The heat stays on.
Audit Committees Confront Risk
In the new environment, a four-part oversight framework offers a valuable methodology for understanding and monitoring key processes, and protecting the audit committee and the company from undue risk exposure.
It's a new world out there for audit committees. New regulations--including The Sarbanes-Oxley Act of 2002--have formalized the responsibilities of these panels, laying down specific duties for their members. This change is in sharp contrast to the way audit committees have historically organized, having evolved in response to developments in the current business environment.
Audit committees remain the guardian of investor and corporate accountability. But their new responsibilities place an added emphasis on risk concern, not only in the financial-reporting process but also throughout the company's operations.
The rapidity with which these new regulations have been imposed may have audit committee members' heads reeling, as they need to keep up with an ever-changing rulebook. At the same time, the complexities of these new regulations raise the potential for audit committees to become unduly focused on compliance, at the expense of ensuring that adequate risk-management procedures are being followed.
Audit committees can provide effective risk oversight by using a four-part framework, which addresses: 1) organization and operation; 2) financial reporting and risk assessment; 3) internal control; and 4) oversight authority. This framework can help committee members better visualize the primary considerations that lie before them.
Organization and Operation
The organization and operation of the audit committee is the first part of the oversight framework. First and foremost, the board will necessarily want to ensure that the audit committee is composed of the right individuals and be satisfied that they are experienced, ethical, inquisitive and independent.
New regulations have raised the bar when it comes to independence. For example, Sarbanes-Oxley states that an audit committee member may not accept, directly or indirectly, any "consulting, advisory, or other compensatory fee" from either the company or any of its subsidiaries beyond the fee he or she receives from serving on the board, the committee itself or any other board committee. And, each of the three major U.S. stock exchanges--the New York Stock Exchange, Nasdaq and American Stock Exchange--has proposed independence rules applicable to its listed companies.
However, these new independence requirements are not without a number of gray areas, and questions need to be addressed with the assistance of skilled and experienced advisors. It is imperative that audit committee members seek counsel when such questions arise, as they invariably will.
In addition to independence considerations, Sarbanes-Oxley and the Securities and Exchange Commission's rules also require disclosure that at least one committee member be an "audit-committee financial expert." Besides consulting Section 407 of the act, which prescribes criteria for "financial expert" qualifications, audit committee members should also seek additional outside help and advice.
Most audit committee charters provide for an annual evaluation, which allows committees to review the membership and the committee's relationship with management and with the internal and external auditors. These formal assessments should include an audit committee self-assessment, as well as assessments by the board, the CFO, the chief executive and both internal and external auditors.
Within an organization, an audit committee's key priority is to create what some have called "a culture of dissent." In many well-meaning companies, there is often no definable risk structure, but a pattern of tacit communication between the audit committee and management and the audit committee and the internal and external auditors. The audit committee must set a tone that establishes its objectivity and independence, its expectations from the parties it oversees and those that support it, and its objectives.
Cultivating a culture of dissent can be the hardest task, because it can get in the way of otherwise collegial relations. Committee members might feel awkward questioning management on topics they hadn't questioned in the past. This is yet another reason why an established and clearly documented framework can be invaluable.
Financial Reporting Risk Assessment
The second part of the oversight framework for audit committees addresses the risks associated with external financial reporting and potential management misconduct.
As part of the financial reporting risk-assessment process, audit committees should cast a wide net. In particular, committees need to reflect on some of the more commonly documented areas, including: trading of company securities (insider trading, fraud); conflicts of interest; travel and entertainment; related-party transactions; and personal use of company assets.
Committee members can build a formal process around the financial reporting risk-assessment tasks that classify the nature, significance (from insignificant to catastrophic) and likelihood (remote to almost certain) of risks. They can then rank the risks based on their immediacy and impact, and focus on what response (avoidance, acceptance, transference, mitigation) and internal controls or processes have been put in place or need to be put in place to remediate the risks.
