Chapter 3: Governance: GRC in Action 73
Roles of the board and audit committee
With the explicit declaration in SOX that corporate leaders carry responsibility and accountability for the integrity of information provided to investors and regulators, they must understand what their role should be within a governance framework in order to comply with the expectations created by SOX.
Board of Directors: In what has come to be known as the Caremark case (Caremark International Inc. Derivative Litigation; 698 A.2d 959; Del. Ch. 1996), former Delaware Supreme Court Chief Justice E. Norman Veasey established what is commonly termed the Caremark Standard for Corporate Compliance programs. Essentially, Veasey is answering the following questions for the board of directors: What kind of compliance program needs to be established to fulfill the duty of oversight? And how far must directors go to fulfill the duty of disclosure? Veasey then established the following seven protocols:
The board must truly be independent.
The board should engage in governance, not merely be advisors.
Quarterly meetings on the topic of compliance (GRC) should be held, and directors should expect to spend a minimum of 100 hours per year on these issues.
There should be a regular evaluation of the CEO and independently advised audit, nominating, and compensation committees on the board of directors.
The board should establish and monitor compliance programs.
There should be a limit to the number of boards that directors may serve on.
The board should carefully review disclosure documents to make sure that relevant audiences and materials are made reasonably available.
Audit Committee: For those who draw the short stick and are assigned to the audit committee, the following are questions you should consider when measuring potential risk of non-compliance. These also directly relate to how this committee should operate within a functional governing framework.
Are you in control of the agenda, or are management and the auditors?
Do you know the effectiveness of internal controls?
Do you recognize or know about off-balance-sheet financing practices or past history at the company?
How do you find out about third-party transactions?
Do you know what the fees for non-audit related services by the audit firm are — the amount and what services are involved?
What credentials do auditors and internal control personnel have to evaluate ramifications on financial, technology, legal, and operational decisions affected by internal control weaknesses?
Do you understand the business areas and inherent risks associated with the company?
Is there a process for acquiring independent information on risks and major decisions?
Do you have a handle on management practices and culture that encourage or discourage integrity breaches in the company?
Does compensation encourage risk-taking or conservatism among corporate officers?