Much has happened since 2003 when the Securities and Exchange Commission (SEC) adopted rules mandated by the Sarbanes-Oxley Act of 2002 (SOA) that, among other things, expanded and formalized the responsibilities of audit committees. Following suit, the major U.S. exchanges (the NYSE and NASDAQ, for example) issued listing requirements defining additional expectations for audit committees, including more stringent requirements with regard to director independence. These requirements were discussed in Issue 9 of Volume I of The Bulletin, “The Expanded Responsibilities of the Audit Committee: A New Mandate,” and in several Protiviti SEC Flash Reports issued at that time. Rather than focus on history, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
The new audit committee agenda
Audit committees have a busy agenda over the next 12 months. There are many aspects of the audit committee charter requiring attention, including the myriad of committee activities around the rules issued by the SEC and the listing standards promulgated by the exchanges, as noted above. As they have over the last two years, audit committees must continue to address a long list of nonstandard items.
A new agenda is emerging for the audit committee. Following are eight items on that agenda:
- Drive sustainability, cost-effectiveness and value of the SOA compliance exercise.
- Take a fresh look at the anti-fraud program.
- Learn from historical enterprise risk assessments and trends that indicate changes in risk profiles.
- Monitor internal audit rebalancing.
- Inquire as to internal audit quality assurance reviews.
- Insist on a cost-effective and transparent attestation process.
- Evaluate the organization’s financial reporting risk profile.
- Resolve remaining significant deficiencies.
Each of these agenda items is discussed further below.
Drive sustainability, cost-effectiveness and value of the SOA compliance exercise
On May 10, 2006, the SEC held a roundtable discussion on the second-year experiences with the SOA internal control reporting and attestation provisions. The following week both the SEC and the Public Company Accounting Oversight Board (PCAOB) announced their plans to follow up on the roundtable results and other feedback they had received. Because many accelerated filers are preparing for their third-year Section 404 assessments as these regulatory developments proceed, now is a good time to reflect on “lessons learned” for improving the sustainability of the internal control structure, the cost-effectiveness of the compliance process and the value added in terms of improvements in quality, time and cost process performance. We suggest seven lessons that audit committees should discuss with management and auditors:
- Deploy a top-down approach to focus on what’s important – Even though management fraud has been most often perpetrated at the company level and in the period-end financial reporting process, and not within the upstream routine processes, most of the Section 404 compliance work is targeted to the detailed process-level controls. This incongruity needs to be addressed.
- Consider qualitative and quantitative factors to implement a truly risk-based approach – Last year, the PCAOB staff indicated that “quantitative measures alone are not determinative as to whether an account should be identified as significant.” Since that guidance was issued, significant traction applying it in practice hasn’t occurred. Qualitative factors should at least be considered when planning the nature, timing and extent of independent testing.
- Optimize IT controls to increase the cost-effectiveness of the controls portfolio – The cost of relying extensively on manual controls in sophisticated financial reporting processes has never been as evident as it is today. Management must assess the controls portfolio to balance the mix of automated and manual controls and increase controls cost-effectiveness.
- Apply continuous process-level testing techniques to improve reliability of results – For data-intensive, high-volume transaction processes, management should deploy automated monitoring tools and data analytics to evaluate processing results on a more comprehensive and reliable basis than sample-driven manual testing. Use of these tools can eliminate the need for performing labor-intensive manual tests of controls.
- Improve operational effectiveness and efficiency of upstream financial reporting processes – Many companies have expressed, and continue to express, the view that Section 404 compliance costs need to be reduced by making the compliance process more cost-effective. Now is the time for companies to transition their line of sight from “pass/fail” to “process capability.” This transition is important because process capability refers to the quality, time and cost performance of the business processes impacting financial reporting as well as the nature and extent of financial reporting related risks sourced within those business processes. Only by focusing on process capability will management succeed in fully realizing the value of Section 404 compliance activity. Companies making progress with this transition discover quickly that it is more cost-effective to manage total compliance costs rather than limit their focus to managing external audit costs.
- Incorporate management’s knowledge of controls into the assessment process – Many companies continue to operate under the constraint that they must have the same body of evidence as the external auditor, i.e., they must always independently test in areas in which the auditor concludes such testing is necessary. The PCAOB has clearly stated that this should not be the case. Companies operating on this basis will find a cost-effective approach elusive.
