(The news featured below is a selection from the news covered in the Federal Securities Report Letter, which is distributed to subscribers of the Federal Securities Law Reports.)

Federal Reserve Governor Examines Internal Auditor Functions

Noting that the Sarbanes-Oxley Act is a wake-up call for internal auditors, Federal Reserve Board Governor Susan Schmidt Bies exhorted them to " step up to the plate "and help corporate risk officers and managers reinvigorate the risk assessment and control process over financial reporting. As part of this effort, she continued, internal auditors must demonstrate independence from management and loyalty to the audit committee. She warned them not to become roaming internal management consultants because going down that path would lead to loss of independence. In remarks at the Institute for Internal Auditors, Ms. Bies also emphasized that the board of directors and senior management cannot delegate the responsibility for having an effective system of internal control.

Section 404 of the Sarbanes-Oxley Act requires management to present its assessment of the effectiveness of the company's internal controls in the annual report. In addition, the company's outside auditor must attest to management's assessment of internal controls as an integral part of its audit report. Section 404 is modeled on provisions in the Federal Deposit Insurance Corporation Improvement Act requiring an annual management report on the quality of internal controls and outside auditor attestation to that control evaluation.

According to the Federal Reserve official, the message that the Sarbanes-Oxley Act delivers to internal auditors is that they are uniquely positioned within the company to ensure that its corporate governance, financial reporting and disclosure controls, and risk-management practices are functioning effectively. Although internal auditors are not specifically mentioned in Sarbanes-Oxley, they have within their purview of internal control the responsibility to evaluate all of an entity's systems, processes, operations, functions, and activities.

In the view of Gov. Bies, since directors do not serve full time, it is important that the internal auditor establish an annual agenda for boards and audit committees to focus their attention on the high-risk and emerging risk areas, while ensuring that there are effective preventive controls over the low-risk areas. The challenge of the auditor is to ensure that the internal audit staff has the expertise and ongoing training to meet the specific and changing risks of the organization.

Boards of directors are responsible for ensuring an effective audit process and adequate internal controls. In her view, the reporting lines of the internal audit function should be such that the information that directors receive is impartial and not unduly influenced by management. Internal audit is a key element of management's responsibility to validate the strength of internal controls.

Gov. Bies believes internal controls are the responsibility of line managers, who must determine the acceptable level of risk in their line of business and assure themselves that the combination of earnings, capital, and internal controls is sufficient to compensate for the risk exposures. Supporting functions such as accounting, internal audit, risk management, credit review, compliance, and legal should independently monitor the control processes to ensure that they are effective and that risks are measured appropriately.

The results of these independent reviews should be routinely reported to executive management and the board. Directors should be sufficiently engaged in the process to determine whether these reviews are in fact independent of the operating areas and whether the auditors conducting the reviews can speak freely. In addition, she stressed that directors must demand that management fix problems promptly and provide appropriate evidence to internal audit confirming this. Gov. Bies advised internal auditors that they will not be effective unless they report directly to the audit committee, adding that the company's entire quality assurance and monitoring program will be tainted if internal auditors are not accountable to the audit committee.

If an audit committee asks for recommendations on how to improve independence, she continued, the internal auditor's response should be that the test for any recommended change is whether it makes management more accountable for the ongoing effectiveness of internal controls and makes the internal audit function more effective in both monitoring and process validation. If the audit committee is not ready for accommodation on this point, she advised that the issue be raised with the full board and the outside auditor.

She also urged internal auditors to abandon the idea of becoming the roaming general management consultant within the company, adding that auditors lose their independence when they perform management consulting roles for which they later will have to render an opinion. Auditors uniquely have both the ability and responsibility to look across all of the management silos within the company and make sure that the system of internal controls has no gaps and that the control framework is continually reviewed to keep up with corporate initiatives and reorganizations.

Finally, she noted that internal auditors are the independent eyes and ears of the audit committee around the organization. They know which managers and which projects are likely to entail greater weaknesses in controls. By helping senior management address these risks before losses occur, reasoned Gov. Bies, internal auditors help protect the reputation of managers and the company as well as increasing their own credibility. Prompt reporting to the audit committee and timely resolution of audit findings will build additional credibility with the committee, she believes, provided that internal auditors follow through to ensure that managers are taking control and governance issues seriously.