Internal audit: active ingredient in reform mix. (Audit).Don't discount how internal audit, as a strategic partner in corporate governance Corporate Governance The relationship between all the stakeholders in a company. This includes the shareholders, directors, and management of a company, as defined by the corporate charter, bylaws, formal policy, and rule of law. , can help your organization meet challenges in the aftermath of Sarbanes-Oxley. Shareholders expect audit committees to be independent and effective watchdogs over financial reporting for the corporate boards on which they serve. In turn, audit committee members look to senior management to set the right ethical tone, communicate accurate and timely information, identify risks and understand controls for good risk management. The Sarbanes-Oxley Act See SOX. envisions all players in the financial reporting scheme acting together to create and sustain a culture of accountability and transparency. As companies design and implement strategies to comply with new disclosure requirements, they must ensure the plan coordinates control activities with each other while integrating the governance efforts of the board and management. So how does all this happen? Companies don't want to fall into the position of always playing catch-up to have quality governance in place. Management must recognize and accept that it is operating in a changed, sometimes overwhelming, environment--even though SEC and exchange rules impacting some reporting requirements are not yet finalized See finalization. . Given all the new regulations and mandates companies must now abide by, it's a mistake to ignore or underestimate internal audit's role as one of the cornerstones of good governance The terms governance and good governance are increasingly being used in development literature. Governance describes the process of decision-making and the process by which decisions are implemented (or not implemented). . An internal auditor Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. is not someone who just reviews past performance--the internal audit function must be an integral and equal component of corporate oversight. The Institute of Internal Auditors “IIA” redirects here. For IIA in decision theory, see Independence of irrelevant alternatives. Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 128,000 members with global headquarters in (IIA (1) (Information Industry Association, Washington, DC) In 1999, IIA merged with SPA (Software Publishers Association) to become the Software & Information Industry Association. See SIIA. ), headquartered in Altamonte Springs Al·ta·monte Springs A city of east-central Florida, a residential suburb of Orlando. Population: 40,900. , Fla., was a strong voice in last year's push for written disclosures on internal controls in any initiative intended to improve financial reporting and governance processes. "You can't legislate To enact laws or pass resolutions by the lawmaking process, in contrast to law that is derived from principles espoused by courts in decisions. integrity, but if the overall objective of Sarbanes-Oxley is to rebuild investor trust, then formal rules must be put into place to raise everyone's awareness of responsibilities, risks and controls," says William G. Bishop 3rd, president of IIA. "Many people within organizations are on the line now, and compliance failures can result in serious consequences and criminal penalties." While there's simply no way to completely prevent abuses, "there are enough new checks and balances for people responsible for financial reporting to make them think very seriously about ever misrepresenting information on financial statements," observes Frank J. Borelli, former CFO See Chief Financial Officer. of Marsh & McLennan Cos. and a former chairman of FEI FEI Fédération Équestre Internationale. . In a healthy corporate setting, auditors are not at odds with management, and "audit committees have always been charged with monitoring the scope of internal audit's activities," says Borelli. Internal audit can be the catalyst to assess internal controls and help focus attention on any weaknesses and how to fix them. Here are some recommendations and best practices to leverage internal audit in the control and disclosure process as the relationships of management, boards and auditors (both internal and external) evolve in the aftermath of Sarbanes-Oxley: Step 1: Start with the right internal control framework. Businesses need reliable systems to support mandatory CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. and CFO certifications on disclosure controls and procedures and reporting on the effectiveness of internal controls. The most widely accepted framework for internal control, which has been part of U.S. auditing standards since 1992, comes from the Committee of Sponsoring Organizations of the Treadway Commission
Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a U.S. private-sector initiative, formed in 1985. (COSO COSO Committee of Sponsoring Organizations of the Treadway Commission COSO Church of Spiral Oak COSO Corporate South COSO Class of Service Override COSO Combat Oriented Supply Operations (USAF) ). Internal auditors, as frontline front·line also front line n. 1. A front or boundary, especially one between military, political, or ideological positions. 2. Basketball See frontcourt. 3. Football The linemen of a team. participants and critics of control assessment and risk management, are uniquely qualified to establish and implement a system based on the COSO components of: * Control environment--the foundation for all elements of an internal control system, providing ethics ethics, in philosophy, the study and evaluation of human conduct in the light of moral principles. Moral principles may be viewed either as the standard of conduct that individuals have constructed for themselves or as the body of obligations and duties that a and discipline. * Risk assessment--identification and analysis of relevant risks that hinder hin·der 1 v. hin·dered, hin·der·ing, hin·ders v.tr. 1. To be or get in the way of. 2. To obstruct or delay the progress of. v.intr. strategic objectives. * Control activities--policies and procedures to ensure management objectives are achieved and risk management strategies are implemented. * Information and communication--communication of responsibilities from management to employees in ways that allow tasks to be performed. * Monitoring--evaluation and assessment of internal controls by parties outside and within the process. If a company has no comprehensive internal control framework, it will, at a minimum, be unable to document how it fulfills its reporting responsibilities under the new rules. Once the internal audit team establishes and evaluates the internal control program, all the players in the governance scheme, as well as employees throughout the company, need to understand how it works and why. Before a company can reach conclusions about the effectiveness of its internal controls and procedures for financial reporting, management must have a