Management reports on internal controls. What do they say about your company?

EXECUTIVE SUMMARY

* PUBLIC COMPANIES INCREASINGLY INCLUDE management reports on internal controls in their annual reports even though no regulators require them.
* SINCE ACCOUNTANTS AND AUDITORS ARE DIRECTLY involved in auditing financial statements and reviewing internal controls, they are in a good position to suggest what degree of reporting is appropriate.
* MANAGEMENT REPORTS ON INTERNAL CONTROLS provide a unique opportunity for management to discuss issues and concerns not communicated elsewhere in the annual report.
* SINCE THESE REPORTS FIRST STARTED APPEARING, there is a growing consensus as to what the contents should include: financial statement presentation; purpose, nature and components of internal controls; and the roles of internal audit, the independent auditor and the audit committee. Also, unique programs can be emphasized.
* COMPANIES ARE CAREFUL TO POINT OUT the inherent limitations of internal controls. A significant number of the companies studied acknowledge that "the systems are designed to provide only a reasonable assurance of meeting stated objectives."
* IF INDEPENDENT ATTESTATION OF MANAGEMENT reports were required, such a mandate would have a significant impact on the roles of both the independent auditor and management.

Unless specifically engaged to evaluate a company's internal control system, the auditor typically is not giving an opinion on the adequacy of the controls.

Turn to page xx of a publicly traded company's annual report. If there's a section where management discusses its internal controls, that company has found a venue to communicate with its shareholders--current and potential--about the strategies and policies it has adopted to ensure that the company is "under control."

Public companies increasingly include management reports on internal controls in their annual reports as a good corporate governance practice. At least for now, management has considerable latitude in deciding what it wishes to address in these reports.

Should management be required to report on internal controls, and should independent auditors have to attest to such reports? Although neither the SEC nor FASB require them, these reports have existed for more than a decade; the debate on their mandatory inclusion has been waged for more than 20 years. There are, of course, varying opinions as to whether the needs of financial statement users are being met by existing reporting requirements.

Since accountants and auditors are the professionals directly involved in auditing financial statements and reviewing internal controls, they may be in the best position to suggest what degree of reporting is appropriate.

According to the 1999 edition of Accounting Trends and Techniques, approximately 58% of public companies included management reports in their 10K. This is the one place in an annual report where management can focus readers' attention on issues not systematically discussed elsewhere. A content analysis can help both the writers and users of the reports, as well as the outside auditors, in determining what specific items warrant inclusion.

The content of the reports varies considerably. While the focus in general is on the effectiveness of internal controls, the specific components of internal control are by no means consistent across companies. The differences noted in the reports may reflect the variations in how companies structure their internal control systems or they may reflect the differences in the companies' reporting philosophies. Since the reports first started appearing about 10 years ago, preparers have reached agreement on some of the routine items to be included, and now discuss the features of their overall control systems that are unique or of special significance.

Management reports typically discuss the following topics:

* Financial statement presentation.
* The purpose, nature and components of the company's internal controls.
* The role of internal audit.
* The role of the audit committee.
* The role of the independent auditor.

FINANCIAL STATEMENT PRESENTATION

An analysis of the annual reports of the 1998 Fortune 100 revealed 78 companies had included management reports. Virtually all of the reports in this study began with a statement that management took responsibility for the presentation of the financial statements. Ninety-seven percent said the financial statements conformed to GAAP and 15% said the financial statements represented fairly the company's financial position and results of operations (see exhibit 1, page 59).

[Exhibit 1 ILLUSTRATION OMITTED]

PURPOSE AND NATURE OF INTERNAL CONTROLS

All but 2 of the 78 companies said they maintained a system of internal control. Most noted the purpose of that system: 87% identified reliable financial reporting and 81%, safeguarding of assets (see exhibit 2, below). Just over half of the reports--54%--said the objective was encouraging adherence to management's prescribed policies and procedures, while 51% linked internal controls and ethical conduct. A few of the reports specifically cited the objective of preventing or detecting fraudulent financial reporting.
One company, General Electric, identified a sound, dynamic system of internal controls as "a vital ingredient" for the company's quality programs.

