We are currently witnessing the most comprehensive change in corporate governance requirements since the Great Depression. A loss of investor confidence and the need for greater accountability among companies have been discussed at length in the media and on Capitol Hill. These developments have spurred a series of legislative and regulatory actions designed to re-establish trust in corporations. Many factors – including high-profile business failures, well-publicized restatements of financial reports, concerns over auditor independence and conflict of interest issues – have resulted in the current state of affairs.
Our next issue of The Bulletin will explore the importance of an oversight structure and a process view as certifying executives evaluate and report on the effectiveness of their company’s internal management processes supporting disclosures in public reports.
Prior to President Bush signing the Sarbanes-Oxley Act into law, the Securities and Exchange Commission took the initiative to restore investor confidence by requiring the chief executive officer and chief financial officer for large registrants to certify their most recently filed annual report and quarterly reports. However, the Sarbanes-Oxley Act significantly expanded the SEC’s certification requirement and made executive certification of public reports a permanent requirement for all registrants. (For an up-to-date summary of the latest rules, go to www.protiviti.com)
And these changes are only the beginning. Rating agencies will likely factor corporate governance more explicitly into the rating process. The SEC will issue new regulations over time. More laws could be forthcoming.
This is a defining moment in the history of our capital markets and the economy. Even companies with scrupulous governance processes are feeling pressured to take further actions.
While following the rules and adhering to ethical business practices are critical in this new environment, a dedicated long-term focus on doing the right things – in addition to doing them right – is much more likely to hold up under scrutiny. This commitment starts at the top and must filter down throughout the company. Following are examples of the right things boards and management should consider as they work to improve corporate governance:
Emphasize the key elements supporting executive certifications – organizational culture, processes and controls, and communication.
Some companies are having managers with significant financial or operational responsibility sign representation letters before the CEO and CFO certify public filings. If this approach becomes an exercise in superfluous documentation, it will not hold up over time. The focus needs to be on maintaining and continually improving the underlying processes and controls that produce reported information.
Every company should ask: Does the culture reinforce responsible and ethical business practices? Does it increase the focus on quality financial reporting and disclosure, or does it foster undesirable pressures that could lead to "creative accounting" or procrastination in disclosing information to investors? Some companies tell us they are evaluating reward structures in place for their CFOs and controllers to make sure there is adequate balance between quality financial reporting and profitability. One company’s CEO has been traveling worldwide to meet with divisional and department heads and emphasize the importance of upholding the highest standards in corporate responsibility. This CEO has encouraged his managers to report directly to him any financial reporting issues or other concerns. Another company invited employees to meet with directors after a board meeting to reinforce the company’s commitment to addressing the new reforms and provide an opportunity for discussions between the employees and directors.
CEOs and CFOs are now required by law to evaluate the effectiveness of their internal controls over activities that record, process, summarize and report information included in public reports. Key questions for companies to address include:
- How will this evaluation be done? By whom?
- When? How often?
- What is the scope of the evaluation?
- When are the results summarized for the certifying officers?
- How will existing monitoring activities be relied upon?
- How will significant process or internal control weaknesses be reported to the auditors and the audit committee?
These and other questions need to be answered in order to maintain and improve organizational processes and controls and help satisfy the evaluation requirements of the new law.
Management should lead by example and have senior executives communicate the importance of quality and responsible business behavior. For example, some companies tell us their CEOs are emphasizing the importance of quality and ethical behavior in everything the company does. Other companies are publishing their corporate governance approach and views on their websites. Whichever strategies they choose, companies need to become more vocal as to how they govern themselves and monitor the results they are achieving.
Exercise the board’s mandate to define and maintain director independence.
Under the new NYSE and NASDAQ listing requirements, the board is ultimately responsible for determining independence. Will the board be able to adhere to this mandate without undue influence from the CEO? The listing requirements are clear: This is one of the board’s primary responsibilities. They should expect greater scrutiny of the qualifications and independence of their members, both now and in the future. Each board should evaluate independence with an eye toward complying with the spirit as well as the letter of the requirements.
Conduct periodic self-evaluations of board performance.
While not a formal requirement, independent directors should periodically assess board effectiveness, either under the direction of the chairman, if separate from the CEO, or under the guidance of an independent lead director. Alternatively, a designated governance committee can perform the assessment and report the results to the board. Currently, few boards perform self-assessments. Those that do often report that the process is constructive and drives effective change. In light of recent events, boards should conduct these reviews and publicly disclose their results.
Position the audit committee to succeed with qualified independent directors.
Current listing standards (the NYSE and AMEX, for example) require at least one audit committee member be an expert in accounting or finance. Although most executives believe their audit committee members are of high caliber, some report that these audit committees do not include anyone they would consider a financial expert. Under the new rules, many companies acknowledge they are considering replacing or adding members to their audit committees. We expect boards to actively recruit independent board members with the requisite financial expertise to serve in these roles.
Implement meaningful compliance programs.
The new rules require a code of conduct to promote responsible business practices. By itself, a code has little substance unless it is reinforced with a compliance program that is monitored and enforced by management. Compliance efforts and results should be documented and reported in a timely manner to the board and to the CEO and CFO.
Take a more conservative approach to accounting and reporting.
