Who’s in charge: The audit committee’s role in ethics and compliance oversight has been saved
Perspectives
Who’s in charge: The audit committee’s role in ethics and compliance oversight
On the audit committee’s agenda, April 2023
By Krista Parsons and Robert Biskup
Background
Corporate compliance and ethical behavior (or their absence) are not new topics; corporate scandals and misdeeds have generated media and public interest for decades. However, beginning in the 1990s, a series of court decisions reminded boards and managements alike that their duties include oversight of these areas and that they can be held responsible when the lack of oversight results in ethical and compliance lapses.
The audit committee’s role
The court decisions referred to above and in more depth in the full-length publication make it clear that the board’s oversight duties extend to compliance and ethics. However, those cases have not focused on where in the board structure these duties should reside.
To some extent, that governance gap has been addressed by statute and regulation. Specifically, the Sarbanes-Oxley Act of 2002, enacted to a large degree in response to a series of financial reporting scandals in the late 1990s and early 2000s, made it clear that at least some of these duties belong to the audit committee.
The audit committee’s responsibilities and resources
While it may have ultimate oversight of such matters, the audit committee has extensive responsibilities other than those associated with compliance and ethics. Accordingly, it is appropriate for the committee to consider whether it is the proper committee to oversee a particular area of compliance. For example, there are certain types of risks—generally not involving financial and accounting matters—that may more properly be overseen by the compensation or nominating/governance committee, thereby conserving the audit committee’s resources for matters that more directly relate to its key areas of risk management oversight.
Foundational elements—risk as a starting point for ethics and compliance oversight
The audit committee’s remit with respect to ethics and compliance is broad and deep and may be difficult to address without a focus on the most important risks. Thus, the first questions that an audit committee might consider in overseeing compliance and ethics may include “What are the greatest areas of ethical and compliance risks we face?” “Are we looking at the right risks, and if not, what risks should we be looking at?”
The audit committee should consider its oversight of ethics and compliance in the context of the company’s existing risk profile, including its enterprise risk management process and policies designed to address specific risks. However, relying upon existing processes and policies may not suffice, particularly for companies that have just become publicly held or are initiating a product/service or geographical expansion or other departures from historical businesses and operations. And even companies that are mature and/or relatively stable may benefit from a fresh look at the risks that need to be addressed. This fresh look can be implemented through a number of approaches, such as peer company benchmarking or evaluations or assessments conducted by independent third parties.
Next steps and the critical importance of employee communications
Assuming that the relevant risks have been identified, the committee should seek management’s assistance in determining whether the company’s ethics and compliance policies, processes, and procedures optimally address those risks. The following are some of the key questions the audit committee can ask about the company’s ethics and compliance policies:
- Do we have the right policies in place? Are there key risks for which we don’t have policies?
- Have existing policies been updated to address recent developments, including changes in the company, in law or regulation, and otherwise?
- Do we have the right management resources to monitor and enforce compliance with our policies? How are we using technology to monitor and enforce our policies?
Wrapping it up
The importance of corporate ethics and compliance is not diminishing; if anything, given the current focus on environmental, social, and governance issues and a growing focus on corporate responsibility and so-called “stakeholder capitalism,” it seems likely that ethics and compliance will continue to grow in importance. Consequently, audit committees will likely need to maintain or increase their oversight efforts of these matters. In that environment, it is important that audit committees view their ethics and compliance responsibilities holistically, taking into account the above and other factors, maintain an open posture to keep what is working, and consider new approaches as needed.
Recommendations
On the Audit Committee's Agenda
Top of mind topics for audit committee members
Emerging trends in ESG governance for 2023
On the audit committee’s agenda, January 2023