 02132016 David W. Tate, Esq.

Making crisis simulations matter | Deloitte | Focus on | Crisis Management Services

This issue of Focus on discusses the importance of crisis simulation and how to manage a maturity-based approach. It offers insights for getting started as well as examples of simulations in action.

Click on the following link for Deloitte’s discussion (I’m a Deloitte alum): www2.deloitte.com

Dave Tate, Esq. comments – I’m passing this along as food for thought. It is fairly basic, but I like the second paragraph, which you might want to use to help you consider simulations that might be useful from the audit committee, board, and management perspectives. And here is the link to my website which contains links to my two blogs (this blog, and the blog for trust, estate and elder abuse litigation): http://tateattorney.com.

Trados: What Happens When Venture Capital Interests and Director Fiduciary Duties Collide | Woodruff-Sawyer & Co.

Some sales of private companies are terrific events. Big valuations can lead to all investors getting paid, not to mention dancing and high-fives all around. But what happens when the sale is a sad one?

Click on the following link for the article: wsandco.com

Dave Tate, Esq. comments. This is a Woodruff Sawyer December 2014 article, but it remains timely for private company director fiduciary duties. It’s a very good read. And I have to add, obviously after reading this, if you are a private company director, you need to be sure that you have a good lawyer.

What do you do if you are an audit committee member or a director and you don’t know a relevant subject matter area?

The answer to this question might seem easy – you could say (1) “learn the area” or you might say (2) “rely upon other people” or you might say (3) “learn the area and rely on other people.” But learning the area even with a good faith effort isn’t necessarily easy or quick, and you need to ask whether relying on other people will satisfy your responsibilities. Many audit committee and board relevant subject matter areas are difficult or complicated.

Based on the business judgment rule, I recommend the third approach. I say that because you might well in part rely upon other people, but you must do so intelligently, and I would ask, other than simple complete trust or deferral, can you intelligently rely on other people if you don’t have sufficient background to gather information and ask questions, let alone evaluate the information and make decisions?

Let me also add, if it’s a specific subject matter area in which you have an oversight responsibility, such as, for example, for audit committees, oversight of the independent or external audit and of the external auditor, oversight of internal controls, oversight of the internal audit function, oversight of significant accounting practices, policies and principles, and oversight of anonymous reporting, and there are also many other specific areas, then for those areas you really do need to have or obtain (yes, it can be okay to “obtain”) the necessary background knowledge about those areas as they are core areas of your responsibility.

Below is a summary of the business judgment rule that I have taken from Tate’s Excellent Audit Committee Guide (in the Guide I have stated the rule in three different ways, because the business judgment rule is so important), and you can find the January 3, 2016, version of the Guide (183 pages) at the following link (note, I do try to update the Guide every 2-3 months, and please tell other people about this blog and the Guide as they are only worthwhile if people read them) – the link for the January 2016 version of the Guide is http://wp.me/p75iWX-q

  1. THE BUSINESS JUDGMENT RULE

The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. I have started with the business judgment rule because it provides a very good overall approach for directors and audit committee members to follow, although lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, e.g., Cal. Corp. Code §309 for California corporations, Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

- In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

- In a manner that the committee member believes to be in the best interests of the corporation and its shareholders; and

- With the care, including reasonable inquiry, that an ordinarily prudent person in a like position would use under similar circumstances.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. The director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

- Officers or employees of the corporation whom the director believes to be reliable and competent in the relevant matters;

- Legal counsel, independent accountants or other persons as to matters that the director believes are within the person’s professional or expert competence; or

- A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

* * * * *

Unicorns, Down Rounds, and Independent Directors | Woodruff-Sawyer & Co.

It’s 2016, and frankly, people are concerned about the valuations of venture-backed private companies. More than 140 “unicorns” exist today–private companies that have been valued at more than $1 billion. …

Click on the following link for the discussion: wsandco.com

Dave Tate, Esq. comment. A good article from Priya Cherian Huskins, and she suggests that in these situations you consider having independent directors sooner rather than later.

Does Your Audit Committee Charter List Risk Management?

If you are an audit committee member of a public company, your audit committee charter might, and in some cases must, in some manner list risk management oversight as a responsibility.

If you are a nonprofit, private business or company, or governmental entity, and if you have an audit committee charter, your charter also might list risk management oversight, and if it doesn’t, then that oversight is the sole responsibility of the entire board.

In relevant part for example the NYSE Listed Company Manual states under Audit Committee Additional Requirements that the audit committee’s purpose in part at a minimum must be to:

  1. Assist board oversight of (1) the integrity of the listed company’s financial statements, (2) the listed company’s compliance with legal and regulatory requirements, (3) the independent auditor’s qualifications and independence, and (4) the performance of the listed company’s internal audit function and independent auditors (if the listed company does not yet have an internal audit function because it is availing itself of a transition period pursuant to Section 303A.00, the charter must provide that the committee will assist board oversight of the design and implementation of the internal audit function); and
  2. Discuss policies with respect to risk assessment and risk management.

And under related Commentary with respect to risk assessment and management: While it is the job of the CEO and senior management to assess and manage the listed company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the listed company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.

The Listed Company Manual also states that each listed company must have an internal audit function.

And under related Commentary with respect to the internal audit function: Listed companies must maintain an internal audit function to provide management and the audit committee with ongoing assessments of the listed company’s risk management processes and system of internal control. A listed company may choose to outsource this function to a third party service provider other than its independent auditor. While Section 303A.00 permits certain categories of newly-listed companies to avail themselves of a transition period to comply with the internal audit function requirement, all listed companies must have an internal audit function in place no later than the first anniversary of the company’s listing date.

Further, General Commentary to Section 303A.07 states: To avoid any confusion, note that the audit committee functions specified in Section 303A.07 are the sole responsibility of the audit committee and may not be allocated to a different committee.

From an audit committee member perspective, here’s the issue that I have with risk management oversight – it’s whether the audit committee and the board primarily, and possibly other necessary stakeholders or people involved, really have reached an understanding about what that “risk management” oversight means, both in terms of substantive risk oversight areas that are (and therefore also that aren’t) included in your oversight responsibilities, and exactly what you are expected to do to satisfy that oversight. And then, how those areas and responsibilities are described in the charter. Without clarification the term “risk management” is or can be vague and potentially extremely broad.

As risk management oversight has grown, or you might say, exploded, in importance for the board and its committees, over the past several years I have regularly received materials from risk management professionals discussing and disagreeing about exactly what risk management is, what terms and criteria to use, and how to go about performing risk management. I’m not trying to duplicate their efforts. But risk management can be a complicated area requiring a substantial investment of oversight effort and time. Obviously it’s an important area for the board, and for an audit committee or risk committee to which that oversight has been delegated. Even with delegation to a committee, the board should still maintain risk management oversight.

And risk management also is an area that relates to other areas of oversight such as internal controls (COSO 2013), personal safety, anonymous reporting processes and investigations, compliance with laws, and other areas.

You, as an audit committee member, and other stakeholders need to understand what is involved, and what is expected of you, so that hopefully, to the extent possible (because it isn’t possible to avoid all surprise or unexpected situations) the important possible risks or surprises and related processes that are under your oversight have been and are being evaluated, addressed (designed and implemented), monitored and updated as necessary, including what to do and how to act to mitigate and remedy the situation if a surprise or unexpected situation does occur.

You can find additional discussions on this blog and on Tate’s Excellent Audit Committee Guide, the January 3, 2016, version of which can be found at http://wp.me/p75iWX-q

Wishing you the best.

Dave Tate, Esq. and CPA licensed in California (inactive), San Francisco and California
