THE UK AND THE US: The In 1992, the Cadbury Committee issued the Code of Best Practice that recommended that boards of U.K. companies include at least three external directors and that the positions of chief executive officer (CEO) and chairperson of the board be held by different individuals. Similarly, the U.S. Securities and Exchange Commission (SEC) and the New York Stock Exchange (NYSE) recommended the establishment of corporate audit committee with a view to reinforcing oversight.
During the last two decades, the requirements for audit committees have become more detailed. In both countries oversight is expected to be strengthened by including more external directors, but analysts in the U.S. (where the CEO typically remains the chairman of the board) question the effectiveness of the latter if they are involved in too many boards. The Sarbanes-Oxley Act of 2002 contains mandatory measures for audit committees covering the following areas: (i) management notification of significant internal control deficiencies and any instance of fraud involving management; (ii) the receipt of reports from auditors on critical accounting policies and practices; (iii) direct responsibility for the appointment, compensation, and oversight of external auditors; (iv) the establishment of procedures for receiving and dealing with complaints regarding the company's accounting and internal controls for auditing matters; (v) the setting up of procedures for handling employee concerns-whistle blowing-on accounting issues; and (vi) the inclusion of members that are financially literate. Regarding the latter, the SEC requires that at least one member observe the financial expert definition, while both NYSE and NASDAQ require all members to be financially literate. In the U.K., the Smith group published "Audit Committees Combined Code" in January 2003, where listed companies not following these guidelines must explain why, while noting that (1.5): "All directors remain equally responsible for the company's affairs as a matter of law."
GERMANY: The German corporate structure is an example of a two-tier board structure, which is used in several other European countries. A supervisory board (Aufsichtsrat) comprising mainly external members, and sometimes employees is the highest authority and oversees the management board (Vorstand). The supervisory board is also involved in making strategic decisions, but the degree to which it should be involved in these decisions, as they become more tactical, is often debated. One of the challenges is the interaction between the two boards. Since management (and the CEO) plays a role in nominating members of the supervisory board, there is a need to ensure that the supervisory board has full access to all relevant information from management. To address this, the German corporate governance code (the Cromme Code) prescribes that a supervisory board shall set up an audit committee (5.3.2), that the chairman of the supervisory board must not be the chairman of the audit committee (5.2), and that the latter must not be a former member of the management board (5.3.2).
JAPAN: In Japan, both types of corporate governance models (single and two-tier board structures) now exist for listed companies. Historically, Japanese corporate law has used a two-tier board structure, consisting of a board of directors and a board of corporate auditors (kansayaku). The distinguishing feature of the Japanese approach is that the two boards are of equal hierarchy vis-à-vis the shareholders, to whom they report directly, though in parallel. Although the statutory board of auditors comprises non-executive directors, in practice, the relationship between management and board members remains fairly close. Amendments to the Japanese company law are thus directed toward strengthening the definition of a non-executive director, effective 2005. Other reforms give Japanese companies the option, as of 2003, to adopt a unitary board configuration, provided they establish committees for nomination, audit, and remuneration, each comprising three or more members, half of which must be outside directors. The Japanese law is fairly prescriptive about the role of the board of auditors and the scope of their oversight. It stipulates their fiduciary duty to the shareholders is to audit the activities of the business through a business audit and a financial audit. The business audit is similar to a compliance audit and does not cover the integrity of decisions made by the board of directors, unless they believe that there has been a breach of their 'duty of care' to the shareholders. The financial audit is an audit of the financial statements and is performed by a specialist company elected at the shareholders meeting. The recommendations of the Treadway Commission in 1987 were followed by those of the Blue Ribbon Committee in 1999 (most recently updated in 2004) and the Sarbanes-Oxley Act of 2002. For an elaboration and interpretation, see, for instance, Emmerich, Racz, and Unger (2005) or Chapter 3 OECD (2004).
GOOD GOVERNANCE IN PUBLIC SECTOR: With a widespread trend toward decentralisation, outsourcing and private-public partnerships, governments are devoting greater attention to public sector accountability. By public sector accountability, the OECD means 'the obligation of those entrusted with particular responsibilities to present an account of, and answer for, their execution' while control is defined as 'a process designed to provide reasonable assurance regarding the effectiveness and efficiency of operations, reliability of reporting and compliance with applicable laws and regulations' (OECD,2005). Issues of corporate governance thus extend beyond commercial corporations. Since government entities are accountable to citizens for the proper management of their taxes, they may be expected to be governed by equivalent or even higher standards than their private counterparts. Recent public sector reforms in industrialized countries were directed toward the internal control function, holding decision makers accountable on how public funds are managed and reflecting a shift from ex-ante control of funds (i.e. before spending is authorized) to ex-post assessments of the efficiency with which resources were allocated. In fact, performance indicators are increasingly adopted in budget and management systems in OECD member countries, some of which are also implementing risk management approaches in internal control. This approach, pioneered by Australia and the U.K., also stimulated interest in Ireland and Japan. For more details, see OECD (2005).