Committee members should also factor the cost benefit of action over inaction into the equation, as well as the impact of residual, untreated risks--such as the remaining risk after management actions, processes and controls have been considered.
Some suggestions include:
* Determine the company's tolerance for financial reporting risks. Communicate that tolerance to operating and financial management and the internal and external auditors. Ensure that everyone understands and agrees and that management's attitude is consistent with the company's risk tolerance.
* Create a company culture that encourages open and candid discussion of financial reporting risk and processes, including expression of concerns by individuals at all levels in the organization.
* Consider the incentive/pressures and opportunities for fraud in the company, as well as the attitudes/rationalizations of management and employees related to fraud. Determine how the company's incentive programs affect risk management.
* Identify the risk owners. Establish controls to manage risks. Put in place the processes for measuring and monitoring risks. Seek the perspective of the person or department overseeing risk.
* Make financial reporting risk a priority consideration whenever business processes are changed or improved.
Audit committee members should be cautious about assuming their company has the necessary controls in place. Rather, audit committees need to be more circumspect and include "nontraditional" areas in their review.
Internal Control Over Financial Reporting
The third part of the risk oversight framework also addresses financial reporting, this time ensuring that the proper internal controls are in place with regard to regulatory demands. In executing this oversight role, the audit committee might want to seek to ensure management has thoroughly thought through its compliance:
* Insist the company has a detailed plan for the internal-control documentation and evaluation process. Ensure the company has dedicated sufficient resources to adequately document and evaluate internal control in sufficient detail.
* Determine the planned involvement of the internal auditor in the internal control documentation and evaluation effort. Make sure he or she has the appropriate training and resources to be effective in that role.
* See to it that in-house training is provided at the operational level to help ensure that employees performing internal control-related tasks understand the importance and impact of their function.
* Identify any significant internal controls deficiencies or material weaknesses. If they are not corrected, determine why not, and ask the external auditor if it agrees.
* Review the external auditor's planning for the audit of internal controls to ensure it is thorough.
* See to it that management and the external auditor have coordinated their plans and whether management and the external auditors will be able to meet the internal-control reporting deadlines.
Audit Process Oversight
The fourth and final plank of the risk oversight framework involves the authority of the audit committee.
As the audit committee reviews the results of both its internal and external auditors, it must be satisfied that the facts hold. To execute its charge, the audit committee must be empowered with the right authority--not only implicitly, but also explicitly. Implicitly, a direct reporting relationship must exist between internal audit and the audit committee, one that allows sufficient opportunity for the committee to approve the annual internal audit work plan and ensure that its scope and budget are adequate to address the financial reporting risks facing the company.
Explicitly, the committee should have veto power over the hiring and firing of the company's chief audit executive. Additionally, audit committees are directly responsible to hire, pay, and if necessary, dismiss the external auditor.
Under the new regulations, audit committees are also required to approve any non-audit activities performed by the external auditor. The external auditor now has a responsibility to go to an audit committee for pre-approval of all such services.
Without these powers, the audit committee's ability to enforce will lack weight.
Management, supported by internal audit, is charged with implementing, maintaining and monitoring the financial reporting process. Under this umbrella comes responsibility for the company's internal control structure and financial risk management policies. Then management, often supported by the internal auditor, is tasked with attesting to the adequacy and effectiveness of those controls. The external auditor, accountable to the audit committee, audits and reports on the financial statements and management's assertion on internal control over financial reporting. The audit committee, accountable to the board and shareholders, is left with oversight of all the preceding steps.
A risk-based framework can greatly support an audit committee in its understanding and monitoring of all these processes and can be a valuable element in protecting its company and itself from undue risk exposure.
Mary Pat McCarthy is Global Chair of KPMG LLP's Information, Communications and Entertainment practice. Timothy P. Flynn is Vice Chairman of KPMG LLP's Audit and Risk-Advisory Services. KPMG LLP (www.kpmg.com) is the U.S. member firm of KPMG International.
