Internal audit: active ingredient in reform mix. (Audit).
Shareholders expect audit committees to be independent and effective watchdogs over financial reporting for the corporate boards on which they serve. In turn, audit committee members look to senior management to set the right ethical tone, communicate accurate and timely information, identify risks and understand controls for good risk management.
The Sarbanes-Oxley Act envisions all players in the financial reporting scheme acting together to create and sustain a culture of accountability and transparency. As companies design and implement strategies to comply with new disclosure requirements, they must ensure the plan coordinates control activities with one another while integrating the governance efforts of the board and management.
So how does all this happen? Companies don't want to fall into the position of always playing catch-up to have quality governance in place. Management must recognize and accept that it is operating in a changed, sometimes overwhelming, environment--even though SEC and exchange rules impacting some reporting requirements are not yet finalized.
Given all the new regulations and mandates companies must now abide by, it's a mistake to ignore or underestimate internal audit's role as one of the cornerstones of good governance. An internal auditor is not someone who just reviews past performance--the internal audit function must be an integral and equal component of corporate oversight.
The Institute of Internal Auditors (IIA), headquartered in Altamonte Springs, Fla., was a strong voice in last year's push for written disclosures on internal controls in any initiative intended to improve financial reporting and governance processes. "You can't legislate integrity, but if the overall objective of Sarbanes-Oxley is to rebuild investor trust, then formal rules must be put into place to raise everyone's awareness of responsibilities, risks and controls," says William G. Bishop 3rd, president of IIA. "Many people within organizations are on the line now, and compliance failures can result in serious consequences and criminal penalties."
While there's simply no way to completely prevent abuses, "there are enough new checks and balances for people responsible for financial reporting to make them think very seriously about ever misrepresenting information on financial statements," observes Frank J. Borelli, former CFO of Marsh & McLennan Cos. and a former chairman of FEI.
In a healthy corporate setting, auditors are not at odds with management, and "audit committees have always been charged with monitoring the scope of internal audit's activities," says Borelli. Internal audit can be the catalyst to assess internal controls and help focus attention on any weaknesses and how to fix them.
Here are some recommendations and best practices to leverage internal audit in the control and disclosure process as the relationships of management, boards and auditors (both internal and external) evolve in the aftermath of Sarbanes-Oxley:
Step 1. Start with the right internal control framework. Businesses need reliable systems to support mandatory CEO and CFO certifications on disclosure controls and procedures and reporting on the effectiveness of internal controls. The most widely accepted framework for internal control, which has been part of U.S. auditing standards since 1992, comes from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal auditors, as frontline participants and critics of control assessment and risk management, are uniquely qualified to establish and implement a system based on the COSO components of:
* Control environment--the foundation for all elements of an internal control system, providing ethics and discipline.
* Risk assessment--identification and analysis of relevant risks that hinder strategic objectives.
* Control activities--policies and procedures to ensure management objectives are achieved and risk management strategies are implemented.
* Information and communication--communication of responsibilities from management to employees in ways that allow tasks to be performed.
* Monitoring--evaluation and assessment of internal controls by parties outside and within the process.
If a company has no comprehensive internal control framework, it will, at a minimum, be unable to document how it fulfills its reporting responsibilities under the new rules. Once the internal audit team establishes and evaluates the internal control program, all the players in the governance scheme, as well as employees throughout the company, need to understand how it works and why.
Before a company can reach conclusions about the effectiveness of its internal controls and procedures for financial reporting, management must have a clear understanding of what the controls are and what "effectiveness" means. Thus, the COSO components can be a useful tool to implement disclosure procedures and controls and, if necessary, can be tailored to identify risk gaps in ethical values, commitment to competence and management philosophy.
A survey conducted earlier this year by the IIA to review practices developed since the passage of Sarbanes-Oxley found that approximately 63 percent of large publicly traded companies use the COSO framework to support CEO/CFO certifications on internal controls.
