Everything you’ve always wanted to ask an Audit Committee member (but were too afraid to ask)

 

a RApport Q&A

October 20, 2023

What is the biggest audit/finance disaster you've faced as a member of the Audit Committee?

By what metrics or standards do you judge the competency of a finance or accounting team?

And what are the most important questions to ask the independent auditor in the closed session of an Audit Committee meeting after management leaves?

If you’ve recently joined your first biotech board or Audit Committee (or hope to do so soon), these questions should be on your mind. And if you’re a seasoned director, you probably have an idea of how you’d answer them – but might be curious what your peers would say. RA Capital’s board-building platform, Gateway, makes “leveling up” on best practices as a board member easier than ever by letting us collect best practices from the biotech community. 

We recently kicked off a “community learning cycle” by gathering audit-related questions from many non-audit-savvy biotech board members and posing them to other Gateway members with audit expertise. It’s called a cycle because we then asked the Audit experts to surface their own questions for those with other expertise, driving a Q&A cycle throughout the whole community so that we can all eventually learn from everyone.  

We start with Audit because it’s clearly the sexiest topic. No… truly, for those of us who came to biotech for the science, it’s basically like getting an injection into your eyeball. You wish you didn’t have to get it but you really can’t look away. So here we are. Let’s look together.

We asked three Gateway members who are or have been on Audit Committees – Kim Drapkin (CEO, Graphite Bio), Adam Mostafa (CFO, X4 Pharmaceuticals), and Sen Sundaram (former CEO, Terns Pharmaceuticals) – to offer advice. The answers below have been edited and condensed for clarity.

Before we dive in, it helps to appreciate the role of the Audit Committee and auditors in the governance of a biotech company. In short, they are there to make sure that the company’s finances are being run properly and that every dollar has been spent and invested exactly as has been reported. They don’t necessarily tell you whether it was wise to fund a trial, but they will tell you whether the money that you thought was spent on the trial was actually spent on something else. Proper audit means that investors can trust what they read in the financial statements. Audit also confirms that the company has other effective controls and processes for preventing fraud and remaining compliant with applicable reporting standards. 

Business requires that we all trust each other, but good business practices tell us that we should trust and verify. Audit is all about verification, which allows everyone to have that much more trust. To work, Audit has to be done well. This Q&A is about how to do it well.

Q: What are the most important questions to ask the independent auditor at an Audit Committee meeting?

Adam Mostafa: The timing of the questions in the meeting is important. I have found that at times management tends to put the ‘positives’ upfront only to squeeze in the problematic aspects at the end when we have less time to resolve them, so I always start with an early “Did anything go wrong?” type of query so the meeting is appropriately topic-weighted.

It’s also important to consider who’s in the room. I ask fairly early on if the finance team and auditors felt there was agreeable coordination or if there were disagreements or controversy of any kind. This prompts an opening from either side to appropriately expose it and, if not, get a quick sense that all is well. If this question comes up in the closed session, you will get one viewpoint or something like “Everything was agreed on” with no opportunity to read body language.

Lastly, I typically ask what the teams have learned this quarter that they will apply going forward. I don't see this experience as a static quarter-by-quarter look but an optimally evolving dialogue that should improve and be refined over time as the business changes and progresses, the finance team develops additional experience, and the auditors get more familiar with the company and sector. So I think it is important to inject a 'growth/improvement' aspect into the conversation as well.

Identifying learnings can be overlooked as the Audit Committee is traditionally seen as less of an upside forum and more of a downside-mitigation-only body. Examples of learnings that can improve Audit Committee effectiveness and impact could include ensuring the right balance of skills, experiences, competencies, and expertise are represented on committees over time; improving enterprise risk management practices; or suggesting trainings around evolving or emerging topics such as new tax developments or ESG considerations).

Kim Drapkin: My go-to questions are “What do you see as the biggest accounting and financial reporting risks we are facing?” and “What accounting positions did we take in our financial statements that require management judgment, and how do you perceive the level of risk in our position?“

To me, the most important questions speak to understanding and avoiding the risk of a material misstatement that necessitates a restatement. Most of my public companies are not revenue-generating beyond collaborations, and earnings are not important to investors. I like to make sure we aren't taking unnecessary risks in our accounting positions. For example, if it is more conservative to record revenue one way I want to make sure we are not being unnecessarily aggressive, as there is no benefit and only risk if we are reviewed by the SEC. Another area that always carries a risk for misstatement is clinical trial accrual. I want to understand the sophistication of the clinical accrual process and how good they are at estimating costs, which requires a good working relationship between clinical and finance.

Q: What questions do you ask the independent auditor in the closed session of an Audit Committee meeting after management leaves?