Holding Management's Feet to the Fire
In an interview, Peter Clapman, chief counsel for corporate governance at the giant pension fund TIAA-CREF, puts current issues of shareholder advocacy in context, both for his fund and the larger institutional investor community.
This year's proxy season started with an enormous bang when more than 45 percent of shareholder votes cast at The Walt Disney Co. supported the ouster of longtime chairman and CEO Michael Eisner. Eisner soon stepped down as chairman, in favor of lead director George Mitchell, though he remained CEO.
Despite its indifferent performance in recent years, for a company with a proud history like Disney, the vote was undoubtedly a shock. But more such challenges to management--long-seated management, in particular--are likely in the months and years ahead, thanks in part to major institutional shareholders like the Teachers Insurance and Annuity Association-College Retirement Equities Fund (TIAA-CREF), which opposed the entire slate of directors at Disney.
TIAA-CREF and its bigger cousin, Calpers, the California state retirement fund, are challenging boards and management as never before, and with billions of investment dollars at stake, they get attention. New York City-based TIAA-CREF has $314 billion in assets, making it one of the largest non-mutual fund institutional investors.
Since the 1970s, TIAA-CREF has spearheaded reform on several important issues: apartheid in South Africa, seeking shareholder approval of "poison pills" and leading the effort to persuade the New York Stock Exchange and Nasdaq to institute listing requirements that make equity compensation plans subject to shareholder vote. The pension fund has an extensive, 28-page policy statement on corporate governance that it revised last year and uses as the basis for judging company policies.
Financial Executive Editor-in-Chief Jeffrey Marshall interviewed Peter C. Clapman, TIAA-CREF's senior vice president and chief counsel, corporate governance, to hear where the fund stands on various issues and to get a sense of the pervasiveness of the corporate governance groundswell. Lanky and thoughtful, Clapman spoke for the better part of an hour on a range of topics.
A lawyer by training, Clapman has been with the pension fund since 1972 and has served on a host of outside committees and panels weighing governance issues. He was a member of advisory boards for both the New York and London Stock Exchanges, and was chairman of the International Corporate Governance Network in 1999-2002.
Excerpts from the interview follow.
Q Please put the Disney vote in context in terms of the history of shareholder challenges to management.
CLAPMAN: Disney is really something of a special case. We filed a shareholder resolution in 1997, I think it was, to increase shareholder independence at Disney. At that time, Disney had a board of 19 members, of whom only five we would consider truly independent--but the company considered 11 to be independent. A lot of the difference in characterization had to do with information that, frankly, wasn't even disclosed to shareholders, and was uncovered a bit by the press, in terms of relationships--not entirely between directors and the company, but between directors and members of senior management, which we think are important.
So I think you have to go back over the whole history of Disney to really make sense of the vote.
Q So there had been considerable groundwork done before this vote.
CLAPMAN: Yes, and some of the company's steps, we would acknowledge, were positive--because the board had become more strongly independent than it was when we started that initiative. But then there were issues about their selection of the lead director, George Mitchell, who despite his distinguished public record as a judge, senator and diplomat, does not have that kind of record as a corporate director.
It was something of a perfect storm. There was a shareholder campaign underway that appeared to have some momentum, and people were also getting some sense of the significance that the shareholder access proposal at the SEC [Securities and Exchange Commission] was having. One of the premises of such a proposal is a question of whether [such access] matters; shareholders wanted to say that it did indeed matter. So there were a whole variety of actions, in a collective sense, which came to fruition in the vote at Disney.
Q It's been reported that your fellow pension fund giant, Calpers, has been withholding support from 90 percent of the directors at companies in which it holds shares. TIAA-CREF has not been that aggressive. What is your approach?
CLAPMAN: In our policy statement, we say that we will vote to withhold votes for any individual, or the collective board, when they act contrary to shareholders' interests. Where we are focusing our attention, where we're withholding in significant numbers, is where the board is not independent, by our definition--and there are definitional differences between ours and the way the exchanges define it.
