When one considers the corporate bureaucracy designed to ensure good corporate citizenship, the audit committee stands out. No committee of the board has the broad ranging purview of the audit committee, and those powers and duties have expanded over the years. With great power, however, comes great responsibility.

Since March 2010, the U.S. Securities and Exchange Commission (SEC) has brought four suits against the members of audit committees of public corporations, alleging that they were not independent and thus allowed others to engage in securities and other frauds. In class actions, derivative suits, and other private civil litigation, naming the members of the audit committee has become routine, even where the audit committee has taken action to investigate and remediate wrongful conduct. As greater reliance is placed on audit committees, not only with regard to the financial statements but also with regard to internal controls, legal compliance policies and programs, risk management, and investigation of alleged wrongdoing, the likely liability horizon for audit committee members has expanded.

In large corporations, the audit committee has some insulation, both because of the practicalities of policing a large institution and the plethora of professionals who surround it. Smaller companies, however, present a much greater challenge for the members of the audit committee. While the SEC and the exchanges have made clear that the expanding role and responsibilities of the audit committee are not meant to garner expanded liability, as a practical matter, and a legal one, it seems inevitable.

The Audit Committee

In 1939, the New York Stock Exchange, reacting to the SEC’s findings of accounting fraud in connection with McKesson & Robbins, suggested that a committee of non-management directors select the company’s auditors. Over the years, the SEC, the New York Stock Exchange, and the American Institute of Certified Public Accountants have announced refinements to the structure and purpose of the audit committee.

The attributes of the audit committee are clear, simple, and meaningful. It is comprised of “independent” directors. The NYSE listing standards state that a director is not independent unless “the director has no material relationship with the listed company (either directly or as a partner, shareholder or officer of an organization that has a relationship with the company).” Persons, or members of their immediate families, who over the preceding three years have been (a) an executive officer of the corporation, (b) received compensation (other than directors’ fees and the like) in excess of $100,000 from the corporation, (c) served the corporation as a professional, or (d) serves as an executive officer or employee of a company that does more than $1 million of business (or 2 percent of their gross revenues) with the corporation are not independent. The NYSE even labels as not independent persons who are executive officers of an unrelated company where one or more of the subject corporation’s executive officers serve on the unrelated company’s compensation committee. Clearly, the idea is that these independents cannot be beholden to corporate management in any respect.

The need for independence is evident when one considers the responsibilities reposed in the audit committee. In addition to selecting the independent auditor, the audit committee generally meets with the auditor in advance of the annual audit, reviews the audit plan, entertains issues that arise during the course of the audit, and if necessary terminates the auditor. The audit committee is charged with the responsibility of ensuring the independence of the auditor.

On the other side of the coin, the audit committee works with management—primarily the CFO—with regard to accounting and financial reporting. One member of the audit committee is designated the “audit committee financial expert,” and companies must disclose whether they have an audit committee financial expert, and if not, why not. The audit committee financial expert must have knowledge of generally accepted accounting principles and financial statements and the application of those principles to accounting for estimates, accruals, and reserves; experience in preparing or auditing financial statements or experience supervising those who have done so; an understanding of financial reporting and internal financial controls; and an understanding of the function of the audit committee. Sarbanes Oxley Act of 2002, 116 Stat. 745, 790.

The corporation’s internal controls with regard to accounting, financial reporting, and operations are also within the purview of the audit committee. So too are matters regarding regulatory compliance, which is potentially a huge undertaking. After the decision in Caremark in 1996, the design, maintenance, operation, and implementation of effective programs and policies used to detect and, if possible, prevent violations of law have become critical to the exposure of corporate officers and directors to liability. Likewise, the presence or absence of effective compliance policies and programs can have a great influence on a corporation’s exposure to criminal sanctions and even the prosecutor’s decision to exercise discretion to indict a corporation. Responsibility for internal controls and for compliance programs puts the audit committee at the heart of corporate responsibility and potentially at the center of the cross hairs of liability.

Finally, as if there were any need to up the ante, the audit committee frequently plays a role in oversight of risk management. This function is related to the functions described immediately above, since high risk areas may implicate internal controls and/or corporate compliance policies and programs.

