Tone at the Top: Making the Music Match the Words

Published by

Roger O. Goldman

“What would you do if I sang out of tune? Would you stand up and walk out on me? Lend me your ears and I’ll sing you a song, and I’ll try not to sing out of key. Oh, I get by with a little help from my friends.”

When The Beatles first recorded that song in 1967, it’s a safe bet they weren’t thinking about corporate governance and the role of the board of directors. Yet, as I’ve pondered the array of corporate scandals over the past decade, I found these fifty-one-year-old lyrics floating to the forefront of my mind.

Here’s why.

Whenever there is a highly publicized failure of corporate governance, the first question that’s typically posed is, “Where was the board?” However, in my experience—after 20-plus years of service in public and private companies, both in the for-profit and nonprofit sectors—that question rarely gets to the heart of the matter because process isn’t the primary culprit. A better question is, “What happened and why?”

Conventional wisdom examines whether the board had sufficient information, process, and the right reports. What often doesn’t get scrutinized is whether the board had the right people in the right places and if the chair or lead director is doing his or her job setting the tone at the top.

In this rapidly changing, complex world, it is incumbent upon the chair or lead director to continuously improve both the process and substance of governance, even in the strongest and healthiest of companies. This is where The Beatles’ lyrics come into play.

The Complexities of Conducting

The role of the chair or lead director is similar to that of an orchestra conductor. The conductor’s primary duties are to interpret the musical score of the composer via an ensemble of players. Using indications within the score, the conductor sets the tempo, shapes the phrasing, and guides the players to perform in concert. While it sounds simple enough, it’s a task of enormous complexity.

The sheet music that an orchestra is given can be likened to the committee charters and board responsibilities. The paper needs to contain the “right tune” and the right mix of notes, etc., but those same notes can be played beautifully or poorly, in harmony or in discordance. Even if individual performers are playing well, one bad violinist can wreck the whole orchestra if his or her part is not minimized or if the conductor doesn’t have the power or influence to get rid of the bad player. Taking the analogy further, the conductor also has to spot the talented players (i.e. board members), even if they are hidden away or young, and feature them.

Then there’s the pacing of the score—think board process. Whether it’s played loudly, softly, fast or slow, is a matter of feel. That’s what the conductor is expressing with his or her gestures and baton-waving. And, of course, the conductor has to be ahead of the music, so the sound carries to the audience, as well as anticipate what’s next.

So, you can have all the scores (or board processes) you want, but if the conductor can’t make the band of sterling musicians work together, the net result is less than stellar performance.

It’s doubly challenging in cases where the board doesn’t have an independent chair because the power of the lead director is usually quite limited, leaving him or her to conduct solely through influence versus explicit authority. In the corporate realm, these are some of the factors that must be considered when making governance better.

Soft Yet Hard

In its recent report, the NACD Blue Ribbon Commission on Culture as a Corporate Asset aptly stated, “While it is often perceived as a ‘soft issue,’ [culture] is actually a hard issue—both in the sense of having concrete impact, and in the sense of being difficult to assess.” The same is true of tone at the top. It can be incredibly hard to assess because it’s ethereal in nature, like the orchestra conductor filling the concert hall with melodious music.

But it does come down to the interactions among the board and its committees, and the transparency of information flow between management and the board at all levels. The responsibility for the “tone” of these interactions, i.e., getting the music to sound good, resides with the board chair or lead director.

In the collective interest of corporations and shareholders everywhere, there’s much to be gained by the ongoing tuning of this tone. Regularly posing the following questions is one example:

  • Are your governance processes appropriate for the speed of change today?
  • Is there sufficient clarity about the roles and responsibilities of the directors and management?
  • Are the right people in the right places for today and tomorrow?
  • Is the orchestra playing in concert in the eyes of the audiences, i.e.. customers, employees, shareholders and the broader community?

The answers are less important than asking the questions and bringing this kind of curiosity to the board room now.

As the aforementioned NACD Blue Ribbon Commission reported, even for companies with healthy cultures, resting on laurels isn’t an option. The stakes are simply too high and the operating environment too volatile not to seek continuous improvement.

It concluded that, “Performed properly, culture oversight not only can be embedded into directors’ existing activities, but also can significantly improve the quality and impact of the board’s work overall.” This notion of making the music match the words when setting the tone at the top goes right along with the Commission’s finding. That, and a little help from friends, might even mean singing on key.

Roger O. Goldman is chair of the executive committee of American Express National Bank, lead director of Seacoast Bank, and former chair of the board for Lighthouse International. Opinions are his own.

Talk to Your Auditors About Cybersecurity

Published by

Cindy Fornelli

If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.

Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.

The Importance of Communicating About Cybersecurity

Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.

Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”

Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.

At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.

CPA Firms and Cybersecurity: Bringing Expertise and Values

Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.

  • Deep expertise. Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, they have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
  • Strong values: CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.

Key Topics to Discuss with Your Auditor

So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.

How the Financial Statement Auditor Considers Cybersecurity Risk

An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).

A talk with the external auditor might involve the following questions.

  1. How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
  2. If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
  3. Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
  4. What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
  5. In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?

How CPA Firms Can Assist Boards in Cyber-Risk Oversight

Although cybersecurity risk management practices are typically beyond the scope of a typical financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.

One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives.

Here are seven questions to ask CPA firms about these initiatives.

  1. How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
  2. How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
  3. What technical expertise do CPA firms possess that qualify them to perform a readiness engagement or an examination to validate effectiveness of controls specific to a company’s cybersecurity risk management program?
  4. The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
  5. What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
  6. What is the audit profession doing to help address cybersecurity risks from third party vendors or service providers?
  7. What other types of engagements are available to help board members with cybersecurity risk oversight?

These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.

Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.