We also look at those companies that have excessive dilution in their option and executive compensation plans. In effect, that fits the statement in our policy statement of acting contrary to shareholder interest. What we find is that the undue dilution we're seeing emanates from plans that were never submitted to shareholders for approval.
We're also withholding on a case-by-case basis. We have an experienced staff of people who are trying to look at issues from a shareholder perspective, trying to understand where the legitimate management prerogatives go, and where we should make our voice felt.
Q Is it fair to say that this year will be your high-water mark in terms of overall challenges?
CLAPMAN: Yes. We try to take a fresh look at issues from time to time, and the revision to our policy statement took almost a year because we wanted to go back almost to ground zero.
We took into account the lessons of the scandals. We looked at what is now incorporated in the exchange listing requirements, and tried to analyze things [in terms of] starting from those events, where did we want to go? We determined that we should withhold [support] in greater numbers than we've done in the past.
It's also a product of a sense of exhaustion with some of the boards that seemed to disregard what we think are legitimate investor claims. For example, we had an initiative in 2001 where we asked that all equity compensation plans be subject to a shareholder vote, because we saw that dilution was increasing in alarming ways.
Then there were issues like repricing of options. And I learned from a task force at the New York Stock Exchange about things like "evergreen plans," which, in effect, provide that if executives exercise options, the plan automatically gives them new options in the same amount. So you'd never have to go to shareholders for approval.
We also saw something that had escaped a lot of attention. In order to disguise what was going on with option grants, companies were buying back shares in the market in order to have shares available for options. When that was going on between 2000 and 2002-3, and the market was going down, to the extent that companies were buying back shares for option programs, they were overpaying.
Q The whole issue of shareholder access and shareholder democracy probably means different things to different people. What does it mean to you?
CLAPMAN: We supported the shareholder access proposal at the SEC, largely as proposed. The rationale is that certain companies--I'll call them outliers--under normal dialogue and interaction between shareholders and the company, are just going to dig in their heels. In those situations, you really need another remedy, and the best one is to give shareholders leverage--if they are large shareholders, responsible shareholders.
The primary result of such a rule would be a better basis for dialogue. I'm willing to predict that if the rule were adopted as proposed, the number of actual campaigns where directors are challenged--where those are actually on the ballot--would be relatively small. Companies would do what they can to avoid that result.
If you look at who could put up an actual nominee, you would need 5 percent of shareholders. That's a very high threshold. It's quite difficult, and you would need a broad base.
Q There's certainly been criticism of the mutual fund industry as being fairly passive shareholders. Do you sense that this may change at some point?
CLAPMAN: There is a dynamic which will encourage change, and that is that voting results will become a matter of public record. If you go back a year or two, mutual funds, for the most part, did not publish guidelines on how they would vote. You had no way of knowing how they actually voted.
They claimed that this actually preserved independence, but I think it did not because companies know how their shareholders vote. Only 20 percent of companies in the U.S. have confidential voting; [otherwise], the mutual fund or anyone else has sent in their vote to the company's tabulator. The fund industry was voting in ways that companies knew, so the argument that there was confidentiality to be preserved didn't work.
Q It was reported recently that the board of Eurotunnel was going to be replaced after a 63 percent negative shareholder vote. Is there any precedent for that in the U.S.?
CLAPMAN: Not really. Eurotunnel has been a cause celebre for many years. The fact that you could amass that number of negative votes suggests that this company had really lost credibility with shareholders.
In Europe, more so than here, companies are willing to say that if shareholders give them a vote of no confidence, it's their responsibility to resign. Here, companies often get very significant votes against their wishes on serious corporate governance issues, and act as if they don't have to do anything.
Q We're starting to see some separation of the chairman and CEO positions in the U.S., though it's still far more prevalent in Europe. How does TIAA-CREF view that issue?
CLAPMAN: Our policy statement, which has been consistent on this for years, says that it is a [matter of] discretion for a board whether they want to split the positions--but if they choose to combine them, the board should have a lead director or a presiding director with real authority.