Sen Sundaram: “How's morale amongst the internal finance/audit team?” I find that the finance team is so interconnected with the entire company that they are often aware of underlying issues, complaints, and disagreements that may be bubbling under the surface below the top layer of management. For example, the finance team may complain that folks are always challenging the budget or seeking exceptions or that auditors are spending too much time fixing payroll or equity comp mistakes.

Adam Mostafa:  I ask the auditors' views on management's approach, culture, and general priority around financial reporting, and how that compares to other companies they work with. I have found this helpful to unearth, for example, if there is a passive “We'll get to it when we get to it” kind of mindset – which can flag some degree of incremental risk – versus a proactive, buttoned-up culture from the top down when it comes to financial reporting and disclosure. This can also be a broader signal for management style that may flow into other functional areas of the business.

I have also dealt with overachievers who tend to want to impress and “do it all,” so I ask about resources related to the company's future plans and trajectory. This can yield comments like “The company really needs somebody in such-and-such a position or someone to do X, Y, or Z work or oversight,” which can then be communicated back to the team as they consider hiring plans, risks, and budget determinations.

Lastly, I ask the auditors for their views of the Audit Committee itself and the focus of our agenda, new or priority topics, coordination with management, and level of oversight, and again ask them to relate what they see to other companies or clients. I think feedback from all relevant sources is important and encourages transparency so we can improve and stay aligned as the business develops. I have found auditors may be a bit surprised or uncomfortable about these questions but asking them encourages the sentiment that we're all working together to support the business and can always find room for improvement.

Q: What is the biggest audit/finance disaster you've faced as a member of the Audit Committee? What led to that disaster and what red flags do you now look for to prevent it from happening again?

Sen Sundaram: The biggest issue I’ve run into was a company running out of money and ultimately liquidating. I saw that the company was spreading its resources across too many expensive programs with long timelines to financeable catalysts and my pleas to rationalize expenses and reprioritize programs fell on deaf ears as the CEO and board felt they could finance repeatedly. I think this represents a common issue that financially-minded board members bring up, but needs to be balanced by the recognition that biotechs must put capital at risk to create value. To help find the balance, I commonly ask for an elephant slide if one isn't included in the standard set of board materials.

Adam Mostafa: We had an issue come up where the financial disclosure we provided was not in line with guidance from a particular public stock exchange. This related to a filing that had to be effective in order for a time-sensitive and critical financing to be consummated. Further, our financials were about to go stale if the financing was not done within a short timeframe, which would have put the company in a very difficult financial position. We ended up scheduling “twelfth-hour” meetings with a variety of partners including the exchange and the investors coming into the deal to align timing and get everything done on time.

The experience taught me that it's important to consider all audiences in any financial disclosure (and related transaction) and align deliverables, risk mitigation measures, timing of filings, etc, to keep everyone happy and on the right timeline. A red flag indicating potential risk in this area may be a very narrow viewpoint or consideration list when it comes to a material corporate maneuver. Sometimes small companies focus only on what's in front of them, particularly during high-pressure and time-sensitive financing processes, and neglect other parties – be it an exchange, a partner, etc. – who have certain consent, approval, or disclosure rights or expectations. It’s important to keep a running list of every key party that could have a say in an urgent matter and keep them in mind as you progress through a situation or project to avoid negative last-second surprises. Getting the views of other management team members, board members, and other relevant stakeholders may help fill in blind spots.

Kim Drapkin: I think the biggest disaster I’ve faced was the SVB crisis. The disruption it caused in operating our companies highlighted the risk of keeping all operating cash in one institution. I've always insisted on using more than one investment group, but now I suggest maintaining a backup operating account if the company is not with a “too big to fail” bank. In addition to a backup operating account, I ask for the investment policy to include two investment accounts and ensure that cash at FDIC-backed banks sweeps to an unrelated mutual fund at night. Also, one time a company we were reverse merging with thought it would be a good idea to change auditors during the audit process. That was stupid and a huge mistake. Never switch auditors during a deal or close to year-end! Only do that if it cannot be avoided.

Adam Mostafa: On the subject of the SVB crisis, I have put a few treasury risk management plans in place for companies before and since. It may sound obvious, but diversification with safe, secure, liquid instruments like money market funds across multiple banking partners is important. For cash-burning biotechs looking to generate outsized returns, it is not about optimizing incremental treasury or fixed-income yield but about cash safety and preservation so that assets can be reliably deployed into the business. Maintaining an active dialogue to understand the various banking risk measures of your counterparties is important – regularly keeping track of leverage ratios, credit ratings, deposit ratios, etc. is helpful. We keep a quarterly report that shows where our cash resides along with these various safety and liquidity statistics so we understand where there may be emerging risks. In terms of managing through a crisis, prompt communication is important to keep stakeholders comfortable, as well as making investors, partners, and the board aware of the situation and your actions to mitigate any increased or perceived risks.

