As part of its “On the audit committee’s agenda” series, the Deloitte Center for Board Effectiveness has released Who’s in charge: The audit committee’s role in ethics and compliance oversight (April 2023). The paper is a high-level discussion of audit committee oversight of ethics and compliance, particularly issues arising from the committee’s statutorily-mandated responsibility for procedures, such as hotlines, for receipt of employee complaints regarding questionable accounting or auditing matters. Themes of the discussion include:
Responsibilities and resources. The audit committee should consider whether it is the proper committee to oversee a particular area of compliance. Some types of risks may be better overseen by other committees “thereby conserving the audit committee’s resources for matters that more directly relate to its key areas of risk management oversight.”
Risk as a starting point. In addressing ethics and compliance, the questions an audit committee should consider asking include “What are the greatest areas of ethical and compliance risks we face?” and “Are we looking at the right risks, and if not, what risks should we be looking at?” Both newly public and long-established companies may benefit from a fresh look at ethics and compliance risks.
Questions for management. Once the relevant risks have been identified, the committee should seek management’s assistance in determining whether the company’s policies, processes, and procedures optimally address those risks. Key questions for management are –
Do we have the right policies in place? Are there key risks for which we don’t have policies?
Have existing policies been updated to address recent developments, including changes in the company, in law or regulation, and otherwise?
Do we have the right management resources to monitor and enforce compliance with our policies? How are we using technology to monitor and enforce our policies?
Critical importance of employee communications. Effective communications with employees are essential. Communications should attract and retain employees’ attention and result in “sticky” messaging. “The dramatic increase in hybrid and remote work arrangements in the current environment has complicated these challenges at the same time that it may lead to heightened incidence of fraud.”