As noted, audit committee engagement and practices vary widely among nonpublic companies. Yet the need for audit committees to gauge and articulate the appropriate level of governance and risk oversight for the organization, and to assist in developing and maintaining it, exists across all companies.
The appropriate level of governance and oversight will depend on several factors, notably the ownership structure and, if applicable, the exit strategy. If the latter were to include a potential public offering or sale to a company with rigorous due diligence, there may be a need for enhanced governance.
Ownership structures that include employee ownership (for example, through an employee stock ownership plan (ESOP), private equity ownership, or other owners external to a family or partnership) may have different areas of focus. For example, an investment company that holds customer assets will have a different profile from a manufacturer or distributor. The audit committee should evaluate where it will focus its oversight activities accordingly.
The audit committee might also consider a framework for risk management and controls, such as the Committee of Sponsoring Organizations (COSO) framework, as a source of guidance, and consider promulgating controls that make sense given the likely costs and benefits. The costs include the investment in developing controls and the expense of maintaining them. Adding controls will also usually add steps to processes like making purchases, paying invoices and closing deals, which can decrease agility and speed, at least initially. However, benefits include enhanced processes, governance, risk management and reporting.
Factors to consider in targeting the appropriate level of governance include:
- The level of operating and reporting systems needed to support growth; attract private investors; or prepare the organization for succession, sale or IPO.
- The expectations of customers and potential partners, and the due diligence that external stakeholders may exercise.
- The actual costs and benefits for the company and its stakeholders rather than vague ideas or general arguments; in many private companies, factions argue for and against enhancements to governance without basic facts that a bit of research could provide.
- The appearances that inadequate governance and risk management can create; for example, while it may not make business sense to spend one million dollars to prevent a half-million-dollar loss to fraud, it can be difficult to explain to stakeholders, particularly to ESOP participants or external owners, why management did not do more to prevent fraud of any magnitude.
It can be frustrating for a dedicated board or audit committee member to make the case for greater governance in a privately held business. The key, however, is to urge owners to collaborate with the board to get to the right decision consciously and explicitly, on the basis of research and analysis, and to revisit the decision periodically as the organization grows and changes.