Q: For small biotechs, what key accounting judgments do you focus on and why?

Adam Mostafa: I think key accounting judgements in small biotech tend to be related to one-off items, transactions, exotic structures, fair value, impairment assessments and the various associated inputs, assumptions, and treatments. In general, a company should keep in mind situations where they will have to “live with” something for a while. For example, we had some warrants issued in a financing which had some change-of-control-triggered features which became accounted for as a liability that had to be marked to market every quarter. This became a clunky and hard to explain non-cash expense on our income statement, so it looked to the generalist or casual observer that our net income was drastically lower than it actually was. In this case we took the most conservative accounting judgment to avoid future restatement risk, although that may have been overstated. We perhaps would have been more liberal or flexible had we adjusted for the operational and communication challenges the judgment yielded.

Sen Sundaram: Managing accruals for clinical trial expenses, CMC/manufacturing, and other major contracts has been an issue at most companies that I've been involved with (though our own finance team never seemed to have this issue). In one UK company I was involved with, neither the finance lead nor the auditor had biotech experience, so getting alignment on accrual methodology was particularly painful (and if I recall correctly, there are differences in methodology between US GAAP, which the company used for SEC reporting, and UK GAAP, used for local statutory reporting).

Q: Oh no, I think I'm gonna trip 404(b) next year! Where should I start? What are the biggest failure modes for companies that are preparing to be 404(b) compliant? (For readers unfamiliar with SOX compliance, start by reading about the Sarbanes-Oxley [SOX] Act and associated regulations for the internal control environment.)

Adam Mostafa: There are firms that can help you begin the process of becoming SOX compliant. Risk assessment and documenting internal controls and then testing them (as an auditor will eventually do) is a good practice to start as you approach 404(b). One failure mode would be to not take this seriously or keep delaying and maintaining it as a low priority. This needs to become standard procedure and part of the culture, both of which take a significant amount of lead time. It’s helpful to practice ahead of time so that when you get there you are prepared. Given the resource constraints of small biotech companies, a good advisory firm who has worked with the larger audit firms that are often staffed by ex-large firm partners who have done controls/SOX testing can be worth every penny and give management and the Board comfort that things are under control with a project plan in place ahead of time.

Kim Drapkin: I always advise hiring an external group to assist in evaluating the control environment and conduct testing. One area that is usually an issue is proper segregation of duties and making sure there are enough heads to cover this. Another is making sure that the controls are not only in place but followed. It's worse to have a control that is not followed than to not have a control in place. Look for efficient ways to put controls in place that make sense for your stage of operations, make sure your consultant isn’t "going overboard” on the control environment, and sanity-check it with your peers and auditors.

I see going overboard as doing too much too soon - hiring consultants just in case you trip the market cap next June or paying to have external groups perform tests before you are required to do them. People sometimes get nervous or even bored and figure they will get ahead of everything, which can sound reasonable but costs money and takes time that presumably could be spent on more value-creating projects. Another way of going overboard is simply doing what you did at your last job, if it was at a large company. The control environment should match the stage and size of your company. 

Q: What are the top three attributes a company should look for when selecting an independent audit firm?

Sen Sundaram: Biotech experience, biotech experience, biotech experience (at the firm/regional level, because concurring partners will need to weigh in at various crucial points, but also at the team level).

Kim Drapkin: To me a good audit team comes from a reputable firm that has experience in the biotech sector. For example, I'd rather pay more to retain an EY team than one from a non-Big Four as others will not have the deal experience you need during a collaboration or other events that cause delays and often higher fees.

Adam Mostafa: First, consider the “perception variable” - if you are going public or preparing to do so, working with a known, reputable, usually larger audit firm will help investors and partners to feel most comfortable. Outside of that, I prioritize objectivity. Even though the company pays its auditors’ fees, you want an audit team that isn't afraid to speak up, contest management, and chime in with their view on best practices and procedures even if it doesn't align with that of senior management or the Audit Committee. To evaluate this you can do reference checks, leverage existing relationships through the company or board, get a sense in thorough interviews for how stiff auditors’ backbones might be.

I also look for teams who are consistently reliable communicators. It’s important to make sure the partner and team have a good reputation and approach to proactively staying in front of you as the client with what they're thinking, any upcoming guidance or treatment changes, or impending team- or policy-oriented changes at their firm.

