Learn more at www.mhmcpa.com
ADVISORY
Our roots run deep®
The role of audit committees continues to expand to keep pace with the modern business operating
environment. In addition to responsibility for a company’s financial reporting and management, audit
committees increasingly take an active role in an organization’s risk management strategy.
How Audit Committees Can Help with Third-Party Risks
Audit committees can be instrumental in helping
their organizations implement procedures to address
the challenges they face. They can also assist with
addressing internal and external audit findings or
with exploring best practices for addressing areas of
operations that may be vulnerable to disruption or
extraordinary risks.
One key area that audit committees should be examining
is risks and threats from third parties. From activist
investors to cybersecurity, outside threats and interests
can present significant obstacles to an organization’s
day-to-day functioning if the right safeguards are not in
place. Additionally, shifts in the regulatory environment
may also bring renewed scrutiny on risk management,
and organizations should be prepared to address these
challenges. By considering the hot topics in third-party
risks, audit committees can improve their oversight of the
company’s governance and risk management.
Activist Investors
Shareholders with a significant stake in an organization
who try to influence company policy are frequently called
activist investors. Shareholders who gain decision-making
control or influence may try to use their influence
for a range of functions, from altering the company’s
strategic mission to attempting to oust a member of the
board of directors. Activist investors may try to influence
a company to take actions that will most benefit their
investor group, and sometimes, these actions may not
result in improvements or be in the best interests of all
shareholders.
Activist investors became more common during the
economic recession. As companies struggled in the
difficult operating environment, investors searched
for opportunities to insert themselves on the board of
directors of various companies to make changes. Though
the economy is recovering, activist investors remain
part of the operating environment. Activist hedge funds
controlled roughly $122 billion in assets at the end of
2015, according to an analysis by Hedge Fund Research,
and that only accounts for a portion of the activist
investor activity.
Audit committees can help their organizations take steps
early to reduce their risk of becoming subject to activist
investors. They should encourage their organizations
to reexamine their policies. One of the first steps an
organization could take would be to evaluate the kinds of
controls and procedures that surround the shareholders’
rights and responsibilities in the organization’s corporate
governance. Voting rights could be examined to
determine if there are powers or requirements that would
make a company more vulnerable to an activist investor
disrupting its operations. For example, the company’s
governance documents might be amended to redefine
the percentage of votes required to remove a board
member or to limit the types of decisions that require
shareholder approval.
The audit committee can also influence the tone at the
top to ensure a company considers transparency in its
disclosures to shareholders. An organization that has a
robust set of disclosure procedures in place regarding
shareholder communication may be able to help its
shareholders understand its strategy, why management
is electing to make certain decisions and why those
decisions are in the best interests of all shareholders, and
to provide stakeholders with an avenue to communicate
their concerns to leadership. A robust and transparent
communication strategy may significantly reduce the
risk that an activist shareholder would be successful in
rallying support for actions that contradict or conflict with
management and the board of directors’ plans.
Assessing Audit Quality
One of the most important tasks audit committees
undertake involves selecting and monitoring their
organization’s audit firm. Finding a quality auditor can be
complicated because each audit poses unique risks and
considerations, so a one-size-fits-all set of audit quality
criteria cannot be applied.
Nevertheless, the global regulatory environment has
shown that audit quality is a concern that organizations
are focused on. Recent studies by almost all of the global
regulators, including, in the U.S., the Department of Labor
(DOL) and the Public Company Accounting Oversight
Board (PCAOB), found high rates of deficiencies among
audits they reviewed. These findings have led regulators
to take a closer look at whether a comprehensive set of
audit quality indicators could, or should, be developed.
Audit committees should be driving the conversation
around audit quality indicators. Today, there are very few
published sources of information or statistics available
that an audit committee can look to in order to assist in
making determinations about the relative quality of one
audit versus another or one audit firm versus another.
The regulators and professional service groups are
leading the charge in an effort to develop this type of
information and to make it available to audit committee
members. Indeed, how to define audit quality and
what specific metrics are indicative of quality are very
subjective. As a result, audit quality has been judged
by the audit committees using company-specific criteria
to determine whether the audit committee has made
a good choice in auditor selection and received a
high-quality audit.
The AICPA’s Center for Audit Quality and the PCAOB
have both proposed certain audit quality indicators to
help audit committees with their selection process.
Audit committees should familiarize themselves with
these resources and other recommendations on how to
evaluate audit quality while keeping in mind that these
are meant to be guides to consider in auditor selection
rather than rules.
In order to appropriately evaluate audit quality indicators,
it is important to have context. Otherwise, blanket
comparisons between audit firms of any particular
statistic may not yield a fair result when applied to a
company’s specific environment or operation. Audit
committees should be engaged in a meaningful
conversation with their audit firm representatives to
understand how various metrics of audit quality impact
the audit firm as well as their own organization and the
risk that circumstances could potentially reduce quality if
not appropriately managed.
Cybersecurity
Cybersecurity presents one of the largest threats in the
modern business environment. Audit committees should
be assisting their organizations in evaluating their level
of cybersecurity risk. A breach of a company’s systems
can be very costly to remediate and result in significant
reputational damage, and to avoid this, organizations
need to be sure their information technology systems
and data are adequately protected.
Audit committees should be knowledgeable about the
internal controls management has put in place related to
network access, server access and vendor management
and how effective those controls are expected to be.
Stronger environments generally have multiple levels of
protection around each entry point, so that if a breach
occurs at one level, the outside user does not have
unfettered access to all of an organization’s sensitive
information.
Another reason audit committees should be up-to-date
on cybersecurity principles is that cyber controls are
increasingly becoming focal points for auditors as well,
particularly controls around protecting financial data and
information subject to the various privacy laws. External
auditors may raise questions about how financial
statement data are protected in the current environment,
and audit committees may be able to help ensure these
risks are addressed.
Ethical Compliance
Fraud is another common risk in the modern business
environment, and regulators have continued to focus
on punishing those who participate in such activities.
One example can be seen in recent activities and
enforcement actions involving violations of the
Foreign Corrupt Practices Act (FCPA).
The FCPA contains a number of provisions, one of which
is designed to prevent U.S. companies from engaging in
actions that would constitute bribes of foreign officials.
A number of recent SEC enforcement actions and
settlements demonstrate that this area cannot be left
to chance. As can be seen in these recent settlements,
companies can be subjected to, among other things,
censure, large fines, and the requirement to return any
profits that arose from engaging in the illegal activities.
In these actions, the SEC has focused on the lack of
internal controls to prevent the actions from occurring or
to identify and correct them in a timely manner when
they did occur. Some allegations have also involved the
failure to respond to information that would suggest that
problems exist (e.g., tips from a whistleblower hotline
or claims by employees). Audit committees need to
understand how their organizations are equipped to deal
with these risks and what controls are in place to monitor
compliance and to address issues as they arise as well
as whether those controls are effective.
Risky Business
There is no shortage of risks facing the modern company,
and as such, audit committees have their work cut out
for them. Being proactive in addressing emerging risks,
particularly those that involve third parties, is essential
to mitigating or even preventing larger consequences.
For more information about how your audit committee
can help the organization better face its key challenges,
please contact your local MHM professional.
If you have any specific questions, comments
or concerns about this topic, please contact:
Rich Howard
Professional Standards Group
rhoward@cbiz.com | 949.450.4402
© Copyright 2016. Mayer Hoffman McCann P.C. All rights reserved.