[Exhibit 2 ILLUSTRATION OMITTED]

Several reports identified specific components of their internal control structures (see exhibit 3, page 60). The most frequently cited was the existence of an internal audit function (78%), followed by the maintenance of policies and procedures (63%), the selection and training of good personnel (43%) and segregation of duties (42%). Also mentioned were continuous review and revision of internal controls and a strong control environment or ethical climate.

Almost half of the reports referred to a company code of conduct or ethics policy. Several of the reports noted that the policy addressed such elements as conflict of interest, compliance with applicable laws and confidentiality concerns.

[Exhibit 3 ILLUSTRATION OMITTED]

Seven reports referred to a review process for assuring compliance with ethical standards. For example, an important part of International Paper Co.'s internal controls system was its ethics program and long-standing policy on ethical business conduct, including a telephone "compliance line" to report suspected violations of law or company policy and its newly established office of ethics and business practices. To ensure that personnel continued to understand the internal control system and policies governing prudent business practices, Merck said it had an ongoing "management stewardship program" for key management and financial personnel and had implemented an ethical business practices program to reinforce its commitment to high ethical standards in conducting its business. CIGNA provided each employee with a copy of the corporate policy addressing business ethics and required that all officers, directors and certain other employees sign the policy statement annually. These statements suggest myriad ways in which corporate managements are seeking to share with outsiders their companies' commitment to ethical principles.

POINT OUT LIMITATIONS

Companies also were careful to point out the inherent limitations of internal controls. Eighty-six percent of the reports acknowledged the systems' designs provided only "reasonable assurance" of meeting stated objectives. Thirty-five percent said the internal controls' cost should not exceed anticipated benefits. Sears, for example, explained that the "concept of reasonable assurance is based on the premise that the cost of internal controls should not exceed the benefits derived."

A number of reports spelled out the limitations. One of the most extensive clarifications came from Enron: "It should be recognized, however, that there are inherent limitations in the effectiveness of any system of internal control.
Accordingly, even an effective internal control system can provide only reasonable assurance with respect to the preparation of financial statements and safeguarding of assets. Further, because of changes in conditions, internal control system effectiveness may vary over time."

In spite of these limitations, managements often tried to assure statement readers of the soundness of their internal controls. Although about half of the companies in the study asserted specifically that their internal controls were effective or strong, they did not address the basis for this assessment. Only three of the Fortune 100--Freddie Mac, Halliburton and Ameritech--said their assessments were based on recognized criteria for internal control, with Ameritech the only one specifically listing the five components of internal control defined by the COSO Internal Control Integrated Framework:

* Control environment.
* Risk assessment.
* Control activities.
* Information and communication.
* Monitoring.

INTERNAL AUDIT'S ROLE

The most frequently cited functions of the internal audit department were monitoring compliance with the internal control structure and assessing its effectiveness. Seventeen percent noted internal audit provides recommendations to improve controls and correct deficiencies.

One company, Procter & Gamble, pointed out its use of a self-assessment program to help "individual organizations ... evaluate the effectiveness of their controls" and suggested this program supplemented the internal audit function. Jack Dierkes, assistant director of the company's internal audit unit, offered this perspective: "P&G believes that controls are the responsibility of the line organization.
One role of internal auditing is to audit the line organization, identify gaps and ensure the appropriate action plans are put in place. Since our audit cycle is about three years, we find it helpful to supplement the audits with self-assessments [which] are led by the line organization and conducted about once a year. The internal controls group is available as needed to help the line organization conduct an effective self-assessment. Ideally, problems are identified and fixed before internal auditing conducts official audits."

Most of the reports did not define the reporting structure of the internal audit department, although Merrill Lynch said its corporate audit department reported directly to the audit and finance committee of the board of directors; P&G noted that internal audit ultimately reported to the CFO, and two organizations, Fannie-Mae and General Electric, said internal audit was organizationally independent of the activities it reviewed.

THE AUDIT COMMITTEE'S ROLE

Seventy-four (95%) of the reports referred to an audit committee. Of these, 92% said its members were independent or not part of management and that the audit committee regularly met with the independent auditor (81%), the internal audit director (78%) and management (76%) (see exhibit 4, above). Of the seventy-four companies, in 69% the independent auditor had full and free access to the audit committee and in 60% the internal audit director had the same access.