In 2000, the SEC issued Release No. 24-42266 (the Release), setting forth final rules regarding audit committee disclosure effective Jan. 31, 2000. See 17 CFR 210, 228-229, 240. Citing advances in technology, and increased pressure on companies to meet market expectations, the SEC leaned heavily on audit committees, which it says “play a critical role in the financial reporting system by overseeing and monitoring management’s and the independent auditors’ participation in the financial reporting process,” to ensure that the “financial reporting process … remain[s] disciplined and credible.” Release at 2.

The then-new rule requires that companies include in their proxy statements a report of whether their audit committee has (a) reviewed the audited financials and discussed them with management; (b) discussed with the independent auditors the matters required by Statement on Accounting Standards (SAS) No. 61 (including the quality and acceptability of accounting principles used, unusual transactions, and issues raised by management and auditors); and (c) received certification of independence from the auditors. Id.

For some reason, the SEC, having grouped together the three report topics set forth above, separately stated a fourth report topic: that the audit committee recommended to the board that the audited financials be included in the company’s annual report. This fourth report might be trouble. In addressing concerns raised by commentators that the new report requirements will expose audit committee members to increased risk of liability, the SEC stated explicitly that “[i]t is not our intention to subject audit committee members to increased liability.” Release at 4. The SEC pointed out that it had considered, and rejected, a requirement that the audit committee state, with language that tracks Rule 10b-5, whether it was aware of any fact that would render the financials untrue or misleading. It is difficult to see, however, how the audit committee could affirmatively recommend to the board the inclusion of the financials in the company’s Form 10-K without implicitly vouching for the accuracy of the financials. The rule provides safe harbor protection from the antifraud provisions of the proxy rules, but the SEC specifically declined to provide insulation from liability in private civil litigation as not being “necessary or appropriate.” Id. at 11. The SEC concluded that since the new rules provide more specificity for the audit committee function, the number of breach of fiduciary duty claims might decrease (id.) and that by requiring the audit committee members to review the financials with management, thereby making the committee members more informed than they otherwise might have been, the protection of state business judgment rules will be more available to committee members (id. at 7). Unfortunately, the SEC provided no authority for these propositions or any examples or further explanation.

The SEC’s optimism might be misplaced. Of course, audit committee members already sign public filings and find themselves routinely embroiled in litigation when the accuracy of public filings is questioned. The expanding role of the audit committee in matters that are frequently at the heart of litigation would, however, seem to make it easier for plaintiffs to articulate claims against audit committee members.

Recent Actions Against Committee Members

In February 2011, the SEC commenced an action against the members of the audit committee of a public company called DAB Industries, a manufacturer of body armor founded and controlled by David A. Brooks, who was found criminally and civilly liable for accounting fraud, misappropriation of corporate funds, and insider trading. The SEC claimed that the members of the audit committee, Jerome Krantz, Cary Chasin, and Gary Nadelman, were longtime friends and neighbors of Brooks who depended on Brooks for financial support and were entirely dominated by him. Krantz was Brooks’ insurance agent. Chasin previously worked at DHB, which was his sole source of income from 1997 to 2000. Nadelman is alleged to have been a “significant investor” in a private company largely owned and later taken public by Brooks. The three were alleged to have received “lucrative warrants” in 2003, 2004, and 2005, as well as other perquisites.

At virtually every turn, the committee failed properly to acquit its responsibilities and engaged in conscious avoidance of important red flags, allowing Brooks to control and subvert what should have been the investigative and protective process and joining him in the wrongdoing. Although each of the three was charged with substantive violations, the vast bulk of the allegations were cast in terms of aiding and abetting Brooks’ wrongdoings, sending a loud and clear message: the audit committee is supposed to be the watchdog and if it is not going to serve that role, then its members are responsible. The defendants entered into consent decrees imposing lifetime bars on service to public companies and fines and disgorgement ranging from $200,000 to just under $1 million.