Enterprise risk management is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (See p.2 of the COSO integrated framework on risk management).
The greater desire for accountability toward stakeholders has led to the establishment of public sector oversight bodies in a number of countries. More than half the countries participating in the World Bank/OECD 2003 Survey on Budget Practices and Procedures stated that they established a centralized body for internal audit oversight, a third of which are located in an independent government organization. Underlying this governance structure is the desire to reinforce the impartiality of internal control, separate it from day-to-day management, and address duplication between internal and external control.
Some governments have developed specific guidelines for audit committees in ministries, agencies, or departments. The handbook developed by the U.K. Treasury, for instance, is designed to help the audit committee elaborate a strategy for briefing the accounting officer or the board prior to their reporting to the parliamentary Public Accounts Committee (PAC). Accounting officers and boards cannot be expected to know all the operational details of the organization but will still need to have the assurance that governance mechanisms are in place, since they will be held to public account. Responsible for the availability and accuracy of information, the audit committee is an integral part of the formal accountability procedure and provides the required assurance of efficient, effective, and economic control systems. The good practice guidelines clearly state that the PAC will not accept any lack of knowledge of internal control vulnerabilities as a justification for poorly managed or realized risk.
The public audit committee's lines of accountability and members' personal incentives differentiate it from that of a commercial corporation. The difference in government departments is being held accountable by ministers, and/or parliament rather than an annual meeting of shareholders, and unlike boards in commercial corporations, policy responsibility is split between decisions taken at ministerial level and the provision of agency or departmental advice. Moreover, the non-executive members of the audit committee act as advisers or consultants and do not have the same incentives as their private sector counterparts. In representing the government rather than the shareholders, they do not share the liability of a corporate board member and may be dismissed with a change in the administration at the end of an electoral cycle. To ensure that independent external membership does not unduly represent third-party interests or expose privileged information, governments typically issue guidelines on public appointments to maximise the benefits of external expertise and independent judgment.
Public service objectives further distinguish the role of audit committees in government entities placing a greater emphasis on members' personal qualities. The Australian government guide offers a discussion of process issues in the establishment and operation of audit committees designed to help public entities apply principles of better practice. The Better Practice Guide Public Sector Audit Committees also includes alternative audit committee charters which may be tailored to an entity's particular circumstances. The Australian public sector entities are statutorily required to establish an audit committee, and the guide applies to all entities governed by the Financial Management and Accountability Act 1997 and the Commonwealth Authorities and Companies Act 1997. The guide states explicitly that audit committee members, over and above the functions specified in the charter, have a responsibility to exercise due diligence and act in good faith in the best interest of the entity. One of the recommended personal qualities is the ability to appreciate an entity's culture and values in considering ethical issues that might arise. This usefully extends staff and officials' responsibilities (normally established in internal codes of conduct or ethics) to the external members of the audit committee. The guide calls upon the committee members to adopt a culture of 'continuous improvement' rather than a punitive approach, arguing that it is a more constructive way of interacting with management.
Reflecting developments in the corporate sector, the extent of legal liability is emerging as a source of concern, although this varies from one country to another. Although the Australian guide is pragmatic rather than prescriptive, it goes further than the UK Treasury. The good practice guidelines clearly state that the PAC will not accept any lack of knowledge of internal control vulnerabilities as a justification for poorly managed or realised risk. The Better Practice Guide Public Sector Audit Committees also include alternative audit committee charters which may be tailored to an entity's particular circumstances. The Australian public sector entities are statutorily required to establish an audit committee, and the guide applies to all entities governed by the Financial Management and Accountability Act 1997 and the Commonwealth Authorities and Companies Act 1997. The handbook recommends that audit committee members arrange for appropriate indemnity insurance. Their liability is limited in that it will not be greater than that of an executive of (or a service provider to) the entity.
[The third part of the article will be published on Saturday]
Jamaluddin Ahmed PhD, FCA is General Secretary, Bangladesh Economic Association and Member, Board of Directors, Bangladesh Bank.