Dancing on a Wire: Audit Committee Oversight of a Company’s Compliance Program
There are many interdependent pieces of a compliance program; if one function fails, the effectiveness of a compliance program can be seriously threatened.
The audit/compliance committee has a critical role – it has responsibility for monitoring and supervision of a compliance program. Specifically, the audit/compliance committee frequently initiates and establishes a company’s compliance tone. If the issue is important to the audit/compliance committee, compliance will be important to the senior executives and so forth down the line.
An audit/compliance committee has to balance its activities between too much oversight and too little oversight. What do I mean by this delicate dance between too much and too little?
An audit/compliance committee has to be careful not to micro-manage compliance activities and transform itself into the ultimate backstop or manager on compliance issues. An important example is the resolution of audit findings and ensuring timely remediation of audit findings.
If an internal audit report identifies a significant remedial step that a company needs to initiate, the internal auditor has to establish firm deadlines to make sure the problem is fixed. If needed, the internal auditor has to enlist the CFO to ensure timely remediation.
The audit/compliance committee should monitor the status of remediation actions and ensure that senior management resolves the issues in a timely manner. However, it is not the audit/compliance committee’s job to reach out and direct the manager to fix the problem.
This is an important point because the audit/compliance committee cannot usurp senior management’s responsibilities and must act consistently with the board’s mission. If an audit/compliance committee finds itself in an operational position, the company is suffering from a serious senior management failure.
The audit/compliance committee and senior management have to carefully monitor the proper division of responsibilities between supervision and operational functions. Senior management cannot avoid important operational issues by “raising” compliance issues that require operational actions and adherence to policies and procedures.
Conversely, the audit/compliance committee cannot fill a vacuum created by a senior executive’s failure to act. If a senior manager is performing poorly, the audit/compliance committee has to take steps to improve performance or bring in new executives.
An audit/compliance committee has to establish a clear message of accountability. As part of this message, the audit/compliance committee has to provide general directions, review important compliance metrics and reports on ethics and compliance issues, follow up on important issues, and hold senior managers accountable for overall ethics and compliance performance.
Senior managers have important ethics and compliance responsibilities. That goes without saying. While Wal-Mart has made senior executive bonuses and compensation partially dependent on performance of compliance responsibilities, most senior managers are not specifically pushed to complete ethics and compliance tasks. That is unfortunate and should be on every company’s agenda for review.
Senior managers have to perform their jobs and carry out their responsibilities. If they do not, there is a risk, in the compliance arena, that the audit/compliance committee may be required to extend its actions into operational ethics and compliance responsibilities.