In England, you had combined roles in 1992, and then a series of commissions recommended a splitting of the roles. A typical English company has fewer independent directors than a typical company in America, and after 12 years, Britain has evolved into having a non-executive, independent director chairing the company.
In the U.S., it's really just coming up about now. There are people who have the skills to do both jobs well, and there are companies that have individuals who are better suited for one or the other. Companies are going to have to sort that out for themselves.
Q Do you think this issue has gained traction in this country because of the perceived excesses of the "imperial CEO?"
CLAPMAN: Yes. One cause of the scandals was the passivity at the board level--that boards did not really perform the role that corporate law demands of them. That often happened because there was so much ebullience in the late '90s and 2000 that the CEOs in some companies could do no wrong, and they were not subject to the kind of appropriate oversight that a board should have.
The reaction some people have to that is to call for an independent chairman. That's not the only way to do it. The listing requirements state that you could alleviate a lot of the concern by having boards with lead directors, companies that really function--we've seen a lot in the past couple of years, with companies publishing their charters, setting executive sessions among board members. You could minimize the concern about imperial CEOs, going forward.
Q Looking at compensation issues, the ratio of CEO pay to that of the rank-and-file worker has been getting a lot of notice in recent years. Do you think that's a fair measure of excessive compensation, or at looking at CEO compensation in general?
CLAPMAN: We approach it from a different point of view. If we get the process right, the executive compensation will come out fairly. The problem with ratios is the suggestion that one size fits all. Some of the problems that developed emanated from the fact that compensation committees did not do their job effectively. They relied unreasonably on the experts brought in by company management, and have not made the right comparisons and, above all, have not really paid for performance.
We believe that if an executive team really produces superior performance, that ought to be appropriately compensated. We also believe that there is a "Lake Wobegon" ratcheting effect, where if every company believes it should reward its executives at the 75th percentile [of the market], you will ratchet up the overall compensation.
We also feel that all option plans should be expensed, the reason being not only is it better disclosure, but it will encourage more pay-for-performance-type plans. If you talk to compensation experts, they will tell you, not on the record, that they have been rebuffed in encouraging more pay-for-performance plans by the disparate accounting treatment--where those plans are expensed, and fixed-price options are not expensed. So, on the illusion that shareholders can [judge] the true effects of the plans in their earnings reports, they've adhered to the wrong kinds of plans.
Q It's been reported that TIAA-CREF has opposed a third of the compensation plans up for vote this year on the grounds that they weren't sufficiently performance-based.
CLAPMAN: Right, and they've been excessive in terms of shareholder dilution.
Q As you view a regulation like Sarbanes-Oxley, how do you see it affecting companies' control and governance?
CLAPMAN: In the long run, it's going to be fairly routine stuff. I've heard a lot of arguments that much of Sarbanes-Oxley is unneeded and expensive. I've tried to find out what people are really saying. When you look at the expense, it's come in the area of significantly upgrading internal audit. Interestingly, when Sarbanes-Oxley was being debated, you had people saying, "We don't need this." So implicit in that [response] is that you have sufficient internal controls. Now, the [response] is that we're being forced to do things that are expensive. I look at it as money well spent for shareholders.
A lot of companies were doing these things already, as best practices. I think the certifications are healthy; they induce stronger processes within the organization.
Q Board expert Ralph Ward wrote recently that the tide of reform is rising rapidly, and that governance reformers are winning big in this proxy season. Do you agree?
CLAPMAN: I wouldn't use a phrase like "winning big." I think the point of this season--and it was happening last season as well--is that shareholders began to appreciate the relevance of corporate governance to shareholder return. There's been kind of a rolling scandal in the market, which started with a few companies and extended to the independent advisors; now, people are trying to assess the significance of that.
You do see other landmarks along the way. Vanguard [Group] announced that they were withholding in a large number of cases, far more [than] in the past. And [compensation] plans not being put up for approval--now, exchange rules require approval. So, shareholders have much more effective rights, and this is before the shareholder access proposal even gets dealt with at the SEC.