- Don’t wait for Washington to act – Companies should focus on doing the right thing in applying the above lessons and should not wait for the SEC and PCAOB to act.
The next issue of The Bulletin is dedicated to examining these lessons further.
Take a fresh look at the anti-fraud program
During the May 2006 SEC roundtable, several panel members suggested that companies and their auditors needed to shift the focus of the Section 404 assessment to more important issues such as financial statement fraud. The PCAOB is currently in the process of revising Auditing Standard No. 2 (AS2) to sharpen the auditor’s focus on areas where there is the greatest risk of fraud and material error. The resulting amendments could increase the auditor’s emphasis on the company’s “anti-fraud program and related controls.” One of the Board’s likely objectives in this regard is to address the risk of management override of internal controls, because that controls dysfunction is a significant root cause of financial reporting fraud.
The audit committee should inquire as to where management stands with respect to documenting and evaluating the company’s anti-fraud program. Audit committees also should insist on an effective fraud risk assessment. A forthcoming issue of The Bulletin (Issue 9) will address the anti-fraud program and provide insights as to how companies should evaluate it.
Learn from historical enterprise risk assessments and trends that indicate changes in risk profiles
An important contribution of risk management is to help executives and directors make better choices during the strategy-setting process. To achieve and sustain high confidence that all potentially significant risks are identified and managed in today’s rapidly changing operating environment, boards and management need an effective enterprise risk assessment (ERA) process. The audit committee should insist that management carry out such an assessment annually. Further, the assessment should not be focused only on financial reporting.
In Issue 10 of The Bulletin, we will focus on the vital steps in executing an effective risk assessment process. In that issue, we also will explain why integrating risk assessment with strategy-setting is important.
Monitor internal audit rebalancing
The Institute of Internal Auditors (IIA) defines internal audit as an “assurance and consulting activity” that “evaluate[s] and improve[s] the effectiveness of risk management, control and governance processes.” The internal audit function assesses the risks in operations, financial reporting and compliance activities to develop the audit plan and assign the appropriate audit resources. In recent years, the audit plan in many organizations was redirected to support the SOA compliance effort. Many internal audit departments may have gone too far in their support of SOA, diverting attention and resources away from other essential risk areas. This condition suggests a need for rebalancing, an opportunity recognized by many Chief Audit Executives (CAEs). In the effort to rebalance, many functions will consider adding resources to their audit plans, increasing their budgets and utilizing outside skill sets.
Audit committees should weigh in on the rebalancing question to ensure that appropriate emphasis is given to the right priorities. In November 2005, Protiviti released Moving Internal Audit Back into Balance: A Post-SOX Survey, a report available on www.protiviti.com. This publication should be of great interest to executives and directors of companies with an internal audit function. It points out that, as a result of rebalancing, internal audit will continue to play a key role in SOA compliance, though internal control documentation efforts are expected to subside. The study also discusses the following:
- The audit committee will play an oversight role in the rebalancing effort.
- All constituencies – directors, management and internal auditors – recognize the need to rebalance and intend to broaden the audit plan to address more comprehensively the control objectives within the COSO internal control framework; however, they are struggling with how to do so.
- Rebalancing will provide many benefits, the largest of which will be a sharper focus on risk-based auditing.
- Rebalancing may become a “perpetual” activity because systems of internal control operate in a changing business and regulatory environment.
Inquire as to internal audit quality assurance reviews
The IIA has adopted the International Standards for the Professional Practice of Internal Auditing (Standards) requiring, among other things, each internal audit function to establish a Quality Assurance and Improvement Program (QAIP). This program evaluates the effectiveness of the internal audit function in providing assurance and consultation services to the board and executive management. While it assesses conformance to the Standards, the QAIP is primarily focused on identifying opportunities, offering recommendations for improvement, and providing counsel to the CAE and his or her staff for improving performance. External assessments of the internal audit function must be completed by January 1, 2007.
Why is this important? The Standards point out that if an external quality assessment of the internal audit function is not performed every five years, the CAE cannot assert conformance with the Standards. Because the Standards became effective on January 1, 2002, companies have until the end of calendar year 2006 to schedule and complete an external assessment.