In March 2010, the SEC commenced, and settled, an action against Vasant Raval, chair of the audit committee of InfoUSA. The CEO of InfoUSA, Vinod Gupta, used corporate assets for personal benefits and engaged in interested party transactions. Raval, as chair of the audit committee, ignored red flags, indeed ignored the results of his own investigation, and allowed Gupta to run amuck. Rather than taking meaningful corrective action, Raval wrote a report to the board, which the SEC thought omitted critical facts regarding Gupta’s expenses. Raval consented to the entry of judgment against him, was fined $50,000, and took a five year bar from serving as an officer or director of a public company.

In March 2014, the SEC commenced two additional actions against audit committee members. In AgFeed Industries, a largely China-based hog feed and production company with operations also in Tennessee, the SEC alleged that Audit Committee chair K. Ivan (Van) Gothner knew, or should have known, that the company was overstating its revenues and keeping two sets of books. Gothner failed to report that fact to the outside auditors, failed to hire a professional firm to conduct a review, and did not investigate the fraud. The case is currently pending in the Middle District of Tennessee.

The SEC also commenced and settled an administrative proceeding against Shirley Kiang, the chair of the audit committee of L&L Energy, another China-based company with headquarters in Seattle. L&L falsely reported that an individual served as its acting CFO. When that individual, who had declined the job, learned of the misrepresentation, she approached Kiang to commence an investigation. Kiang was told by the company’s chairman that the representation was false, but Kiang did not share the information with the auditors or the public, and then, by signing L&L’s 2009 Form 10-K, falsely certified that any evidence of fraud had been disclosed to the auditors and the audit committee. Kiang accepted a lifetime bar from signing SOX-certified filings with the SEC.

While these four cases hardly indicate a sea change, the message is clear: The SEC takes very seriously the role of the audit committee as gatekeeper and it will not hesitate to take action in cases where it feels the audit committee has abandoned its responsibilities.

Approach in Class and Derivative Actions

In addition to SEC enforcement actions, audit committee members are vulnerable to private civil litigation, usually in the form of class and derivative actions. Committee members are typically sued for breach of duty relating to oversight of and communication with the company’s independent auditors and management and relating to the committee’s responsibilities for the company’s compliance with legal and regulatory requirements, internal audit function, internal controls, and, of course, audited financial statements included in its public filings.

In the seminal decision in In re Caremark Int’l, Derivative Litig., 698 A.2d 959 (Del. Ch. 1996), the court set forth a recipe for board conduct. In that case, board members were alleged to be liable for failing to discover corporate employees’ violations of federal and state laws and regulations, which resulted in the company being charged with multiple felonies. The court made clear that directors will be liable for ill-advised or negligent decisions that cause the company to suffer a loss, as well as unconsidered failures to act in circumstances in which due attention and diligent monitoring would have prevented the loss. Id. at 966. On the other hand, when a director exercises a good faith effort to be informed and exercises appropriate judgment, the director satisfies his or her duty of attention. Id.

The Caremark recipe is, necessarily, amorphous. What is clear, however, is that protection against liability for company losses necessitates the board taking some form of affirmative action to employ a corporate information and reporting system so that corporate performance is actively monitored and, as issues arise, they reach the board and senior management in a timely manner. As the board’s committee responsible for overseeing financial reporting, internal controls, and legal compliance, the audit committee seems more susceptible to breach of duty claims under Caremark than are other directors.

Protecting the Audit Committee

Serving on the audit committee of a smaller company is perilous business and has become increasingly so as the duties and responsibilities of the audit committee have expanded. Decisional law may provide some level of protection, and D&O coverage and indemnification rights might cover defense costs and protect against financial responsibility for a judgment. There are, however, limits to that protection, and nothing can defray the implicit costs inherent in the diversion of attention from daily life and the anxiety engendered by litigation. Perhaps it is time for the SEC to devise safe harbors from civil liability for audit committees. Absent concrete, indelible protection, it may very well prove difficult to recruit qualified people to serve on audit committees, to the detriment of good corporate citizenship.

Eugene R. Licker chairs the securities litigation, arbitration and regulatory enforcement practice at Loeb & Loeb in New York. Amanda J. Sherman is an associate in the practice.