Directors and executives of public companies have always been subject to scrutiny. However, most of them would agree that, should something go wrong, the probability of their being evaluated and investigated has increased significantly. At the same time, while there are rules to follow, accounting and reporting is not an exact science. Reasonable people can differ as to the best approach to account for and report on various transactions. It would be prudent to evaluate the accounting principles applied to reduce the extent of judgment required in their application. In the current environment, taking a more conservative position on accounting alternatives may be the best course of action.
Increase effectiveness of the independent audit.
Audit committees should work with the external auditors, internal auditors and accounting management to make the independent audit process as effective as possible. For example, many audit firms use a similar audit plan every year. As a result, management generally knows what to expect. Audit firms may also allow management to provide too much input on the scope of the plan. The audit committee should encourage variations in plans each year, with less input from management on scope. In addition, the audit committee should encourage the auditor to be more skeptical and to rely less on management representations.
Internal auditors should perform work in areas not sufficiently reviewed by the external auditors, and also review external auditor working papers to retest critical areas in a different manner. Assignments should be rotated among accounting teams, and a mandatory vacation policy adopted for key accounting management personnel to help prevent fraud or detect it if it exists. Also, guest auditor programs should be implemented so that division controllers may review each other’s accounting operations.
Other actions audit committees should take include:
- Ask probing questions. Directors and executives tell us that more questions must be asked of external auditors regarding disclosures in public filings, risks audit committees should consider, and other matters. The audit committee should ask management for more details on how they made significant accounting estimates, and ask the auditors to explain how they evaluated those estimates. They should expect to receive more information from the external auditors, such as analysis of reserve levels, judgmental issues, passed adjustments, changes in accounting principles and other areas. Audit committees also need to have frequent one-on-one dialogue with the audit partner, internal auditors and possibly the CFO. These discussions should take place without executive management present. If necessary, audit committees should request special reviews in such areas as revenue recognition, related party transactions, reserve reversals, accounting for capital expenditures and loans to officers. Internal auditors may perform some of these reviews. If aggressive positions are taken on accounting issues, the audit committee needs to be informed as to why more conservative alternatives were not chosen.
- Increase communication between meetings. Both CFOs and audit committee members have confirmed to us that the level of contact between them has increased considerably over the last several months. Audit committees are asking more questions of CFOs about earnings quality and whether certain issues apply to the company. Some CFOs have told us they are having conversations with the audit committee chairman on a weekly basis.
- Increase the independence of the CFO function. The audit committee should evaluate the performance of the CFO function and provide input on the compensation of the CFO, which will contribute to the function’s independence.
Establish an internal audit function.
The new NYSE listing requirements mandate an internal audit function for all listed companies while allowing for flexibility as to implementation. The other exchanges may follow suit. Because the NYSE does not explicitly require implementation and staffing of a separate department – or employees dedicated to the function – on a full-time basis, will companies currently without an internal audit department hire one or two people or deploy a few people part-time to satisfy this requirement? Will that approach really meet the spirit of the law? Will it be truly independent and effective? Minimum standards for an internal audit function are provided on The Institute of Internal Auditors’ website (www.theiia.org), including 19 suggestions and a list of resources for getting started.
One important consideration specifically acknowledged by the NYSE’s commentary on its rule is evaluating both the hiring of staff and the outsourcing of portions of the audit plan to outside service providers (with the exception of the external auditor). Outsourcing or co-sourcing enables a company to access specialized technical and analytical skills at the time and place they are needed without incurring the expense of hiring, retaining and developing personnel in what may be a non-core competency area.
Increase the focus on internal audit.
In the case of a firm that has an internal audit department, executive management and the audit committee should view it as critical to the success of the company. Internal audit budgets should be brought into line with the company’s risk profile and executives should make internal auditors a part of their initiatives and operations. It is not unusual for an internal audit department, often underutilized by many companies, to be staffed perpetually at 80 percent of its standard capacity. A greater sense of urgency in filling vacancies now exists so that approved audit plans can be completed on time.
Independence is another issue. The chief audit executive should report to the audit committee and have frequent meetings without executive management present. If a "dotted line" reporting to management is necessary, the audit committee should consider having the internal audit function report outside of the CFO organization, even though the CFO often has the best background to provide direction. The committee should also provide input into the compensation of the CAE.
Improve accounting management.
Over the last decade, the CFO’s job has evolved from being highly transaction oriented to one that is strategically focused. Recent events suggest that CFOs need to allocate more time to traditional accounting and reporting duties. In addition, every company should make sure at least one person in the accounting department is a GAAP technician. With the increasing complexity of GAAP, some companies are relying more heavily on their external auditors to keep them updated on accounting changes. However, several CFOs tell us it is important to have at least one technician who is an expert in GAAP as well as highly familiar with the company’s operations. This practice would help ensure all unique accounting situations are identified in a timely manner.
There is no question that the new guidelines are resulting in significant changes in corporate governance practices. However, the new rules do not take away the ultimate responsibility and authority from the board to decide what is needed to bring the company’s corporate governance up to par in these demanding times. As William W. George, former chairman & CEO of Medtronic, Inc., said during his acceptance speech for the National Association of Corporate Directors’ 2002 Director of the Year Award, "Boards must have the will, the persistence and the commitment to get it done … [they] are ultimately responsible and have the power to act accordingly." Management, internal auditors and external auditors have the opportunity to play significant roles in assisting the board to establish and reinforce a governance structure that will function effectively both now and in the future as circumstances change.