What’s the message? For the first time, internal auditors are required to formally evaluate how they operate within their organizations and report the results of the evaluation to the board and/or audit committee. The purpose is to improve the value and effectiveness of the internal audit activity rather than merely conform to IIA Standards. Evaluators must consider the expectations of various stakeholders, including the audit committee. Therefore, the audit committee should inquire as to the status of, approach to and results from the QAIP.
Insist on a cost-effective and transparent attestation process
Integration of the two external audits, the audit of internal control over financial reporting (ICFR) and the audit of the financial statements, remains a priority. During the SEC roundtable, representatives of the audit firms reported progress on this front; however, they acknowledged they are not done. The audit committee should inquire of the external auditor as to the plan to complete this integration, and the specific impact it will have on the audit process and costs. The committee also should request relevant information from the external auditor, such as an identification of high-risk areas, an analysis of reserve levels, judgmental issues, the summary of passed adjustments, changes in accounting principles, concerns with respect to the internal control structure and areas of disagreement with management.
If the audit committee has not done so, it should set the ground rules with the auditor for defining and reporting a “disagreement.” For example, some auditors may interpret a disagreement to include only those matters requiring an exception in the audit report. Many directors want to know about any disagreement, whether resolved favorably or not. If the committee isn’t certain as to the auditor’s point of view, it should clarify this point.
Evaluate the organization’s financial reporting risk profile
Financial reporting complexity is driven by many things – the application of detailed accounting rules, numerous exceptions to basic principles, complex business transactions, industry inconsistencies and the use of estimates. The top five issues leading to a material weakness in ICFR involve the application of accounting principles. They are tax accounting, revenue recognition, inventory/cost of sales, leases or contingencies, and fixed or intangible assets (including depreciation and amortization issues). Effective management of financial reporting requires a clear understanding of the risks arising from historical application of accounting principles and standards, and the degree to which accounting estimates are sensitive to changes in operations and management decisions. Over the next 12 months, the audit committee should obtain an understanding of the company’s financial reporting risk profile.
When financial reporting issues arise, in many cases executives and directors have little advance warning. A financial reporting risk profile strips away the black box and makes transparent the drivers and magnitude of financial reporting risks for all to see. Management is able to evaluate the risks and proactively improve (a) the specific application of accounting principles and (b) the formulation of estimates. For example, although estimates are inherent in the financial reporting process, it is important to understand the extent to which key estimates affect the consistency and reliability of reported earnings. A financial reporting risk profile identifies the estimation processes for reevaluating and updating estimates, provides insight as to the variability in the data underlying estimates and summarizes business drivers that could cause such variability. The profile can be applied to evaluate the impact of estimates and accounting policy applications on the achievement of management incentives.
A robust financial reporting risk profile creates awareness of the drivers of earnings variability, provides a sensitivity assessment of financial estimates and the underlying data, identifies financial reporting exposures and regulatory trends within the industry, proactively evaluates the reliability of estimation processes, ensures consistency in the application of accounting standards and strengthens ICFR. The ultimate objective is to improve the overall quality of financial reporting and establish the appropriate oversight and control to efficiently and effectively evaluate and manage financial reporting risk over time. A subsequent issue of The Bulletin (Volume 2, Issue 11) will address this topic.
Resolve remaining significant deficiencies
In AS2, the PCAOB lists several “strong indicators” that a material weakness in ICFR exists. One such indicator is “significant deficiencies that have been communicated to management and the audit committee remain uncorrected after some reasonable period of time.” If there are unremediated significant deficiencies, the audit committee should inquire as to management’s plan to fix them. If there isn’t a plan, the committee should understand why.
The next 12 months promise to be a time of significant opportunity for companies as they: improve the sustainability, cost-effectiveness and value-add of their SOA compliance process; improve their anti-fraud program and related controls; integrate enterprise risk assessment with strategy-setting; improve their internal audit activities; increase the cost-effectiveness of the attestation process; and improve the financial reporting risk profile. Audit committees can play a vital oversight role in making these things happen. To assist them in this process, the next four issues of The Bulletin will address many of these topics.
The Bulletin (Volume 2, Issue 7)