With the release of Issue 12, the first volume of The Bulletin, Protiviti’s newsletter focusing on corporate governance and risk management, comes to a close. Protiviti addressed an array of significant business concerns in Volume 1, most of which stemmed from requirements of the Sarbanes-Oxley Act (SOA) and the ongoing compliance efforts of public companies worldwide. We offered recommendations and strategies for meeting new executive certification and internal control reporting standards established by SOA. We also provided in-depth analysis of areas such as audit committees, technology risks, codes of conduct and complaint-reporting processes. Each issue of Volume 1 is available on www.protiviti.com.
We are pleased to present you with a summary of Volume 1 of The Bulletin, and look forward to sending you the first issue of Volume 2.
Issue 1 — “The Role of Personal Accountability in the New Environment”
SOA and other regulatory rulings set forth new corporate governance standards for public companies in the United States. In this challenging environment, it is the shared responsibility of management and the board of directors to define roles, responsibilities and authorities to make decisions and take action, and to establish the appropriate framework for reinforcing personal accountability. Issue 1 of The Bulletin focuses on the importance of taking these steps and establishing clear accountabilities, particularly as they relate to managing the enterprise’s risks. Issue 1 elaborates on certain standards when setting accountability, including balancing shareholder value creation with shareholder value protection, making discussions of risk tolerance more explicit, aligning performance measures and compensation systems, focusing on the selection of internal auditors and external auditors, establishing accountability for auditor performance, and taking specific steps to encourage responsible behavior.
Issue 2 — “The Changing Corporate Governance Landscape and its Implications”
New corporate governance requirements, established by SOA, mandate the inclusion of executive certifications in public reports. In this environment, companies are feeling greater pressures to take further actions. This issue of The Bulletin reviews examples of the “right things” boards and management should do as they work to improve corporate governance. These include: emphasizing the key elements supporting executive certification – culture, processes and controls, and communication; exercising the board’s mandate to define and maintain director independence; conducting periodic self-evaluations of board performance; positioning the audit committee to succeed with qualified independent directors; implementing meaningful compliance programs; taking a more conservative approach to accounting and reporting; increasing effectiveness of the independent audit; establishing an internal audit function and/or increasing the focus on internal auditing; and improving accounting management.
Issue 3 — “Executive Certifications: Same Responsibilities, Higher Stakes”
Executive management has always been responsible for the quality and fairness of public reporting. However, under Sarbanes-Oxley, the risks are higher and the consequences of failure more significant. In this environment, all companies should perform a rigorous review of their disclosure processes and implement needed changes in time for their first periodic filing. Among the important questions that management must address with regard to executive certifications:
- What are we really certifying?
- What are disclosure controls and procedures? How are they different from internal control over financial reporting?
- What specific steps should we take right now?
- What should we do over the long term?
- What else should we do before we certify?
Issue 4 — “Staying Focused on Core Business Issues Amid Corporate Governance Compliance”
As companies address the myriad new corporate governance requirements established by Congress, the exchanges and regulators, it is equally imperative to address core business and profitability issues, particularly in today’s increasingly demanding global marketplace. How do companies and boards stay focused on strategic, operational and other critical business matters while moving forward with corporate governance reform? This issue of The Bulletin reviews practical guidelines for achieving a healthy balance between vital business requirements and the need to comply with corporate governance reforms.
Issue 5 — “The Code of Conduct – Laying a Cornerstone for Effective Governance”
Business ethics go beyond a moral code that differentiates between what is good and what is bad. They are the principles of conduct governing an organization and the individuals within it. These principles are defined through the day-to-day behaviors of managers and employees, creating a culture in which everyone can observe management’s actions and reactions in response to events. These observations lead, in turn, to an understanding of how individuals throughout the organization are expected to behave in similar situations. A formal, written code of conduct transforms ethical behavior into something more tangible and real.
Such a code, while a best practice among many companies, is now a requirement mandated by Sarbanes-Oxley. This issue of The Bulletin reviews important steps to consider in designing and implementing an effective code of conduct.