It is not surprising that many management reports addressed the role of audit committees in light of work of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees (see "Blue-Ribbon Panel Issues Its 10 Commandments," JofA, Apr. 99, page 4). Incidentally, of the reports reviewed in this study, none referred to all the committee's recommendations, and the nature and extent of the information provided varies. (See "Audit Committee Rules to Improve Disclosure," JofA, Apr. 00, page 15.)

Management reports identified the following responsibilities of the audit committee; the percentages in parentheses refer to the portion of the 74 companies with an audit committee.

* Oversight
* Review of internal controls (81%).
* Review the scope and results of internal and independent audits performed (69%).
* Oversight of the internal and independent audit functions (27%).
* Make recommendations concerning the selection of the independent auditor (26%).
* Oversight of management (20%).

Two reports (those of Merrill Lynch and J.C. Penney) said the audit committee had responsibility for compliance with acceptable business standards and ethics; J.C. Penney's reviewed audit and nonaudit services and fees. Ameritech said its audit committee was responsible for "assuring the independence" of the independent auditor. A few reports in exhibit 4 discussed the size of the committee and frequency of its meetings.

[Exhibit 4 ILLUSTRATION OMITTED]

WHAT THE INDEPENDENT AUDITOR DOES

Most of the management reports (85%) referred to the independent audit of the company, with 44% referring to the audit report in the annual report (see exhibit 5, page 64). Several (40%) said the audit was conducted in accordance with GAAS, including appropriate tests of accounting procedures and records. A few noted that all financial records and minutes were made available to the independent auditor or that the representations made to the independent auditor were valid.

Half of the reports said the independent auditor had included some consideration of internal controls. The wording used to describe the nature of this consideration varied. Most common was the term review of internal controls, followed closely by evaluation or assessment of, consideration of, and obtaining an understanding of. Also used were study, testing and examination of internal controls.
Only half of the reports referring to the external auditor's consideration of internal controls explained that the purpose of such consideration was to assist in the design of the audit and not to provide support for an opinion on the adequacy of controls.

DRAWING DISTINCTIONS

If independent attestation of management reports were required, such a mandate would have a significant impact on the roles of both the independent auditor and management in this process. In traditional auditing and attestation services, the profession draws a sharp line between an "audit" and a "review." Specific standards guide the practitioner in providing these differentiated services. Perhaps equally critically, the audit and review reports themselves attempt to clarify for the readers the nature and extent of the work performed.

The management reports usually do not make similar distinctions. A statement in a management report that the independent auditor has "considered," "reviewed" or "examined" the company's internal controls unintentionally might cause a reader to infer that the auditor has indicated the internal control system is working effectively. In most cases, such an inference would be misleading since the auditor was not engaged to express an opinion on the adequacy of the controls.

Unless specifically engaged to assess or evaluate a company's internal control system, independent auditors examine internal controls only for the purpose of designing their overall audit tests of the financial records. Beyond that, no testing of internal controls is required. For this reason the language that is used may merit closer scrutiny.

Auditing standards require that the auditor read other information in a document which may be relevant to the audit or to the propriety of the report. SAS no. 8, Other Information in Documents Containing Audited Financial Statements, cautions the auditor to discuss the information with the client if he or she becomes aware that such information conflicts with his or her knowledge of such matters, or if a material misstatement of fact exists, the auditor should consider notifying the client in writing of his or her views concerning the information and consulting legal counsel.

Since management reports are typically included in companies' annual reports, which contain audited financial statements, the auditor is required to read them. "In reading such information, the auditor should evaluate specific references by management that deal with the auditor's consideration of internal controls in planning and performing the audit of the financial statements, particularly if such reference would lead the reader to assume that the auditor had performed more work than required under generally accepted accounting standards or would lead the reader to believe the auditor was giving assurances on internal control" (from AICPA, Professional Standards, AU section 9550.14, Other Information in Documents Containing Audited Financial Statements: Auditing Interpretations of Section 550).

