Steve Poss, Co-Chair of the Corporate Governance and Securities Litigation Group at Goodwin Procter LLP, participated in the presentation on counseling the audit committees of corporate boards of directors. Mr. Poss first took the audience through the evolution of corporate governance over the last 40 years. He explained that the law for many years did not require members of a corporation's board of directors to install systems to ferret out wrongdoing at a corporation unless they had cause for a suspicion. Under the corporate governance rules as they have evolved over the years, directors now must assure themselves that information and reporting systems exist in the corporation that are adequate in design and effective in operation, so that critical information will "bubble up" to the attention of senior management and to the board of directors, as appropriate. He explained that the Sarbanes-Oxley Act has taken this evolution one step farther by adding even more requirements. Mr. Poss emphasized that these new developments place "a bullseye on the audit committee" as the focal point for new expectations and regulations.
Mr. Poss warned that Sarbanes- Oxley has created something of a corporate "hot potato" game for potential problems, played out among outside auditors, the audit committee, and company management. He noted that the only real winners in this game are the prosecutors and the plaintiffs' lawyers, so it pays to get things right.
Mr. Poss noted that for the first time in the history of American corporate governance, members of a board of directors have by law been given direct management responsibility because Sarbanes-Oxley provides that the members of the audit committee are directly and solely responsible for the appointment, compensation, and oversight of the company's outside auditors. He noted that audit committees should build a record demonstrating that they did a careful job with the selection process because, "if the wheels fall off" in the future, people will look back in hindsight and ask "who hired these guys?" He also noted that audit committees must not only do their job, but should leave "footprints" evidencing that they were prudent and careful in their activities. He noted that the old corporate litigator's advice to "never write anything down" has given way to a new need to build a record, a need which audit committees must be particularly keyed into.
Mr. Poss provided the following tips for audit committees in fulfilling their duty to select the company's independent auditors:
- Don't just pick a firm. An audit committee should inquire about the background and experience of the members of the outside auditor's team.
- Ask for and review resumes, and call references. The committee should ask the same questions that Sarbanes-Oxley Section 102 asks of outside auditors.
- Document the evaluation process, not simply to protect the audit committee, but also to protect shareholders and corporate management.
Mr. Poss also noted that under Sarbanes-Oxley and associated SEC regulations, audit committees will receive reports from outside auditors, and from the company CEO and CFO, concerning accounting practices and policies, alternative treatments, and deficiencies in internal controls. Audit committees must not merely receive these reports, but must also ask questions:
- How were determinations of deficiencies and weaknesses made?
- How were the operation or the controls evaluated?
- What standards and procedures were used for assessing effectiveness?
- Was testing done?
An audit committee should document that the right questions were asked, and that the proper information was assessed, so that if things go wrong the committee members can say, "We did our job carefully."