I have found it challenging to work with audit firms that need to be educated in basic biotech business topics. Having sector expertise is key so the financial treatment, approaches, relevance, and considerations fit into the broader business, and there is less lost in translation. In regard to “lower-tier” or cheaper firms, sometimes they work out and sometimes they are staffed with subpar professionals whose work needs to be checked and who can make mistakes or not stay on top of things – so you get what you pay for.

Q: Is the Audit Committee responsible for cybersecurity oversight?

Sen Sundaram: Yes, as it is generally a risk-mitigation function that doesn't fall under the purview of the Nominating and Governance or Compensation committees. Cyber responsibility could also be assigned to the full board. At one company where I was CFO, we coincidentally implemented a number of IT policies on finance employees (two-factor authentication, use of domain-joined devices only, geographic limits) that happened to stymie a phishing attack that a temp bookkeeper fell victim to about two days before we implemented this policy. The logs show that attackers (logging in from South Africa) were immediately locked out before they did any damage, though they potentially got access to some emailed invoices during those two days (which we notified the relevant parties about).

Adam Mostafa: I think the Audit Committee can assist on this front and perhaps take on specialized topical aspects of cybersecurity, but the Board should be responsible for related oversight. This is an enterprise-wide risk that touches supply chain, quality, vendor management, CRO/CMO counterparties, commercial efforts, and more. It underlies many aspects of the business where directors outside the Audit Committee may well have insights and expertise, including from other boards. This is in addition to the global nature of the risk, its potential management and mitigation measures, and the meaningful time, resources and costs associated with those initiatives. We had a situation where a significant counterparty – not our company itself – was just about taken down by a cyberattack. While our defenses were formidable, we relied on this counterparty for an important aspect of the business and it had vulnerabilities that were exploited. We neglected to think carefully about this and now maintain a more constant dialogue with our key counterparties about their own cybersecurity measures and put clear plans in place to react to issues. Unfortunately, we did much of that work after the fact.

Q: By what metrics or standards do you judge the competency of a finance or accounting team?

Kim Drapkin: I like to know that there are at least a few CPAs who have SEC and technical accounting experience. Also, I like the team to complement the CFO – for example, if the CFO is an ex-banker, I really want a strong CPA as my VP of Finance. I want to know that someone really understands the technical accounting and SEC process. When teams are not complementary, I tend to see bloated headcounts to compensate for their leaders’ insecurities – the leaders don't know what the team should look like because they have never worked the operating roles themselves, so they tend to overhire. Even at a relatively mature biotech company, if you have a strong team, you shouldn’t need more than five or six people in your finance organization.

Adam Mostafa: One metric would be: Has the team earned (or is it earning) the trust of management, the board, and the auditors? This captures aspects such as process fluidity and transparency, taking ownership and accountability, anticipating and flagging challenges, seeking both a strategic and tactical understanding of the work product and its ramifications, and soliciting advice/guidance when needed. Another metric would be demonstrating competence in understanding and communicating what the numbers mean for the business – what does this imply in terms of resource allocation, time/runway to achieve priorities, or financing strategy adjustments? The “behind the numbers” view helps illustrate a high-level ability to wield the finance function in service of value creation and progress. A third metric would be more objective: competency around accounting matters, like staying updated on the latest and most relevant approaches along with maintaining consistently reliable, high-quality, precise, and timely financial reporting.


I want more materials like this. How do I “Level Up”?

If you haven’t signed up for Gateway yet, consider doing so now (read a detailed refresher on the platform here). It’s free and accessible to any member of the industry.

Gateway’s “Level Up” modules house a growing library of content tailor-made for board directors, spanning topics like Board Recruiting & Performance; Finance & Strategy; Compensation & Operations; Commercialization; Product-Market Fit; and Clinical & Regulatory.

Being curious ourselves, we’re adding more articles, interviews, slide decks, and videos all the time, so we hope this first wave of materials whets your appetite. There will probably be something new to explore each time you return to the site.

Here’s a taste of what we’re building:

Additionally, Gateway allows current and prospective board members to profile their strengths and interests across more than 20 key domains (e.g., clinical development, taking a company public, auditing financials, mentoring management, etc.), then crunches the numbers to figure out where a particular board is strong and where they have space to improve. If a board is weak in any particular areas, Gateway can suggest candidates who are strong in those domains. Are two members of the board retiring soon? No problem – just uncheck them from your current roster, review the skill gaps their departures create, and ask Gateway to suggest candidates who could best round out the board and restore its diversity and strengths.


Please click here for important RA Capital disclosures.


Further Reading


Previous
Previous

A going concern clause isn’t always a concern

Next
Next

Why we’re stuck on Hyku Biosciences