Issue 6 — “Internal Controls Over Financial Reporting: Understanding Section 404 of Sarbanes-Oxley”
Sections 302 and 906 of SOA lay a foundation for restoring investor confidence in the integrity of public reporting.
Building on that foundation, Section 404 requires management to file an internal control report with the annual report on Form 10-K. This issue of The Bulletin focuses on the SEC’s proposed rules for Section 404. Questions addressed include, among others:
- What does Section 404 require?
- When is Section 404 effective?
- What is internal control over financial reporting?
- Which companies must comply with Section 404?
- Who should be involved in complying with Section 404?
- What has to be done to comply?
Issue 7 — “Strengthening Governance Through Risk Management”
Risk is a fact of life. Even the best ideas, the most talented people, the best products currently available in the marketplace and the most carefully thought-through strategies do not guarantee sustainable success. Ultimately, it isn’t the strongest or the smartest companies that survive and prosper, but the organizations that successfully adapt to change. Boards and management know the price of surprise is steep and should work together on an effective plan for managing risk. Recommendations detailed in this issue of The Bulletin include adopting a common language, knowing the risks the organization is taking … and why, identifying risks by asking the right questions, managing risks strategically, continuously improving risk management capabilities, and implementing effective oversight.
Issue 8 — “Internal Control Over Financial Reporting – An Update on Section 404 of Sarbanes-Oxley”
This issue updated Issue 6 when the SEC finalized its rules on Section 404 of SOA, requiring companies to file an annual internal control report. That report must contain statements from management regarding the effectiveness of the company’s internal control over financial reporting.
Additionally, the company’s auditor must attest to management’s assertions in the internal control report. This issue of The Bulletin addresses these final rules and what they mean to public companies.
Issue 9 — “The Expanded Responsibilities of the Audit Committee: A New Mandate”
In 2003, the SEC adopted rules mandated by SOA that, among other things, expanded and formalized the responsibilities of audit committees. This issue of The Bulletin explores the new requirements of audit committees and their implications. Key points addressed include SOA expansion of audit committee authority, the requirement to disclose the audit committee financial expert, the requirement for audit committees to pre-approve audit and non-audit services, the need for the audit committee charter to cite the “rules of the road,” and keys to an effectively functioning audit committee.
Issue 10 — “Technology Risks and Controls: What You Need to Know”
Disclosure and internal controls seem to be commanding the headlines these days, with particular emphasis on complying with Sections 302 and 404 of SOA. Where do controls over information technology (IT) fit in this picture? Why is IT important? Why should directors and senior executives care? This issue of The Bulletin addresses these and other questions relating to technology risks and controls, including what’s required, what are examples of key risks in an IT context, and how outsourcing situations are considered.
Issue 11 — “Establishing an Effective Complaint and Confidential, Anonymous Reporting Process”
In 2003, the SEC issued rules, pursuant to SOA Section 301, requiring audit committees to establish procedures for “(a) the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters, and (b) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” This edition of The Bulletin focuses on issues audit committees and management should consider as they collaborate to comply with Section 301 and provides guidance as to the steps that should be taken to comply with it.
Issue 12 — “Building Upon Section 404 Compliance: Moving Beyond Year One”
Compliance with Sections 302 and 404 of the Sarbanes-Oxley Act has commanded the radar of CEOs and CFOs (the “certifying officers”) in recent months. As companies move beyond “first time through” compliance, however, questions arise. How will companies transition from the intensive project mode of the first year to an ongoing process in year two? How will companies implement a compliance process at costs that are reasonable and sustainable on an ongoing basis? How will controls documentation get updated for changes in business processes and systems? How will control deficiencies get fixed going forward? Who will get the job done? How will the certifying officers know it gets done? If something happens to cause the organization’s controls to come under attack, certifying officers should be able to make a convincing case that they did everything they could do to improve or advance the maturity of key business processes, the financial reporting process and the compliance process. The suggestions we provide in this issue of The Bulletin will help them make that case.
The Bulletin (Volume 1 closing summary)