[Exhibit 5 ILLUSTRATION OMITTED]

The findings of this study indicated that the word most commonly used to describe the nature of the auditor's consideration of the company's internal controls was "reviewed." Because "a statement by management that the auditors had `reviewed' the company's internal controls would be inappropriate," (see footnote to AU section 9550.14), auditors may need to more closely scrutinize clients' management reports to comply with the standard's guidance (see exhibit 5, above).

The profession should consider the results of this study in the debate on whether to mandate management reports of publicly traded companies
and, if so, what those reports should include. Management reports can be another vehicle to improve corporate governance structures. The strength of the management report is the unique opportunity it affords management to address in a focused part of its annual report those concerns it believes are especially important for its company. The report becomes a vehicle for defining management's control strategy, for explaining how its practices compare with those of other companies, and for highlighting where its efforts may represent cutting-edge attempts to make its company more profitable and efficient. Companies with innovative programs can use these reports to emphasize how important these initiatives are.

RELATED ARTICLE: Importance of Information Sources

In a global survey released earlier this year, 69% of investment professionals said the overall quality of financial information disclosed by most publicly traded companies had improved. Nearly three out of four respondents pointed to executive interviews as key sources of information, followed by annual reports and financial news releases.

Source: Corporate Disclosure Survey, Association for Investment Management and Research, Charlottesville, Virginia, www.aim.org/standards.

[GRAPH OMITTED]

RELATED ARTICLE: Improve Business Reporting by Evaluating Internal Controls

The report, Internal Control--Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) in 1992, did not give an opinion on whether internal control reports by management and independent attestation of them should be required. However, the report did indicate that company management should continuously and periodically evaluate the effectiveness of its internal controls.

In 1994, the AICPA examined the information needs of professional investors and creditors and their advisers, and noted, "Although users are not enthusiastic about expanding the scope of audits, one exception relates to internal control. They believe that business reporting would benefit from increased auditor involvement in internal accounting controls" (from Improving Business Reporting--A Customer Focus: Meeting the Information Needs of Investors and Creditors, page 105. For other information, see "Letter From the Chairman of the AICPA Special Committee on Financial Reporting," JofA, Oct. 94, page 39).

RELATED ARTICLE: Why Include a Report of Management in the Annual Report?

According to Ameritech's general auditor, Bruce Adamec, "the principal reason for including the management report on controls in [our] annual report is to inform investors about the roles management and the Board Audit Committee play in the financial reporting process."

"Management and the board believe it is paramount that we acknowledge that the financial statements are the company's and that top management explicitly takes responsibility for the company's financial reporting process and its system of internal controls. Additionally, an important disclosure is the extent to which management assures itself and the board that the controls are effective."

Adamec sees the report of management as a signal to investors that management and the board place a high priority on internal controls.
He also points out that the report communicates the same message to employees, helping to set the appropriate "tone at the top" in the terminology of Report of the National Commission on Fraudulent Financial Reporting (the Treadway report).

He further notes that the management report has had a positive impact on the audit committee and management itself. "Signing the report has given top management and the board audit committee a heightened awareness and interest in performing their internal control responsibilities."

RELATED ARTICLE: Seven Effective Uses of Management Reports

Including management reports in the company's annual report is one of the steps public companies have taken to improve corporate and financial disclosure to their shareholders and interested third parties. There are good reasons to use these reports:

* Communicate how your company provides an effective system of internal controls.
* Discuss how your company uses internal controls to help protect its resources and reach its strategic goals. Identify the components of internal controls that are especially important to you, and reassure the users of the report that your system of controls is working.
* Point out the ways internal audit assures overall goals and objectives are being met.
* Clarify the audit committee's role. Use the report to emphasize its enhanced functions.
* Explain how your company uses its independent auditors to help manage or assess its control systems.
* Take advantage of the location of the management report in the annual report to explain how your company's practices compare with other leading companies in industry.
* Highlight what's unique about your company. For example, if you've adopted a code of ethical conduct for your employees, advertise that here.

DAVID M. WILLIS, CPA, Ph.D, is an assistant professor of business administration at Illinois Wesleyan University, Bloomington. His e-mail address is dwillis@titan.iwu.edu. SUSAN S. LIGHTLE, CPA, Ph.D, is an associate professor of accountancy at Wright State University, Dayton, Ohio. Her e-mail address is susan.lightle@wright.edu.