Step 2. Adopt specific procedures for operation of disclosure controls. This is where internal auditors can step to the plate to identify and implement new or additional controls for both financial and non-financial disclosures. To assist CEOs and CFOs with their reporting obligations, the SEC recommends that companies have a disclosure committee to act, in effect, as overseer of public disclosures.
The head of internal audit can be responsible for establishing the committee and ensuring it includes the appropriate individuals and reports to the CEO and CFO. As a member of the disclosure committee, "the head of internal audit will have to maintain a balancing act to guard against independence problems by giving advice but not making decisions," says IIA's Bishop. The disclosure committee will need to obtain input from counsel and the external auditor, collect information on existing controls and assess their effectiveness using COSO criteria--then conduct gap analyses.
Of course, there's work for the audit committee, too. "The audit committee will need to become familiar with the process for establishing the disclosure committee, find out what information will be gathered for the CEO/CFO certifications each quarter and discuss with both the internal and external auditors their satisfaction with the process," says Borelli, who presently chairs the audit committees of two public companies.
Step 3. Foster a corporate culture that synchronizes all the components of good governance. One way companies can do this is to ask questions and evaluate the answers about what their board, management, internal audit team and the external auditor must do to fulfill their responsibilities under Sarbanes-Oxley and other mandates. Some companies may choose to create a separate corporate governance committee charged, for example, with understanding what must be reported to regulators and when, as well as with reviewing the company's published codes of ethics.
Reporting relationships will be one of the areas that will change significantly for many organizations as the audit committee assumes oversight over both external and internal audit. "In my opinion, the best aspect of the Sarbanes-Oxley Act is placing audit committees squarely in the role of overseeing the entire audit process," says Ellen H. Masterson, global partner for assurance methodology at PricewaterhouseCoopers LLP.
"Although external auditors are not going to stop returning calls to the CFO, we're going to strengthen our relationships with the internal auditor and the audit committee. One of the tangible costs to businesses will be an increase in the number and the duration of audit committee meetings. With all the new financial reporting and disclosure requirements, both external and internal auditors will have enhanced responsibilities and lots more work to do."
The ability of the internal audit team and audit committee to work well together will affect how audit committee members fulfill their responsibilities to the rest of the board and to investors. "Internal audit, ideally, should report functionally to the audit committee with dotted-line [administrative] reporting to the CEO as a best practice," says Bishop. "For some organizations, this will be a real culture shock." Adds Borelli: "It's an excellent idea for audit committees to interact with internal audit as part of the committee's overall oversight responsibilities for financial reporting and internal controls."
Audit committee oversight of the internal audit function includes: working with senior management to evaluate the performance of the internal audit leader; guaranteeing that internal auditors have access to the audit committee and can meet privately with its members; confirming that audit activities are performed according to professional standards; and ensuring that internal auditors have sufficient resources.
Likewise, internal auditors need to raise their visibility throughout the organization and support governance efforts by staying ahead of issues that may affect the company's risk vulnerability; they should serve as an educational resource to management and the board.
Investors want greater protection, and Congress has mandated certain activities to respond to those expectations. Will the outcome of Sarbanes-Oxley be better-managed companies and better results for shareholders? "Businesses are being asked to disclose more and more information, and to do so more quickly," says Masterson. "As time goes by, everyone in the corporate governance chain will become more efficient and perform their responsibilities better. We all have to recognize that the value to the company will be there for what we're trying to achieve."
Top management, the audit committee, internal audit and the external auditor, in their respective roles, will find themselves traversing a new corporate governance landscape as the dynamics change in response to the commitment to reform.
RELATED ARTICLE: Steps To Take Prior to Reporting To the SEC
* Establish a written compliance procedure specifying how disclosure controls will operate.
* Disclose to the audit committee any significant deficiencies in internal controls and what remedial actions were taken.
* Review all representations necessary for the CEO/CFO certifications in the relevant reporting period.
Cynthia Waller Vallario is a business writer and lawyer in Livingston, N.J., specializing in corporate governance. She can be reached at firstname.lastname@example.org.
Author: Vallario, Cynthia Waller
Date: Jun 1, 2003