But, I think it's critical that shareholders stay on this. The indifference and the passivity that enabled the problems--if shareholders get sanguine and just watch the market go up, all the problems we've had could come roaring back.
RELATED ARTICLE: Restructuring Tyco
At the very least, it was a "distraction," as Eric M. Pillmore describes it: Having to face a daily drumbeat of negative headlines as the alleged misdeeds of the former CEO and CFO of Tyco International were scrutinized during their trial in the fall and winter.
While those proceedings ended in a mistrial, there's been no letdown for Tyco's current management, which has been busily turning the company infrastructure upside down. Pillmore, a career finance executive and CFO at a number of companies, has been Tyco's senior vice president of corporate governance since August 2002, having been named directly by the current CEO, Edward Breen, who he had worked for at General Instrument Corp.
He described the change process and offered some broader thoughts about governance during an April presentation at New Jersey's Fairleigh Dickinson University.
Pillmore quipped that the "new" Tyco has been almost like a "$38 billion startup" in terms of priorities and organization. "Tyco has a great set of businesses. We realized that very early," he said. "But it was not really as much an operating company as a holding company," with little interaction between top management and the subsidiary companies.
Former CEO Dennis Kozlowski was kissed by celebrity in the late 1990s as Tyco's merger-driven model sent its earnings and stock soaring. While he was a "brilliant" M & A architect, Pillmore said, subsequent events have brought character flaws into sharp relief. And character, he said, is one of the key qualities that the current Tyco looks for in its leaders.
Pillmore detailed a series of lessons he said he's learned from the rebuilding process at Tyco, and from studying other troubled companies:
The need for functional leadership and mentoring. Very often, the CFOs of weakened companies were merger experts who didn't have a mentor or role model and consequently "didn't understand all the dimensions of the job." Pillmore, who spent his formative years in the finance function at General Electric Co., said the importance placed on finance leadership there has stayed with him in his subsequent jobs.
Leaders need a "web of accountability." When the tone at the top is set and controlled solely by the boss, the requisite checks and balances may be lacking. This "web," he said, can extend well beyond the company itself to include a spouse, other relatives or friends, or a priest or pastor.
Boards need ways to evaluate the character of senior managers--and character, he emphasized, is different from reputation.
Leaders must model ethics from the top down and effectively communicate what they want and expect. More than that, Pillmore said, the best companies have what he termed a "servant leadership" culture in which leaders realize they must serve employees, customers and suppliers.
Multiple "open" communication outlets are necessary. Too seldom, he said, is there an interactive dialogue about governance-related issues.
Ethics and character matter, and can't be glossed over. In fact, Tyco now monitors nine separate behavioral characteristics and makes them a key to advancement, he said.
Pillmore confessed that he originally approached Breen about taking the CFO post, but when that didn't happen, realized he had a "great opportunity to learn" about governance and to help build the necessary infrastructure, including a new management team and a new board.
His title of corporate governance officer, which is becoming more common, has an unusual place in the company hierarchy: He reports to the lead director, John Krol, the former CEO of the DuPont Co. Reporting to Pillmore are the vice president of audit--who heads an expanded staff of 110--and a corporate ombudsman, who receives and monitors complaints or ethics questions that bubble up through the organization, both in the U.S. and overseas.
There's far more process at Tyco now, Pillmore suggested. A "president's council" of the operating businesses meets every two months to discuss plans and ideas, for instance, and the company Web site, www.tyco.com, lists an extensive set of governance policies and procedures, meant to be both educational and promotional.
Still, though much has been done, the change to a new culture isn't yet a fait accompli. Says Pillmore: "We will have to live with this for a long, long, time."
|Title Annotation:||Corporate Governance; Sarbanes-Oxley Act of 2002|
|Article Type:||Cover Story|
|Date:||Jun 1, 2004|