clear understanding of what the controls are and what "effectiveness" means. Thus, the COSO components can be a useful tool to implement disclosure procedures and controls and, if necessary, can be tailored to identify risk gaps in ethical values, commitment to competence and management philosophy. A survey conducted earlier this year by the IIA to review practices developed since the passage of Sarbanes-Oxley found that approximately 63 percent of large publicly traded companies publicly traded company A company whose shares of common stock are held by the public and are available for purchase by investors. The shares of publicly traded firms are bought and sold on the organized exchanges or in the over-the-counter market. use the COSO framework to support CEO/CFO certifications on internal controls. Step 2. Adopt specific procedures for operation of disclosure controls. This is where internal auditors can step to the plate to identify and implement new or additional controls for both financial and non-financial disclosures. To assist CEOs and CFOs with their reporting obligations, the SEC recommends that companies have a disclosure committee to act, in effect, as overseer of public disclosures. The head of internal audit can be responsible for establishing the committee and ensuring it includes the appropriate individuals and reports to the CEO and CFO. As a member of the disclosure committee, "the head of internal audit will have to maintain a balancing act to guard against independence problems by giving advice but not making decisions," says IIA's Bishop. The disclosure committee will need to obtain input from counsel and the external auditor The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. , collect information on existing controls and assess their effectiveness using COSO criteria--then conduct gap analyses. Of course, there's work for the audit committee, too. "The audit committee will need to become familiar with the process for establishing the disclosure committee, find out what information will be gathered for the CEO/CFO certifications each quarter and discuss with both the internal and external auditors their satisfaction with the process," says Borelli, who presently chairs the audit committees of two public companies. Step 3. Foster a corporate culture that synchronizes all the components of good governance. One way companies can do this is to ask questions and evaluate the answers about what its board, management, internal audit team and the external auditor must do to fulfill ful·fill also ful·fil tr.v. ful·filled, ful·fill·ing, ful·fills also ful·fils 1. To bring into actuality; effect: fulfilled their promises. 2. their responsibilities under Sarbanes-Oxley and other mandates. Some companies may choose to create a separate corporate governance committee charged, for example, with understanding what must be reported to regulators and when, as well as with reviewing the company's published codes of ethics. Reporting relationships will be one of the areas that will change significantly for many organizations as the audit committee assumes oversight over both external and in-ternal audit. "In my opinion, the best aspect of the Sarbanes-Oxley Act is placing audit committees squarely square·ly adv. 1. Mathematics At right angles: sawed the beam squarely. 2. In a square shape. 3. in the role of overseeing the entire audit process," says Ellen H. Masterson, global partner for assurance methodology at Pricewaterhouse-Coopers LLP LLP - Lower Layer Protocol . "Although external auditors are not going to stop returning calls to the CFO, we're going to strengthen our relationships with the internal auditor and the audit committee. One of the tangible costs to businesses will be an increase in the number and the duration of audit committee meetings. With all the new financial reporting and disclosure requirements, both external and internal auditors will have enhanced responsibilities and lots more work to do." The ability of the internal audit team and audit committee to work well together will affect how audit committee members fulfill their responsibilities to the rest of the board and to investors. "Internal audit, ideally, should report functionally to the audit committee with dotted-line [administrative] reporting to the CEO as a best practice," says Bishop. "For some organizations, this will be a real culture shock." Adds Borelli: "It's an excellent idea for audit committees to interact with internal audit as part of the committee's overall oversight responsibilities for financial reporting and internal controls." Audit committee oversight of the internal audit function includes: working with senior management to evaluate the performance of the internal audit leader; guaranteeing that internal auditors have access to the audit committee and can meet privately with its members; confirming that audit activities are performed according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. professional standards; and ensuring that internal auditors have sufficient resources. Likewise, internal auditors need to raise their visibility throughout the organization and support governance efforts by staying ahead of issues that may affect the company's risk vulnerability; they should serve as an educational resource to management and the board. Investors want greater protection, and Congress has mandated certain activities to respond to those expectations. Will the outcome of Sarbanes-Oxley be better-managed companies and better results for shareholders? "Businesses are being asked to disclose more and more information, and to do so more quickly," says Masterson. "As time goes by, everyone in the corporate governance chain will become more efficient and perform their responsibilities better. We all have to recognize that the value to the company will be there for what we're trying to achieve." Top management, the audit committee, internal audit and the external auditor, in their respective roles, will find themselves traversing tra·verse v. tra·versed, tra·vers·ing, tra·vers·es v.tr. 1. To travel or pass across, over, or through. 2. To move to and fro over; cross and recross. 3. a new corporate governance landscape as the dynamics change in response to the commitment to reform. RELATED ARTICLE: Steps To Take Prior to Reporting To the SEC Establish a written compliance procedure specifying how disclosure controls will operate Disclose to the audit committee any significant deficiencies in internal controls and what remedial actions A remedial action is a change made to a nonconforming product or service to address the deficiency. Rework and repair are generally the remedial actions taken on products, while services usually require additional services to be performed to ensure satisfaction. were taken Review all representations necessary for the CEO/CFO certifications in the relevant reporting period Cynthia Waller Vallario is a business writer and lawyer in Livingston, N.J., specializing in corporate governance. She can be reached at cwvallario@aol.com. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion